diff --git a/detection-rules/headers_voicemail_sendgrid.yml b/detection-rules/headers_voicemail_sendgrid.yml
new file mode 100644
index 00000000000..b05f2b6d159
--- /dev/null
+++ b/detection-rules/headers_voicemail_sendgrid.yml
@@ -0,0 +1,22 @@
+name: "Sendgrid voicemail phish"
+description: |
+ The message may contain a fake voicemail notification being sent via Sendgrid.
+reference:
+ - "https://krebsonsecurity.com/2020/08/sendgrid-under-siege-from-hacked-accounts/comment-page-1/"
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and headers.return_path.domain.domain == 'sendgrid.net'
+ and strings.ilike(subject.subject, '*voicemail*', '*voice message*')
+ and any(ml.nlu_classifier(body.current_thread.text).intents, .name not in ("benign", "unknown"))
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
+id: "21cad89c-55e0-5cf1-8677-bf0242633a82"
+testing_pr: 765
+testing_sha: 5e3e9a5022bf388b9b0259d8dd013e9fd493527f
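Review bot: The only thing separating a phish from a legitimate voicemail notification in the `source` block is the final NLU intent clause, since the return-path equality and the subject wildcard will also match real VoIP vendors that relay through Sendgrid, and neither the rule nor its `description` says so. Suggest expanding `description` to state that the return-path match is a sender-infrastructure filter rather than an indicator on its own, and that the `.name not in ("benign", "unknown")` intent gate is what controls false positives, so a tuner knows which clause to adjust when benign notifications fire. The intent check also accepts any non-benign intent, not specifically credential-theft, so the `"Credential Phishing"` attack type is broader than what the logic pins down; worth a sentence in the description or a narrowing of the intent list if the classifier exposes one. Presumably return-path domains are normalized to lowercase before the `==` comparison — confirm, since the subject check is deliberately case-insensitive via `strings.ilike` while the domain check is not.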