Fake SendGrid Payment Failure Notification Used in Credential Theft Attempt
In this phishing attack, cybercriminals impersonate SendGrid and send the target a payment failure notification. Using a spoofed sender address with the display name “Sendgrid”, the attackers falsely claim that the recipient’s recent payment to SendGrid was unsuccessful and that their account is now marked for removal. To increase the appearance of legitimacy, the perpetrators convincingly impersonate SendGrid’s branding in the email body. The message instructs the recipient to use the embedded link to resolve the issue. However, should they click the button labeled “Fix Now”, they will be directed to a malicious website that appears to be a SendGrid login portal but is actually a phishing page designed to steal login credentials. By mimicking the tone, branding, and urgency of legitimate SendGrid billing communications, the attacker seeks to exploit trust and pressure recipients into taking immediate action without verifying the authenticity of the message.
Older, legacy email security tools struggle to accurately identify this email as an attack because it originates from a domain with an established history, does not include attachments, and replicates the email footer of a trusted organization. Modern, AI-powered email security solutions flag that the sender name does not match the sender’s domain, recognize the sender is unknown to the recipient, and detect links with suspicious domains to correctly identify the email as an attack.
To protect against these types of attacks, users should avoid clicking on links in unsolicited billing notifications and instead verify payment issues directly by logging into SendGrid through the official website. Educating users on phishing tactics and adopting advanced email security technologies are key to preventing these increasingly deceptive attacks.

Phishing attack disguised as a payment failure email

Phishing page designed to appear as a SendGrid login portal to lure recipients into providing login credentials
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Domain Age: The email originates from a domain that has been active for a long period of time, adding perceived legitimacy to the sender.
- Lack of Attachments: By not including any attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.
- Legitimate-Looking Email Footer: The email includes a footer that closely resembles SendGrid’s, lending an air of legitimacy that can bypass traditional security solutions.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Sender Name and Domain Mismatch: The sender name does not match the sender domain, raising further suspicion during Abnormal’s analysis.
- Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established sender-recipient interaction patterns.
- Suspicious Link Analysis: Abnormal's systems scrutinize links leading to suspicious domains, triggering deeper analysis for possible malicious intent.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.
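As an added example, not code from Abnormal or from the original write-up, the following Python triage reproduces the three indicators above (display name versus sender domain, no prior communication history, links to off-brand hosts) on a constructed sample message. The allowlist of SendGrid domains, the known-sender set and the sample headers are assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains SendGrid legitimately mails from or links to (illustrative allowlist).
BRAND_DOMAINS = {"sendgrid": {"sendgrid.com", "sendgrid.net"}}

def _matches_brand(host: str, allowed: set) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in allowed)

def brand_mismatch(from_header: str):
    """Return the brand named in the display name when the address domain is not that brand's."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in name.lower() and not _matches_brand(domain, allowed):
            return brand
    return None

def suspicious_links(html: str, brand: str) -> list:
    """Hosts of href targets in a brand-themed mail that fall outside that brand's domains."""
    hosts = [urlparse(u).hostname or "" for u in re.findall(r'href="([^"]+)"', html)]
    return [h for h in hosts if not _matches_brand(h, BRAND_DOMAINS[brand])]

def triage(raw_message: str, known_senders: set) -> list:
    """Indicators in the order the write-up lists them; an empty list means none fired."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    indicators = []
    brand = brand_mismatch(msg.get("From", ""))
    if brand:
        indicators.append(f"display name claims {brand} but domain is {addr.rpartition('@')[2]}")
    if addr.lower() not in {s.lower() for s in known_senders}:
        indicators.append("sender has never communicated with the recipient")
    if brand:
        indicators += [f"link to non-{brand} host {h}" for h in suspicious_links(msg.get_payload(), brand)]
    return indicators

# Constructed sample mirroring the campaign: spoofed display name, unrelated established domain,
# no attachment, and a "Fix Now" button pointing off-brand (.test/.example are reserved names).
SAMPLE = """From: Sendgrid <billing@old-marketing-domain.test>
Subject: Payment failure - account scheduled for removal
Content-Type: text/html

<p>Your recent payment to SendGrid was unsuccessful.</p>
<a href="https://sendgrid-billing-portal.example/fix">Fix Now</a>
"""
```

Running `triage(SAMPLE, {"alerts@sendgrid.net"})` yields all three indicators, while a message whose display name, sender domain and links all stay within the allowlist, from an address already in the history, yields none.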
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.