Attack Overview

Step 1: Partner Portal Access Downgrade Notification

The attacker sends a deceptive email impersonating a business platform with urgent access-related messaging.

  • Email claims recipient's access to sensitive business assets has been temporarily revoked due to policy violations.
  • Message references "Partner Portal Access Downgrade" to create urgency and legitimacy.
  • Content lists specific detected activities including sharing sensitive assets and not following least privilege principles.

Step 2: SendGrid Link Wrapper Conceals Destination

The phishing link is concealed using a trusted email service domain to bypass reputation filters.

  • Link is wrapped in ct.sendgrid[.]net domain, commonly used by legitimate SaaS platforms.
  • SendGrid wrapper masks the final destination from link reputation filters and detection systems.
  • Obfuscated link structure allows email to bypass traditional security scanning.

Step 3: Multi-Layer Redirect Through Salesforce Sites

The attack uses Salesforce Sites as an intermediate redirector with additional protection mechanisms before delivering the final phishing page.

  • Intermediate redirector hosted on *.my.salesforce-sites[.]com, a legitimate Salesforce platform feature.
  • JavaScript delays and obscures the final phishing destination to evade analysis.
  • Cloudflare Turnstile verification adds legitimacy while limiting automated link crawling and URL analysis.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for several reasons, including:

  • Phishing link wrapped in trusted ct.sendgrid[.]net domain masks destination and bypasses link reputation filters.
  • Intermediate redirector hosted on legitimate Salesforce Sites platform provides trusted hosting infrastructure.
  • Cloudflare Turnstile verification on the intermediate page limits automated link crawling and URL analysis, making automated detection of the final destination harder.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including:

  • Behavioral AI flags a never-before-seen sender, unusual email content, and unfamiliar URLs as anomalies, enabling detection of a novel attack.
  • Redirect chains and suspicious URL workflows are detected even when every hop sits on clean-appearing infrastructure.
  • Natural language processing identifies the impersonation attempt regardless of how legitimate the link appears.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.
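The redirect-chain detection described above, as an added example that is not Abnormal Security's code: a scoring heuristic over the hops a sandboxed link crawler records (entry URL on a click-tracking wrapper, intermediate hop on a legitimate SaaS host, a Turnstile widget and a JavaScript-delayed redirect on that hop, and a final destination unrelated to the sender's domain). The domain lists, the sample chains and the threshold are assumptions built for the example.

```python
from urllib.parse import urlparse

# Assumed lists (illustrative, not an exhaustive or vendor-maintained set).
LINK_WRAPPERS = {"ct.sendgrid.net"}                      # click-tracking wrappers
ABUSABLE_SAAS_SUFFIXES = (".my.salesforce-sites.com",)   # legitimate hosting often abused
CHALLENGE_MARKER = "challenges.cloudflare.com/turnstile" # Turnstile widget script URL


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def related_to(host, sender_domain):
    return host == sender_domain or host.endswith("." + sender_domain)


def score_redirect_chain(hops, sender_domain):
    """hops: ordered list of (url, page_body) as a sandboxed crawler records them.
    Returns (score, reasons); a higher score means the chain looks more like a phishing funnel."""
    hosts = [host_of(url) for url, _ in hops]
    score, reasons = 0, []
    if hosts and hosts[0] in LINK_WRAPPERS:
        score += 1; reasons.append("entry URL wrapped by a click-tracking service")
    if any(h.endswith(ABUSABLE_SAAS_SUFFIXES) for h in hosts[1:-1]):
        score += 2; reasons.append("intermediate redirector on a legitimate SaaS host")
    if any(CHALLENGE_MARKER in body for _, body in hops):
        score += 1; reasons.append("bot challenge gates the page, blocking crawlers")
    if any("setTimeout(" in body and "location" in body for _, body in hops):
        score += 1; reasons.append("JavaScript-delayed redirect hides the destination")
    if hosts and not related_to(hosts[-1], sender_domain):
        score += 2; reasons.append("final destination unrelated to the sender's domain")
    return score, reasons


def is_suspicious(hops, sender_domain, threshold=4):
    return score_redirect_chain(hops, sender_domain)[0] >= threshold


# Constructed sample chains: placeholder domains, not observed indicators.
PHISH_CHAIN = [
    ("https://ct.sendgrid.net/ls/click?upn=PLACEHOLDER", ""),
    ("https://partner-portal.my.salesforce-sites.com/access",
     '<script src="https://challenges.cloudflare.com/turnstile/v0/api.js"></script>'
     '<script>setTimeout(function(){location.href="https://portal-login.example/"},3000)</script>'),
    ("https://portal-login.example/", "<form>password</form>"),
]
BENIGN_CHAIN = [
    ("https://ct.sendgrid.net/ls/click?upn=PLACEHOLDER", ""),
    ("https://news.vendor.example/unsubscribe", "<html>Manage preferences</html>"),
]
```

With the sample data, the phishing chain scores 7 and the benign newsletter chain scores 1, so only the first crosses the threshold.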

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Type: Credential Phishing

Vector: Link-based

Goal: Credential Theft

Tactic: Obfuscated Email Content; Legitimate Hosting Infrastructure; Captcha-Protected Phishing Page

Theme: Suspended Account

Impersonated Party: External Party - Other
