A group of attackers have compromised accounts on the SendGrid email delivery platform and are using them to launch phishing attacks against other SendGrid customers. The campaign is likely an attempt to collect credentials for a mass email service with a good reputation that would help attackers bypass spam filters in other attacks.
“The campaign observed uses a variety of complex lures, such as claiming the victim’s account has been suspended while its sending practices are reviewed or that the victim’s account is marked for removal due to a recent payment failure, combined with other SendGrid features to mask the actual destination of any malicious links,” researchers from threat intelligence firm Netcraft said in a new report.
SendGrid is a cloud-based email delivery platform owned by Twilio. It helps companies run email marketing campaigns at scale with a high deliverability rate and analytics. The company claims to have over 80,000 customers including popular brands like Uber, Spotify, AirBnB, and Yelp. “With even legitimate companies sometimes struggling to deliver emails to users’ inboxes successfully, it is easy to see how using SendGrid for phishing campaigns is attractive to criminals,” the Netcraft researchers said.
Phishing links masked by click-tracking feature
The phishing emails masquerading as SendGrid notifications were sent through the SendGrid SMTP servers, but the email addresses in their From field were from other domains, not sendgrid.com. That’s because the attackers used the domain names that the compromised SendGrid customers had configured to be able to send email through the platform for their own campaigns.
Netcraft observed at least nine such domains belonging to companies from a range of industries including cloud hosting, energy, healthcare, education, property, recruitment, and publishing. Because those domains had been configured to use SendGrid for email delivery, the phishing emails passed the usual anti-spoofing checks such as SPF and DKIM: the domains already had the DNS records in place that authorize SendGrid to send on their behalf. “The use of compromised SendGrid accounts explains why SendGrid is targeted by the phishing campaign: The criminals can use the compromised accounts to compromise further SendGrid accounts in a cycle, providing them with a steady supply of fresh SendGrid accounts,” the Netcraft researchers said.
Aside from the suspicious addresses in the From field, there is little else to suggest to a recipient that the rogue emails are not authentic. The link behind the button included in the email is masked using SendGrid’s click-tracking feature. This means the URL points to a script hosted on sendgrid.net, which then performs a redirect to the phishing page set up by the attackers. However, the URL of the phishing page is passed to the SendGrid script as an encoded parameter, so it is not visible to the user as clear text when hovering over the button.
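For mail-security triage, the practical question is what a click-tracking link actually resolves to before anyone clicks it. The following is an added example, not code from the article, Netcraft or SendGrid: it unwraps the destination hidden in a tracking redirect's query string and flags links whose destination lies outside the domain the message claims to come from. The `u123.ct.sendgrid.net` host, the `upn` parameter and its base64 encoding are assumptions for illustration, since the article does not state the exact link format.

```python
import base64
import re
from urllib.parse import parse_qs, urlparse

# Hosts whose links are click-tracking redirects. sendgrid.net is the host the
# article names; treating it as the only tracking host is an assumption.
TRACKING_HOSTS = ("sendgrid.net",)
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

def _host_in(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)

def _decodings(value: str):
    """Yield plausible readings of a query value: raw, then (urlsafe-)base64."""
    yield value
    b64 = value.replace("-", "+").replace("_", "/")
    b64 += "=" * (-len(b64) % 4)            # restore stripped padding
    try:
        yield base64.b64decode(b64).decode("utf-8", "ignore")
    except Exception:                        # not base64 at all
        return

def unwrap_tracking_link(url: str):
    """Return the http(s) URL carried in a tracking redirect's query, or None."""
    parsed = urlparse(url)
    if not any(_host_in(parsed.hostname or "", h) for h in TRACKING_HOSTS):
        return None
    for values in parse_qs(parsed.query).values():   # parse_qs percent-decodes
        for value in values:
            for text in _decodings(value):
                m = URL_RE.search(text)
                if m:
                    return m.group(0)
    return None

def suspicious_tracking_links(body: str, claimed_domain: str):
    """(link, destination) pairs whose redirect lands outside claimed_domain."""
    found = []
    for link in URL_RE.findall(body):
        dest = unwrap_tracking_link(link)
        if dest and not _host_in(urlparse(dest).hostname or "", claimed_domain):
            found.append((link, dest))
    return found

# Constructed sample (not from the article); a base64 'upn' value is assumed.
SAMPLE_DEST = "https://account-review.example/verify"
SAMPLE_LINK = "https://u123.ct.sendgrid.net/ls/click?upn=" + base64.urlsafe_b64encode(SAMPLE_DEST.encode()).decode().rstrip("=")
SAMPLE_BODY = ('<p>Your account is suspended pending review.</p>'
               f'<a href="{SAMPLE_LINK}">Review now</a>')
```

Running `suspicious_tracking_links(SAMPLE_BODY, "sendgrid.com")` on the constructed body reports the tracking link together with the `account-review.example` destination it would redirect to.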