Brand Impersonation: Mailgun

 1name: "Brand Impersonation: Mailgun"
 2description: "Impersonation of the Mailgun Email delivery platform."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    any([
 9          sender.display_name,
10          sender.email.domain.domain,
11          sender.email.local_part,
12          subject.subject
13        ],
14        regex.icontains(strings.replace_confusables(.), "ma[il][il]gun")
15    )
16    or regex.icontains(body.html.raw, 
17      '<title>.*mailgun.*</title>', 'alt\s*=\s*"\s*Mailgun\s*Logo\s*"'
18    )
19    or regex.icontains(body.current_thread.text,
20                       '[©®]\s*(20\d\d\s*)?Mailgun',
21                       'mailgun\s*[©®]'
22    )
23    or any(ml.logo_detect(beta.message_screenshot()).brands,
24           .name == "Mailgun" and .confidence in ("medium", "high")
25    )
26  )
27  and not (
28    // sent from mailgun actual
29    (
30      sender.email.domain.root_domain in (
31        'mailgun.com',
32        'mailgun.net', // official mailgun domains
33        'mailgunwarmup.com', // an unrelated b2b firm
34        'emailonacid.com', // another sinch email product 
35        'elior-na.com', // a domain with a simliar logo that catches on logo_detect
36        'brembo.com' // a domain with a simliar logo that catches on logo_detect
37      )
38      and headers.auth_summary.dmarc.pass
39    )
40    // and not where the recipient include the domain with a simliar logo
41    // and where that recipient shows up in a previous thread
42    or (
43      any(recipients.to, .email.domain.root_domain in ("elior-na.com", "brembo.com"))
44      and any(filter(recipients.to, .email.domain.root_domain in ("elior-na.com", "brembo.com")),
45              (
46                  strings.icontains(body.html.display_text, strings.concat("From: ", .email.email))
47                  or strings.icontains(body.html.display_text, strings.concat("From: ", .display_name))
48              )
49      )
50    )
51    or 
52    // some domains have "mailgun" as a subdomain and are sent via mailgun
53    // these are unlikely to be impersonations
54    (
55      (
56        strings.icontains(sender.email.domain.domain, "mailgun")
57        or strings.icontains(sender.email.local_part, "mailgun")
58      )
59      and (
60        // if mailgun action was in the header.hops very likely not impersonation
61        // sample: https://platform.sublime.security/messages/ff12d4c08177c5505c29fc133201011c802029736f5ca28ee2acfffb60c02581
62        any(headers.domains, .root_domain in ('mailgun.com', 'mailgun.net'))
63        // but if not and there are 4 or more X-Mailgun headers, likely not impersonation
64        // sample: https://platform.sublime.security/messages/62c31e33ac6d8c5b5a8132ba577902eb7fb72775cd8182d168881033cb0751e1
65        or sum(map(filter(headers.hops, .index < 2),
66                   length(filter(.fields,
67                                 strings.starts_with(.name, "X-Mailgun-")
68                          )
69                   )
70               )
71        ) >= 3
72      )
73    )
74  )
75  // negate highly trusted sender domains unless they fail DMARC authentication
76  and (
77    (
78      sender.email.domain.root_domain in $high_trust_sender_root_domains
79      and not headers.auth_summary.dmarc.pass
80    )
81    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
82  )  
83attack_types:
84  - "Credential Phishing"
85  - "BEC/Fraud"
86tactics_and_techniques:
87  - "Impersonation: Brand"
88detection_methods:
89  - "Sender analysis"
90id: "59cc84e6-e16c-58e7-94ad-78dad315e5ab"