Service abuse: Fake loan/funding verification lure via Mailgun

Detects inbound messages sent via Mailgun's sending infrastructure (mg subdomain) from common bulk sender addresses, where the body contains unresolved template placeholders like '[SOURCEID]', known Mailgun-associated physical addresses, or links pointing to Mailgun's campaign/list management subdomain (napp) on the same root domain as the sender. These indicators suggest automated bulk distribution with incomplete template rendering or suspicious infrastructure usage.

Sublime rule (View on GitHub)

 1name: "Service abuse: Fake loan/funding verification lure via Mailgun"
 2description: "Detects inbound messages sent via Mailgun's sending infrastructure (mg subdomain) from common bulk sender addresses, where the body contains unresolved template placeholders like '[SOURCEID]', known Mailgun-associated physical addresses, or links pointing to Mailgun's campaign/list management subdomain (napp) on the same root domain as the sender. These indicators suggest automated bulk distribution with incomplete template rendering or suspicious infrastructure usage."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and sender.email.local_part in~ ("info", "no-reply", "noreply")
 8  and sender.email.domain.subdomain == "mg"
 9  and (
10    any(body.links,
11        .href_url.domain.subdomain == "napp"
12        and .href_url.domain.root_domain == sender.email.domain.root_domain
13        and (
14          strings.istarts_with(.href_url.path, "/campaigns/")
15          or strings.istarts_with(.href_url.path, "/lists/")
16        )
17    )
18    or strings.icontains(body.current_thread.text,
19                         "12603 State Route 143 Suite G",
20                         "4049 US Highway 231 #2002 Wetumpka, AL 36093"
21    )
22    or strings.icontains(body.current_thread.text, "[SOURCEID]")
23  )   
24attack_types:
25  - "Credential Phishing"
26tactics_and_techniques:
27  - "Impersonation: Brand"
28  - "Evasion"
29  - "Social engineering"
30detection_methods:
31  - "Sender analysis"
32  - "URL analysis"
33  - "Content analysis"
34id: "53d13e00-48b7-542d-bb06-8b8d316229a3"
to-top