Hackers Leverage SendGrid in Recent Attack to Harvest Login Credentials

In Cybersecurity News. Original news source: cybersecuritynews.com, by Blog Writer.

A sophisticated credential harvesting campaign has emerged, exploiting the trusted reputation of SendGrid to deliver phishing emails that successfully bypass traditional email security gateways.

The attack leverages SendGrid’s legitimate cloud-based email service platform to create authentic-looking communications that target unsuspecting users across multiple organizations.

The campaign employs a multi-faceted approach, utilizing three distinct email themes designed to create urgency and manipulate human psychology.

Each variant mimics legitimate SendGrid communications while incorporating spoofed sender addresses to enhance credibility.

The attackers strategically exploit users’ trust in the established email service provider, making detection significantly more challenging for conventional security solutions.

Email Bodies (Source – Cofense)

The phishing emails feature professionally crafted designs with appropriately sized logos and polished formatting that closely resembles genuine SendGrid communications.

The campaign’s success lies in its psychological manipulation tactics, including fabricated security alerts about suspicious login attempts from fake IP addresses and enticing promotional offers for premium service tiers.

Cofense researchers identified this campaign through their Phishing Defense Center, noting the sophisticated nature of the social engineering techniques employed.

The threat actors use open redirect functionality to mask the true destination of their links, specifically abusing tracking-link endpoints such as url6849[.]destinpropertyexpert[.]com/ls/click? to build seemingly legitimate redirect chains.

Phishing Page (Source – Cofense)

This technique allows attackers to leverage the trust associated with legitimate domains while redirecting victims to malicious phishing sites hosted on infrastructure like loginportalsg[.]com.

Technical Analysis of the Redirect Chain Exploitation

The campaign’s most notable technical aspect involves the abuse of open redirect functionality within legitimate domains.

The attackers construct URLs against a redirect endpoint that accepts an arbitrary, encoded destination parameter, enabling seamless redirection to malicious endpoints.

The redirect mechanism follows this pattern:

hXXp://url6849[.]destinpropertyexpert[.]com/ls/click?upn=[encoded_parameters]

These URLs contain base64-encoded payloads that ultimately resolve to phishing sites mimicking SendGrid’s login portal.

The encoded parameters serve multiple purposes: obfuscating the final destination, evading URL reputation systems, and providing tracking capabilities for the threat actors.

Once decoded, these parameters direct victims to credential harvesting pages hosted on IP address 185.208.156.46, which serves both loginportalsg[.]com and sendgrid[.]aws-us5[.]com domains.
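The following is an added defender-side example, not code from the article or from Cofense: it parses a tracking-style redirect URL of the form shown above, base64-decodes the upn parameter, extracts the destination host and compares it against the hosts the report names. The sample URL is constructed for this example (the upn value is encoded here, not an observed value), and the decode tolerates missing padding and the URL-safe alphabet, which are assumptions about how such parameters are typically encoded.

```python
import base64
import re
from typing import Optional
from urllib.parse import urlparse, parse_qs

# Phishing hosts named in the report (page values, not invented).
KNOWN_BAD_HOSTS = {"loginportalsg.com", "sendgrid.aws-us5.com"}

# Redirect endpoint pattern described in the report: /ls/click?upn=<encoded>
REDIRECT_PATH_RE = re.compile(r"/ls/click$")


def decode_upn(value: str) -> str:
    """Base64-decode a tracking parameter; accepts standard or URL-safe
    alphabet and restores stripped '=' padding (assumed encodings)."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.urlsafe_b64decode(padded).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def final_destination(url: str) -> Optional[str]:
    """Return the host an /ls/click?upn= link points to, or None if the
    URL is not such a redirect or no URL can be recovered from upn."""
    parsed = urlparse(url)
    if not REDIRECT_PATH_RE.search(parsed.path):
        return None
    upn = parse_qs(parsed.query).get("upn", [""])[0]
    match = re.search(r"https?://([^/\s?#]+)", decode_upn(upn))
    return match.group(1).lower() if match else None


def triage(url: str) -> dict:
    """Classify one URL: not a redirect, malicious (known host), or review."""
    parsed = urlparse(url)
    if not REDIRECT_PATH_RE.search(parsed.path):
        return {"redirector": None, "destination": None, "verdict": "not-a-redirect"}
    dest = final_destination(url)
    verdict = "malicious" if dest in KNOWN_BAD_HOSTS else "review"
    return {"redirector": parsed.hostname, "destination": dest, "verdict": verdict}


# Constructed sample: redirector host from the report, upn encoded here for the example.
SAMPLE_URL = (
    "http://url6849.destinpropertyexpert.com/ls/click?upn="
    + base64.urlsafe_b64encode(b"https://loginportalsg.com/login?u=victim").decode()
)

if __name__ == "__main__":
    print(triage(SAMPLE_URL))
```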

The landing pages employ sophisticated visual deception techniques, closely replicating SendGrid’s legitimate interface design and branding elements.

This approach significantly increases the likelihood of successful credential theft, as users encounter familiar visual cues that reinforce the perceived legitimacy of the fraudulent login portal.
