Service abuse: SendGrid-formatted link with actor-controlled fragment

Detects inbound messages containing SendGrid or SendGrid-like click-tracking links (the `/ls/click` path or a `upn` query parameter) whose URL fragment is base64-encoded, zlib-compressed JSON; a base64 string beginning `eJy` is the signature of zlib's default header bytes 78 9c. A URL fragment is never sent to the server, so the click tracker neither sees nor strips it, and browsers carry it across the redirect to the final landing page. That lets an actor pass an arbitrary payload through a legitimate email service's link, which is the abuse the rule name refers to.

Sublime rule

name: "Service abuse: SendGrid-formatted link with actor-controlled fragment"
description: "Detects messages containing SendGrid or SendGrid-like links with base64-encoded zlib-compressed JSON in the URL fragment, indicating potential abuse of legitimate email services for malicious purposes."
type: "rule"
severity: "high"
source: |
  type.inbound
  // few-link messages only; bulk mail commonly carries many tracked links
  and length(body.links) < 10
  and any(body.links,
          // SendGrid or SendGrid-like links have been abused
          (
            .href_url.path == "/ls/click"
            or any(.href_url.query_params_decoded['upn'], . is not null)
          )
          // base64-encoded zlib-compressed JSON: "eJy" is the base64 form of
          // the zlib header 78 9c; the fragment is never sent to the tracker
          and regex.match(.href_url.fragment, 'eJy.{7}A.*')
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "URL analysis"
id: "cb511fe9-ff90-572a-ba6d-15debadf9352"
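The rule's conditions, re-implemented in Python as an added example (not Sublime's engine and not the rule's own code) and run over constructed sample messages: `build_fragment` produces the base64/zlib/JSON shape the rule keys on, `decode_fragment` reverses it so a responder can see what an observed fragment carries, and `rule_matches` applies the three gates (inbound, fewer than ten links, a SendGrid-style link whose fragment matches the pattern). Sublime's `regex.match` is modelled as a full-string match (`re.fullmatch`), which is why the pattern ends in `.*`; the message layout, the hostnames and the sample payload are assumptions made for this example.

```python
"""Added example: the rule's conditions re-implemented in Python and run over
constructed sample messages.  Not Sublime's engine and not the rule's own code;
message layout, hostnames and payload are assumptions made for the example."""
import base64
import json
import re
import zlib
from urllib.parse import parse_qs, urlparse

# The rule's pattern.  Sublime's regex.match is modelled as a full-string
# match (re.fullmatch), so the trailing `.*` covers the rest of the fragment.
FRAGMENT_RE = re.compile(r"eJy.{7}A.*")


def build_fragment(payload: dict) -> str:
    """JSON -> zlib (default level, header 78 9c) -> base64, the shape the
    description names.  A short JSON object compresses to a fixed-Huffman
    block and base64-encodes to `eJyr...`."""
    raw = json.dumps(payload, separators=(",", ":")).encode()
    return base64.b64encode(zlib.compress(raw)).decode()


def decode_fragment(fragment: str):
    """Reverse of build_fragment, for triage of an observed link.  Returns
    None when the fragment is not base64/zlib/JSON."""
    try:
        return json.loads(zlib.decompress(base64.b64decode(fragment)))
    except (ValueError, zlib.error):
        return None


def is_sendgrid_style(href: str) -> bool:
    """The rule's two SendGrid indicators: the /ls/click path, or a non-empty
    `upn` query parameter (parse_qs drops blank values, like `is not null`)."""
    url = urlparse(href)
    return url.path == "/ls/click" or bool(parse_qs(url.query).get("upn"))


def link_is_suspicious(href: str) -> bool:
    """SendGrid-style link whose fragment carries the compressed-JSON shape."""
    fragment = urlparse(href).fragment
    return is_sendgrid_style(href) and FRAGMENT_RE.fullmatch(fragment) is not None


def rule_matches(message: dict) -> bool:
    """message = {"inbound": bool, "links": [href, ...]} (assumed layout)."""
    links = message["links"]
    return (
        message["inbound"]
        and len(links) < 10
        and any(link_is_suspicious(href) for href in links)
    )


# Constructed sample payload; its compressed, base64-encoded form starts
# "eJyrVkqtKPAt", so the `A` at offset 10 satisfies the rule's pattern.
PAYLOAD = {"expMs": 17, "u": "bob"}
# Constructed SendGrid-style click-tracking link (hostname and upn invented).
TRACKER = "https://u1234567.ct.sendgrid.net/ls/click?upn=u001.abcDEF"
ABUSED = TRACKER + "#" + build_fragment(PAYLOAD)

SAMPLES = {
    # tracked link with the payload smuggled in the fragment
    "phish": {"inbound": True, "links": [ABUSED]},
    # ordinary SendGrid click tracking: same path and upn, no fragment
    "legit_tracking": {"inbound": True, "links": [TRACKER]},
    # same fragment on a non-SendGrid link: neither indicator present
    "other_host": {"inbound": True,
                   "links": ["https://example.com/go#" + build_fragment(PAYLOAD)]},
    # newsletter-sized message (10 links): the link-count gate skips it
    "many_links": {"inbound": True,
                   "links": [ABUSED] + ["https://example.com/%d" % i for i in range(9)]},
    # outbound copy of the phish: the rule is inbound-only
    "outbound": {"inbound": False, "links": [ABUSED]},
}


def evaluate(samples=SAMPLES) -> dict:
    """Sample name -> whether the rule fires on it."""
    return {name: rule_matches(msg) for name, msg in samples.items()}


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:15} {'FIRE' if fired else '-'}")
    print("fragment:", build_fragment(PAYLOAD))
    print("decoded :", decode_fragment(build_fragment(PAYLOAD)))
```

Only the `phish` sample fires. The legitimate tracking link has the same path and `upn` but no fragment; moving the same fragment onto a non-SendGrid URL removes both service indicators; a ten-link message is dropped by the link-count gate before any link is inspected. During triage, `decode_fragment` on the fragment of a flagged link shows the JSON the actor pushed through the tracker.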