How Scammers Leverage Email Delivery Services like SendGrid and MailChimp in Phishing Attacks

Lately, among the myriad phishing attacks we observe and detect via Cyren Inbox Security, attacks that are distributed via email delivery services (like SendGrid, MailChimp, and MailJet) are increasingly common. 

How attackers take advantage of email delivery platforms’ features:

  1. Email magnitude – Email delivery services don’t usually limit the total number of mail recipients. This enables an attacker to send large volumes of targeted emails.
  2. Tracking and personalization – Attackers can visualize and measure the impact of sent emails on the targets, enabling them to launch customized spear phishing attacks afterwards.
  3. Bypassing email filtering capabilities – Attackers distribute phishing URLs that are hosted on legitimate and trustworthy domains belonging to real email delivery platforms. This makes it almost impossible for Microsoft 365 and secure email gateways (SEGs) to detect and filter the attacks.


Beware of SendGrid

SendGrid is one of the email delivery services most frequently misused by attackers to distribute phishing links.  

A typical phishing URL consists of a legitimate SendGrid domain together with a unique subdomain; the query string carries a tracking token, and following it redirects the user straight to the phishing landing page. Because the link sits on the ‘sendgrid.net’ domain, the query string lets phishers evade existing filtering capabilities and reach recipients’ mailboxes en masse.

Phishing page example: the URL in the email body, ‘hxxps://u14869500.ct.sendgrid[.]net/ls/click?upn=’, redirects through its query string to a fake Outlook Web App login page at ‘hxxps://dsd-asd-asd.sciuasy98.repl[.]co/’.

Between July and August 2020, the number of phishing attacks sent through the SendGrid email delivery service doubled. Today, SendGrid phishing attacks represent 10% of overall phishing attempts.

However, SendGrid is not the only mail delivery solution used by phishers. Cyren Inbox Security also detected the same phishing pattern distributed via Mailjet.

The structure of the phishing URL is almost the same:  a random subdomain and unique path hosted on the official ‘mailjet.com’ domain make the phishing link highly evasive. 

Phishing page example: the URL in the email body, ‘hxxp://xioo1.r.mailjet[.]com/lnk/AU4AAAfJE_AAAAAAAAAAAAQDRD0AAAAAof8AAAAAABTBagBfIalBY0Gf9aKgRk-JnDPhs5US0AAUlUQ/1/TfMa8721bZVD_0s8AxyZcQ/aHR0cHM6Ly93d3cuYmluYmFzcy5jb20vc3VmZi5odG1s# - o365’, redirected to a scam Instagram support page at ‘hxxps://instagramtechsupport[.]com/help/copyright.php’.
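The SendGrid and Mailjet examples above share one shape: a click-tracking redirector on the delivery service’s own domain, with the real destination either hidden behind an opaque token (SendGrid’s `upn=` parameter) or carried as a base64url path segment (the Mailjet link). The following Python is an added example, not Cyren’s code and not part of the original post. It classifies URLs against those two patterns, recovers any base64url-encoded destination it can, and follows the redirect chain through a caller-supplied fetch function so the crawl can run in a sandbox. The redirector table, the sample URLs and the fake redirect responses are constructed assumptions; the only facts taken from the post are the `sendgrid.net` `/ls/click` and `mailjet.com` `/lnk/` patterns.

```python
import base64
import re
from urllib.parse import parse_qs, urlparse

# Click-tracking redirectors run by email delivery services, keyed by the
# service's registrable domain and the path prefixes its tracking links use.
# The two entries are the patterns visible in the post; treating the table as
# complete is an assumption, and a real deployment keeps it under review.
TRACKING_REDIRECTORS = {
    "sendgrid.net": ("/ls/click",),
    "mailjet.com": ("/lnk/",),
}


def host_under(host: str, suffix: str) -> bool:
    """True when host is suffix itself or a subdomain of it."""
    return host == suffix or host.endswith("." + suffix)


def decode_embedded_urls(path: str) -> list:
    """Return http(s) URLs that appear base64url-encoded as path segments.
    Mailjet-style links carry the destination this way; opaque segments that
    do not decode to ASCII text starting with a scheme are skipped."""
    found = []
    for segment in path.split("/"):
        if len(segment) < 16 or not re.fullmatch(r"[A-Za-z0-9_\-]+", segment):
            continue
        padded = segment + "=" * (-len(segment) % 4)  # restore stripped padding
        try:
            text = base64.urlsafe_b64decode(padded).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.startswith(("http://", "https://")):
            found.append(text)
    return found


def classify_link(url: str) -> dict:
    """Identify a delivery-service tracking link and what it reveals directly."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    for service, prefixes in TRACKING_REDIRECTORS.items():
        if host_under(host, service) and p.path.startswith(prefixes):
            return {
                "redirector": service,
                "embedded_destinations": decode_embedded_urls(p.path),
                "opaque_params": sorted(parse_qs(p.query)),  # e.g. ['upn']
            }
    return {"redirector": None, "embedded_destinations": [], "opaque_params": []}


def resolve_chain(url: str, fetch, max_hops: int = 5) -> list:
    """Follow redirects with fetch(url) -> Location header or None, so the
    caller decides how (and whether) live requests are made. Returns the
    visited URLs in order; loops and long chains are cut off."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = fetch(chain[-1])
        if not nxt or nxt in chain:
            break
        chain.append(nxt)
    return chain


def landing_host(url: str, fetch) -> str:
    """Hostname the recipient would actually land on after all redirects."""
    return (urlparse(resolve_chain(url, fetch)[-1]).hostname or "").lower()


# ---- constructed samples; none of these URLs come from real traffic ----
SAMPLE_SENDGRID = "https://u00000000.ct.sendgrid.net/ls/click?upn=CONSTRUCTED-OPAQUE-TOKEN"
_dest = "https://example.com/login"
_enc = base64.urlsafe_b64encode(_dest.encode()).decode().rstrip("=")
SAMPLE_MAILJET = f"https://x0000.r.mailjet.com/lnk/AAAAAAAAAAAAAAAAAAAAAAAA/1/{_enc}"

# Constructed redirect table standing in for live HTTP 302 responses.
_FAKE_REDIRECTS = {
    SAMPLE_SENDGRID: "https://phishing-landing.example.net/owa/",
    SAMPLE_MAILJET: _dest,
}


def fake_fetch(url: str):
    """Stand-in for an HTTP client; returns the Location header or None."""
    return _FAKE_REDIRECTS.get(url)


if __name__ == "__main__":
    for u in (SAMPLE_SENDGRID, SAMPLE_MAILJET):
        print(classify_link(u), "->", landing_host(u, fake_fetch))
```

The design point is that the delivery-service hostname is never the signal: a link on `sendgrid.net` or `mailjet.com` is treated as an unresolved pointer, and reputation is applied to `landing_host()` rather than to the link as written. Swapping `fake_fetch` for a client that issues HEAD requests from an isolated network turns the same code into a live resolver.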

Spoofed login pages for Mailchimp 

Additionally, phishing attacks based on spoofed login pages continue to grow, and attempts to steal the login credentials of email delivery platform accounts are no exception.

On Saturday, September 05, several employees from different Cyren Inbox Security customer organizations received an email from a fake ‘Mailchimp Account Services’ sender. The attacker used the look-alike domain in the address ‘accountservices@mailchinp.co’.

[Image: Email headers]

In order to ‘verify the account’, the targeted recipient would click the phishing URL ‘hxxp://login.app.mailchimp.session.id1552443.m-breden[.]de/Login/login.php’, which opened a very believable but fake Mailchimp login page:
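Two things give this campaign away before any page is rendered: the sender domain is a single-character variant of the real one, and the phishing URL puts the brand name in the subdomain labels while the registrable domain belongs to someone else. The Python below is an added example, not Cyren’s code and not part of the original post; it implements both checks. The `BRAND_DOMAINS` allowlist (Mailchimp on `mailchimp.com`) and the two-label `registrable_domain()` approximation are assumptions, and the sample URL uses a constructed `example.net` host in place of the real one.

```python
from urllib.parse import urlparse

# Brands and the registrable domains they legitimately use. mailchimp.com is
# Mailchimp's own domain; treating this dict as complete is an assumption, and a
# real deployment keeps the allowlist under change control.
BRAND_DOMAINS = {
    "mailchimp": {"mailchimp.com"},
}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Approximation for illustration: a
    production check must consult the Public Suffix List so that hosts such
    as example.co.uk are split correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one-character swaps like 'mailchinp'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(address: str, max_distance: int = 2) -> tuple:
    """Classify a sender address as ('legitimate' | 'look-alike' | 'unrelated', brand)."""
    domain = address.rsplit("@", 1)[-1].lower()
    reg = registrable_domain(domain)
    for brand, legit in BRAND_DOMAINS.items():
        if reg in legit:
            return ("legitimate", brand)
        closest = min(levenshtein(reg, d) for d in legit)
        # Either the brand string is embedded in a domain the brand does not
        # own, or the domain is within a few edits of a real one.
        if brand in reg or closest <= max_distance:
            return ("look-alike", brand)
    return ("unrelated", None)


def check_url_host(url: str) -> tuple:
    """Flag brand names that appear only in the subdomain part of a hostname,
    e.g. login.app.<brand>.session.<id>.<unrelated-domain>."""
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    subdomain_labels = host.split(".")[:-2]
    for brand, legit in BRAND_DOMAINS.items():
        if reg in legit:
            return ("legitimate", brand)
        if any(brand in label for label in subdomain_labels):
            return ("brand-in-subdomain", brand)
    return ("unrelated", None)


if __name__ == "__main__":
    # Constructed inputs modelled on the pattern described in the post.
    print(check_sender("accountservices@mailchinp.co"))
    print(check_url_host("https://login.app.mailchimp.session.id0000000.example.net/Login/login.php"))
```

Both checks are deliberately cheap enough to run on every inbound message at the gateway; the expensive step (rendering the landing page) only needs to happen for the small set of messages they flag.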

[Image: Phishing Mailchimp login page]

[Image: Phishing Mailchimp login page source code]

Detected and Protected by Cyren Inbox Security 

Although these phishing attacks were highly evasive, Cyren Inbox Security was able to scan and automatically detect the suspicious emails. We successfully removed every copy of these masquerading emails from the employees’ mailboxes.
