Brand Impersonation: Mailgun

Impersonation of the Mailgun Email delivery platform.

Sublime rule

# Sublime Security detection rule: YAML metadata plus an MQL expression in `source`.
# The message matches when it is inbound, references the Mailgun brand in the
# sender identity / subject / body / logo, and none of the exclusions below apply.
name: "Brand Impersonation: Mailgun"
description: "Impersonation of the Mailgun Email delivery platform."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    // brand reference in sender display name, domain, local part or subject;
    // confusable characters are normalized before the substring check
    any([
          sender.display_name,
          sender.email.domain.domain,
          sender.email.local_part,
          subject.subject
        ],
        strings.icontains(strings.replace_confusables(.), "mailgun")
    )
    // brand reference in the HTML <title>
    or regex.icontains(body.html.raw, '<title>.*mailgun.*</title>')
    // copyright / registered-mark footer text in the current thread
    or regex.icontains(body.current_thread.text,
                       '[©®]\s*(20\d\d\s*)?Mailgun',
                       'mailgun\s*[©®]'
    )
    // Mailgun logo detected in the rendered message screenshot
    or any(ml.logo_detect(beta.message_screenshot()).brands,
           .name == "Mailgun" and .confidence in ("medium", "high")
    )
  )
  // exclusions: genuine Mailgun/Sinch traffic and known logo_detect false positives
  and not (
    // sent from mailgun actual (only honored when the message passes DMARC)
    (
      sender.email.domain.root_domain in (
        'mailgun.com',
        'mailgun.net', // official mailgun domains
        'mailgunwarmup.com', // an unrelated b2b firm
        'emailonacid.com', // another Sinch email product
        'elior-na.com', // a domain with a similar logo that catches on logo_detect
        'brembo.com' // a domain with a similar logo that catches on logo_detect
      )
      and headers.auth_summary.dmarc.pass
    )
    // exclude messages whose To: recipients include one of the similar-logo
    // domains AND where that recipient appears as the author ("From: ...") of
    // a quoted earlier message in the displayed HTML text, i.e. a reply thread
    or (
      any(recipients.to, .email.domain.root_domain in ("elior-na.com", "brembo.com"))
      and any(filter(recipients.to, .email.domain.root_domain in ("elior-na.com", "brembo.com")),
              (
                  strings.icontains(body.html.display_text, strings.concat("From: ", .email.email))
                  or strings.icontains(body.html.display_text, strings.concat("From: ", .display_name))
              )
      )
    )
    or 
    // some domains have "mailgun" as a subdomain and are sent via mailgun
    // these are unlikely to be impersonations
    (
      (
        strings.icontains(sender.email.domain.domain, "mailgun")
        or strings.icontains(sender.email.local_part, "mailgun")
      )
      and (
        // if mailgun action was in the header.hops very likely not impersonation
        // NOTE(review): unlike the first exclusion this branch is not tied to
        // headers.auth_summary.dmarc.pass; confirm headers.domains only reflects
        // hops the platform trusts before relying on it alone
        // sample: https://platform.sublime.security/messages/ff12d4c08177c5505c29fc133201011c802029736f5ca28ee2acfffb60c02581
        any(headers.domains, .root_domain in ('mailgun.com', 'mailgun.net'))
        // but if not and there are 3 or more X-Mailgun-* header fields summed
        // across the first two hops (.index < 2), likely not impersonation
        // sample: https://platform.sublime.security/messages/62c31e33ac6d8c5b5a8132ba577902eb7fb72775cd8182d168881033cb0751e1
        or sum(map(filter(headers.hops, .index < 2),
                   length(filter(.fields,
                                 strings.starts_with(.name, "X-Mailgun-")
                          )
                   )
               )
        ) >= 3
      )
    )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  
# Classification metadata consumed by the platform.
attack_types:
  - "Credential Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Brand"
detection_methods:
  - "Sender analysis"
id: "59cc84e6-e16c-58e7-94ad-78dad315e5ab"