SendGrid isn’t emailing about ICE or BLM – it’s a phishing attack

"The fundamental issue is that SendGrid’s business model depends on making it easy for legitimate businesses to send email at scale."

I disagree with this conclusion, if not only because other email service providers don't have this issue.

It wouldn't surprise me if something was broken with SendGrid's internal infrastructure. I used to be a SendGrid customer until my deliverability started being affected by this issue. SendGrid took weeks to reply to my customer service messages about resolving this, even though I was a paying customer and was renting private IP addresses from them to send mail.

I finally gave up and closed my SendGrid account in July 2021. Despite this, they continued to send me monthly invoices until May 2022. Multiple SendGrid representatives promised that they had resolved the issue, but it wasn't until one CSR added me to SendGrid's global suppression list that they finally stopped.

> Can this be fixed?

For popular senders: sort-of: in your incoming mail server, substring-match the display name of the sender against popular brands, and ensure the actual domain matches.

This works remarkably well for proper brands (FedEx et al), but breaks down when the brand name regularly occurs in "normal" names, the sending brand sends mail from all over the place, or "innocuous" impersonation takes place all the time.

Like, somehow, From: "VODAFONE" <shipping-update@dpd.co.uk> is a 100% legit sender (assuming SPF and DKIM verification pass), despite both Vodafone and DPD being pretty common impersonation targets. You'd think they'd know better, but alas.

So, yeah, room for improvement and such...

If using GSuite then head to the Gmail admin panel and create a compliance rule with 2 regex expressions.

1. Add expressions to: If ALL of the following match the message.

2. Expression 1: Type: Advanced content match Location: Full headers Match type: Matches regex (?im)^from:\sSendGrid(?:\s+\w+)\s*<[^>\r\n]+>+$

3. Expression 2: Type: Advanced content match Location: Sender header Match type: Not matches regex (?i)^[A-Za-z0-9._%+-]+@(sendgrid\.com|twilio\.com)$

Set the rule to reject or quarantine. Users will not see the messages unless the attackers change the From header.

2FA doesn't stop phishing unless it's WebAuthn. But SendGrid, which is owned by Twilio, only supports 2FA based on SMS or the Authy App (which is also made by Twilio): https://www.twilio.com/docs/sendgrid/ui/account-and-settings...

It seems like Twilio has a conflict of interest that prevents them from offering WebAuthn, as that would be a tacit admission that their SMS and Authy products are not actually that secure.

Having a friendly name listed in the From field is part of the problem. SPF, DKIM, and DMARC make it possible to control who can send as your domain, if the receiver cares to check. If you have strict SPF and DMARC rules, most receivers will drop or not accept emails that fail the rules. But you can't control using your brand from unaffiliated domains.

Would you even open an email from noreply@drummond.com if that's what showed up in the message list?

On mobile it's worse. Gmail (Android) doesn't even show the From address at all when you open an email. For some emails, I can tap the sender icon and see the address, for others I have to find the hit reply (but if DMARC et al doesn't validate a Reply-To address) or go find a computer and see the message there.

SendGrid phishing emails are some of the best phishing emails. I get emails that there's elevated error rates on an API (`/v1/send`). Looks very legit, good design, reasonable call to action, some urgency which makes me want to click. They know from MX records I send email with Sendgrid, so it's well targeted. Easy catch when I see the domain, but other than that it's the best I've seen in years.

We've been getting similar phishing emails claiming to be from SendGrid, except they're along the lines of "we're adding a rainbow banner to the footer of all emails to show LGBT support, click here to opt out".

It's especially funny because SendGrid isn't even one of our vendors.

Oh! I’ve seen this phishing attempt as well, I believe it was was Gemini they said they would add an “lgbt” banner unless you changed settings.

First thought... Why would ICE need donations? I then realized how unrecognizable scams have become to me now. Older people are going to be in a worse position.

relatedly, my wife received polititexts destined to her conservative father. The latest was actually genius IMO, in that it stated "Dear STEVEN, due to inactivity, your registration will be changed to DEMOCRAT in 20 minutes unless you navigate to this link." It, I assume, redirected to some support page to donate to the US conservative party or its affiliates. The social engineering is getting more effective

I have been receiving 2-3 of these variations per day. Have been reporting them as phishing in our GSuite account, but they just keep coming.

