From 76e562001e72563d58a225ed1f6bd86fb2bff43b Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Fri, 19 Dec 2025 09:26:33 -0600
Subject: [PATCH 1/3] Create service_abuse_sendgrid_free_email_provider.yml

---
 ...ice_abuse_sendgrid_free_email_provider.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 detection-rules/service_abuse_sendgrid_free_email_provider.yml

diff --git a/detection-rules/service_abuse_sendgrid_free_email_provider.yml b/detection-rules/service_abuse_sendgrid_free_email_provider.yml
new file mode 100644
index 00000000000..7a746ba8d73
--- /dev/null
+++ b/detection-rules/service_abuse_sendgrid_free_email_provider.yml
@@ -0,0 +1,19 @@
+name: "Service abuse: Free provider with SendGrid routing"
+description: "Message From header includes a free email provider domain but is routed through SendGrid infrastructure, indicating potential service abuse for delivery evasion."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and sender.email.domain.domain in $free_email_providers
+  and any(headers.domains, .root_domain == "sendgrid.net")
+
+tags:
+  - "Attack surface reduction"
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Free email provider"
+  - "Evasion"
+detection_methods:
+  - "Header analysis"
+  - "Sender analysis"

From 59685433b44b114d69e1406f94845d79b32e01a8 Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Fri, 19 Dec 2025 15:30:02 +0000
Subject: [PATCH 2/3] Auto add rule ID

---
 detection-rules/service_abuse_sendgrid_free_email_provider.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/detection-rules/service_abuse_sendgrid_free_email_provider.yml b/detection-rules/service_abuse_sendgrid_free_email_provider.yml
index 7a746ba8d73..e77ae92cc63 100644
--- a/detection-rules/service_abuse_sendgrid_free_email_provider.yml
+++ b/detection-rules/service_abuse_sendgrid_free_email_provider.yml
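Review bot: The `source` condition has no authentication or alignment check, so a message that the free provider genuinely sent and signed (DMARC pass) is treated the same as a SendGrid-originated message merely claiming that From domain; the only thing separating the two here is that a sendgrid.net domain appears somewhere in the headers. Many free-mail domains publish DMARC and a SendGrid-relayed spoof of such a From cannot align on SPF or DKIM, so gating on the authentication result, e.g. `and not headers.auth_summary.dmarc.pass` (confirm the exact field name against the engine's schema), would drop the authenticated cases while keeping the abuse the rule is after. Separately, `headers.domains` presumably spans every header field rather than only the Received chain or Return-Path, in which case a sendgrid.net host in a List-Unsubscribe or tracking-link header of an otherwise unrelated message satisfies the "routed through SendGrid" clause; if the engine exposes the Received or Return-Path domains, matching on those would fit the description more precisely.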
@@ -17,3 +17,4 @@ tactics_and_techniques:
 detection_methods:
   - "Header analysis"
   - "Sender analysis"
+id: "3079cacb-2ab9-533a-bced-59545bd54d63"

From aa0c9002c2b3782342e837e4d5cb569cd6157657 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Tue, 23 Dec 2025 12:38:58 -0600
Subject: [PATCH 3/3] Update service_abuse_sendgrid_free_email_provider.yml

---
 .../service_abuse_sendgrid_free_email_provider.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/detection-rules/service_abuse_sendgrid_free_email_provider.yml b/detection-rules/service_abuse_sendgrid_free_email_provider.yml
index e77ae92cc63..24e4335b0fb 100644
--- a/detection-rules/service_abuse_sendgrid_free_email_provider.yml
+++ b/detection-rules/service_abuse_sendgrid_free_email_provider.yml
@@ -6,6 +6,12 @@ source: |
   type.inbound
   and sender.email.domain.domain in $free_email_providers
   and any(headers.domains, .root_domain == "sendgrid.net")
+  and not any(ml.nlu_classifier(body.current_thread.text).intents,
+    .name == "benign"
+  )
+  and not any(ml.nlu_classifier(body.current_thread.text).topics,
+    .name == "Bounce Back and Delivery Failure Notifications"
+  )
 
 tags:
   - "Attack surface reduction"
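Review bot: The added `not any(ml.nlu_classifier(body.current_thread.text).intents, .name == "benign")` suppresses the alert whenever the classifier attaches a benign intent to the thread text, regardless of confidence, which gives the sender an evasion path: a SendGrid-relayed message spoofing a free-mail From with innocuous body copy and the payload in a link or attachment now passes even though the header signal the rule is built on has not changed. If the intent objects expose a confidence value, restrict the suppression to high-confidence benign classifications (the pattern I believe other rules in this set use, to be confirmed) so the body classifier only overrides the routing signal when it is sure. `ml.nlu_classifier(body.current_thread.text)` is also evaluated twice on the same text; unless the engine memoizes it, fold both exclusions onto a single evaluation or accept the duplicated cost knowingly. The `description` at the top of the file, outside this hunk, still presents the rule purely as From-domain plus SendGrid routing; append a clause such as `Excludes threads the NLU classifier marks as benign or as bounce/delivery-failure notifications.` so the suppression is visible to whoever triages the alert.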