Description

Detects inbound messages that impersonate SendGrid through display name or domain manipulation, combined with security or authentication-themed content, while failing authentication checks and originating from untrusted sources.

References

No references.

Sublime Security
Created Mar 18th, 2025 • Last updated May 28th, 2025
Source
type.inbound
and (
  // display name contains sendgrid
  (
    strings.ilike(strings.replace_confusables(sender.display_name),
                  '*sendgrid*'
    )
    // levenshtein distance similar to sendgrid
    or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                            'sendgrid'
    ) <= 1
    // no display name, local_part contains sendgrid 
    or (
      strings.ilike(strings.replace_confusables(sender.email.local_part),
                    '*sendgrid*'
      )
      and (
        sender.display_name is null
        or strings.ilike(strings.replace_confusables(subject.subject),
                         '*sendgrid*'
        )
      )
    )
  )
)
and (
  any(beta.ml_topic(body.current_thread.text).topics,
      .name in (
        "Security and Authentication",
        "Secure Message",
        "Reminders and Notifications"
      )
      and .confidence in ("medium", "high")
  )
  or any(beta.ml_topic(beta.ocr(beta.message_screenshot()).text).topics,
         .name in (
           "Security and Authentication",
           "Secure Message",
           "Reminders and Notifications"
         )
         and .confidence in ("medium", "high")
  )
  or any(ml.nlu_classifier(body.current_thread.text).intents,
         .name == "cred_theft" and .confidence == "high"
  )
  or any(ml.nlu_classifier(beta.ocr(beta.message_screenshot()).text).intents,
         .name == "cred_theft" and .confidence == "high"
  )
)

// and the sender is not in org_domains or from sendgrid domains and passes auth
and not (
  sender.email.domain.root_domain in $org_domains
  or (
    sender.email.domain.root_domain in ("sendgrid.com")
    and headers.auth_summary.dmarc.pass
  )
)
// and the sender is not from high trust sender root domains
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().solicited
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.