Service abuse: Sendgrid credential theft with personalized request targeting single recipient
Detects messages sent through Sendgrid from new sender domains that contain credential theft language with high confidence. The message targets a single recipient whose email address appears in both the message body and link display text, indicating personalization tactics commonly used in targeted attacks.
Detection Query
type.inbound
// a single recipient
and length(recipients.to) == 1
// the domain is a first time sender
and profile.by_sender_domain().prevalence == "new"
// sent from sendgrid
and any(headers.domains, .root_domain == "sendgrid.net")
// cred_theft intent
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence != "low"
)
// a request is within the display_text
and any(filter(ml.nlu_classifier(body.current_thread.text).entities,
               .name == "request"
        ),
        any(body.links, .display_text == ..text)
)
// the rcpt email address is in the body of the message, accounting for display_url, which also might include it
and (
  // number of occurrences of the rcpt email in the body
  strings.count(body.current_thread.text, recipients.to[0].email.email) >
  // number of links whose display_url contains the email
  length(filter(body.links,
                strings.contains(.display_url.url, recipients.to[0].email.email)
         )
  )
)
and not (
  strings.icontains(body.current_thread.text,
                    strings.concat('This message was generated automatically for ',
                                   recipients.to[0].email.email
                    )
  )
  or strings.icontains(body.current_thread.text,
                       strings.concat('This email was sent to ',
                                      recipients.to[0].email.email
                       )
  )
)
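The clause that is easiest to misread is the recipient-in-body check: the rule counts how often the recipient address appears in the thread text and requires that count to exceed the number of links whose visible URL contains it, so an address that is only present as a tracking parameter in a displayed URL does not count as personalization. The following Python is an added example, not part of the Sublime rule or its platform: it reimplements the rule's deterministic clauses over constructed messages (placeholder addresses and URLs), and supplies the `ml.nlu_classifier` intents and entities as constructed input because that classifier is a platform function.

```python
"""Added example (not part of the Sublime rule or platform): the rule's logic
reimplemented in Python over constructed messages, so the interplay of the
recipient-in-body count and the display_url accounting can be seen on data."""
from dataclasses import dataclass, field


@dataclass
class Link:
    display_text: str   # visible anchor text, as body.links[].display_text
    display_url: str    # visible URL text, as body.links[].display_url.url


@dataclass
class Message:
    # constructed stand-ins for the MQL fields the rule reads
    recipients_to: list[str]            # recipients.to[].email.email
    sender_domain_prevalence: str       # profile.by_sender_domain().prevalence
    header_root_domains: list[str]      # headers.domains[].root_domain
    body_text: str                      # body.current_thread.text
    links: list[Link] = field(default_factory=list)
    # constructed stand-ins for ml.nlu_classifier(...) output
    intents: list[tuple[str, str]] = field(default_factory=list)   # (name, confidence)
    entities: list[tuple[str, str]] = field(default_factory=list)  # (name, text)


# the two system-notification phrasings the rule excludes (matched case-insensitively)
BOILERPLATE_PREFIXES = (
    "This message was generated automatically for ",
    "This email was sent to ",
)


def email_in_body_outside_links(body_text: str, links: list[Link], rcpt: str) -> bool:
    """Mirror of the rule's count comparison: the recipient address must occur in
    the body more often than it appears inside visible link URLs, so a mere
    tracking parameter such as ?u=<email> does not count as personalization."""
    occurrences = body_text.count(rcpt)                                  # strings.count
    in_link_urls = sum(1 for link in links if rcpt in link.display_url)  # strings.contains
    return occurrences > in_link_urls


def is_boilerplate_mention(body_text: str, rcpt: str) -> bool:
    """strings.icontains(body, strings.concat(prefix, rcpt)) for each excluded prefix."""
    lowered = body_text.lower()
    return any((prefix + rcpt).lower() in lowered for prefix in BOILERPLATE_PREFIXES)


def request_matches_link_text(entities: list[tuple[str, str]], links: list[Link]) -> bool:
    """A 'request' entity whose text is exactly some link's display text."""
    request_texts = [text for name, text in entities if name == "request"]
    return any(link.display_text == text for text in request_texts for link in links)


def matches(msg: Message) -> bool:
    """True when every clause of the rule holds for the message."""
    if len(msg.recipients_to) != 1:
        return False
    rcpt = msg.recipients_to[0]
    if msg.sender_domain_prevalence != "new":
        return False
    if "sendgrid.net" not in msg.header_root_domains:
        return False
    if not any(name == "cred_theft" and conf != "low" for name, conf in msg.intents):
        return False
    if not request_matches_link_text(msg.entities, msg.links):
        return False
    if not email_in_body_outside_links(msg.body_text, msg.links, rcpt):
        return False
    if is_boilerplate_mention(msg.body_text, rcpt):
        return False
    return True


def sample_messages() -> dict[str, Message]:
    """Constructed test messages; the address, domain and URL are placeholders."""
    rcpt = "alice@example.com"
    url = "https://login.example.invalid/verify?u=" + rcpt
    link = Link(display_text="Review your account now", display_url=url)
    base = dict(
        sender_domain_prevalence="new",
        header_root_domains=["sendgrid.net", "example.invalid"],
        links=[link],
        intents=[("cred_theft", "high")],
        entities=[("request", "Review your account now")],
    )
    personalized = f"Hi {rcpt}, your password expires today.\nReview your account now\n{url}"
    return {
        # address in the greeting AND in the visible URL: 2 > 1, so the rule fires
        "personalized_phish": Message([rcpt], body_text=personalized, **base),
        # address only inside the visible URL: 1 > 1 is false, so no fire
        "email_only_in_url": Message([rcpt], body_text=f"Review your account now\n{url}", **base),
        # a system-notification footer explains the mention: excluded
        "boilerplate_footer": Message([rcpt], body_text=personalized + f"\nThis email was sent to {rcpt}", **base),
        # bulk send to two recipients: out of the rule's scope
        "two_recipients": Message([rcpt, "bob@example.com"], body_text=personalized, **base),
    }


if __name__ == "__main__":
    for label, msg in sample_messages().items():
        print(f"{label:20s} -> {matches(msg)}")
```

Only `personalized_phish` fires; the other three show why each guard clause is there. The `email_only_in_url` case is the one worth studying when tuning: without the subtraction of links whose displayed URL carries the address, every templated mailing with a `?u=<email>` style link would satisfy the personalization test.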
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Service abuse: Sendgrid credential theft with personalized request targeting single recipient"
description: "Detects messages sent through Sendgrid from new sender domains that contain credential theft language with high confidence. The message targets a single recipient whose email address appears in both the message body and link display text, indicating personalization tactics commonly used in targeted attacks."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // a single recipient
  and length(recipients.to) == 1
  // the domain is a first time sender
  and profile.by_sender_domain().prevalence == "new"
  // sent from sendgrid
  and any(headers.domains, .root_domain == "sendgrid.net")
  // cred_theft intent
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence != "low"
  )
  // a request is within the display_text
  and any(filter(ml.nlu_classifier(body.current_thread.text).entities,
                 .name == "request"
          ),
          any(body.links, .display_text == ..text)
  )
  // the rcpt email address is in the body of the message, accounting for display_url, which also might include it
  and (
    // number of occurrences of the rcpt email in the body
    strings.count(body.current_thread.text, recipients.to[0].email.email) >
    // number of links whose display_url contains the email
    length(filter(body.links,
                  strings.contains(.display_url.url, recipients.to[0].email.email)
           )
    )
  )
  and not (
    strings.icontains(body.current_thread.text,
                      strings.concat('This message was generated automatically for ',
                                     recipients.to[0].email.email
                      )
    )
    or strings.icontains(body.current_thread.text,
                         strings.concat('This email was sent to ',
                                        recipients.to[0].email.email
                         )
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "Content analysis"
id: "b9680da1-5fc8-5c11-9fd0-a2789a589bac"