
Service abuse: HungerRush domain with SendGrid tracking targeting ProtonMail

Sublime Rules

Summary
This rule flags inbound email where the sender's root domain is hungerrush.com and the message carries content signals that suggest a legitimate service is being abused for targeted outreach. Specifically, it requires three conditions to hold together:

  • the message is inbound and the sender's root domain is hungerrush.com;
  • the HTML body contains an open-tracking pixel hosted at sendgrid.net/wf/open, meaning SendGrid's open-tracking feature is being used to measure whether the message was opened;
  • the body text references ProtonMail addresses, whether the domain is written out explicitly (protonmail.com) or appears in a redacted or masked form.

Seen together, these signals point to misuse of a trusted platform (SendGrid) to deliver targeted messaging or fraud (BEC-like activity) at ProtonMail users or recipients. The rule therefore combines sender analysis (root-domain check), HTML analysis (presence of the tracking pixel) and content analysis (regex-based detection of ProtonMail references) to identify suspicious campaigns. Because a suspicious sender domain, tracking-pixel usage and targeting of a sensitive recipient population coincide, the rule is assigned high severity. The pattern matches a known evasion technique: leveraging legitimate services so the message appears legitimate while probing or targeting specific accounts or domains. Covering sender metadata, HTML content and text content means the rule can still fire when parts of the message are obfuscated or partially redacted.
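As an added illustration (not the Sublime rule's own source), the three checks above implemented in Python and run over a constructed sample message; the <img>-based pixel match, the naive root-domain extraction and the set of masked ProtonMail spellings are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Signal 1: the sender root domain named by the rule.
SENDER_ROOT_DOMAIN = "hungerrush.com"

# Signal 2: SendGrid open-tracking pixel in the HTML body. Assumed here to be an
# <img> whose src points at sendgrid.net/wf/open (any subdomain, any query string).
SENDGRID_OPEN_PIXEL = re.compile(
    r"""<img[^>]+src=["']?https?://[^"'>\s]*sendgrid\.net/wf/open[^"'>\s]*""",
    re.IGNORECASE,
)

# Signal 3: ProtonMail reference, explicit (protonmail.com) or masked. The masked
# spellings handled (protonmail[.]com, protonmail(.)com, "protonmail dot com") are an assumption.
PROTONMAIL_REF = re.compile(
    r"proton\s*mail\s*(?:\.|\[\.\]|\(\.\)|\s+dot\s+)\s*com", re.IGNORECASE
)

@dataclass
class Message:
    sender: str  # From header value, e.g. 'Orders <orders@mail.hungerrush.com>'
    html_body: str
    text_body: str

def sender_root_domain(sender: str) -> str:
    """Naive registrable domain: last two labels of the address domain (no PSL)."""
    domain = sender.rsplit("@", 1)[-1].strip().rstrip(">").lower()
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain

def signals(msg: Message) -> dict:
    """Evaluate the rule's three conditions separately so triage shows which ones hit."""
    return {
        "sender_is_hungerrush": sender_root_domain(msg.sender) == SENDER_ROOT_DOMAIN,
        "sendgrid_open_pixel": SENDGRID_OPEN_PIXEL.search(msg.html_body) is not None,
        "protonmail_reference": PROTONMAIL_REF.search(msg.text_body) is not None,
    }

def rule_matches(msg: Message) -> bool:
    """The rule fires only when all three signals are present together."""
    return all(signals(msg).values())

# Constructed sample with all three signals present (not a real message).
SAMPLE_HIT = Message(
    sender="Orders <orders@mail.hungerrush.com>",
    html_body='<p>Invoice attached.</p><img src="https://u1.ct.sendgrid.net/wf/open?upn=X" width="1" height="1">',
    text_body="Reply only to finance-desk@protonmail[.]com to release the payment.",
)
```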
Categories
  • Network
  • Endpoint
Data Sources
  • Domain Name
  • Process
Created: 2026-03-05