Service Abuse: GoDaddy infrastructure

Detects messages from legitimate GoDaddy domains that carry suspicious indicators. This infrastructure has been observed being abused in callback phishing and extortion campaigns.


name: "Service Abuse: GoDaddy infrastructure"
description: "Detects messages from legitimate GoDaddy domains with suspicious indicators. Observed abused for call back phishing and extortion campaigns."
type: "rule"
severity: "medium"
# Detection logic (MQL). Structure: a scope gate on authenticated GoDaddy mail,
# a required payment/access call-to-action link, and then any one of several
# extortion or callback-phishing indicator groups.
source: |
  // inbound mail only
  type.inbound
  // attachment-free messages only; the lure this rule keys on is in the body links below
  and length(attachments) == 0
  // legitimate GoDaddy sending infrastructure
  // DMARC pass restricts matches to mail actually relayed through GoDaddy-authorized
  // infrastructure rather than a spoofed From domain -- the abuse case here is a
  // legitimate service being used to deliver the lure.
  and (
    sender.email.domain.root_domain == "godaddy.com"
    and headers.auth_summary.dmarc.pass
  )
  // required call-to-action link text (in~ is a case-insensitive match);
  // presumably the main false-positive control against routine GoDaddy notifications
  and any(body.links, .display_text in~ ("Pay Now", "Accept Access"))
  // at least one of the following indicator groups must also match
  and (
    // ML intent classifier over the current thread text, high-confidence hits only
    (
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name in~ ("callback_scam", "cred_theft", "extortion")
          and .confidence == "high"
      )
    )
    // manual extortion indicators
    or (
      // display name containing "big brother" or "seeing eye", with an optional
      // space or punctuation character between the words
      regex.icontains(sender.display_name,
                      'big(\s|[[:punct:]])?brother|seeing(\s|[[:punct:]])?eye'
      )
      // threat language: "I"/"you" within 25 characters of a leak/compromise/hack
      // style verb, or a "dirty secret" / "little secret" phrase
      or regex.icontains(body.current_thread.text,
                         '((I|you).{0,25}(leak|compromise|hack|see|record|expose))|(dirty|little) secret'
      )
    )
    // manual callback phishing indicators
    or (
      // phone number in display name or subject
      // [ilo0-9] also accepts the letters i, l and o as digit lookalikes, so a
      // number obfuscated with letters standing in for 1 or 0 still matches
      any([sender.display_name, subject.base],
          regex.icontains(.,
                          '\b\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}\b'
          )
      )
      // references commonly impersonated brands in body
      // replace_confusables normalizes homoglyphs before matching; in ilike
      // patterns '*' matches any run of characters and '?' exactly one character.
      // NOTE(review): because '?' is mandatory here, "PayPal" written with no
      // separator does not match, only forms like "Pay Pal" / "Pay-Pal" -- confirm intended
      or strings.ilike(strings.replace_confusables(body.current_thread.text),
                       "*Pay?Pal*",
                       "*Best?Buy*",
                       "*Geek?Squad*",
      )
    )
    // emojis in link display text
    // any single code point from the listed emoji/pictograph/symbol blocks
    // (\x{...} denotes a Unicode code point). Note this check and the Cloudflare
    // check below sit at the same level as the groups above, so either one alone
    // satisfies the indicator requirement.
    or any(body.links,
           regex.contains(.display_text,
                          '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
           )
    )
    // links leading to cloudflare R2 or edge services
    // matched on the root domain of each link's href
    or any(body.links,
           .href_url.domain.root_domain in~ ("r2.dev", "pages.dev", "workers.dev")
    )
  )  

attack_types:
  - "Callback Phishing"
  - "Extortion"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Natural Language Understanding"
  - "Content analysis"
id: "8a2dd357-3ecf-5d23-bcd8-d215a5f677dd"