Medium Severity

Brand Impersonation: SendGrid

Labels

BEC/Fraud
Credential Phishing
Spam
Impersonation: Brand
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Optical Character Recognition
Sender analysis

Description

Detects inbound messages that impersonate SendGrid through display name or domain manipulation, combined with security or authentication-themed content, while failing authentication checks and originating from untrusted sources.

References

No references.

Sublime Security
Created Mar 18th, 2025 • Last updated May 28th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and (
  // display name contains sendgrid
  (
    strings.ilike(strings.replace_confusables(sender.display_name),
                  '*sendgrid*'
    )
    // levenshtein distance similar to sendgrid
    or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                            'sendgrid'
    ) <= 1
    // no display name, local_part contains sendgrid 
    or (
      strings.ilike(strings.replace_confusables(sender.email.local_part),
                    '*sendgrid*'
      )
      and (
        sender.display_name is null
        or strings.ilike(strings.replace_confusables(subject.subject),
                         '*sendgrid*'
        )
      )
    )
  )
)
and (
  any(beta.ml_topic(body.current_thread.text).topics,
      .name in (
        "Security and Authentication",
        "Secure Message",
        "Reminders and Notifications"
      )
      and .confidence in ("medium", "high")
  )
  or any(beta.ml_topic(beta.ocr(beta.message_screenshot()).text).topics,
         .name in (
           "Security and Authentication",
           "Secure Message",
           "Reminders and Notifications"
         )
         and .confidence in ("medium", "high")
  )
  or any(ml.nlu_classifier(body.current_thread.text).intents,
         .name == "cred_theft" and .confidence == "high"
  )
  or any(ml.nlu_classifier(beta.ocr(beta.message_screenshot()).text).intents,
         .name == "cred_theft" and .confidence == "high"
  )
)

// and the sender is not in org_domains or from sendgrid domains and passes auth
and not (
  sender.email.domain.root_domain in $org_domains
  or (
    sender.email.domain.root_domain in ("sendgrid.com")
    and headers.auth_summary.dmarc.pass
  )
)
// and the sender is not from high trust sender root domains
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().solicited
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started