Small- and medium-sized businesses are being targeted in a phishing campaign that leverages the email service provider (ESP) SendGrid. SendGrid is a legitimate and well-known company that provides a customer communication platform for transactional and marketing email. SendGrid customer accounts are targeted to gain access to company mailing lists which can be used for a variety of email campaigns, such as phishing, spamming, and scams. In this campaign, the phishers compromise companies’ SendGrid accounts and use the ESP itself to send phishing emails. Emails sent through the SendGrid platform are likely to be trusted by email security solutions, especially as the compromised accounts will have been used to send communications in the past. SendGrid may even be whitelisted to ensure that the emails are always delivered to inboxes. SendGrid emails are also likely to be trusted by end users.

In this campaign, the emails use a security-themed lure and inform the recipients that they need to set up 2-factor authentication – a perfectly reasonable request since 2-FA will better protect accounts against unauthorized access. The users are provided with a link that directs them to a malicious website that spoofs the SendGrid login, and if credentials are entered, they are harvested by the scammer. The emails were routinely delivered to inboxes and evaded email security solutions because the SendGrid was trusted.

SendGrid performs stringent checks on new accounts so it is difficult for malicious actors to use SendGrid directly, instead they compromise business SendGrid accounts, often through phishing attacks. Twilio SendGrid detected the malicious activity linked to customer accounts that were being used for phishing, and its fraud, compliance, and cyber security teams immediately shut down accounts. To better protect SendGrid accounts, users are advised to log in to their account and set up 2-factor authentication to prevent compromised credentials from granting access to user accounts.

The campaign demonstrates that even emails from reliable sources may not be what they seem. Many companies provide security awareness training to their employees that teaches cybersecurity best practices and trains employees on how to recognize and avoid phishing. It is important to include these types of emails in training material, as ESPs are being increasingly targeted by cybercriminals due to the effectiveness of campaigns run through an ESP.

With SafeTitan, keeping employees up to date on the latest tactics used by phishers and other cybercriminals is easy. The training content is regularly updated with new phishing templates based on real-world attacks and the latest phishing trends, and phishing simulations can be conducted on employees to test how they respond to phishing attempts outside of the training environment. SafeTitan is the only security awareness training platform that delivers targeted training automatically in response to bad security practices by employees, ensuring training is provided at the moment when it is most likely to be taken on board.

Jennifer Marsh

With a background in software engineering, Jennifer Marsh has a passion for hacking and researching the latest cybersecurity trends. Jennifer has contributed to TechCrunch, Microsoft, IBM, Adobe, CloudLinux, and IBM. When Jennifer is not programming for her latest personal development project or researching the latest cybersecurity trends, she spends time fostering Corgis.