Akankasha Dewan 22 October 2020 18:31:03 AEDT 3 MIN READ

Caution: SendGrid spoofed in phishing email sent from a compromised Amazon SES account

Don’t be fooled by this phishing email impersonating popular email service provider, SendGrid.

Using a display name of “Sendgrid Renewal Team”, the email incorporates the company’s logo & branding. In addition, multiple SendGrid support links are provided within the email body (like to the company’s help desk etc.) – elements likely included to boost the email’s credibility. However, the domain used in the email address provided in the “From” field doesn’t belong to SendGrid. The email actually originates from a compromised Amazon SES account.

It informs recipients that their services have “failed to auto-renew and are about to expire”. To rectify the issue, recipients are advised to update their billing information via a link.

Here’s what the email looks like:



Unsuspecting recipients who click on the link are led to a page that instantly redirects them, then leads them to a legitimate-looking copy of the SendGrid login page. This is actually a phishing page hosted on a compromised website.



Once these credentials are entered and submitted, the attacker harvests them for later use, and the user is then redirected to the actual SendGrid login page.

We strongly advise all recipients to delete these emails immediately without clicking on any links. Please share this alert with your social media network to help us spread the word around this email scam.

Cybercriminals frequently exploit the branding of global companies like SendGrid in their scams, because their good reputation lulls victims into a false sense of security, and with such a large number of users they are an easy and attractive target. Many companies use SendGrid to communicate with their customers via email, or else pay marketing firms to do that on their behalf using SendGrid’s systems. Receiving an email informing them that their services are “about to expire” is therefore likely to be alarming among companies. They may want to take immediate action in order to minimise disruptions to email communications with their customers. Cybercriminals hope that in their urgency to rectify the issue, users don’t pause to check for the legitimacy of the email and click on the phishing link.

Cybercriminals have also employed multiple elements to boost the email's credibility. Besides using high-resolution branding & logos belonging to SendGrid (especially in the phishing page), the email also includes multiple support links as part of its "account management" feature - links that are likely expected to be included in legitimate notifications from such a well-established company. Two red flags, however, are present in this scam that should alert users - the inaccurate spelling of SendGrid in the email's display name (i.e. "Sendgrid"), and the fact that the email's sender address doesn't use a domain belonging to the company, as mentioned above.

SendGrid advises users to report any spam emails to its Abuse and Compliance team at abuse@sendgrid.com

As a precaution, MailGuard urges you not to click links within emails that:

  • Are not addressed to you by name.
  • Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
  • Are from businesses that you were not expecting to hear from.
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from. 

One email is all that it takes

All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.

Talk to a solution consultant at MailGuard today about securing your company's network.

Why not stay up-to-date with MailGuard's latest blog posts by subscribing to free updates? Subscribe to weekly updates by clicking on the button below.

Keep Informed with Weekly Updates