Sublime Core Feed
Medium Severity

Service abuse: Free provider with SendGrid routing

Description

The message's From header uses a free email provider domain, but the message is routed through SendGrid infrastructure, indicating potential service abuse for delivery evasion.

References

No references.

Sublime Security
Created Jan 8th, 2026 • Last updated Jan 8th, 2026
Source
type.inbound
and sender.email.domain.domain in $free_email_providers
and any(headers.domains, .root_domain == "sendgrid.net")
and not any(ml.nlu_classifier(body.current_thread.text).intents,
            .name == "benign"
)
and not any(ml.nlu_classifier(body.current_thread.text).topics,
            .name == "Bounce Back and Delivery Failure Notifications"
)
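
The header conditions of the rule above, approximated in Python over constructed sample messages. This is an added example, not Sublime's code or part of the rule. The NLU classifier exclusions are not reproduced; `FREE_EMAIL_PROVIDERS` is a constructed subset standing in for `$free_email_providers`, and treating Received-header hostnames as `headers.domains` with a two-label root domain is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed subset standing in for Sublime's $free_email_providers list (assumption).
FREE_EMAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
ROUTING_ROOT = "sendgrid.net"
HOSTNAME_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def header_domains(msg):
    """Hostnames seen in Received headers (rough analogue of headers.domains)."""
    found = set()
    for value in msg.get_all("Received", []):
        found.update(h.lower() for h in HOSTNAME_RE.findall(value))
    return found

def root_domain(host):
    """Naive registrable domain: the last two labels. Sufficient for sendgrid.net;
    a general implementation needs the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def free_provider_via_sendgrid(raw_eml):
    """True when the From domain is a free provider and a hop is under sendgrid.net."""
    msg = message_from_string(raw_eml)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain not in FREE_EMAIL_PROVIDERS:
        return False
    return any(root_domain(h) == ROUTING_ROOT for h in header_domains(msg))

def sample(from_addr, relay_host):
    """Build a constructed test message (not real traffic)."""
    return (f"Received: from {relay_host} ({relay_host} [192.0.2.10])\n"
            f" by mx.recipient.example with ESMTPS; Thu, 08 Jan 2026 10:00:00 +0000\n"
            f"From: Billing <{from_addr}>\nTo: user@recipient.example\n"
            f"Subject: Invoice\n\nPlease review the attached invoice.\n")

# Constructed cases: free provider via SendGrid, free provider sent directly,
# and a non-free sender domain using SendGrid legitimately.
SUSPECT = sample("billing.dept@gmail.com", "o1.ptr1234.sendgrid.net")
DIRECT = sample("billing.dept@gmail.com", "mail-sor-f41.google.com")
CORPORATE = sample("billing@corp.example", "o1.ptr1234.sendgrid.net")

if __name__ == "__main__":
    for name, eml in (("SUSPECT", SUSPECT), ("DIRECT", DIRECT), ("CORPORATE", CORPORATE)):
        print(name, free_provider_via_sendgrid(eml))
```

Only the first message matches. A relay name that merely contains the string, such as a host under `sendgrid.net.attacker.example`, does not match because the comparison is on the root domain rather than a substring.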