How Scammers Leverage Email Delivery Services like SendGrid and MailChimp in Phishing Attacks

Lately, among the myriad phishing attacks we observe and detect via Cyren Inbox Security, attacks that are distributed via email delivery services (like SendGrid, MailChimp, and MailJet) are increasingly common. 


How attackers take advantage of email delivery platforms’ features:


  • Email magnitude – Email delivery services don’t usually limit the total number of mail recipients. This enables an attacker to send large volumes of targeted emails.

  • Tracking and personalization – Attackers can visualize and measure the impact of sent emails on the targets, enabling them to launch customized spear phishing attacks afterwards.

  • Bypassing email filtering capabilities – Attackers distribute phishing URLs that are hosted on legitimate and trustworthy domains that belong to real email delivery platforms. This makes it almost impossible for Microsoft 365 and SEGs to detect and filter the attacks.


Beware of SendGrid


SendGrid is one of the email delivery services most frequently misused by attackers to distribute phishing links.


A typical phishing URL consists of a legitimate SendGrid domain along with a unique subdomain. Combined with a targeted query string, the link redirects the user directly to the phishing landing page. The use of the ‘sendgrid.net’ domain along with the query string allows phishers to evade existing filtering capabilities and reach the recipients’ mailboxes en masse.



Phishing page example: the URL in the email body, ‘hxxps://u14869500.ct.sendgrid[.]net/ls/click?upn=’, redirects through the query string to a fake Outlook Web App login page at ‘hxxps://dsd-asd-asd.sciuasy98.repl[.]co/’.
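Detection logic for the pattern above, as an added example (not Cyren’s code): it extracts URLs from a message body, recognises the SendGrid `u<id>.ct.sendgrid.net/ls/click?upn=` redirector described in the post, and flags the link when the destination resolved by a URL sandbox lands on a domain outside the impersonated brand’s allowlist. The Microsoft allowlist and the sample lure text are assumptions; the landing URL is the one the post reports.

```python
import re
from urllib.parse import urlsplit, parse_qs

URL_RE = re.compile(r"h(?:xx|tt)ps?://[^\s'\"<>]+")
# SendGrid click-tracking redirector host, as described in the post.
SENDGRID_CLICK = re.compile(r"^u\d+\.ct\.sendgrid\.net$", re.IGNORECASE)
# Domains the impersonated brand (Outlook Web App) would legitimately land on.
# Illustrative allowlist, not taken from the post.
MICROSOFT_DOMAINS = {"microsoft.com", "office.com", "microsoftonline.com",
                     "live.com", "outlook.com"}
# Constructed lure body built around the post's defanged example URL.
SAMPLE_BODY = ("Your mailbox will be deactivated. Review now: "
               "hxxps://u14869500.ct.sendgrid[.]net/ls/click?upn=")

def refang(url: str) -> str:
    """Turn a defanged URL (hxxps, [.]) back into a parseable one."""
    return url.replace("hxxp", "http").replace("[.]", ".")

def extract_urls(body: str) -> list:
    """Pull every URL, defanged or not, out of an email body."""
    return [refang(m.group(0)) for m in URL_RE.finditer(body)]

def is_tracking_redirect(url: str) -> bool:
    """True for a SendGrid /ls/click redirector link carrying a upn token."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    return (bool(SENDGRID_CLICK.match(parts.hostname or ""))
            and parts.path == "/ls/click" and "upn" in query)

def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for this example."""
    return ".".join(host.lower().split(".")[-2:])

def assess_landing(tracking_url: str, landing_url: str, expected: set) -> dict:
    """Decide whether to flag a tracking link once a URL sandbox has resolved
    where the redirect finally lands. The redirector itself sits on a
    reputable domain, so the verdict must rest on the landing domain."""
    landing_dom = registered_domain(urlsplit(landing_url).hostname or "")
    flagged = is_tracking_redirect(tracking_url) and landing_dom not in expected
    return {"tracking_host": urlsplit(tracking_url).hostname,
            "landing_domain": landing_dom, "flagged": flagged}

if __name__ == "__main__":
    for url in extract_urls(SAMPLE_BODY):
        # Landing URL is the one the post reports; in practice it comes from detonation.
        print(assess_landing(url, "https://dsd-asd-asd.sciuasy98.repl.co/",
                             MICROSOFT_DOMAINS))
```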