PSA: Ongoing Viral SendGrid Phishing Attack



Be very suspicious of any email that claims to come from SendGrid. An ongoing attack is leveraging realistic phony administrative and marketing emails to effect self-propagating account takeovers.
They aren’t actually hard to spot if you’re vigilant about checking the sender address before reading any email, but otherwise the attack is insidiously clever:
- The sender domains may not be sendgrid.com, but they are established domains belonging to other compromised organizations, which helps the messages get past spam filters. They’re often respectable enough that I could easily imagine an intelligent human deciding it must be some sort of SendGrid affiliate.
- At least in my case, the attacker correctly sent the email to sendgrid@cyph.com, which is the address of my startup’s SendGrid account.
- The email design and content are spot on, or at least close enough to be plausible.
- All the links are valid SendGrid tracking links that redirect to the phishing site. It’s similar to how Google Sites (sites.google.com) and Microsoft Customer Voice (customervoice.microsoft.com) have been used to impersonate those respective companies.
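As an added example (not part of the original post), here is a small Python triage check that encodes the two indicators above: SendGrid branding arriving from a sender domain that is not SendGrid's, and links routed through SendGrid click tracking, whose real destination cannot be judged from the URL alone. The sample message, the set of legitimate sender domains and the click-tracking host pattern are constructed assumptions to check against your own mail logs.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the pattern in the post: SendGrid branding,
# a sender domain that is not SendGrid's, and a link through click tracking.
SAMPLE = """\
From: "SendGrid Support" <billing@compromised-example.org>
To: sendgrid@example.com
Subject: Action required: confirm your SendGrid account
Content-Type: text/plain

Your SendGrid account needs verification.
https://u123456.ct.sendgrid.net/ls/click?upn=ABC
"""
# Assumptions: domains SendGrid itself sends from, and the host pattern of
# its click-tracking redirector. Verify both against your own mail logs.
LEGIT_SENDER_DOMAINS = {"sendgrid.com", "sendgrid.net"}
TRACKING_HOST_RE = re.compile(r"(^|\.)ct\.sendgrid\.net$", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def sender_domain(msg):
    """Domain of the actual From address, ignoring the display name."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def claims_sendgrid(msg):
    """True when the display name or subject invokes SendGrid branding."""
    name, _ = parseaddr(msg.get("From", ""))
    return "sendgrid" in f"{name} {msg.get('Subject', '')}".lower()

def tracking_links(body):
    """URLs whose host is a click-tracking redirector, hiding the destination."""
    return [u for u in URL_RE.findall(body)
            if TRACKING_HOST_RE.search(urlparse(u).hostname or "")]

def assess(raw):
    """Return findings for one raw RFC 5322 message; an empty list means clean."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else "\n".join(
        p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    findings = []
    dom = sender_domain(msg)
    if claims_sendgrid(msg) and dom not in LEGIT_SENDER_DOMAINS:
        findings.append(f"sendgrid_branding_from_foreign_domain:{dom}")
    if n := len(tracking_links(body)):
        findings.append(f"click_tracking_links_hide_destination:{n}")
    return findings
```

A tracking-link finding on its own is not proof of phishing, since legitimate SendGrid mail uses the same redirector; the combination with a foreign sender domain is what should stop a reader before they click.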
I first noticed this in mid-November and thought it was mildly interesting. Then I got another yesterday, and three more this morning, so it seems to be spreading more rapidly as more people fall victim.
If you operate a SendGrid account, make sure everyone with access is aware of this, log in to check your Teammates list for unknown users, enable multi-factor authentication (MFA) if not already done, and monitor for unusual activity just to be safe.