← Back to Explore
sublimehighRule
Service abuse: SendGrid-formatted link with actor-controlled fragment
Detects messages containing SendGrid or SendGrid-like links with base64-encoded zlib-compressed JSON in the URL fragment, indicating potential abuse of legitimate email services for malicious purposes.
Detection Query
type.inbound
and length(body.links) < 10
and any(body.links,
// SendGrid or SendGrid-like links have been abused
(
.href_url.path == "/ls/click"
or any(.href_url.query_params_decoded['upn'], . is not null)
)
// base64-encoded zlib-compressed JSON
and regex.match(.href_url.fragment, 'eJy.{7}A.*')
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Service abuse: SendGrid-formatted link with actor-controlled fragment"
description: "Detects messages containing SendGrid or SendGrid-like links with base64-encoded zlib-compressed JSON in the URL fragment, indicating potential abuse of legitimate email services for malicious purposes."
type: "rule"
severity: "high"
source: |
type.inbound
and length(body.links) < 10
and any(body.links,
// SendGrid or SendGrid-like links have been abused
(
.href_url.path == "/ls/click"
or any(.href_url.query_params_decoded['upn'], . is not null)
)
// base64-encoded zlib-compressed JSON
and regex.match(.href_url.fragment, 'eJy.{7}A.*')
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "Social engineering"
detection_methods:
- "Content analysis"
- "URL analysis"
id: "cb511fe9-ff90-572a-ba6d-15debadf9352"