Spam: BlackBaud infrastructure abuse
A malvertising campaign has been observed abusing a compromised account with BlackBaud. These campaigns leverage brands such as Disney+, Netflix, Paramount+, Peacock and UPS, and impersonate the likeness of Elon Musk. The rule keys on the combination of a "communications..." sender local part, a campaign-platform header, BlackBaud infrastructure in the header domains, a subject that claims to be a reply ("RE:") without the threading headers a genuine reply carries, and at least one link with no display text (typically an image-only link).
Sublime rule:
```yaml
name: "Spam: BlackBaud infrastructure abuse"
description: "A malvertising campaign has been observed abusing a compromised account with BlackBaud. These campaigns leverage brands such as Disney+, Netflix, Paramount+, Peacock and UPS, and impersonate the likeness of Elon Musk."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and regex.imatch(sender.email.email, 'communications[a-z]{4,}@.+')
  and any(headers.hops, any(.fields, strings.ilike(.name, "x-campaignid")))
  and any(headers.domains, strings.contains(.domain, "blackbaud.com"))
  and regex.imatch(subject.subject, 'RE\s?:.*')
  and (
    length(headers.references) == 0
    or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )
  and any(body.links, .display_text is null)
attack_types:
  - "Spam"
tactics_and_techniques:
  - "Evasion"
  - "Impersonation: Brand"
  - "Image as content"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
id: "3db46591-0bab-5ea3-afad-76c6a44eea94"
```
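The MQL above only runs inside Sublime. As an added example written for this page (not Sublime's own code), the following Python applies the same conditions to two constructed messages: a brand-themed lure with a fake "RE:" subject, no threading headers and an image-only link, which the rule should flag, and an otherwise identical genuine reply carrying In-Reply-To and References, which it should not. Three platform fields are approximated, and those approximations are assumptions rather than Sublime semantics: headers.hops/.fields collapse to the message's top-level headers, headers.domains becomes a domain regex over every header value, and a null display_text becomes an `<a>` element with no text content. All sender addresses, hosts and header values in the samples are made up.

```python
"""Added example: Python re-implementation of the rule's checks (not Sublime's engine).
Assumptions: hops/.fields -> top-level headers; headers.domains -> domain regex over
header values; display_text is null -> <a> with no text content. Samples are constructed."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser

# regex.imatch in MQL matches the entire string, case-insensitively -> re.fullmatch
SENDER_RE = re.compile(r"communications[a-z]{4,}@.+", re.IGNORECASE)
SUBJECT_RE = re.compile(r"RE\s?:.*", re.IGNORECASE)
DOMAIN_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class _LinkExtractor(HTMLParser):
    """Collect (href, display_text) for every <a> in an HTML body; no text -> None."""

    def __init__(self):
        super().__init__()
        self.links, self._in_a, self._href, self._text = [], False, None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_a, self._href, self._text = True, dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._in_a:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._in_a:
            self.links.append((self._href, "".join(self._text).strip() or None))
            self._in_a = False


def header_domains(msg):
    """Approximation of headers.domains: every domain-looking token in any header value."""
    found = set()
    for _name, value in msg.items():
        found.update(d.lower() for d in DOMAIN_RE.findall(str(value)))
    return found


def body_links(msg):
    """Approximation of body.links: anchors parsed out of the HTML body part."""
    part = msg.get_body(preferencelist=("html",))
    if part is None:
        return []
    extractor = _LinkExtractor()
    extractor.feed(part.get_content())
    return extractor.links


def matches_rule(raw: bytes) -> bool:
    """Apply the rule's conditions in order; the first failed condition short-circuits."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    header_names = {name.lower() for name in msg.keys()}  # strings.ilike on .name
    _display, sender = parseaddr(str(msg.get("From", "")))
    if not SENDER_RE.fullmatch(sender):
        return False
    if "x-campaignid" not in header_names:
        return False
    if not any("blackbaud.com" in d for d in header_domains(msg)):
        return False
    if not SUBJECT_RE.fullmatch(str(msg.get("Subject", ""))):
        return False
    # Subject claims a reply; a real reply carries both References and In-Reply-To,
    # so the rule requires at least one of them to be missing.
    if msg.get("References") and "in-reply-to" in header_names:
        return False
    return any(text is None for _href, text in body_links(msg))


# Constructed sample: campaign-platform lure, fake "RE:", no threading, image-only link.
SPAM_SAMPLE = b"""Received: from mail.example-esp.test (mail.example-esp.test [192.0.2.10])
    by mx.recipient.test with ESMTP id abc123; Mon, 01 Jan 2024 00:00:00 +0000
Return-Path: <bounce@example.blackbaud.com>
From: "Disney+ Rewards" <communicationsteam@mail.example-esp.test>
To: victim@recipient.test
Subject: RE: Your Disney+ membership reward
X-CampaignId: 12345
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://example.test/claim"><img src="cid:offer"></a></body></html>
"""

# Constructed sample: same sender shape and subject, but a genuine reply with both
# In-Reply-To and References present, so the rule must not fire.
GENUINE_REPLY_SAMPLE = b"""Return-Path: <bounce@example.blackbaud.com>
From: "Support" <communicationsdesk@mail.example-esp.test>
To: victim@recipient.test
Subject: RE: Your Disney+ membership reward
X-CampaignId: 12345
In-Reply-To: <original@recipient.test>
References: <original@recipient.test>
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://example.test/claim"><img src="cid:offer"></a></body></html>
"""
```

Run `matches_rule(SPAM_SAMPLE)` to see the lure flagged and `matches_rule(GENUINE_REPLY_SAMPLE)` to see the threaded reply pass; removing the References header from the second sample makes it fire again, which is the "looks like a reply but is not threaded" signal the rule is built around.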