Brand Impersonation: Mailgun
Impersonation of the Mailgun Email delivery platform.
Sublime rule (View on GitHub)
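name: "Brand Impersonation: Mailgun"
description: "Impersonation of the Mailgun Email delivery platform."
type: "rule"
severity: "medium"
# Sublime MQL rule: (brand signal) AND NOT (known-legitimate exclusions) AND (trusted-sender gate).
# Rendered page had lost the block-scalar indentation and carried gutter numbers; restored here.
source: |
  type.inbound
  and (
    // "mailgun" (after confusable-character normalisation) in any sender field or the subject
    any([
      sender.display_name,
      sender.email.domain.domain,
      sender.email.local_part,
      subject.subject
      ],
      strings.icontains(strings.replace_confusables(.), "mailgun")
    )
    or regex.icontains(body.html.raw, '<title>.*mailgun.*</title>')
    // copyright / registered mark adjacent to the brand name in the current thread
    or regex.icontains(body.current_thread.text,
                       '[©®]\s*(20\d\d\s*)?Mailgun',
                       'mailgun\s*[©®]'
    )
    // logo match on the rendered message screenshot (medium or high confidence only)
    or any(ml.logo_detect(beta.message_screenshot()).brands,
           .name == "Mailgun" and .confidence in ("medium", "high")
    )
  )
  and not (
    // sent from mailgun actual
    (
      sender.email.domain.root_domain in (
        'mailgun.com',
        'mailgun.net', // official mailgun domains
        'mailgunwarmup.com', // an unrelated b2b firm
        'emailonacid.com', // another sinch email product
        'elior-na.com', // a domain with a similar logo that catches on logo_detect
        'brembo.com' // a domain with a similar logo that catches on logo_detect
      )
      // DMARC pass is required here, so a mere From: spoof of these domains is not excluded
      and headers.auth_summary.dmarc.pass
    )
    // and not where the recipients include a domain with a similar logo
    // and where that recipient shows up in a previous thread
    or (
      any(recipients.to, .email.domain.root_domain in ("elior-na.com", "brembo.com"))
      and any(filter(recipients.to, .email.domain.root_domain in ("elior-na.com", "brembo.com")),
              (
                strings.icontains(body.html.display_text, strings.concat("From: ", .email.email))
                or strings.icontains(body.html.display_text, strings.concat("From: ", .display_name))
              )
      )
    )
    or
    // some domains have "mailgun" as a subdomain and are sent via mailgun
    // these are unlikely to be impersonations
    (
      (
        strings.icontains(sender.email.domain.domain, "mailgun")
        or strings.icontains(sender.email.local_part, "mailgun")
      )
      and (
        // if mailgun action was in the header.hops very likely not impersonation
        // sample: https://platform.sublime.security/messages/ff12d4c08177c5505c29fc133201011c802029736f5ca28ee2acfffb60c02581
        any(headers.domains, .root_domain in ('mailgun.com', 'mailgun.net'))
        // but if not and there are 3 or more X-Mailgun-* headers across the hops with index below 2, likely not impersonation
        // (threshold is >= 3 as written; the earlier comment said "4 or more" and did not match the code)
        // sample: https://platform.sublime.security/messages/62c31e33ac6d8c5b5a8132ba577902eb7fb72775cd8182d168881033cb0751e1
        // NOTE(review): unlike the first exclusion this branch has no DMARC condition and relies on
        // header presence alone; confirm that is acceptable for the sender domains this covers
        or sum(map(filter(headers.hops, .index < 2),
                   length(filter(.fields,
                                 strings.starts_with(.name, "X-Mailgun-")
                   )
                   )
        )
        ) >= 3
      )
    )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "Credential Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Brand"
detection_methods:
  - "Sender analysis"
id: "59cc84e6-e16c-58e7-94ad-78dad315e5ab"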