Email Security Blog

Phishing: How to Protect Against Email Attacks Sent from Compromised SendGrid Accounts

Art Chavez September 28, 2020 Phishing

Blocking SendGrid email traffic isn’t a realistic option for most businesses hit by a barrage of phishing attacks emanating from compromised accounts at the Twilio-owned email service provider in recent months.

Instead, Agari leverages a strategic data modeling approach to neutralize the threat while enabling legitimate SendGrid-distributed emails to safely reach employee inboxes. More on that in a moment. But first, let’s look at the challenge–and why it’s causing heartburn for thousands of businesses around the world.

SendGrid is a popular cloud-based platform that businesses use to send 70 billion transactional emails per month–shipping notifications, sign-up confirmations, password resets, email newsletters, nurture tracks, and other automated or campaign-based messages. Customers include Uber, Spotify, Airbnb, and more.

In addition to removing the need to manage servers, SendGrid provides the digital signatures and DMARC authentication that receiving organizations use to validate that incoming emails have been authorized by SendGrid customers. As a result, the company touts an average 95% deliverability rate.

There’s just one problem. Over the last few months, Agari has seen a rising number of phishing attacks originating from SendGrid infrastructure. And on August 28, Krebs reported that an unusually large number of SendGrid customer accounts had been hijacked and used to distribute a massive number of phishing and malware attacks.

That spells big trouble for companies that count on SendGrid to send email messages, of course. But it’s even worse for those that receive them.

Phishing from Trusted Waters

According to Krebs and other sources, a large number of SendGrid customer passwords are for sale on the dark web, with one individual using the handle “Kromatix” offering over 400 compromised SendGrid user accounts.

At this point, it’s unclear whether individual SendGrid logins have been phished in credentials harvesting scams, or if SendGrid itself has been hacked. Whatever the case, it’s a major problem. Regular, run-of-the-mill account takeover (ATO)-based email attacks are notoriously difficult to detect and block on their own. This could be even more challenging.

As Kromatix puts it, “I have a large supply of cracked SendGrid accounts that can be used to generate an API key which you can then plug into your mailer of choice and send massive amounts of emails with ensured delivery.”

What’s more, Krebs points out that links included in emails sent through SendGrid are rewritten for click tracking, among other things, meaning it’s not at all clear which sites an embedded link will take recipients to when they click through.

SendGrid Mitigation: Making a Molehill Out of a Mountain

Simply blocking SendGrid-distributed emails isn’t an option for most companies because of the nature of many transactional emails. But for many organizations, ferreting out just the malicious emails sent through SendGrid can be just as unrealistic.

“Trying to filter out bad emails coming from a major email provider that so many legitimate companies rely on can be dicey business,” Krebs writes. “If you filter the emails too aggressively, you end up with an unacceptable number of ‘false positives’–including what may be important, legitimate emails that get unnecessarily flagged or blocked.”

But there are ways to do it right. Agari Phishing Defense™, for instance, has always been capable of detecting phishing attacks, business email compromise (BEC) emails, and other advanced email threats, whether from lookalike domains or compromised accounts sending emails from SendGrid or any other infrastructure.

In order to further ratchet up protection in this unprecedented circumstance, we’ve recently implemented additional SendGrid mitigation steps:

  1. Reduced authenticity scores for SendGrid messages sent from low-reputation IP addresses

    Domain reputation and authenticity heuristics were implemented for messages sent from SendGrid IPs with low reputations, increasing the risk score for emails based on originating IP address.

  2. First-time domains required to earn trust

    New domains sending for the first time using SendGrid infrastructure are tagged as untrusted, automatically lowering their trust scores.
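The two mitigation steps above are scoring heuristics layered on top of existing classification. The following is an added example (not Agari’s code) of how a receiving mail gateway could model them: it walks a message’s Received chain to see whether it was relayed through sendgrid.net, penalizes the authenticity score when the relay IP falls in a low-reputation range, and keeps per-domain history so a domain seen for the first time through the relay has to accumulate clean deliveries before the “untrusted” penalty is lifted. The reputation list (TEST-NET ranges), penalty weights, the three-delivery trust threshold, and the sample messages are all constructed assumptions for illustration.

```python
"""Risk-scoring heuristics for mail relayed through a shared email service provider.

Added example, not Agari's code. Models the two mitigation steps from the post:
  1. lower authenticity for messages relayed from low-reputation ESP IPs;
  2. make domains seen for the first time through the ESP earn trust.
Reputation data, thresholds, and sample messages are constructed.
"""
import ipaddress
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed reputation list: TEST-NET-2 stands in for a real low-reputation feed.
LOW_REPUTATION_NETS = [ipaddress.ip_network("198.51.100.0/24")]

ESP_HOSTNAME = "sendgrid.net"  # relay hostname the extra heuristics apply to
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_info(msg: Message):
    """Return (via_esp, origin_ip) from the Received chain.

    Received headers are read top-down (most recent hop first); the first hop
    that names the ESP is reported together with the IP it presented."""
    for hop in msg.get_all("Received", []):
        if ESP_HOSTNAME in hop:
            m = IP_IN_BRACKETS.search(hop)
            return True, (m.group(1) if m else None)
    return False, None


def parse_relay(raw: str):
    """Convenience wrapper: relay_info on a raw RFC 5322 message string."""
    return relay_info(message_from_string(raw))


def sender_domain(msg: Message) -> str:
    """Domain of the From: address, lower-cased; empty string if unparsable."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def ip_has_low_reputation(ip) -> bool:
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOW_REPUTATION_NETS)


class TrustScorer:
    """Authenticity scorer with per-domain memory so new senders earn trust."""

    BASE = 100
    LOW_REP_PENALTY = 40     # assumption: weight for a low-reputation relay IP
    FIRST_SEEN_PENALTY = 30  # assumption: weight while a domain is still untrusted
    TRUSTED_AFTER = 3        # assumption: clean deliveries before the penalty lifts

    def __init__(self):
        self.clean_deliveries = {}  # domain -> count of clean messages seen via the ESP

    def score(self, raw: str):
        """Return (score, reasons) for one raw message; lower score = higher risk."""
        msg = message_from_string(raw)
        via_esp, ip = relay_info(msg)
        domain = sender_domain(msg)
        score, reasons = self.BASE, []
        if not via_esp:
            return score, reasons  # ESP-specific heuristics only apply to relayed mail
        low_rep = ip_has_low_reputation(ip)
        if low_rep:
            score -= self.LOW_REP_PENALTY
            reasons.append(f"low-reputation relay IP {ip}")
        if self.clean_deliveries.get(domain, 0) < self.TRUSTED_AFTER:
            score -= self.FIRST_SEEN_PENALTY
            reasons.append(f"domain {domain} has not yet earned trust")
        if not low_rep:  # only clean deliveries count toward earning trust
            self.clean_deliveries[domain] = self.clean_deliveries.get(domain, 0) + 1
        return score, reasons


# Constructed sample messages (TEST-NET addresses, example domains).
SAMPLE_NEW_DOMAIN = """\
Received: from o1.relay.sendgrid.net (o1.relay.sendgrid.net [192.0.2.10])
\tby mx.example.org with ESMTPS; Mon, 28 Sep 2020 10:00:00 +0000
From: Billing <billing@newvendor.example>
Subject: Invoice 1234

body
"""

SAMPLE_LOW_REP = """\
Received: from o2.relay.sendgrid.net (o2.relay.sendgrid.net [198.51.100.7])
\tby mx.example.org with ESMTPS; Mon, 28 Sep 2020 10:05:00 +0000
From: Support <support@othervendor.example>
Subject: Password reset

body
"""

SAMPLE_DIRECT = """\
Received: from mail.partner.example (mail.partner.example [192.0.2.50])
\tby mx.example.org with ESMTPS; Mon, 28 Sep 2020 10:10:00 +0000
From: Alice <alice@partner.example>
Subject: Hello

body
"""

if __name__ == "__main__":
    scorer = TrustScorer()
    for raw in (SAMPLE_NEW_DOMAIN, SAMPLE_LOW_REP, SAMPLE_DIRECT):
        print(scorer.score(raw))
```

Because the scorer only lowers a score rather than blocking outright, legitimate transactional mail from an established domain keeps its full authenticity even when it shares SendGrid infrastructure with compromised accounts; the penalties are meant to feed a larger classifier, not to act as a standalone verdict.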

The $700 Million Per Month Problem

Agari continues to identify additional opportunities to minimize threats from SendGrid’s infrastructure. And reports indicate SendGrid is implementing additional security precautions to help thwart hackers seeking to distribute fraudulent emails sent through its system.

I’m biased, of course, but in a world where phishing and other advanced email threats lead to $700 million in business losses each month, I believe businesses also need identity-based protections that can shut down attacks no matter the source, and identify and remove latent threats that do make it past first-line defenses.

In my view, the SendGrid situation is just the latest in an ever-growing list of reasons why.

To learn more, read “The Total Economic Impact of Agari Phishing Defense™” from Forrester.
