Service abuse: SendGrid impersonation via Sendgrid from new sender

Detects messages that impersonate SendGrid and come from new senders while routing through legitimate SendGrid infrastructure. This pattern is a common way of abusing trusted email services for malicious purposes.

Sublime rule

 1name: "Service abuse: SendGrid impersonation via Sendgrid from new sender"
 2description: "Detects messages impersonating SendGrid from new senders, while routing through legitimate SendGrid infrastructure. This pattern is commonly used to abuse trusted email services for malicious purposes."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  // SendGird impersonation patterns
 8  and (
 9    strings.ilike(strings.replace_confusables(sender.display_name), '*sendgrid*')
10    or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
11                            'sendgrid'
12    ) <= 1
13    or (
14      strings.ilike(strings.replace_confusables(sender.email.local_part),
15                    '*sendgrid*'
16      )
17      and (
18        sender.display_name is null
19        or strings.ilike(strings.replace_confusables(subject.base), '*sendgrid*')
20      )
21    )
22    or any(ml.logo_detect(file.message_screenshot()).brands,
23           .name == "SendGrid" and .confidence == "high"
24    )
25  )
26  // sent from sendgrid infra
27  and any(headers.domains,
28          strings.icontains(.domain, 'outbound-mail.sendgrid.net')
29  )
30  // not common senders with valid domains
31  // this catches cases where the domain is invalid and senders become common
32  and not (
33    profile.by_sender_email().prevalence == "common" and sender.email.domain.valid
34  )
35  
36  // negate legit sendgrid messages
37  and not (
38    sender.email.domain.domain == "sendgrid.com"
39    and coalesce(headers.auth_summary.dmarc.pass, false)
40  )  
41
42attack_types:
43  - "Credential Phishing"
44tactics_and_techniques:
45  - "Impersonation: Brand"
46  - "Social engineering"
47detection_methods:
48  - "Header analysis"
49  - "Sender analysis"
50id: "aa5d18ca-665a-5817-89d6-d76e29c44580"