{"id":22426,"date":"2024-02-22T19:57:01","date_gmt":"2024-02-22T15:57:01","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/sendgrid-credentials-phishing\/22426\/"},"modified":"2024-02-22T19:57:04","modified_gmt":"2024-02-22T15:57:04","slug":"sendgrid-credentials-phishing","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/sendgrid-credentials-phishing\/22426\/","title":{"rendered":"Recursive credential phishing for ESPs"},"content":{"rendered":"<p>Mailing lists that companies use to contact customers <a href=\"https:\/\/www.kaspersky.com\/blog\/cyberattacks-on-your-marketing\/50571\/\" target=\"_blank\" rel=\"noopener nofollow\">have always been an interesting target<\/a> for cyberattacks. They can be used for spamming, phishing, and even more sophisticated scams. If, besides the databases, the attackers can gain access to a legitimate tool for sending bulk emails, this significantly increases the chances of success of any attack. After all, users who have agreed to receive emails and are accustomed to consuming information in this way are more likely to open a familiar newsletter than some unexpected missive. That\u2019s why attackers regularly <a href=\"https:\/\/www.kaspersky.com\/blog\/the-hunt-for-mailing-lists\/38632\/\" target=\"_blank\" rel=\"noopener nofollow\">attempt to seize<\/a> access to companies\u2019 accounts held with email service providers (ESPs). In the latest phishing campaign we\u2019ve uncovered, the attack method has been refined to target credentials on the website of the ESP SendGrid by sending phishing emails directly through the ESP itself.<\/p>\n<h2>Why is phishing through SendGrid more dangerous in this case?<\/h2>\n<p>\nAmong the tips we usually give in phishing-related posts, we most often recommend taking a close look at the domain of the site in the button or text hyperlink that you\u2019re invited to click or tap. 
ESPs, as a rule, don\u2019t allow direct links to client websites to be inserted in an email, but rather serve as a kind of redirect \u2014 inside the link the email recipient sees the domain of the ESP, which then redirects them to the site specified by the mail authors when setting up the mailing campaign. Among other things, this is done to collect accurate analytics.<\/p>\n<p>In this case, the phishing email appears to come from the ESP SendGrid, expressing concern about the customer\u2019s security and highlighting the need to enable two-factor authentication (2FA) to prevent outsiders from taking control of their account. The email explains the benefits of 2FA and provides a link to update the security settings. This leads, as you\u2019ve probably already guessed, to some address in the SendGrid domain (where the settings page would likely be located if the email really was from SendGrid).<\/p>\n<p>To all email scanners, the phishing looks like a perfectly legitimate email sent from SendGrid\u2019s servers with valid links pointing to the SendGrid domain. The only thing that might alert the recipient is the sender\u2019s address. That\u2019s because ESPs put the real customer\u2019s domain and mailing ID there. 
Most often, phishers make use of hijacked accounts (ESPs subject new customers to rigorous checks, while old ones who\u2019ve already fired off some bulk emails are considered reliable).<\/p>\n<div id=\"attachment_50665\" style=\"width: 909px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2024\/02\/22195647\/SendGrid-credentials-phishing-letter.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-50665\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2024\/02\/22195647\/SendGrid-credentials-phishing-letter.jpg\" alt=\"An email seemingly from SendGrid\" width=\"899\" height=\"1361\" class=\"size-full wp-image-50665\"><\/a><p id=\"caption-attachment-50665\" class=\"wp-caption-text\">An email seemingly from SendGrid sent through SendGrid to phish a SendGrid account.<\/p><\/div>\n<h2>Phishing site<\/h2>\n<p>\nThis is where the attackers\u2019 originality comes to an end. SendGrid redirects the link-clicking victim to a regular phishing site mimicking an account login page. The site domain is \u201csendgreds\u201d, which at first glance looks very similar to \u201csendgrid\u201d.<\/p>\n<div id=\"attachment_50667\" style=\"width: 791px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2024\/02\/22195656\/SendGrid-credentials-phishing-website.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-50667\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2024\/02\/22195656\/SendGrid-credentials-phishing-website.jpg\" alt=\"A site mimicking the SendGrid login page\" width=\"781\" height=\"543\" class=\"size-full wp-image-50667\"><\/a><p id=\"caption-attachment-50667\" class=\"wp-caption-text\">A site mimicking the SendGrid login page. 
Note the domain in the address bar.<\/p><\/div>\n<h2>How to stay safe<\/h2>\n<p>\nSince the email is sent through a legitimate service and shows no typical phishing signs, it may slip through the net of automatic filters. Therefore, to protect company users, we always recommend deploying solutions with advanced anti-phishing technology not only at the <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security\/mail-server?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____ksms___\" target=\"_blank\" rel=\"noopener nofollow\">mail gateway level<\/a> but also on all <a href=\"https:\/\/me-en.kaspersky.com\/small-to-medium-business-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">devices that have access to the internet<\/a>. This will block any attempted redirects to phishing sites.<\/p>\n<p>And yes, for once it\u2019s worth heeding the attackers\u2019 advice and enabling 2FA. Do it, though, from the settings of your account on the ESP\u2019s website, not via a link in a suspicious email.<\/p>\n<div style=\"background-color: #e5f0ec; padding: 10px 25px; margin-bottom: 10px;\"><strong>Update.<\/strong> We contacted Twilio and received the following statement from their spokesperson:\n<p><em>Impersonating a site administrator, or other critical function, has proven an effective means of phishing across the industry, and Twilio SendGrid takes abuse of its platform and services very seriously. Twilio detected that bad actors obtained customer account credentials and used our platform to launch phishing attacks; our fraud, compliance and cyber security teams immediately shut down accounts identified and associated with the phishing campaign. 
We encourage all end users to take a <a href=\"https:\/\/sendgrid.com\/en-us\/blog\/7-best-practices-to-protect-your-twilo-sendgrid-account-and-sending-reputation\" target=\"_blank\" rel=\"nofollow noopener\">multi-pronged approach<\/a> to combat phishing attacks, including two factor authentication, IP access management, and using domain-based messaging.<\/em><\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Cybercriminals prey on access to mailing tools by sending phishing emails through these same tools. <\/p>\n","protected":false},"author":2598,"featured_media":22428,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","class_list":{"0":"post-22426","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-esp","11":"tag-mail","12":"tag-phishing"},"maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/phishing\/","name":"phishing"}}