Sublime Core Feed
Severity: High

Service abuse: SendGrid-formatted link with actor-controlled fragment

Description

Detects inbound messages containing SendGrid or SendGrid-like click-tracking links whose URL fragment holds base64-encoded, zlib-compressed JSON. A fragment is never sent to the server, and when the tracking redirect's Location header carries no fragment of its own the browser re-applies the original one to the destination, so an actor can ride a legitimate email service's link while smuggling their own data to the landing page. This is a sign of legitimate email infrastructure being abused for malicious purposes.

References

No references.

Sublime Security
Created Nov 24th, 2025 • Last updated Nov 24th, 2025
Source
type.inbound
// keep the rule to low-volume messages; bulk mail with many tracked links is
// where SendGrid-shaped URLs are expected
and length(body.links) < 10
and any(body.links,
        // SendGrid click tracking uses the /ls/click path with a `upn` query
        // parameter; the same shape is matched on any host, since look-alike
        // tracking links have been abused the same way
        (
          .href_url.path == "/ls/click"
          or any(.href_url.query_params_decoded['upn'], . is not null)
        )
        // base64-encoded zlib-compressed JSON: zlib's default header
        // (0x78 0x9C) base64-encodes to the prefix "eJy"; the trailing .*
        // covers the remainder of the fragment
        and regex.match(.href_url.fragment, 'eJy.{7}A.*')
)
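The rule's per-link and per-message conditions, rewritten in Python as an added worked example (this is not Sublime's code and not part of the original page), together with a decoder that reverses the fragment to confirm it really is base64-encoded, zlib-compressed JSON, which the rule itself only pattern-matches. The sample links and payload are constructed here: the `u12345.ct.sendgrid.net` host and `TOKEN` value are placeholders, and the payload keys are arbitrary.

```python
"""Python mirror of the MQL heuristic above, plus a fragment decoder.
Added illustration; the sample data below is constructed, not captured."""
import base64
import binascii
import json
import re
import zlib
from urllib.parse import parse_qs, urlparse

# Same pattern as the rule. zlib's default header (0x78 0x9C) base64-encodes
# to "eJy" when the first deflate byte opens a fixed-Huffman block whose first
# literal is in the 'P'..'~' range, which covers JSON starting with '{'.
ZLIB_JSON_FRAGMENT = re.compile(r"eJy.{7}A.*")


def is_sendgrid_like(url: str) -> bool:
    """SendGrid click tracking uses <host>/ls/click?upn=<token>. Like the rule,
    treat either the path or a `upn` query parameter as a SendGrid-shaped link,
    on any host."""
    parts = urlparse(url)
    return parts.path == "/ls/click" or "upn" in parse_qs(parts.query)


def fragment_matches(url: str) -> bool:
    """MQL regex.match is evaluated against the whole fragment; fullmatch mirrors that."""
    return ZLIB_JSON_FRAGMENT.fullmatch(urlparse(url).fragment) is not None


def flags_link(url: str) -> bool:
    """Per-link condition of the rule: SendGrid-shaped AND suspicious fragment."""
    return is_sendgrid_like(url) and fragment_matches(url)


def evaluate(links, max_links: int = 10) -> bool:
    """Message-level condition: fewer than max_links links and at least one flagged."""
    return len(links) < max_links and any(flags_link(u) for u in links)


def decode_fragment(fragment: str):
    """Return the JSON object smuggled in the fragment, or None if any stage
    (base64, zlib, JSON) fails. Accepts standard or URL-safe base64 and
    tolerates stripped '=' padding, which URL fragments commonly drop."""
    padded = fragment + "=" * (-len(fragment) % 4)
    try:
        raw = base64.b64decode(padded, altchars=b"-_")
        obj = json.loads(zlib.decompress(raw))
    except (binascii.Error, zlib.error, ValueError):
        return None
    return obj if isinstance(obj, (dict, list)) else None


def encode_payload(obj) -> str:
    """JSON -> zlib -> base64, the shape the rule describes. Used here only to
    build constructed sample input."""
    return base64.b64encode(zlib.compress(json.dumps(obj).encode())).decode()


# Constructed sample data (hypothetical host, token and payload keys).
PAYLOAD = {"expAt": 1700000000, "url": "https://example.test/login"}
SAMPLE_LINKS = [
    # SendGrid-shaped link carrying a smuggled payload in the fragment -> flagged
    "https://u12345.ct.sendgrid.net/ls/click?upn=TOKEN#" + encode_payload(PAYLOAD),
    # Same tracking link without a fragment: ordinary tracked click -> not flagged
    "https://u12345.ct.sendgrid.net/ls/click?upn=TOKEN",
    # Suspicious fragment on a non-SendGrid-shaped link -> outside this rule's scope
    "https://example.test/page#" + encode_payload(PAYLOAD),
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(flags_link(link), decode_fragment(urlparse(link).fragment), link)
    print("message flagged:", evaluate(SAMPLE_LINKS))
```

The decoder is stricter than the rule on purpose: the MQL regex is a cheap prefix check that fires on anything whose first bytes look like a zlib stream, while `decode_fragment` proves the fragment is actually JSON and surfaces what the actor embedded, which is the useful artefact during triage. The third sample link shows the rule's deliberate scoping: a suspicious fragment alone is not enough, the link must also be SendGrid-shaped.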