SendGrid Support Phishing Campaign Uses Compromised Account to Bypass Defenses

Phishing Campaign Impersonates SendGrid Support, Leverages Compromised Account for High Authenticity

MEDIUM
June 4, 2026
4m read
Phishing, Cyberattack

Related Entities

Products & Tech: SendGrid

Executive Summary

A new and deceptive phishing campaign is targeting users of the SendGrid email delivery service. Attackers are sending emails that convincingly impersonate official SendGrid support notifications. The campaign's effectiveness is significantly enhanced because the attackers are distributing the emails via a compromised SendGrid account, lending the messages a high degree of authenticity and allowing them to bypass security filters. The emails lure victims with a warning about "insufficient account permissions" and direct them to a credential harvesting site to steal their logins.


Threat Overview

The attack begins with an email sent to a SendGrid user, claiming that their messages are being rejected due to a permissions issue. The email contains an "Open Dashboard" button and urges the user to click it to restore service. The use of a compromised, legitimate SendGrid account for distribution is a key element of this campaign. It leverages SendGrid's own trusted infrastructure, making the emails difficult for both users and automated systems to identify as malicious.

Upon clicking the link, the victim is redirected to a phishing website hosted at personalsglogin[.]com. This site is a close replica of the real SendGrid login portal. Once a user enters their username and password, the site presents a fake error message. This is a common tactic designed to make the user believe they mistyped their password and encourage them to re-enter it, increasing the attackers' chances of capturing the correct credentials.


Technical Analysis

The campaign relies on social engineering and infrastructure abuse.

  • Social Engineering: The lure creates a sense of urgency by claiming a critical service (email delivery) is failing. The "insufficient permissions" message is plausible and prompts immediate action.
  • Infrastructure Abuse: By using a compromised SendGrid account, the attackers gain:
    • High Deliverability: The emails are sent from a reputable source, bypassing many spam and phishing filters.
    • Authenticity: The email headers and sending infrastructure appear legitimate.
  • Phishing Site: The domain personalsglogin[.]com was recently registered specifically for this campaign, a common indicator of malicious intent.

This attack maps to the following MITRE ATT&CK techniques:


Impact Assessment

A successful attack could have several negative consequences for a victim organization:

  • Account Takeover: Attackers gain control of the organization's SendGrid account.
  • Further Phishing Campaigns: The compromised account can be used to send more phishing emails, targeting the organization's own customers and partners, leading to reputational damage.
  • Data Exfiltration: Attackers could potentially access sensitive information within the SendGrid account, such as email lists and analytics.
  • Financial Loss: If the SendGrid account is used for transactional emails, attackers could disrupt business operations.

IOCs — Directly from Articles

Type: Domain
Value: personalsglogin[.]com
Description: The credential harvesting phishing domain.

Cyber Observables — Hunting Hints

Security teams should be aware of the following patterns:

Type: URL Pattern
Value: Links in emails purporting to be from SendGrid that do not resolve to sendgrid.com or its subdomains.
Description: A key indicator of a phishing attempt.

Type: Email Subject
Value: Variations of "Insufficient Account Permissions" or "Message Rejection Notification".
Description: Common lures used in this campaign.
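As an added example (not code from the MailGuard report or this article), the URL-pattern and subject-lure hints above turned into detection logic over a constructed sample email. The allowlist of SendGrid domains and the lookalike host sendgrid.com.login-portal.example are assumptions made for this example; the lookalike deliberately embeds "sendgrid.com" as a prefix to show why a naive substring check is not enough.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Assumed allowlist of legitimate SendGrid domains (an assumption for this example).
LEGIT_DOMAINS = ("sendgrid.com", "sendgrid.net")
# Subject lures named in the article's hunting hints.
SUBJECT_LURES = ("insufficient account permissions", "message rejection notification")
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

# Constructed sample message; the lookalike host is invented and uses the reserved .example TLD.
SAMPLE_EMAIL = """From: SendGrid Support <support@sendgrid.com>
To: admin@example.com
Subject: Insufficient Account Permissions - Messages Rejected
Content-Type: text/html; charset="utf-8"

<html><body><p>Your messages are being rejected.</p>
<a href="https://sendgrid.com.login-portal.example/dashboard">Open Dashboard</a>
<a href="https://docs.sendgrid.com/help">Help Center</a></body></html>
"""

def is_legit_host(host: str) -> bool:
    """Accept an exact allowlisted domain or a true subdomain of one;
    a substring or prefix test would wrongly accept 'sendgrid.com.login-portal.example'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def analyze_email(raw: str) -> dict:
    """Flag a SendGrid-branded message that links off-domain or uses a known lure subject."""
    msg = message_from_string(raw, policy=default)
    sender = (msg["From"] or "").lower()
    subject = (msg["Subject"] or "").lower()
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    suspicious_hosts = []
    for link in HREF_RE.findall(html):
        url = urlparse(link)
        # Only http(s) links with a host are checked; mailto: and relative links are skipped.
        if url.scheme in ("http", "https") and url.hostname and not is_legit_host(url.hostname):
            suspicious_hosts.append(url.hostname)
    claims_sendgrid = "sendgrid" in sender or "sendgrid" in subject
    lure_subject = any(lure in subject for lure in SUBJECT_LURES)
    return {
        "claims_sendgrid": claims_sendgrid,
        "lure_subject": lure_subject,
        "suspicious_hosts": suspicious_hosts,
        "suspicious": claims_sendgrid and (bool(suspicious_hosts) or lure_subject),
    }
```

Feed it raw messages from a mail gateway or mailbox export; a hit on `suspicious_hosts` is the off-domain-link indicator described above, and `lure_subject` the subject pattern.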

Detection & Response

  1. URL Filtering: Block the known phishing domain personalsglogin[.]com at the network perimeter (firewall, web proxy).
  2. User Education: Alert users, especially those who manage the SendGrid account, to this specific campaign. Remind them to be suspicious of unsolicited emails requiring urgent action and to always verify the URL before entering credentials.
  3. Account Monitoring: Monitor SendGrid account activity for suspicious logins (e.g., from unusual geographic locations or IP addresses) or unauthorized configuration changes.

Mitigation

  1. Multi-Factor Authentication (MFA): The single most effective defense is to enable MFA on all SendGrid accounts. This prevents an attacker from accessing the account even if they successfully steal the password. This aligns with D3FEND's Multi-factor Authentication (D3-MFA) technique.
  2. Hover-to-Verify: Train users to hover their mouse over links in emails to see the actual destination URL before clicking.
  3. Bookmark Legitimate Sites: Encourage users to access sensitive sites like the SendGrid dashboard via bookmarks rather than email links.

Timeline of Events

1. June 4, 2026: This article was published

MITRE ATT&CK Mitigations

Training users to identify phishing attempts, such as verifying URLs before clicking, is a critical defense.

MFA is the most effective control to prevent account takeover even if credentials are stolen.

Using URL filtering and web proxies to block access to known malicious domains prevents users from reaching the phishing site.

D3FEND Defensive Countermeasures

The most critical defense against this credential harvesting campaign is to enforce multi-factor authentication (MFA) on all SendGrid accounts. Even if an attacker successfully tricks a user into providing their username and password, MFA will prevent them from gaining access to the account. Organizations should prioritize phishing-resistant MFA such as FIDO2 security keys, and prefer authenticator apps over less secure methods like SMS.

Deploy an email security gateway that performs robust URL analysis on all inbound emails. This includes checking URLs against threat intelligence feeds for known phishing domains like personalsglogin[.]com. The system should also use dynamic analysis to 'click' on links in a sandbox environment to inspect the destination page for phishing kits or credential harvesting forms. This automated analysis can block malicious emails before they reach a user's inbox, serving as a vital technical control to backstop user awareness.

Sources & References

SendGrid Support Email Phish Now Circulating
MailGuard (mailguard.com.au) June 4, 2026

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Phishing, SendGrid, Credential Harvesting, Email Security
