Blocking SendGrid email traffic isn't a realistic option for most businesses hit by a barrage of phishing attacks emanating from compromised accounts at the Twilio-owned email service provider in recent months.
Instead, Agari leverages a strategic data modeling approach to neutralize the threat while enabling legitimate SendGrid-distributed emails to safely reach employee inboxes. More on that in a moment. But first, let's look at the challenge–and why it's causing heartburn for thousands of businesses around the world.
SendGrid is a popular cloud-based platform that businesses use to send 70 billion transactional emails per month–shipping notifications, sign-up confirmations, password resets, email newsletters, nurture tracks, and other automated or campaign-based messages. Customers include Uber, Spotify, Airbnb, and more.
In addition to removing the need to manage servers, SendGrid provides the digital signatures, DMARC authentication, that other companies use to validate that incoming emails have been authorized by SendGrid customers. As a result, the company touts an average 95% deliverability rate.
There's just one problem. Over the last few months, Agari has seen a rising number of phishing attacks originating from SendGrid infrastructure. And on August 28, KrebsonSecurity.com reported that an unusually large number of SendGrid customer accounts had been hijacked and used to distribute a massive number of phishing and malware attacks.
That spells big trouble for companies that count on SendGrid to send email messages, of course. But it's even worse for those that receive them.
Phishing from Trusted Waters
According to Krebs and other sources, a large number of SendGrid customer passwords are for sale on the dark web, with one individual using the handle "Kromatix" offering over 400 compromised SendGrid user accounts.
At this point, it's unclear whether individual SendGrid logins have been phished in credentials harvesting scams, or if SendGrid itself has been hacked. Whatever the case, it's a major problem. Regular, run-of-the-mill account takeover (ATO)-based email attacks are notoriously difficult to detect and block on their own. This could be even more challenging.
As Kromatix puts it, "I have a large supply of cracked SendGrid accounts that can be used to generate an API key which you can then plug into your mailer of choice and send massive amounts of emails with ensured delivery."
What's more, Krebs points out that links included in emails sent through SendGrid are obfuscated for tracking deliverability, among other things, meaning it's not at all clear what sites embedded links will bring recipients who click through.
SendGrid Mitigation: Making a Molehill Out of a Mountain
Simply blocking SendGrid-distributed emails isn't an option for most companies because of the nature of many transactional emails. But for many organizations, ferreting out just the malicious emails sent through SendGrid can be just as unrealistic.
"Trying to filter out bad emails coming from a major email provider that so many legitimate companies rely on can be dicey business," Krebs writes. "If you filter the emails too aggressively, you end up with an unacceptable number of 'false positives"–including what may be important, legitimate emails that get unnecessarily flagged or blocked.
But there are ways to do it right. Agari Phishing Defense, for instance, has always been capable of detecting phishing attacks, business email compromise (BEC) emails, and other advanced email threats, whether from lookalike domains or compromised accounts sending emails from SendGrid or any other infrastructure.
In order to further ratchet up protection in this unprecedented circumstance, we’ve recently implemented additional SendGrid mitigation steps:
- Reduced authenticity scores for SendGrid messages sent from low-reputation IP addresses
Domain reputation and authenticity heuristics were implemented for messages sent from SendGrid IPs with low reputations, increasing the risk score for emails based on originating IP address.
- First-time domains required to earn trust
New domains sending for the first time using SendGrid infrastructure are tagged as untrusted, automatically lowering their trust scores.
The $700 Million Per Month Problem
Agari continues to identify additional opportunities to minimize threats from SendGrid's infrastructure. And reports indicate SendGrid is implementing additional security precautions to help thwart hackers seeking to distribute fraudulent emails sent through its system.
I'm biased, of course, but in a world where phishing and other advanced email threats lead to $700 million in business losses each month, I believe businesses also need identity-based protections that can shut down attacks no matter the source, and identify and remove latent threats that do make it past first-line defenses.
In my view, the SendGrid situation is just the latest in an ever-growing list of reasons why.