A new phishing campaign targeting small and medium-sized businesses has been exposed by Kaspersky. The attack leverages the email service provider SendGrid to infiltrate client mailing lists and employs stolen credentials to send out phishing emails, making them appear authentic, thus easily tricking recipients.
Cybercriminals often target mailing lists used by companies to reach their customers, presenting opportunities for spamming, phishing, and other sophisticated scams. Access to legitimate tools for sending bulk emails further enhance the success rates of such attacks. Consequently, attackers frequently attempt to compromise companies' accounts with email service providers (ESPs). In its latest research, Kaspersky has discovered a phishing campaign that refines this attack method by harvesting credentials of the SendGrid ESP by sending phishing emails directly through the ESP itself.
By sending phishing emails directly through the ESP, attackers increase the likelihood of success, capitalising on recipients' trust in communications from familiar sources. The phishing emails appear to originate from SendGrid, expressing concern about security and urging recipients to enable two-factor authentication (2FA) to protect their accounts. However, the provided link redirects users to a fraudulent website mimicking the SendGrid login page, where their credentials are harvested.
To all email scanners, the phishing looks like a perfectly legitimate email sent from SendGrid’s servers with valid links pointing to the SendGrid domain. The only thing that may alert the recipient is the sender’s address. That’s because ESPs put the real customer’s domain and mailing ID there. An important sign of fraud is the phishing site's "sendgreds" domain, which closely resembles the legitimate "sendgrid" at first glance, serving as a subtle yet significant warning sign.
What makes this campaign particularly insidious is that the phishing emails bypass traditional security measures. Since they are sent through a legitimate service and contain no obvious signs of phishing, they may evade detection by automatic filters.
“Using a reliable email service provider is important when it comes to your business’ reputation and safety. However, some sneaky scammers learned how to mimic reliable services – so it is crucial to check the emails that you receive properly, and, for better protection, install a reliable cybersecurity solution,” comments Roman Dedenok, a security expert at Kaspersky.
Most often, phishers make use of hijacked accounts, because ESPs subject new customers to rigorous checks, while old ones who have already fired off some bulk emails are considered reliable.