Spam: BlackBaud infrastructure abuse

calendar Jan 17, 2024  ·
Share on: linkedin copy

Malvertising campaign has been observed abusing a compromised account with BlackBaud. These campaigns have been leveraging brands like Disney+, Netflix, Paramount+, Peacock, UPS, and impersonating the likeness of Elon Musk.

Sublime rule (View on GitHub)

 1name: "Spam: BlackBaud infrastructure abuse"
 2description: "Malvertising campaign has been observed abusing a compromised account with BlackBaud. These campaigns have been leveraging brands like Disney+, Netflix, Paramount+, Peacock, UPS, and impersonating the likeness of Elon Musk."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and regex.imatch(sender.email.email, 'communications[a-z]{4,}@.+')
 8  and any(headers.hops, any(.fields, strings.ilike(.name, "x-campaignid")))
 9  and any(headers.domains, strings.contains(.domain, "blackbaud.com"))
10  and regex.imatch(subject.subject, 'RE\s?:.*')
11  and (
12    length(headers.references) == 0
13    or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
14  )
15  and any(body.links, .display_text is null)  
16attack_types:
17  - "Spam"
18tactics_and_techniques:
19  - "Evasion"
20  - "Impersonation: Brand"
21  - "Image as content"
22  - "Social engineering"
23detection_methods:
24  - "Content analysis"
25  - "Header analysis"
26id: "3db46591-0bab-5ea3-afad-76c6a44eea94"
to-top