• Sublime Core Feed
High Severity

Vendor Compromise: GovDelivery Message With Suspicious Link

Labels

Credential Phishing
Malware/Ransomware
Free subdomain host
IPFS
Social engineering
Evasion
Impersonation: Brand
Natural Language Understanding
URL analysis
Whois

Description

Detects messages from GovDelivery that contain links to non-government domains, URL shorteners, newly registered domains, or domains with suspicious redirects. GovDelivery is a digital communications system that lets government agencies send updates via email, text, and social media. We have observed compromised American municipal and county GovDelivery delivering phishing emails.

References

No references.

Sublime Security
Created May 5th, 2025 • Last updated Jun 4th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and (
  sender.email.domain.domain == "public.govdelivery.com"
  or any(headers.domains, .root_domain == "govdelivery.com")
)
and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
and length(body.links) < 10
and any(body.links,
        any(filter(regex.extract(.href_url.path, '/CL0/(?P<url>.*?)/1/'),
                   strings.parse_url(.named_groups["url"]).domain.root_domain not in (
                     "google.com",
                     "govdelivery.com",
                     "granicus.com",
                     "legistar1.com" // domain owned by granicus
                   )
                   and strings.parse_url(.named_groups["url"]).domain.tld not in (
                     "gov"
                   )
            ),
            // this is inside the filtered results to avoid flagging this condition on known link domains, as listed above
            strings.parse_url(.named_groups["url"]).domain.domain in $url_shorteners
            or strings.parse_url(.named_groups["url"]).domain.root_domain in $url_shorteners
            or strings.parse_url(.named_groups["url"]).domain.domain in $free_subdomain_hosts
            or strings.parse_url(.named_groups["url"]).domain.root_domain in $free_subdomain_hosts
            or network.whois(strings.parse_url(.named_groups["url"]).domain).days_old < 30
            or any(ml.link_analysis(strings.parse_url(.named_groups["url"])).redirect_history,
                   network.whois(.domain).days_old < 30
                   or strings.icontains(.domain.domain, "ipfs")
                   or regex.icontains(.query_params, '[\.-/]ipfs[\.-/]')
            )
            // page redirects to common website, observed when evasion happens
            or (
              length(ml.link_analysis(strings.parse_url(.named_groups["url"])).redirect_history
              ) > 1
              and ml.link_analysis(strings.parse_url(.named_groups["url"])).effective_url.domain.root_domain in $tranco_10k
            )
        )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started