Service abuse: Trello board invitation with VIP impersonation

Detects fraudulent Trello board invitations that impersonate organization VIPs by using organization domain names in board titles and including notes purportedly from legitimate company executives.

Sublime rule

 1name: "Service abuse: Trello board invitation with VIP impersonation"
 2description: "Detects fraudulent Trello board invitations that impersonate organization VIPs by using organization domain names in board titles and including notes purportedly from legitimate company executives."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and sender.email.domain.root_domain == "trello.com"
 8  // inspect the hops for two observed patterns
 9  and any(headers.hops,
10          any(.fields,
11              // X-Msys-Api with campaign_id
12              (
13                .name =~ "X-Msys-Api"
14                and strings.icontains(.value, 'campaign_id":"invite_board_')
15              )
16              // X-Atl-Po-Triggerid with trello and invite board
17              or (
18                .name == "Feedback-Id"
19                and strings.icontains(.value, 'trello')
20                and regex.icontains(.value, 'invite[_-]board')
21              )
22          )
23  )
24  
25  // inspect the body for two observed patterns
26  and (
27    // org_sld as the start of the board name with the org_vip as the sender
28    any(html.xpath(body.html, '//h2').nodes,
29        // org vip
30        any($org_vips, strings.icontains(..display_text, .display_name))
31        // org sld as the board name
32        and any($org_slds,
33                strings.icontains(..display_text,
34                                  strings.concat('invited you to their board ', .)
35                )
36        )
37    )
38    // pattern of the first name ending in `From` after the org_vip display name
39    or any(html.xpath(body.html,
40                      '//div[img[@class="trello-member-avatar"]]/parent::div'
41           ).nodes,
42           strings.starts_with(.display_text, 'A note from ')
43           and strings.iends_with(.display_text, 'From')
44           and any($org_vips, strings.icontains(..display_text, .display_name))
45    )
46  )  
47attack_types:
48  - "Credential Phishing"
49tactics_and_techniques:
50  - "Impersonation: VIP"
51  - "Social engineering"
52detection_methods:
53  - "Content analysis"
54  - "Header analysis"
55  - "HTML analysis"
56  - "Sender analysis"
57id: "fedfc94b-4a33-57e0-a891-1af92aec6ddb"