Service abuse: HungerRush domain with SendGrid tracking targeting ProtonMail
Detects inbound messages from the hungerrush.com domain that contain SendGrid open-tracking pixels and reference redacted ProtonMail addresses, indicating potential abuse of a legitimate service for suspicious targeting.
Sublime rule (View on GitHub)
name: "Service abuse: HungerRush domain with SendGrid tracking targeting ProtonMail"
description: "Detects inbound messages from hungerrush.com domain that contain SendGrid tracking pixels and reference redacted ProtonMail addresses, indicating potential abuse of legitimate services for suspicious targeting."
type: "rule"
severity: "high"
source: |
  type.inbound
  and sender.email.domain.root_domain == "hungerrush.com"
  // html contains sendgrid open tracking pixel
  and strings.icontains(body.html.raw, 'sendgrid.net/wf/open')
  // body contains "redacted" proton email address
  and regex.icontains(body.current_thread.text, '(?:\*\*|protonmail\.com)')
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Sender analysis"
  - "HTML analysis"
  - "Content analysis"
id: "73f62e74-2bbf-5adc-a48b-969fd1b29243"
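The rule's three conditions rendered in Python and run over constructed sample messages, as an added illustration that is not part of the Sublime rule or its platform; it assumes every sample is already inbound (type.inbound true) and uses a simplified root-domain helper (last two labels) in place of Sublime's root_domain.

```python
import re

# Constructed sample messages (not real mail), in the shape the rule inspects:
# sender address, raw HTML body, and the current thread's plain text.
SAMPLES = {
    "match": {
        "sender": "orders@mail.hungerrush.com",
        "html": '<img src="https://u1.ct.SendGrid.net/wf/open?upn=abc" width="1">',
        "text": "Your order for us**@protonmail.com is confirmed.",
    },
    "no_pixel": {
        "sender": "orders@hungerrush.com",
        "html": "<p>Thanks for your order</p>",
        "text": "Contact: someone@protonmail.com",
    },
    "other_domain": {
        "sender": "news@example.com",
        "html": '<img src="https://sendgrid.net/wf/open?upn=x">',
        "text": "hello **",
    },
}


def root_domain(address: str) -> str:
    """Last two labels of the sender domain (simplified: ignores multi-label suffixes)."""
    domain = address.rsplit("@", 1)[-1].lower()
    return ".".join(domain.split(".")[-2:])


def rule_matches(sender: str, html: str, text: str) -> bool:
    """AND of the rule's three checks, mirroring the MQL source (type.inbound assumed)."""
    from_hungerrush = root_domain(sender) == "hungerrush.com"
    # strings.icontains: case-insensitive substring test for the open-tracking pixel path
    has_pixel = "sendgrid.net/wf/open" in html.lower()
    # regex.icontains: case-insensitive search for "**" (redaction) or "protonmail.com"
    has_proton_ref = re.search(r"(?:\*\*|protonmail\.com)", text, re.IGNORECASE) is not None
    return from_hungerrush and has_pixel and has_proton_ref


def evaluate(samples: dict) -> dict:
    """Map each sample name to whether the rule would fire on it."""
    return {name: rule_matches(**msg) for name, msg in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate(SAMPLES).items():
        print(f"{name}: {'MATCH' if hit else 'no match'}")
```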