Brand Impersonation: Mailgun

calendar Apr 24, 2025  ·
Share on: linkedin copy

Impersonation of the Mailgun Email delivery platform.

Sublime rule (View on GitHub)

 1name: "Brand Impersonation: Mailgun"
 2description: "Impersonation of the Mailgun Email delivery platform."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    any([
 9          sender.display_name,
10          sender.email.domain.domain,
11          sender.email.local_part,
12          subject.subject
13        ],
14        regex.icontains(strings.replace_confusables(.), "ma[il][il]gun")
15    )
16    or regex.icontains(body.html.raw, 
17      '<title>.*mailgun.*</title>', 'alt\s*=\s*"\s*Mailgun\s*Logo\s*"'
18    )
19    or regex.icontains(body.current_thread.text,
20                       '[©®]\s*(20\d\d\s*)?Mailgun',
21                       'mailgun\s*[©®]'
22    )
23    or any(ml.logo_detect(beta.message_screenshot()).brands,
24           .name == "Mailgun" and .confidence in ("medium", "high")
25    )
26  )
27  and not (
28    // sent from mailgun actual
29    (
30      sender.email.domain.root_domain in (
31        'mailgun.com',
32        'mailgun.net', // official mailgun domains
33        'mailgunwarmup.com', // an unrelated b2b firm
34        'emailonacid.com', // another sinch email product 
35        'elior-na.com', // a domain with a simliar logo that catches on logo_detect
36        'brembo.com' // a domain with a simliar logo that catches on logo_detect
37      )
38      and headers.auth_summary.dmarc.pass
39    )
40    // and not where the recipient include the domain with a simliar logo
41    // and where that recipient shows up in a previous thread
42    or (
43      any(recipients.to, .email.domain.root_domain in ("elior-na.com", "brembo.com"))
44      and any(filter(recipients.to, .email.domain.root_domain in ("elior-na.com", "brembo.com")),
45              (
46                  strings.icontains(body.html.display_text, strings.concat("From: ", .email.email))
47                  or strings.icontains(body.html.display_text, strings.concat("From: ", .display_name))
48              )
49      )
50    )
51    or 
52    // some domains have "mailgun" as a subdomain and are sent via mailgun
53    // these are unlikely to be impersonations
54    (
55      (
56        strings.icontains(sender.email.domain.domain, "mailgun")
57        or strings.icontains(sender.email.local_part, "mailgun")
58      )
59      and (
60        // if mailgun action was in the header.hops very likely not impersonation
61        any(headers.domains, .root_domain in ('mailgun.com', 'mailgun.net'))
62        // but if not and there are 4 or more X-Mailgun headers, likely not impersonation
63        or sum(map(filter(headers.hops, .index < 2),
64                   length(filter(.fields,
65                                 strings.starts_with(.name, "X-Mailgun-")
66                          )
67                   )
68               )
69        ) >= 3
70      )
71    )
72  )
73  // negate highly trusted sender domains unless they fail DMARC authentication
74  and (
75    (
76      sender.email.domain.root_domain in $high_trust_sender_root_domains
77      and not headers.auth_summary.dmarc.pass
78    )
79    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
80  )  
81attack_types:
82  - "Credential Phishing"
83  - "BEC/Fraud"
84tactics_and_techniques:
85  - "Impersonation: Brand"
86detection_methods:
87  - "Sender analysis"
88id: "59cc84e6-e16c-58e7-94ad-78dad315e5ab"
to-top