
Cybercriminals Abuse SendGrid in Latest Large-Scale Credential Harvesting Campaign

A phishing campaign abuses SendGrid's trusted email infrastructure to deliver convincingly branded emails whose links lead, through redirect chains, to pages that harvest user credentials.



A credential harvesting campaign is currently active. It targets users with emails that trade on the trust placed in the SendGrid platform and lead them through deceptive links to fake login pages.

The campaign was identified by researchers at Cofense's Phishing Defense Center. The attackers send their messages through SendGrid's cloud-based email service, deliberately exploiting the trust that users and mail filters place in that service so that conventional security solutions are less likely to flag the emails.

The threat actors abuse open redirect functionality on legitimate domains. The redirect endpoints accept an arbitrary destination in a URL parameter, and the attackers supply that destination in encoded form, producing long and complex URLs. Once decoded, the parameter points to credential harvesting pages hosted on the IP address 185.208.156.46.

The report attributes that IP address to SendGrid, based on its appearance alongside URLs containing "sendgrid" and related IPs in cybersecurity reports. The attackers use the infrastructure to host the phishing pages themselves, hiding the malicious final destination behind redirect chains that begin on legitimate-looking domains.

The phishing emails are professionally designed and formatted to mimic legitimate SendGrid communications, and the sender addresses are spoofed to match. Each variant relies on a different pressure tactic, such as a fabricated security alert or an enticing promotional offer, to create a sense of urgency and push the recipient to click.

Clicking the malicious link takes the user through the redirect chain to a landing page that closely replicates SendGrid's legitimate interface design and branding, making it difficult to distinguish from the real login portal.

The address of that landing page is what the encoded URL parameters carry. Encoding the destination obscures it from a casual reader and from URL reputation systems that only evaluate the visible, legitimate first hop, and the additional parameters give the threat actors click tracking. The base64-encoded payloads in the URLs resolve to phishing sites mimicking SendGrid's login portal.
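An open redirect on a legitimate domain combined with a base64-encoded destination parameter is the mechanism described above. The following Python, added here as an example and not code from Cofense or from the article, statically unwraps such a link without making any network requests and flags it when the final hop is the reported IP address, any bare IP address, or a host outside an allowlist. The sample links, the example.com redirect endpoints, the parameter names u and url, and the allowlist are constructed for this example; only 185.208.156.46 comes from the report.

```python
import base64
import ipaddress
import re
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Indicator taken from the report: the host on which the credential-harvesting
# pages were observed.
KNOWN_BAD_HOSTS = {"185.208.156.46"}

# Hypothetical allowlist of destinations a legitimate redirect may land on.
# Assumed for this example; a real deployment would maintain its own list.
ALLOWED_HOSTS = {"sendgrid.com", "sendgrid.net", "example.com"}

URL_RE = re.compile(r"^https?://", re.IGNORECASE)
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]+={0,2}$")


def try_b64_decode(value: str) -> Optional[str]:
    """Decode standard or URL-safe base64 to text; None if it is not base64."""
    if len(value) < 8 or not B64_RE.match(value):
        return None
    std = value.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)  # restore padding that URL builders often strip
    try:
        return base64.b64decode(std, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def next_hop(url: str) -> Optional[str]:
    """Return the destination embedded in a redirect URL's query string, if any.

    A parameter value counts as a destination when it is a URL itself or when
    it base64-decodes to one. The first such parameter wins.
    """
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    for values in params.values():
        for value in values:  # parse_qs has already percent-decoded the value
            if URL_RE.match(value):
                return value
            decoded = try_b64_decode(value)
            if decoded and URL_RE.match(decoded):
                return decoded
    return None


def resolve_redirect_chain(url: str, max_hops: int = 5) -> list:
    """Statically unwrap nested redirect parameters; never touches the network."""
    chain = [url]
    for _ in range(max_hops):
        hop = next_hop(chain[-1])
        if hop is None:
            break
        chain.append(hop)
    return chain


def classify(url: str) -> dict:
    """Verdict on a link based on where its redirect chain finally lands."""
    chain = resolve_redirect_chain(url)
    final_host = urlparse(chain[-1]).hostname or ""
    reasons = []
    verdict = "benign"

    if final_host in KNOWN_BAD_HOSTS:
        reasons.append("final hop is a known credential-harvesting host")
        verdict = "malicious"

    try:
        ipaddress.ip_address(final_host)
        reasons.append("final hop is a bare IP address, not a brand domain")
        verdict = verdict if verdict == "malicious" else "suspicious"
    except ValueError:
        pass  # a hostname, not an IP literal

    allowed = any(final_host == h or final_host.endswith("." + h) for h in ALLOWED_HOSTS)
    if len(chain) > 1 and not allowed:
        reasons.append("redirect leaves the allowlisted domains")
        verdict = verdict if verdict == "malicious" else "suspicious"

    return {"chain": chain, "final_host": final_host, "verdict": verdict, "reasons": reasons}


# Constructed sample links (not taken from the report). The base64 values encode
# "http://185.208.156.46/login" and "https://sendgrid.com/" respectively.
SAMPLE_LINKS = [
    "https://links.example.com/track?u=aHR0cDovLzE4NS4yMDguMTU2LjQ2L2xvZ2lu",
    "https://www.example.com/redirect?url=https%3A%2F%2Flinks.example.com%2F"
    "track%3Fu%3DaHR0cDovLzE4NS4yMDguMTU2LjQ2L2xvZ2lu",
    "https://links.example.com/track?u=aHR0cHM6Ly9zZW5kZ3JpZC5jb20v",
    "https://sendgrid.com/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = classify(link)
        print(result["verdict"], "<-", " -> ".join(result["chain"]))
```

The second sample shows the nesting the article describes: a legitimate-looking open redirect whose destination is itself a tracking link carrying the base64 payload, so a reputation check on the first hop alone sees only allowlisted domains. Unwrapping statically rather than following the redirects keeps the analyst's IP out of the attackers' click tracking.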

This combination of trusted sending infrastructure, legitimate first-hop domains and a convincing clone of the login page significantly increases the likelihood of successful credential theft. Users are advised to be vigilant and to verify any email claiming to be from SendGrid, especially one containing links or asking for credentials: inspect where a link actually leads rather than trusting the visible domain, since a legitimate first hop says nothing about the final page, and reach the SendGrid login by typing the address directly rather than through an emailed link.

Stay safe online, and remember, if it seems too good to be true, it probably is.
