Sublime Core Feed
Medium Severity

Service abuse: Trello board invitation with VIP impersonation

Description

Detects fraudulent Trello board invitations that impersonate organization VIPs: the board title begins with an organization domain name, or the invite carries a note purportedly written by a legitimate company executive.

References

No references.

Sublime Security
Created Sep 17th, 2025 • Last updated Sep 17th, 2025
Source
type.inbound
and sender.email.domain.root_domain == "trello.com"
and any(headers.hops,
        any(.fields,
            .name =~ "X-Msys-Api"
            and strings.icontains(.value, 'campaign_id":"invite_board_')
        )
)

// inspect the body for two observed patterns
and (
    // org_sld as the start of the board name with the org_vip as the sender
  any(html.xpath(body.html, '//h2').nodes,
      // org vip
      any($org_vips, strings.icontains(..display_text, .display_name))
      // org sld as the board name
      and any($org_slds,
              strings.icontains(..display_text,
                                strings.concat('invited you to their board ', .)
              )
      )
  )
  // note block that starts with `A note from `, ends in `From`, and names an org_vip
  or any(html.xpath(body.html,
                    '//div[img[@class="trello-member-avatar"]]/parent::div'
         ).nodes,
         strings.starts_with(.display_text, 'A note from ')
         and strings.iends_with(.display_text, 'From')
         and any($org_vips, strings.icontains(..display_text, .display_name))
  )
)
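
An added example, not part of the Sublime rule or its feed: a Python port of the rule's header and body checks, run over a constructed sample message so the two body patterns can be exercised offline. The VIP display name, the org domain label, and the pre-extracted h2 and note texts (what the rule's html.xpath(...).display_text would yield) are all constructed assumptions.

```python
# Constructed stand-ins for the rule's $org_vips and $org_slds lists
ORG_VIPS = [{"display_name": "Jane Doe"}]
ORG_SLDS = ["examplecorp"]

def trello_invite_header(hops):
    """Header check: any hop carries X-Msys-Api with an invite_board campaign id."""
    return any(name.lower() == "x-msys-api"
               and 'campaign_id":"invite_board_' in value.lower()
               for fields in hops for name, value in fields)

def h2_pattern(h2_texts, org_vips=ORG_VIPS, org_slds=ORG_SLDS):
    """Pattern 1: an <h2> naming an org VIP and 'invited you to their board <org_sld>'."""
    return any(
        any(v["display_name"].lower() in t.lower() for v in org_vips)
        and any(("invited you to their board " + s).lower() in t.lower() for s in org_slds)
        for t in h2_texts)

def note_pattern(note_texts, org_vips=ORG_VIPS):
    """Pattern 2: an avatar note block 'A note from ...' ending in 'From' that names a VIP."""
    return any(
        t.startswith("A note from ") and t.lower().endswith("from")
        and any(v["display_name"].lower() in t.lower() for v in org_vips)
        for t in note_texts)

def rule_matches(msg):
    """Whole rule: inbound, sent by trello.com, invite_board campaign, and either body pattern."""
    return (msg["inbound"]
            and msg["sender_root_domain"] == "trello.com"
            and trello_invite_header(msg["hops"])
            and (h2_pattern(msg["h2_texts"]) or note_pattern(msg["note_texts"])))

# Constructed sample: a VIP-impersonating invite (h2 names the VIP and the org domain label)
SAMPLE_IMPERSONATION = {
    "inbound": True,
    "sender_root_domain": "trello.com",
    "hops": [[("X-Msys-Api", '{"campaign_id":"invite_board_v2"}')]],
    "h2_texts": ["Jane Doe invited you to their board examplecorp Q3 payroll"],
    "note_texts": ["A note from Jane Doe: approve the vendor list today. From"],
}
# Constructed sample: a genuine-looking invite with no VIP name or org domain label
SAMPLE_BENIGN = {
    "inbound": True,
    "sender_root_domain": "trello.com",
    "hops": [[("X-Msys-Api", '{"campaign_id":"invite_board_v2"}')]],
    "h2_texts": ["Sam Lee invited you to their board Weekend plans"],
    "note_texts": ["A note from Sam Lee: bring snacks. From"],
}
```

Each pattern is exposed as its own function so a tuning change to one (for example the `From` suffix check) can be tested in isolation before editing the MQL.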