Medium Severity

Service abuse: Task management message sent via SendGrid

Labels

Credential Phishing

Impersonation: Brand

Description

Detects messages impersonating task or productivity applications by using 'todo list' in the subject line or body while utilizing SendGrid infrastructure. The sender claims to be task-related through display name or body content but originates from non-legitimate domains without proper DMARC authentication.

References

No references.

Sublime Security

Created Oct 6th, 2025 • Last updated Oct 6th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
// subject contains "todo list"
and (
  regex.icontains(subject.subject, "T[0o][-\\s]*D[o0][-\\s]*L[I1l]ST")
  // or we can check the body for todo list content with high cred_theft intent
  or (
    regex.icontains(body.current_thread.text,
                    "T[0o][-\\s]*D[o0][-\\s]*L[I1l]ST"
    )
    and any(ml.nlu_classifier(body.current_thread.text).intents,
            .name == "cred_theft" and .confidence == "high"
    )
  )
)
// utilizing sendgrid infra
and headers.return_path.domain.domain == "sendgrid.net"
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.