Service abuse: SendGrid impersonation via Sendgrid from new sender
Detects messages that impersonate SendGrid, come from new senders, and are routed through legitimate SendGrid infrastructure. This pattern is commonly used to abuse trusted email services for malicious purposes.
Detection Query
// Only inbound messages are evaluated.
type.inbound
// SendGrid impersonation patterns: any one of the display-name, local-part
// or logo signals below is sufficient.
and (
  // Display name contains "sendgrid" (case-insensitive) after confusable
  // characters are normalised by replace_confusables.
  strings.ilike(strings.replace_confusables(sender.display_name), '*sendgrid*')
  // Display name within one edit of "sendgrid" (a single added, dropped or
  // substituted character), again after confusable normalisation.
  or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                          'sendgrid'
  ) <= 1
  // Local part contains "sendgrid", but only when there is no display name
  // at all or the subject also contains "sendgrid" (presumably to avoid
  // firing on addresses that merely mention sendgrid).
  or (
    strings.ilike(strings.replace_confusables(sender.email.local_part),
                  '*sendgrid*'
    )
    and (
      sender.display_name is null
      or strings.ilike(strings.replace_confusables(subject.base), '*sendgrid*')
    )
  )
  // The SendGrid logo is detected with high confidence in a rendered
  // screenshot of the message.
  or any(ml.logo_detect(file.message_screenshot()).brands,
         .name == "SendGrid" and .confidence == "high"
  )
)
// Sent from SendGrid infrastructure: some header domain contains
// outbound-mail.sendgrid.net. This is a case-insensitive substring match,
// not an exact or suffix match.
and any(headers.domains,
        strings.icontains(.domain, 'outbound-mail.sendgrid.net')
)
// Exclude common senders with valid domains. Because the domain must also be
// valid, a sender that became common on an invalid domain is still evaluated.
and not (
  profile.by_sender_email().prevalence == "common" and sender.email.domain.valid
)
// Exclude legitimate SendGrid mail: sender domain is sendgrid.com and DMARC
// passed. coalesce() maps a missing DMARC result to false, so sendgrid.com
// mail without a DMARC pass is not exempted.
and not (
  sender.email.domain.domain == "sendgrid.com"
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
# Sublime detection rule: SendGrid brand impersonation (display name,
# local part, subject or detected logo) routed through SendGrid's own
# outbound infrastructure, excluding common-prevalence senders on valid
# domains and DMARC-passing sendgrid.com mail.
name: "Service abuse: SendGrid impersonation via Sendgrid from new sender"
description: "Detects messages impersonating SendGrid from new senders, while routing through legitimate SendGrid infrastructure. This pattern is commonly used to abuse trusted email services for malicious purposes."
type: "rule"
severity: "high"
# MQL detection logic; the block scalar below is the query text verbatim.
source: |
  type.inbound
  // SendGird impersonation patterns
  and (
    strings.ilike(strings.replace_confusables(sender.display_name), '*sendgrid*')
    or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                            'sendgrid'
    ) <= 1
    or (
      strings.ilike(strings.replace_confusables(sender.email.local_part),
                    '*sendgrid*'
      )
      and (
        sender.display_name is null
        or strings.ilike(strings.replace_confusables(subject.base), '*sendgrid*')
      )
    )
    or any(ml.logo_detect(file.message_screenshot()).brands,
           .name == "SendGrid" and .confidence == "high"
    )
  )
  // sent from sendgrid infra
  and any(headers.domains,
          strings.icontains(.domain, 'outbound-mail.sendgrid.net')
  )
  // not common senders with valid domains
  // this catches cases where the domain is invalid and senders become common
  and not (
    profile.by_sender_email().prevalence == "common" and sender.email.domain.valid
  )
  // negate legit sendgrid messages
  and not (
    sender.email.domain.domain == "sendgrid.com"
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
# Classification metadata for the rule.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
# Stable identifier for this rule.
id: "aa5d18ca-665a-5817-89d6-d76e29c44580"