SendGrid Amazon SES compromise leads to phishing email

Email services provider SendGrid has had its service hit by a phishing spoof due to a compromised Amazon SES account.

According to security firm MailGuard, the email purports to come from the 'Sendgrid Renewal Team', using its branding, images and support links.

However, according to MailGuard, the domain used in the email address provided in the “from” field doesn’t belong to SendGrid and comes from a compromised Amazon SES account.

The email informs recipients that their services have “failed to auto-renew and are about to expire”. To rectify the issue, recipients are advised to update their billing information via a link.

Users who click on the link are led to a page that instantly redirects them, then leads them to a legitimate-looking copy of the SendGrid login page, which is a phishing page hosted on a compromised website

If the unsuspecting user submits their credentials, the attacker can harvest them for later use, and the user is then redirected to the actual SendGrid login page.

"Many companies use SendGrid to communicate with their customers via email, or else pay marketing firms to do that on their behalf using SendGrid’s systems," MailGuard said in a blog post.

"Receiving an email informing them that their services are “about to expire” is therefore likely to be alarming among companies. They may want to take immediate action in order to minimise disruptions to email communications with their customers. Cybercriminals hope that in their urgency to rectify the issue, users don’t pause to check for the legitimacy of the email and click on the phishing link."

Although the email has elements such as branding and imagery, MailGuard pointed out that the inaccurate spelling of SendGrid in the email's display name — 'Sendgrid' — and the fact that the email's sender address doesn't use a domain belonging to the company are red flags.