MailGuard has intercepted a phishing email sent from a compromised SendGrid account.
Titled “Final Notice”, the email masquerades as a billing alert from the popular email service provider. However, rather than being sent from the company, the email comes from a compromised account using SendGrid's email service.
The email body informs users that their “payment to SendGrid was unsuccessful” and advises them to fix the issue via a link.
Here is what the email looks like:
Unsuspecting recipients who click on the link are redirected to a fake SendGrid-branded login page that asks for the user’s email address and password. This page is a very faithful reconstruction of a legitimate SendGrid login page, with only minor differences in text styling. It is actually hosted on Google Firebase.
This is a phishing page that is designed to harvest users’ credentials. Once users have “logged in”, they are redirected to a SendGrid support page about how to interpret their invoices.
Whilst MailGuard is stopping this email scam from reaching Australian businesses, we encourage all users to be extra vigilant against this kind of email and, whatever happens, not to open it or click on its links.
Cybercriminals frequently exploit the branding of global companies like SendGrid in their scams, because their good reputation lulls victims into a false sense of security, and with such a large number of users they are an easy and attractive target. Many companies use SendGrid to communicate with their customers via email, or else pay marketing firms to do that on their behalf using SendGrid’s systems. An email informing them that their “account is marked for removal” from the service is therefore likely to alarm these companies. They may want to take immediate action in order to minimise disruptions to email communications with their customers. Cybercriminals hope that, in their urgency to rectify the issue, users will click on the phishing link without pausing to check the legitimacy of the email.
Scams that are initiated from compromised accounts belonging to email service providers like SendGrid are particularly dangerous because the emails are sent from a legitimate account, so they are not likely to be blocked by email security services. Many organisations are likely to have implemented rules allowing email from SendGrid’s systems to sail through their spam-filtering systems. Cybercriminals know this, and therefore exploit these rules to trick users.
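The gap described above can be narrowed by checking message content even when the sending relay is allow-listed. The following is an added example, not MailGuard's or SendGrid's code: the brand domain list, the Firebase Hosting suffixes and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumptions: domains the real brand links to, and Firebase Hosting's default suffixes.
BRAND_DOMAINS = ("sendgrid.com", "sendgrid.net")
FREE_HOSTING = ("web.app", "firebaseapp.com")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def under(host, domains):
    """True if host equals, or is a subdomain of, any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)

def body_text(msg):
    """Concatenate every text/* part, decoding transfer encodings."""
    out = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            out.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)

def assess(raw_email):
    """Flag mail that uses the brand's name but links outside the brand's domains."""
    msg = message_from_string(raw_email)
    body = body_text(msg)
    visible = " ".join([msg.get("From", ""), msg.get("Subject", ""), body])
    hosts = [(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)]
    off_brand = sorted({h for h in hosts if h and not under(h, BRAND_DOMAINS)})
    return {
        "claims_brand": "sendgrid" in visible.lower(),
        "off_brand_hosts": off_brand,
        "free_hosted": [h for h in off_brand if under(h, FREE_HOSTING)],
    }

def verdicts(raw_email, relay_allowlisted):
    """Return (weak, hardened): weak trusts the relay allow rule, hardened ignores it."""
    f = assess(raw_email)
    suspicious = f["claims_brand"] and bool(f["off_brand_hosts"])
    hardened = "quarantine" if suspicious else "deliver"
    weak = "deliver" if relay_allowlisted else hardened
    return weak, hardened

# Constructed sample modelled on the email described above (not a captured message).
PHISH = (
    "From: SendGrid Billing <billing@customer.example>\n"
    "Subject: Final Notice\n\n"
    "Your payment to SendGrid was unsuccessful. Fix it here:\n"
    "https://example-project.web.app/login\n"
)
```

With the relay allow-listed, the weak policy delivers the constructed message while the hardened policy quarantines it, because the message uses the brand's name but links to a host outside the brand's domains.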
We encourage all users to exercise caution when clicking on any links within emails. If you are not expecting a notification from the sender, do not open the email, download files or click through on the links. Check with the sender first, even if they are known to you.
One email is all that it takes
All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.
For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.
Talk to a solution consultant at MailGuard today about securing your company's network.