I can't think of one email I received from sendgrid I would consider legitimate. Anytime I receive an email distributed by sendgrid I have found it actually had no value to me. Sometimes it's from a business I have dealt with but I never wanted or was interested in the content.

I’m more troubled by the fact these emails are hitting my sendgrid only email address.

Is this related to the breach that SendGrid said didn’t happen? I set my account up in 2021 for reasons I don’t recall and it’s since been deleted/deactivated by them.

> The political sophistication on display here (BLM, LGBTQ+ rights, ICE, even the Spanish language switch playing on immigration anxieties) suggests someone with a deep understanding of American cultural fault lines.

Or an AI.

I received one, though it was for adding a footer honoring MLK. I kinda thought it was odd, but did't think much of it, since I'm apparently not in the group that would be offended in any way. I wonder if the variation they use is random, or in any way location-based to maximize response (I'm in Texas).

I've also received a bunch of API failure phishing emails, as well as some implying we needed to change our auth to Sinch.

It would be good to hold carriers accountable for fishing and spam. Sendgrid , Twilio and other saas messaging carriers need to do a better job with integrity. I don’t expect them to carry the whole burden, but some negative incentive to promote investment . It could be as simple as enforcing sender pays metering . We all know spam is 60+ % of traffic, so sender pays would drive down spam very quickly

I wonder why Gmail and other email providers don't just run an LLM/ML pipeline to detect phishing emails. It seems that matching an email's content with the sender's domain (and possibly analyzing the content behind links) would be enough to show, with high certainty, a warning like "Beware: this looks like a phishing email." Is it too expensive? Too many false positives?

I've been getting a lot of these, and forwarding them (along with the raw source of the email headers) to abuse@sendgrid.com with some success.

I get a flood of these every single day. Because we use SendGrid as a critical part of our product, I have to look for any emails from them pretty closely. It’s gotten impossible to do with all of these phishing attempts. I gotta hand it to them, though, the attempts are excellent.

The OP didn’t explain or showed the unsubscribe button compromise trick. Anyone here can shed some light on it?

I always had the habit of clicking on the unsubscribe button whenever I see an unwanted email. And I’d like to know what would happen if I click on malicious unsubscribe link.

Is this a new trend in phishing emails? They appear to be using legitimate domains to bypass spam detection. Usually the domains are associated with legitimate companies who are completely oblivious. I always wondered how this works. Is it a broken contact form somewhere?

Is this an education problem? Should the general public be more diligent in checking the sender domain of the emails they read?

Is this a UX issue? Should email clients highlight and emphasize the sender domain more than their display name?

Not just SendGrid, I have received very sophisticated phishing emails “from” MailGun as well. I think the advantages of getting into your email channel justify a lot of investment by the bad guys.

Interesting that politics is a vector for contagion.

When you think about politics is very contagious, politicians infect activists, who infect regular folk that advocate for stuff they don't benefit from, when elections come near, it's flu season.

Double parasite burgers where a new parasite leeches of an existing vector are common in biology as well. Like malaria and mosquitoes.

Before you reach for your wallets, remember -

It might be 50 days by an (admittedly very cool) bus, but it's only 84 days in foot!

* Consult your Google Maps and a sense of humor if it sounds to good to be true!

This speculative nonsense adds nothing:

> We know that state actors have invested heavily in understanding and exploiting these divisions. Russian active measures campaigns have been documented doing exactly this kind of work: identifying wedge issues and creating content designed to inflame both sides. North Korea has demonstrated similar sophistication in their social engineering operations by targeting academics and foreign policy experts

What about "read Twitter in between bouts of using one susceptible user's API key to spam other users for their API keys" _really_ requires the sophistication of a state-level actor? Statements like this aren't journalism, they're exactly the same kind of manipulation being used by the phishers.

So the modern Gestapo is so deeply unpopular it is being used for phishing attacks - no one (normal) wants to be seen anywhere near it. Amazing.

In the 1920s and 30s they had mailing campaigns recruiting to join the SA. Same principle.

That’s some devious shit. I can just imagine someone furiously clicking the button in a rage

Before anyone launches themselves into the sky: the title is clickbait. This is about phishing attempts that use ICE to persuade you to click. Sendgrid the company is not emailing about supporting ICE. But technically Sendgrid the infrastructure is.