Service abuse: Sendgrid credential theft with personalized request targeting single recipient
Detects messages sent through Sendgrid from new sender domains that contain credential theft language with high confidence. The message targets a single recipient whose email address appears in both the message body and link display text, indicating personalization tactics commonly used in targeted attacks.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Social engineering |
Event coverage
Rule body MQL
```mql
type.inbound
// a single recipient
and length(recipients.to) == 1
// the domain is a first-time sender
and profile.by_sender_domain().prevalence == "new"
// sent from sendgrid
and any(headers.domains, .root_domain == "sendgrid.net")
// cred_theft intent
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence != "low"
)
// a request is within the display_text
and any(filter(ml.nlu_classifier(body.current_thread.text).entities,
               .name == "request"
        ),
        any(body.links, .display_text == ..text)
)
// the rcpt email address is in the body of the message, accounting for display_url, which also might include it
and (
  // number of occurrences of the rcpt email in the body
  strings.count(body.current_thread.text, recipients.to[0].email.email) >
  // number of links whose display_url contains the email
  length(filter(body.links,
                strings.contains(.display_url.url, recipients.to[0].email.email)
         )
  )
)
and not (
  strings.icontains(body.current_thread.text,
                    strings.concat('This message was generated automatically for ',
                                   recipients.to[0].email.email
                    )
  )
  or strings.icontains(body.current_thread.text,
                       strings.concat('This email was sent to ',
                                      recipients.to[0].email.email
                       )
  )
)
```
Detection logic
Scope: inbound message.
- inbound message
- length(recipients.to) is 1
- profile.by_sender_domain().prevalence is 'new'
- any of headers.domains where:
  - .root_domain is 'sendgrid.net'
- any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
  - .name is 'cred_theft'
  - .confidence is not 'low'
- any of filter(ml.nlu_classifier(body.current_thread.text).entities, .name is 'request') where:
  - any of body.links where:
    - .display_text is ..text (the text of the matched request entity)
- strings.count(body.current_thread.text, recipients.to[0].email.email) > length(filter(body.links, strings.contains(.display_url.url, recipients.to[0].email.email)))
- none of:
  - strings.icontains(body.current_thread.text, strings.concat('This message was generated automatically for ', recipients.to[0].email.email))
  - strings.icontains(body.current_thread.text, strings.concat('This email was sent to ', recipients.to[0].email.email))
Inspects: body.current_thread.text, body.links, body.links[].display_text, body.links[].display_url.url, headers.domains, headers.domains[].root_domain, recipients.to, recipients.to[0].email.email, type.inbound. Sensors: ml.nlu_classifier, profile.by_sender_domain, strings.concat, strings.contains, strings.count, strings.icontains.
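To make the recipient-personalization clauses concrete, here is an added Python model of the rule's body/link checks (illustrative code written for this page, not Sublime's engine or MQL). It assumes the Sendgrid, new-sender-domain and cred_theft-intent clauses have already matched, and takes the NLU "request" entity texts as a constructed input rather than calling a classifier.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    display_text: str   # body.links[].display_text
    url: str            # body.links[].display_url.url

@dataclass
class Message:
    recipients: list                                      # recipients.to[].email.email
    body_text: str                                        # body.current_thread.text
    links: list = field(default_factory=list)
    request_entities: list = field(default_factory=list)  # NLU "request" entity texts (assumed input)
# The two auto-generated footers the rule excludes via strings.icontains(body, strings.concat(prefix, rcpt)).
AUTO_FOOTERS = ("This message was generated automatically for ", "This email was sent to ")

def personalized_to_recipient(msg: Message) -> bool:
    """Recipient/link clauses only; Sendgrid, new-sender and cred_theft clauses are assumed matched."""
    if len(msg.recipients) != 1:  # length(recipients.to) == 1
        return False
    rcpt = msg.recipients[0]
    # strings.count(body, rcpt) > length(filter(body.links, strings.contains(.display_url.url, rcpt)))
    in_body = msg.body_text.count(rcpt)
    in_link_urls = sum(1 for link in msg.links if rcpt in link.url)
    if in_body <= in_link_urls:
        return False
    lowered = msg.body_text.lower()
    if any((prefix + rcpt).lower() in lowered for prefix in AUTO_FOOTERS):
        return False
    # some "request" entity's text must equal a link's display_text
    return any(link.display_text == ent for ent in msg.request_entities for link in msg.links)

# Constructed sample messages (not taken from the page).
RCPT = "jane.doe@example.com"
PHISH = Message([RCPT], f"Hi {RCPT}, your password expires today. Verify your account: {RCPT}",
                [Link("Verify your account", "https://u1.ct.sendgrid.net/ls/click?upn=abc")],
                ["Verify your account"])
# Address appears once and is also inside the tracking URL: count (1) is not > matching links (1).
NOTIFICATION = Message([RCPT], f"Your invoice is ready. This email was sent to {RCPT}",
                       [Link("View invoice", f"https://billing.example.net/u?e={RCPT}")],
                       ["View invoice"])
# Count check passes, but the auto-generated footer exclusion removes it.
FOOTER_ONLY = Message([RCPT], f"Reset your password. This email was sent to {RCPT}",
                      [Link("Reset your password", "https://example.org/reset")],
                      ["Reset your password"])

if __name__ == "__main__":
    for name, m in [("PHISH", PHISH), ("NOTIFICATION", NOTIFICATION), ("FOOTER_ONLY", FOOTER_ONLY)]:
        print(name, personalized_to_recipient(m))
```

The NOTIFICATION case shows why the rule compares the body count against links containing the address: a legitimate tracking URL that embeds the recipient would otherwise count as personalization.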
Indicators matched (3)
| Field | Match | Value |
|---|---|---|
| headers.domains[].root_domain | equals | sendgrid.net |
| ml.nlu_classifier(body.current_thread.text).intents[].name | equals | cred_theft |
| ml.nlu_classifier(body.current_thread.text).entities[].name | equals | request |