{
	"id": "a51d33a5-7606-401b-b9d9-21dce77a56a8",
	"created_at": "2026-04-06T00:14:17.819332Z",
	"updated_at": "2026-04-10T13:12:54.753609Z",
	"deleted_at": null,
	"sha1_hash": "d4162e4515f7ae98913d5b7624ab6080a6536571",
	"title": "Phishception – SendGrid is abused to host phishing attacks impersonating itself",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 427079,
	"plain_text": "Phishception – SendGrid is abused to host phishing attacks\r\nimpersonating itself\r\nPublished: 2024-02-07 · Archived: 2026-04-05 21:07:22 UTC\r\nNetcraft has recently observed that criminals abused SendGrid’s services to launch a phishing campaign\r\nimpersonating SendGrid itself. The well-known provider, now owned by Twilio, makes sending emails at scale\r\nsimple and flexible. In addition to scale, the promise of high deliverability and feature-rich tools make SendGrid a\r\nsought-after service for legitimate businesses and a likely target for criminals.\r\nThe campaign observed uses a variety of complex lures, such as claiming the victim’s account has been suspended\r\nwhile its sending practices are reviewed or that the victim’s account is marked for removal due to a recent\r\npayment failure, combined with other SendGrid features to mask the actual destination of any malicious links.\r\nScreenshot of one of the phishing emails seen by Netcraft in the campaign.\r\nThe criminals behind the campaign used SendGrid’s click-tracking feature, with the malicious link masked behind\r\na tracking link hosted by SendGrid. As the actual destination link is encoded in a URL parameter, even technically\r\nsavvy recipients cannot determine its destination without following it.\r\nExamining the email headers reveals that the phishing emails are sent using SendGrid’s infrastructure:\r\nSendGrid advertises an “industry-leading 99% delivery rate”. With even legitimate companies sometimes\r\nstruggling to deliver emails to users’ inboxes successfully, it is easy to see how using SendGrid for phishing\r\ncampaigns is attractive to criminals.\r\nhttps://www.netcraft.com/blog/popular-email-platform-used-to-impersonate-itself/\r\nPage 1 of 6\r\nOne giveaway indicates that the emails are not legitimate: while the campaign uses SendGrid’s email servers, the\r\n“From:” addresses do not use SendGrid’s domain name. Instead, the emails are sent from a variety of unrelated\r\ndomain names. All the domain names appear to be other SendGrid customers, suggesting criminals use\r\ncompromised SendGrid accounts rather than registering their own.\r\nNetcraft has identified at least nine companies whose accounts have been used in the campaign. These companies\r\nspan a range of industries, including cloud hosting, energy, healthcare, education, property, recruitment, and\r\npublishing.\r\nThe use of compromised SendGrid accounts explains why SendGrid is targeted by the phishing campaign: the\r\ncriminals can use the compromised accounts to compromise further SendGrid accounts in a cycle, providing them\r\nwith a steady supply of fresh SendGrid accounts.\r\nA compromised SendGrid account could also be used to send phishing emails impersonating the compromised\r\ncompany. Companies often authorize SendGrid to send emails on their behalf from their domain name, using SPF\r\nand DKIM policies. The phishing emails would, therefore, pass the checks and appear authentic.\r\nAfter clicking the tracking link in the email, victims are redirected to JSPen. This code editor allows pages to be\r\nstored entirely within the URL fragment – everything after the hash (#) character:\r\nThe attack is more challenging to detect and block as the URL fragment is not sent to the server and is only used\r\nwithin the victim’s browser. The operator of the JSPen service might not know it is being abused for malicious\r\npurposes.\r\nDecoding the URL fragment reveals a single\r\nCloud services like Azure are attractive to fraudsters due to the availability of free tiers and credits. While Azure\r\nFront Door is not included in Azure’s free tier, Azure does provide new customers with a $200 credit, which can\r\nbe spent on any Azure service.\r\nThe JavaScript file is heavily obfuscated, with variables and functions given meaningless names and all\r\nwhitespace removed:\r\nScreenshot of part of the obfuscated JavaScript file.