← Back to Explore
sublimehighRule
Hardbacon infrastructure abuse
Hardbacon is a defunct Canadian budgeting app. Attackers have been observed using their marketing platform to send credential phishing messages.
Detection Query
type.inbound
and sender.email.domain.root_domain in ('hardbacon.com', 'hardbacon.ca')
and headers.mailer == 'Sendinblue'
and headers.auth_summary.dmarc.pass
and headers.auth_summary.spf.pass
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Hardbacon infrastructure abuse"
description: "Hardbacon is a defunct Canadian budgeting app. Attackers have been observed using their marketing platform to send credential phishing messages."
type: "rule"
severity: "high"
source: |
type.inbound
and sender.email.domain.root_domain in ('hardbacon.com', 'hardbacon.ca')
and headers.mailer == 'Sendinblue'
and headers.auth_summary.dmarc.pass
and headers.auth_summary.spf.pass
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Header analysis"
- "Sender analysis"
id: "5330db42-10d2-5671-bcb2-a99449ac24c2"