Cybercriminals Exploit SendGrid to Steal User Credentials in Latest Campaign

A newly observed phishing campaign by Cofense’s Phishing Defense Center (PDC) demonstrates how cybercriminals are exploiting the reputable SendGrid email platform to deliver credential harvesting attacks at scale.

By leveraging SendGrid, trusted for transactional and marketing communications, attackers achieve high delivery rates and evade standard security gateways.

This campaign creatively employs multiple email themes, each designed to foster trust and urgency, thereby increasing the chance of user compromise.

Sophisticated Phishing Leverages Legitimate Infrastructure

The attack stands out for its professional email appearance, accurate branding, and use of spoofed sender addresses to impersonate SendGrid.

All three email variants feature urgent subject lines, such as “New Login Location” to incite curiosity or concern, “Elite Tier Promotion” to entice users with perks, and “Phone Number Changed” to panic recipients into taking immediate action.

[Figure: Email body]

The emails contain reassuring messaging, such as “no further action is needed if this was you,” to lower recipients’ guard before directing them to malicious links.

Multi-Themed Tactics and Open Redirect Abuse

The first attack vector impersonates a new login alert, describing a fictitious access attempt from a specific IP address and location. Subtle social engineering techniques are employed through a tone of reassurance and an urgent call-to-action, prompting users to “access by clicking this link.”

The second email manipulates emotional triggers by offering users a “free Elite Tier” upgrade, also embedding a malicious link via the prompt “Activate Elite Tier Benefits.”

The third variant falsely notifies users of a supposed change to their account phone number, pushing them to click an “Access Account Settings” link urgently.

A critical technical enabler underlying all variants is the abuse of open redirect URLs, particularly those like url6849.destinpropertyexpert[.]com/ls/click? that allow attackers to append arbitrary destinations.

This enables phishing emails to disguise their true intentions by appearing to relay through trusted domains, circumventing both user scrutiny and automated filtering controls.

Upon link activation, victims are redirected through these open redirectors to phishing pages that closely replicate genuine SendGrid login portals.

[Figure: Phishing page]

Notably, these spoof sites (e.g., loginportalsg[.]com, sendgrid.aws-us5[.]com) are visually polished and difficult to distinguish from legitimate pages. However, the domains themselves are not part of SendGrid’s official web infrastructure, and vigilance in checking URLs is crucial.
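The two checks the article calls for, unwrapping an open-redirect link to see where it really lands and testing that landing host against SendGrid’s own domains, can be automated for mail triage. The following is an added example, not code from Cofense or the campaign write-up; the domains are the ones reported above, while the `dest` parameter name, the `sendgrid.com` allowlist and the sample links are constructed assumptions.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Assumed allowlist of hosts a genuine SendGrid login link may end on.
OFFICIAL_SENDGRID_HOSTS = ("sendgrid.com",)


def refang(text: str) -> str:
    """Turn defanged indicators (hXXps://, [.]) back into parseable URLs."""
    return text.replace("hXXp", "http").replace("[.]", ".")


def is_official(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_SENDGRID_HOSTS)


def unwrap_redirect(url: str, max_hops: int = 5) -> str:
    """Peel off redirector layers by looking for an http(s) URL inside any
    query-parameter value. Purely offline: nothing is fetched."""
    current = url
    for _ in range(max_hops):
        params = parse_qs(urlparse(current).query, keep_blank_values=True)
        embedded = next(
            (unquote(v) for vals in params.values() for v in vals
             if unquote(v).lower().startswith(("http://", "https://"))),
            None,
        )
        if embedded is None:
            break  # no further URL embedded: this is the landing page
        current = embedded
    return current


def classify_link(raw: str) -> dict:
    """Report where a (possibly defanged) link lands and whether that host
    impersonates SendGrid or was reached through a redirector."""
    url = refang(raw)
    landing = unwrap_redirect(url)
    host = (urlparse(landing).hostname or "").lower()
    official = is_official(host)
    via_redirector = landing != url
    lookalike = "sendgrid" in host and not official  # brand in a foreign domain
    if official:
        verdict = "official"
    elif lookalike or via_redirector:
        verdict = "suspicious"
    else:
        verdict = "review"
    return {"landing_host": host, "via_redirector": via_redirector,
            "lookalike": lookalike, "verdict": verdict}
```

Run `classify_link` over every link extracted from a suspect message; anything landing off the allowlist after passing through a click-tracking host is the pattern this campaign relies on.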

Defense Recommendations and Observed Attack Infrastructure

Cofense’s monitoring highlights how layered deception, brand impersonation, and infrastructure abuse converge in modern phishing.

Infection-stage servers include url1390.hilllogistics[.]com, url6849.destinpropertyexpert[.]com, and file drops on loginportalsg[.]com and sendgrid.aws-us5[.]com, spanning multiple IP addresses for redundancy and evasion.

Security professionals are urged to update blocklists to include these domains/IPs and raise user awareness regarding the campaign’s tactics.

Emphasis should also be placed on identifying open redirect weaknesses within legitimate email service infrastructure, as such flaws amplify both the success and scale of credential harvesting operations.

Continued vigilance and real-time intelligence from platforms like the Cofense PDC remain essential in defending against these emergent, high-fidelity threats.

Stage 2 – Observed Payload URL(s)        Payload IP(s):
hXXps://loginportalsg[.]com/             185.208.156.46
hXXps://sendgrid[.]aws-us5[.]com/        185.208.156.46

The post Cybercriminals Exploit SendGrid to Steal User Credentials in Latest Campaign appeared first on Cyber Security News.
