Service abuse: Suspicious Datadog alert
Message from alert@dtdg.co containing links to URL shorteners or self-service creation platforms.
Sublime rule (View on GitHub)
# Sublime Security MQL detection rule.
# Flags inbound mail from Datadog's alert address (alert@dtdg.co) whose short body
# either carries a hyperlink pointing off datadoghq.com / aka.ms together with
# quarantine / held-for-review / secure-message / voicemail lure wording, or is
# classified by the NLU model as a voicemail / missed-call notification.
name: "Service abuse: Suspicious Datadog alert"
# NOTE(review): the description names URL shorteners / self-service creation
# platforms, but the link branch in `source` fires on any hyperlink whose root
# domain is not datadoghq.com or aka.ms — align the wording with the logic, or
# tighten the check to match the wording.
description: "Message from alert@dtdg.co containing links to URL shorteners or self-service creation platforms."
type: "rule"
severity: "high"
# Rule logic. Lines starting with `//` inside this block are MQL comments.
source: |
  // Service-abuse pattern: the sender is Datadog's own alert address, so the
  // message presumably is a genuine Datadog notification whose alert content
  // was authored by the abuser — confirm against sample messages.
  type.inbound
  and sender.email.email == "alert@dtdg.co"
  // Short bodies only; presumably keeps the rule to the alert template and out
  // of long legitimate threads — verify against real Datadog alerts.
  and length(body.current_thread.text) < 1000
  and (
    // Branch 1: a hyperlink leaves the Datadog / aka.ms domains AND the body
    // uses common lure wording. Links whose decoded "domain" query parameter
    // resolves to datadoghq.com are removed by the filter before the root
    // domain check (presumably Datadog redirect/tracking links — verify).
    (
      any(filter(body.links,
                 .parser == "hyperlink"
                 and not any(.href_url.query_params_decoded["domain"],
                             strings.parse_domain(.).root_domain == "datadoghq.com"
                 )
          ),
          .href_url.domain.root_domain != "datadoghq.com"
          and .href_url.domain.root_domain != "aka.ms"
      )
      // Case-insensitive lure phrases; `.{0,10}` tolerates a few characters
      // between "held for" and "review".
      and regex.icontains(body.current_thread.text,
                          'quarantine|held for.{0,10}review|secure message|voice\s?mail'
      )
    )
    // Branch 2: NLU topic match for voicemail lures at high confidence, English
    // text only; fires independently of any link. The classifier is invoked
    // twice on the same text here.
    or (
      ml.nlu_classifier(body.current_thread.text).language == "english"
      and any(ml.nlu_classifier(body.current_thread.text).topics,
              .confidence == "high"
              and .name == "Voicemail Call and Missed Call Notifications"
      )
    )
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Free subdomain host"
detection_methods:
  - "Sender analysis"
  - "URL analysis"
id: "0808411b-5765-5bef-ad52-5d55bd0f36dd"