Recursive credential phishing for ESPs

Cybercriminals prey on access to mailing tools by sending phishing emails through these same tools.

Credential phishing targets ESPs through ESPs

Mailing lists that companies use to contact customers have always been an interesting target for cyberattacks. They can be used for spamming, phishing, and even more sophisticated scams. If, besides the databases, the attackers can gain access to a legitimate tool for sending bulk emails, this significantly increases the chances of success of any attack. After all, users who have agreed to receive emails and are accustomed to consuming information in this way are more likely to open a familiar newsletter than some unexpected missive. That’s why attackers regularly attempt to seize access to companies’ accounts held with email service providers (ESPs). In the latest phishing campaign we’ve uncovered, the attack method has been refined to target credentials on the website of the ESP SendGrid by sending phishing emails directly through the ESP itself.

Why is phishing through SendGrid more dangerous in this case?

Among the tips we usually give in phishing-related posts, we most often recommend taking a close look at the domain of the site in the button or text hyperlink that you’re invited to click or tap. ESPs, as a rule, don’t allow direct links to client websites to be inserted in an email, but rather serve as a kind of redirect — inside the link the email recipient sees the domain of the ESP, which then redirects them to the site specified by the mail authors when setting up the mailing campaign. Among other things, this is done to collect accurate analytics.

In this case, the phishing email appears to come from the ESP SendGrid, expressing concern about the customer’s security and highlighting the need to enable two-factor authentication (2FA) to prevent outsiders from taking control of their account. The email explains the benefits of 2FA and provides a link to update the security settings. This leads, as you’ve probably already guessed, to some address in the SendGrid domain (where the settings page would likely be located if the email really was from SendGrid).

To all email scanners, the phishing looks like a perfectly legitimate email sent from SendGrid’s servers with valid links pointing to the SendGrid domain. The only thing that might alert the recipient is the sender’s address. That’s because ESPs put the real customer’s domain and mailing ID there. Most often, phishers make use of hijacked accounts (ESPs subject new customers to rigorous checks, while old ones who’ve already fired off some bulk emails are considered reliable).

An email seemingly from SendGrid

An email seemingly from SendGrid sent through SendGrid to phish a SendGrid account.

Phishing site

This is where the attackers’ originality comes to an end. SendGrid redirects the link-clicking victim to a regular phishing site mimicking an account login page. The site domain is “sendgreds”, which at first glance looks very similar to “sendgrid”.

A site mimicking the SendGrid login page

A site mimicking the SendGrid login page. Note the domain in the address bar

How to stay safe

Since the email is sent through a legitimate service and shows no typical phishing signs, it may slip through the net of automatic filters. Therefore, to protect company users, we always recommend deploying solutions with advanced anti-phishing technology not only at the mail gateway level but on all devices that have access to the internet. This will block any attempted redirects to phishing sites.

And yes, for once it’s worth heeding the attackers’ advice and enabling 2FA. But not through a link in a suspicious email, but in the settings in your account on ESP’s website.

Update. We contacted Twilio and received the following statement from their spokesperson:

Impersonating a site administrator, or other critical function, has proven an effective means of phishing across the industry, and Twilio SendGrid takes abuse of its platform and services very seriously. Twilio detected that bad actors obtained customer account credentials and used our platform to launch phishing attacks; our fraud, compliance and cyber security teams immediately shut down accounts identified and associated with the phishing campaign. We encourage all end users to take a multi-pronged approach to combat phishing attacks, including two factor authentication, IP access management, and using domain-based messaging.