\r\nDe-obfuscating the file reveals that the contents of the phishing site are stored within an AES-encrypted string,\r\nwhich is decrypted and written to the web page at runtime. Criminals employ these techniques to make it harder\r\nfor human analysts and automated systems to determine whether a script is malicious.\r\nScreenshot of the partially de-obfuscated AES decryption code. The phishing site relies on a CDN-hosted copy of\r\nthe CryptoJS library to provide the AES decryption routine.\r\nThe phishing site itself is a convincing replica of the actual SendGrid login page:\r\nFake SendGrid login page.\r\nLegitimate SendGrid login page.\r\nAfter entering some credentials, the phishing site queries SendGrid’s API to verify whether the username and\r\npassword are correct:\r\nSometimes, a trick to detect simple phishing attempts is to enter an invalid username or password. As simpler\r\nphishing sites naively accept any credentials, the lack of an error message reveals the site is fake. However,\r\ncleverer phishing sites like this one appear authentic, rejecting invalid login attempts and asking the user to try again.\r\nBoth JSPen and Azure Front Door only allow users to host static files. The phishing site delivers the stolen\r\ncredentials to a separate drop site – pnp-api[.]com – using AJAX:\r\nWe first saw pnp-api[.]com in our November 2023 survey. Its home page is the default page of the Laravel PHP\r\nframework. Its age and lack of content mean it is likely that the drop site was purpose-registered by the criminals,\r\nrather than being a compromised site.\r\npnp-api[.]com was registered at Wild West Domains, a subsidiary of GoDaddy. Measuring ping times from\r\nvarious monitoring locations confirms that Aurologic hosts it in a data center in Frankfurt, Germany.\r\nAfter the victim enters a valid username and password, the phishing site uses SendGrid’s API to request that a\r\ntwo-factor authentication code be sent to the victim’s phone. Then, it displays a copy of SendGrid’s two-factor\r\nauthentication form:\r\nScreenshot of the phishing site’s two-factor authentication form.\r\nThe phishing site also verifies with SendGrid’s API that the two-factor authentication code entered by the victim\r\nis correct, and prompts the victim to try again if it is incorrect.\r\nAfter the victim enters the correct code, the phishing site makes another request to the drop site. However, it does\r\nnot send the two-factor code to the drop site. Instead, it sends the session token provided by the SendGrid API,\r\ngiving the criminals more time to take over victims’ accounts: while a two-factor authentication code might only\r\nbe valid for a few minutes, the session token is valid for much longer.\r\nFinally, the victim is redirected to SendGrid’s official website, possibly not realizing that their account has been\r\ncompromised.\r\nAt the time of writing, JSPen and the malicious JavaScript file hosted on Azure are no longer available.\r\nNetcraft’s position at the epicenter of the battle against cybercrime allows us to rapidly identify, monitor and react\r\nto new phishing campaigns. Consumers can use Netcraft’s browser extension and apps to protect themselves from\r\nphishing attacks and other threats. Organizations targeted by phishing can leverage our digital risk protection\r\nservices to ensure that malicious content is blocked and removed quickly and efficiently through our disruption\r\nand takedown platform. Contact us to learn more.\r\nNetcraft researchers contacted SendGrid on February 1 through their abuse reporting mechanisms to inform them\r\nof this attack and subsequent research.\r\nSource: https://www.netcraft.com/blog/popular-email-platform-used-to-impersonate-itself/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.netcraft.com/blog/popular-email-platform-used-to-impersonate-itself/"
	],
	"report_names": [
		"popular-email-platform-used-to-impersonate-itself"
	],
	"threat_actors": [],
	"ts_created_at": 1775434457,
	"ts_updated_at": 1775826774,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d4162e4515f7ae98913d5b7624ab6080a6536571.pdf",
		"text": "https://archive.orkl.eu/d4162e4515f7ae98913d5b7624ab6080a6536571.txt",
		"img": "https://archive.orkl.eu/d4162e4515f7ae98913d5b7624ab6080a6536571.jpg"
	}
}