Phishing emails often spoof a company and include its logos and branding, but one of the red flags that allow these emails to be identified by users is the email address used in the campaign is set up on a domain unrelated to the brand being spoofed. For instance, a phishing email spoofing FedEx is sent from a Gmail account. Oftentimes, a display name is created that makes the email appear to come from a genuine account used by the spoofed company – FedEx customer service for instance – but a quick check will reveal the actual email address used, allowing users to identify the phishing attack.

However, these checks sometimes fail, as highlighted by a recent phishing campaign that impersonated the logistics company DHL and the software cryptocurrency wallet provider, MetaMask that targeted customers of the domain registrar Namecheap. The emails originated from the legitimate customer communication platform SendGrid, which Namecheap uses for sending marketing communications and renewal notices to customers. Namecheap responded quickly when the attack was identified and disabled the accounts, but not in time to prevent many phishing emails from being sent.

The emails spoofing DHL included the DHL Express logo and warned recipients that their parcel was not able to be delivered because the sender did not pay the necessary delivery fees, as such, the parcel has been retained at the delivery depot and will not be released until the delivery fees are paid.

The MetaMask emails purported to be a Know Your Customer verification request, which required the recipient to verify their identity to prevent their account from being suspended. If the verification is not completed, the emails claimed, users would be unable to withdraw or transfer funds without interruption.

In both cases, the emails included a link that the users were required to click to complete the request – a Namecheap.com marketing link that redirected users to a phishing page on an unrelated domain. This was not a data breach at Namecheap, but at the third-party system the company uses for sending emails – SendGrid. It is currently unclear how SendGrid was hijacked to send the phishing emails.

Phishing emails may be sent from legitimate company email accounts, either an account at the actual company being spoofed or other well-known services such as SendGrid. In the summer of 2022, a phishing campaign was conducted targeting customers of the hardware cryptocurrency wallet Trezor, following a hack at the email marketing platform MailChimp.

Anti-Phishing Demo
Protect your MSP clients with the newest zero-day threat protection and intelligence against anti-phishing, business email compromise and zero-day attacks with PhishTitan.
Free Demo

Phishing attacks such as these can sneak past email defenses and are harder for employees to identify, which is why businesses need to adopt a defense-in-depth approach. Email security solutions will block the majority of spam and phishing emails, but no email security solution will block all malicious messages. In addition to an advanced email security solution such as SpamTitan – which incorporates multiple layers of protection and machine learning mechanisms to block novel phishing attacks – businesses should invest in security awareness training for employees and should provide the training continually throughout the year. Through comprehensive training, employees can be taught more than just the basics and can learn how to recognize and avoid sophisticated phishing attacks.

A web filter is also recommended for blocking access to the malicious URLs that are used to harvest sensitive information. A web filter augments the spam filter by providing time-of-click protection against malicious links in emails and also protects against non-email methods used to drive traffic to phishing sites, such as malvertising, smishing, and vishing attacks.

If you want to improve protection against phishing, call TitanHQ to find out more about improving the depth of your security protections through spam filtering, security awareness training, and web filtering.

Jennifer Marsh

With a background in software engineering, Jennifer Marsh has a passion for hacking and researching the latest cybersecurity trends. Jennifer has contributed to TechCrunch, Microsoft, IBM, Adobe, CloudLinux, and IBM. When Jennifer is not programming for her latest personal development project or researching the latest cybersecurity trends, she spends time fostering Corgis.