[PR #3704] added rule: Service abuse: SendGrid impersonation via Sendgrid from new sender

github-actions[bot] · github-actions[bot] · commit 14656cd2d6d1 · 2025-12-22T17:24:53.000Z
diff --git a/detection-rules/3704_service_abuse_sendgrid_impersonation.yml b/detection-rules/3704_service_abuse_sendgrid_impersonation.yml
@@ -0,0 +1,53 @@
+name: "Service abuse: SendGrid impersonation via Sendgrid from new sender"
+description: "Detects messages impersonating SendGrid from new senders, while routing through legitimate SendGrid infrastructure. This pattern is commonly used to abuse trusted email services for malicious purposes."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  // SendGird impersonation patterns
+  and (
+    strings.ilike(strings.replace_confusables(sender.display_name), '*sendgrid*')
+    or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
+                            'sendgrid'
+    ) <= 1
+    or (
+      strings.ilike(strings.replace_confusables(sender.email.local_part),
+                    '*sendgrid*'
+      )
+      and (
+        sender.display_name is null
+        or strings.ilike(strings.replace_confusables(subject.base), '*sendgrid*')
+      )
+    )
+    or any(ml.logo_detect(file.message_screenshot()).brands,
+           .name == "SendGrid" and .confidence == "high"
+    )
+  )
+  // sent from sendgrid infra
+  and any(headers.domains,
+          strings.icontains(.domain, 'outbound-mail.sendgrid.net')
+  )
+  // not common senders with valid domains
+  // this catches cases where the domain is invalid and senders become common
+  and not (
+    profile.by_sender_email().prevalence == "common" and sender.email.domain.valid
+  )
+  
+  // negate legit sendgrid messages
+  and not (
+    sender.email.domain.domain == "sendgrid.com"
+    and coalesce(headers.auth_summary.dmarc.pass, false)
+  )
+
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Header analysis"
+  - "Sender analysis"
+id: "54311009-9116-555a-9aa2-a3304ae64208"
+og_id: "aa5d18ca-665a-5817-89d6-d76e29c44580"
+testing_pr: 3704
+testing_sha: 5d82bd62b7b09f98673c85d30ef6982164861eb6
