sublime | high | Rule
Service abuse: HungerRush domain with SendGrid tracking targeting ProtonMail
Detects inbound messages from the hungerrush.com domain that contain SendGrid tracking pixels and reference redacted ProtonMail addresses, indicating potential abuse of legitimate services for suspicious targeting.
Detection Query
type.inbound
and sender.email.domain.root_domain == "hungerrush.com"
// html contains sendgrid open tracking pixel
and strings.icontains(body.html.raw, 'sendgrid.net/wf/open')
// body contains "redacted" proton email address
and regex.icontains(body.current_thread.text, '(?:\*\*|protonmail\.com)')
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Service abuse: HungerRush domain with SendGrid tracking targeting ProtonMail"
description: "Detects inbound messages from hungerrush.com domain that contain SendGrid tracking pixels and reference redacted ProtonMail addresses, indicating potential abuse of legitimate services for suspicious targeting."
type: "rule"
severity: "high"
source: |
  type.inbound
  and sender.email.domain.root_domain == "hungerrush.com"
  // html contains sendgrid open tracking pixel
  and strings.icontains(body.html.raw, 'sendgrid.net/wf/open')
  // body contains "redacted" proton email address
  and regex.icontains(body.current_thread.text, '(?:\*\*|protonmail\.com)')
attack_types:
- "BEC/Fraud"
tactics_and_techniques:
- "Evasion"
detection_methods:
- "Sender analysis"
- "HTML analysis"
- "Content analysis"
id: "73f62e74-2bbf-5adc-a48b-969fd1b29243"