alt Hacker NewsMaking a custom rule for a specific sender feels like fighting a fire with a glass of water.
It's better to focus on more systematic solutions. There exist a lot of them, SPF, DKIM, Recipient mail filtering (Your mail provider).
The screenshotted emails don't even do anything tricky like spoofing the sender address, it looks like "Sent from [email protected]". If it spoofed the domain it would have been caught by SPF/DKIM.
Most of the time the user doesn't need to do much, you can just be weary of sender domains, and report the email as phishing and help blacklist that specific IP address/domain. Similar to how in medicine sometimes the physician tells you to drink water and rest, no medicine needed, just let the immune system do its thing.
Replies
The first rule doesn't match a specific sender. Run it through a re2 regex tester.
As explained in the article, the scammers are using compromised Sendgrid domains to send the phishing emails. This means the emails are going to pass SPF/DKIM. Those domains are apparently owned by legitimate businesses which are actual Sendgrid customers. The phishers just compromised their account and API credentials