
Summary
This rule detects inbound emails that originate from Mailgun’s sending infrastructure (an mg subdomain) and are sent from common bulk sender addresses, where the message body contains unresolved template placeholders such as [SOURCEID], known Mailgun campaign/list management links, or references to Mailgun-associated physical addresses. The match conditions require: (1) the message type is inbound; (2) the sender’s local-part is one of {info, no-reply, noreply} and the sender domain’s subdomain equals mg; and (3) at least one of the following: a link in the body pointing to a napp subdomain on the same root domain as the sender with a path starting with /campaigns/ or /lists/, the body text (current_thread.text) containing one of two Mailgun-related physical addresses, or the body text containing the literal placeholder “[SOURCEID]”. A match indicates automated bulk distribution with incomplete template rendering, or suspicious use of Mailgun infrastructure. The rule labels the activity as Credential Phishing, associates it with the tactics of brand impersonation, evasion, and social engineering, and relies on sender analysis, URL analysis, and content analysis as its detection methods.
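The three match conditions above, implemented as an added Python example (not the rule's own query or any vendor code) and run over constructed sample messages. The message dict shape, the helper names, and the two placeholder physical-address strings are assumptions; the page does not quote the actual addresses, and the domain split is a naive two-label root without a public-suffix list.

```python
from urllib.parse import urlparse

# Constructed example, not the rule's own code. Each message mirrors the
# fields the summary names: type, sender address, body text, body links.
BULK_LOCAL_PARTS = {"info", "no-reply", "noreply"}
# Placeholders: the page mentions two Mailgun-associated physical addresses
# without quoting them, so these stand in for the real strings.
MAILGUN_PHYSICAL_ADDRESSES = ("PLACEHOLDER_MAILGUN_ADDRESS_1", "PLACEHOLDER_MAILGUN_ADDRESS_2")

def split_host(host):
    """Return (subdomain, root_domain). Naive two-label root; no public-suffix list."""
    labels = host.lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def has_mailgun_campaign_link(links, sender_root):
    """True if a link sits on a 'napp' subdomain of the sender's root domain
    and its path starts with /campaigns/ or /lists/."""
    for url in links:
        parsed = urlparse(url)
        if not parsed.hostname:
            continue
        sub, root = split_host(parsed.hostname)
        if sub == "napp" and root == sender_root and parsed.path.startswith(("/campaigns/", "/lists/")):
            return True
    return False

def matches_rule(msg):
    """Apply the summary's three conditions; True means the rule fires."""
    if msg["type"] != "inbound":                                 # (1) inbound only
        return False
    local, _, host = msg["sender"].rpartition("@")
    sub, root = split_host(host)
    if local.lower() not in BULK_LOCAL_PARTS or sub != "mg":     # (2) bulk sender on mg subdomain
        return False
    text = msg["text"]                                           # (3) any one body indicator
    return (has_mailgun_campaign_link(msg["links"], root)
            or "[SOURCEID]" in text
            or any(addr in text for addr in MAILGUN_PHYSICAL_ADDRESSES))

# Constructed sample messages: the first two should match, the last two should not.
SAMPLES = [
    {"type": "inbound", "sender": "noreply@mg.example.com",
     "text": "Hi [SOURCEID], your account needs attention.", "links": []},
    {"type": "inbound", "sender": "info@mg.example.com", "text": "Manage your subscription.",
     "links": ["https://napp.example.com/campaigns/abc123/unsubscribe"]},
    {"type": "inbound", "sender": "noreply@mg.example.com", "text": "Plain newsletter.",
     "links": ["https://napp.other-domain.net/lists/xyz"]},      # different root domain
    {"type": "inbound", "sender": "info@example.com",            # no mg subdomain
     "text": "Hi [SOURCEID]", "links": []},
]

def evaluate_samples():
    return [matches_rule(m) for m in SAMPLES]

if __name__ == "__main__":
    print(evaluate_samples())  # [True, True, False, False]
```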
Categories
- Network
- Endpoint
Data Sources
- Network Traffic
Created: 2026-06-30