From 5d82bd62b7b09f98673c85d30ef6982164861eb6 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Mon, 22 Dec 2025 11:16:20 -0600
Subject: [PATCH] Update service_abuse_sendgrid_impersonation.yml

---
 .../service_abuse_sendgrid_impersonation.yml | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/detection-rules/service_abuse_sendgrid_impersonation.yml b/detection-rules/service_abuse_sendgrid_impersonation.yml
index 719447375cd..3a7240e0d02 100644
--- a/detection-rules/service_abuse_sendgrid_impersonation.yml
+++ b/detection-rules/service_abuse_sendgrid_impersonation.yml
@@ -16,9 +16,7 @@ source: |
 )
 and (
 sender.display_name is null
- or strings.ilike(strings.replace_confusables(subject.base),
- '*sendgrid*'
- )
+ or strings.ilike(strings.replace_confusables(subject.base), '*sendgrid*')
 )
 )
 or any(ml.logo_detect(file.message_screenshot()).brands,
@@ -29,13 +27,16 @@ source: |
 and any(headers.domains,
 strings.icontains(.domain, 'outbound-mail.sendgrid.net')
 )
- // new senders only
- and profile.by_sender_email().prevalence == "new"
-
+ // not common senders with valid domains
+ // this catches cases where the domain is invalid and senders become common
+ and not (
+ profile.by_sender_email().prevalence == "common" and sender.email.domain.valid
+ )
+
 // negate legit sendgrid messages
 and not (
- sender.email.domain.domain == "sendgrid.com"
- and coalesce(headers.auth_summary.dmarc.pass, false)
+ sender.email.domain.domain == "sendgrid.com"
+ and coalesce(headers.auth_summary.dmarc.pass, false)
 )
 attack_types:
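Review bot: The new exclusion `and not (profile.by_sender_email().prevalence == "common" and sender.email.domain.valid)` in the second hunk may evaluate to null rather than true when the sender address has no parseable domain, since `sender.email.domain.valid` would then be null and the `and`/`not` could propagate it instead of letting the rule fire; the same hunk already guards a nullable field with `coalesce(headers.auth_summary.dmarc.pass, false)`, so writing `and coalesce(sender.email.domain.valid, false)` would keep the two exclusions consistent and make the invalid-domain case explicit. Replacing `prevalence == "new"` with this negation also widens the rule from new senders to every sender that is not both common and valid-domain (new, rare and uncommon senders included), which looks intended but is only half-described by the added comment; a comment such as `// fire on new/rare/uncommon senders, and on common senders whose domain is invalid` would record the scope change for the next tuning pass. The enclosing `source` block begins before the hunk, and the hunk's trailing context may run past the text shown here.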