diff --git a/detection-rules/brand_impersonation_sendgrid.yml b/detection-rules/brand_impersonation_sendgrid.yml
index a9307b031a1..fe7308bd5b1 100644
--- a/detection-rules/brand_impersonation_sendgrid.yml
+++ b/detection-rules/brand_impersonation_sendgrid.yml
@@ -46,6 +46,42 @@ source: |
 )
 )
 )
+ // SendGrid content from non-SendGrid marketing platforms
+ or (
+ sender.email.domain.root_domain in (
+ "selfcast.com",
+ "mailchimp.com",
+ "constantcontact.com",
+ "hubspot.com",
+ "klaviyo.com",
+ "mailgun.com"
+ )
+ and (
+ (
+ (
+ strings.icontains(body.current_thread.text, "sendgrid")
+ or strings.icontains(subject.subject, "sendgrid")
+ )
+ and 3 of (
+ strings.icontains(body.current_thread.text, "webhook"),
+ strings.icontains(body.current_thread.text, "endpoint"),
+ strings.icontains(body.current_thread.text, "api"),
+ strings.icontains(body.current_thread.text, "delivery"),
+ strings.icontains(body.current_thread.text, "event notification")
+ )
+ )
+ and (
+ // Look for SendGrid-related content with non-SendGrid tracking links
+ any(body.links,
+ strings.icontains(.href_url.url, "selfcast.com")
+ or (
+ .display_url.url is not null
+ and strings.icontains(.display_url.url, "sendgrid.com")
+ )
+ )
+ )
+ )
+ )
 )
 and (
 // Content analysis using ML/NLU
@@ -54,7 +90,8 @@ source: |
 "Security and Authentication",
 "Secure Message",
 "Reminders and Notifications",
- "Software and App Updates"
+ "Software and App Updates",
+ "Customer Service and Support"
 )
 and .confidence in ("medium", "high")
 )
@@ -63,7 +100,8 @@ source: |
 "Security and Authentication",
 "Secure Message",
 "Reminders and Notifications",
- "Software and App Updates"
+ "Software and App Updates",
+ "Customer Service and Support"
 )
 and .confidence in ("medium", "high")
 )
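Review bot: The `any(body.links, …)` check in the new third-party-platform branch hard-codes `"selfcast.com"` as the href match, so for the other five sender domains in the list (mailchimp.com, constantcontact.com, hubspot.com, klaviyo.com, mailgun.com) the branch can only fire through the `display_url` alternative, which does not look like what the "non-SendGrid tracking links" comment intends. If the goal is "the link goes to the sending platform rather than to SendGrid", the literal should be keyed to the sender, e.g. `.href_url.domain.root_domain == sender.email.domain.root_domain` (assuming MQL allows referencing message fields inside `any()`; otherwise repeat the sender list there), bearing in mind that these platforms often use separate click-tracking domains, so a domain match may still need those added. The `"api"` term in the `3 of` clause is a bare substring (`capital`, `rapidly`, `therapist` all satisfy it), and since the other terms are also common words, `regex.icontains(body.current_thread.text, '\bapi\b')` would keep the keyword count meaningful. The `source:` block this hunk edits starts before the hunk, so the outer conditions this `or (` branch is joined to are not visible here.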