From f1310369f0a291428bc2fbb15fe8fea16bfbf019 Mon Sep 17 00:00:00 2001
From: Luke Wescott <69780712+IndiaAce@users.noreply.github.com>
Date: Fri, 31 Oct 2025 12:56:39 -0400
Subject: [PATCH 1/2] Resolve FNs for sengrid impersonation

---
 .../brand_impersonation_sendgrid.yml | 42 ++++++++++++++++++-
 1 file changed, 40 insertions(+), 2 deletions(-)

diff --git a/detection-rules/brand_impersonation_sendgrid.yml b/detection-rules/brand_impersonation_sendgrid.yml
index a9307b031a1..a1f7648b0ad 100644
--- a/detection-rules/brand_impersonation_sendgrid.yml
+++ b/detection-rules/brand_impersonation_sendgrid.yml
@@ -46,6 +46,42 @@ source: |
 )
 )
 )
+ // NEW: Detect SendGrid content from non-SendGrid marketing platforms
+ or (
+ sender.email.domain.root_domain in (
+ "selfcast.com",
+ "mailchimp.com",
+ "constantcontact.com",
+ "hubspot.com",
+ "klaviyo.com",
+ "mailgun.com"
+ )
+ and (
+ (
+ (
+ strings.icontains(body.current_thread.text, "sendgrid")
+ or strings.icontains(subject.subject, "sendgrid")
+ )
+ and 3 of (
+ strings.icontains(body.current_thread.text, "webhook"),
+ strings.icontains(body.current_thread.text, "endpoint"),
+ strings.icontains(body.current_thread.text, "api"),
+ strings.icontains(body.current_thread.text, "delivery"),
+ strings.icontains(body.current_thread.text, "event notification")
+ )
+ )
+ and (
+ // Look for SendGrid-related content with non-SendGrid tracking links
+ any(body.links,
+ strings.icontains(.href_url.url, "selfcast.com")
+ or (
+ .display_url.url is not null
+ and strings.icontains(.display_url.url, "sendgrid.com")
+ )
+ )
+ )
+ )
+ )
 )
 and (
 // Content analysis using ML/NLU
@@ -54,7 +90,8 @@ source: |
 "Security and Authentication",
 "Secure Message",
 "Reminders and Notifications",
- "Software and App Updates"
+ "Software and App Updates",
+ "Customer Service and Support"
 )
 and .confidence in ("medium", "high")
 )
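Review bot: The link condition inside the new `any(body.links, ...)` clause is hard-coded to one domain, `strings.icontains(.href_url.url, "selfcast.com")`, while the sender gate above it lists six marketing platforms, so mail from the other five only fires through the display-URL branch and the clause reads as over-fit to the single sample that produced the false negative. Reusing the platform list on the link host, e.g. `.href_url.domain.root_domain in ("selfcast.com", "mailchimp.com", "constantcontact.com", "hubspot.com", "klaviyo.com", "mailgun.com")`, keeps the two halves of the branch consistent and also avoids a plain substring test that would match the domain anywhere in a URL's path or query. Separately, `strings.icontains(body.current_thread.text, "api")` matches as a substring of ordinary words (e.g. "rapid", "capital"), which weakens the `3 of` threshold; a word-bounded match such as `regex.icontains(body.current_thread.text, '\bapi\b')` would be tighter. The `source` expression this branch is inserted into begins before the hunk, so the rule's other gates (sender authentication, for instance) could not be checked here.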
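Review bot: Adding `"Customer Service and Support"` to the NLU topic list widens the content gate for every sender path the rule already covers, not only the marketing-platform branch introduced in the first hunk, because this `and (` clause sits after the closing of that `or (` group; the same addition is made in the hunk at `@@ -63,7 +100,8 @@`. Customer-support topics are common in legitimate ESP mail, so this likely raises false positives on the pre-existing paths; if the new topic is only needed for the marketing-platform branch, gating it inside that branch would be safer. The enclosing classifier expression begins before this hunk, so which field and threshold it applies to is inferred only from the visible `.confidence in ("medium", "high")` tail.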
@@ -63,7 +100,8 @@ source: |
 "Security and Authentication",
 "Secure Message",
 "Reminders and Notifications",
- "Software and App Updates"
+ "Software and App Updates",
+ "Customer Service and Support"
 )
 and .confidence in ("medium", "high")
 )

From d12c01e63bb08d835b3fb970eb7c2416c861b739 Mon Sep 17 00:00:00 2001
From: Luke Wescott <69780712+IndiaAce@users.noreply.github.com>
Date: Fri, 31 Oct 2025 13:00:07 -0400
Subject: [PATCH 2/2] Update brand_impersonation_sendgrid.yml

---
 detection-rules/brand_impersonation_sendgrid.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detection-rules/brand_impersonation_sendgrid.yml b/detection-rules/brand_impersonation_sendgrid.yml
index a1f7648b0ad..fe7308bd5b1 100644
--- a/detection-rules/brand_impersonation_sendgrid.yml
+++ b/detection-rules/brand_impersonation_sendgrid.yml
@@ -46,7 +46,7 @@ source: |
 )
 )
 )
- // NEW: Detect SendGrid content from non-SendGrid marketing platforms
+ // SendGrid content from non-SendGrid marketing platforms
 or (
 sender.email.domain.root_domain in (
 "selfcast.com",