Spam: BlackBaud infrastructure abuse

A malvertising campaign has been observed abusing a compromised account with BlackBaud. These campaigns have been leveraging brands like Disney+, Netflix, Paramount+, Peacock, and UPS, and impersonating the likeness of Elon Musk.

Sublime rule

name: "Spam: BlackBaud infrastructure abuse"
description: "A malvertising campaign has been observed abusing a compromised account with BlackBaud. These campaigns have been leveraging brands like Disney+, Netflix, Paramount+, Peacock, and UPS, and impersonating the likeness of Elon Musk."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and regex.imatch(sender.email.email, 'communications[a-z]{4,}@.+')
  and any(headers.hops, any(.fields, strings.ilike(.name, "x-campaignid")))
  and any(headers.domains, strings.contains(.domain, "blackbaud.com"))
  and regex.imatch(subject.subject, 'RE\s?:.*')
  and (length(headers.references) == 0 or headers.in_reply_to is null)
  and any(body.links, .display_text is null)
attack_types:
  - "Spam"
tactics_and_techniques:
  - "Evasion"
  - "Impersonation: Brand"
  - "Image as content"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
id: "3db46591-0bab-5ea3-afad-76c6a44eea94"