Cybersecurity researchers at the Cofense Phishing Defense Center (PDC) have uncovered a fresh surge in credential harvesting attacks that leverage the reputable cloud-based email service SendGrid to distribute phishing emails.
Attackers are exploiting SendGrid’s trusted status, commonly used for transactional and marketing communications, to craft messages that evade standard email security gateways.
By spoofing sender addresses and mimicking legitimate SendGrid notifications, these threat actors deliver phishing payloads disguised as authentic alerts, significantly increasing their success rate in compromising user credentials.
Sophisticated Phishing Campaign
The campaign deploys three distinct email themes, each engineered to exploit psychological triggers like urgency, curiosity, and greed.
The first variant features a subject line warning of a “New Login Location,” complete with polished branding, correctly sized logos, and a fabricated suspicious login attempt from a bogus IP address and location.
It reassures recipients with phrases like “If this was you, no further action is needed,” subtly lowering defenses before prompting clicks on a malicious link labeled “access by clicking this link.”
This link, embedded in an open redirect mechanism, funnels users to a counterfeit SendGrid login portal designed for credential theft.
Building on similar spoofing techniques, the second email entices victims with promises of a free upgrade to an “Elite Tier” featuring premium benefits, capitalizing on the allure of exclusive perks.
The body culminates in an “Activate Elite Tier Benefits” prompt containing the harmful link, which again exploits open redirects to mask the phishing site’s true nature.
The third theme escalates panic by claiming an unauthorized change to the user’s phone number, urging immediate action via an “Access Account Settings” link that redirects to the same credential-harvesting domain.
Exploitation of Open Redirects
At the core of this attack chain are abused open redirect vulnerabilities, such as those observed in domains like url6849[.]destinpropertyexpert[.]com/ls/click?, which accept arbitrary URLs as parameters and redirect accordingly.
This tactic cloaks malicious destinations behind trusted domains, bypassing detection and security controls while disguising traffic as legitimate.
Victims clicking these links land on phishing pages, such as hXXps://loginportalsg[.]com, that meticulously replicate SendGrid’s interface but operate under attacker-controlled domains.
Key red flags include non-official URLs, which users must scrutinize before entering credentials.
These phishing emails demonstrate advanced social engineering, combining email alias spoofing, thematic variation, and emotional manipulation to harvest sensitive information.
According to the report, The PDC emphasizes that such campaigns heighten risks of data breaches, reputational damage, and operational disruptions for businesses.
To mitigate, organizations should implement robust email filtering, user awareness training on verifying URLs, and multi-factor authentication. Scheduling a demo with Cofense can provide deeper insights into real-world threat detection and defense strategies.
Indicators of Compromise (IOCs)
| Stage | Type | Details |
|---|---|---|
| Stage 1 | Infection URLs | hXXp://url1390[.]hilllogistics[.]com/ls/click?… (IP: 69.7.174.162) hXXp://url6849[.]destinpropertyexpert[.]com/ls/click?… (IPs: 104.21.85.103, 172.67.204.116) hXXps://u42632394[.]ct[.]sendgrid[.]net/ls/click?… (IPs: 3.220.122.174, 54.158.174.185, 3.231.179.208, 3.20.87.51, 3.20.194.73, 18.224.219.179) |
| Stage 2 | Payload URLs | hXXps://loginportalsg[.]com/ (IP: 185.208.156.46) hXXps://sendgrid[.]aws-us5[.]com/ (IP: 185.208.156.46) |
Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates!
Source link
