I disagree with this conclusion, if not only because other email service providers don't have this issue.
It wouldn't surprise me if something was broken with SendGrid's internal infrastructure. I used to be a SendGrid customer until my deliverability started being affected by this issue. SendGrid took weeks to reply to my customer service messages about resolving this, even though I was a paying customer and was renting private IP addresses from them to send mail.
I finally gave up and closed my SendGrid account in July 2021. Despite this, they continued to send me monthly invoices until May 2022. Multiple SendGrid representatives promised that they had resolved the issue, but it wasn't until one CSR added me to SendGrid's global suppression list that they finally stopped.
I used to run IT for a medium company. The amount of times I saw this with various SaaS companies was troubling. We had hundreds of services some as small as a single manager that demanded X and company wide tools. It was frequently a several months long hassle to get them to stop billing us when we cut ties with them. I wish I kept personal records now it was a minority but definitely in the 15%'ish range.
1. Add expressions to: If ALL of the following match the message.
2. Expression 1: Type: Advanced content match Location: Full headers Match type: Matches regex (?im)^from:\sSendGrid(?:\s+\w+)\s*<[^>\r\n]+>+$
3. Expression 2: Type: Advanced content match Location: Sender header Match type: Not matches regex (?i)^[A-Za-z0-9._%+-]+@(sendgrid\.com|twilio\.com)$
Set the rule to reject or quarantine. Users will not see the messages unless the attackers change the From header.
It's better to focus on more systematic solutions. There exist a lot of them, SPF, DKIM, Recipient mail filtering (Your mail provider).
The screenshotted emails don't even do anything tricky like spoofing the sender address, it looks like "Sent from no-reply@theraoffice.com". If it spoofed the domain it would have been caught by SPF/DKIM.
Most of the time the user doesn't need to do much, you can just be weary of sender domains, and report the email as phishing and help blacklist that specific IP address/domain. Similar to how in medicine sometimes the physician tells you to drink water and rest, no medicine needed, just let the immune system do its thing.
I can't pinpoint it exactly, but it might be a combination of the replication cycle of the attack being recursive and very short if the target is an MTA. But it may also be because the fact that sendgrid clients are sendgrid clients is public information.
Kind of how like meta companies are overrepresented in their medium, in a stock exchange banks are overrerpresented, lots of websites about building websites, lots of road ads are about placing road ads.
The actual origin of the email: theraoffice.com
The fake origin of the email: SendGrid
There is a mismatch there, easy to detect. SendGrid was not compromised, and nothing was sent in the name of sendgrid or whatever.
Now the domain theraoffice might have been registered by an attacker, warmed up with some small fake traffic, and aged. Or it might have been compromised.
The previous email could have used sendgrid or mailchimp or google workspace, that's not very relevant. The SPF and DKIM would always pass, because SPF and DKIM verifies that the owner of theraoffice.com is the one sending the emails.
There might be a connection with SendGrid, but it's not at all accurately explained in the article, it may be as simple as SendGrid being a common phishing target of attackers just because they can get access to more email infrastructure for magnifying their reach, like a self-replicating virus.
For popular senders: sort-of: in your incoming mail server, substring-match the display name of the sender against popular brands, and ensure the actual domain matches.
This works remarkably well for proper brands (FedEx et al), but breaks down when the brand name regularly occurs in "normal" names, the sending brand sends mail from all over the place, or "innocuous" impersonation takes place all the time.
Like, somehow, From: "VODAFONE" <shipping-update@dpd.co.uk> is a 100% legit sender (assuming SPF and DKIM verification pass), despite both Vodafone and DPD being pretty common impersonation targets. You'd think they'd know better, but alas.
So, yeah, room for improvement and such...
And/or, long-press or right-click on any link to inspect the linked domain.
I created a little GTK program to help: https://github.com/LightAndLight/gen-alias
Even some highly technically inclined people (like myself) can be entirely ignorant of the process. It's not as if consumer ISPs provide the service.
user+servicetag@domain.com
And have it go to user@domain.com with the servicetag still in the To: field. At least, I have never encountered a problem with this.
Spammers won't respect the + either, they will clean their list of any +tags before sending.
The best I've actually come across is to abuse gmails period policy. I haven't seen sites dedupe this or perform any other checks or manipulation.
If you have enough letters in your alias you can treat the possible period locations as binary. For example, pests@ would have 4 edible spots, so I could make 16 different dot addresses: pests@, pest.s@, pes.ts@, pes.t.s@, pe.sts@, pe.st.s@, [...], p.e.s.t.s@
Then you can just remember/record the decimal ID you used per site.
That's the entire point, if you get an email from the site but it doesn't include your +servicename tag then you immediately can immediately tell it's a phishing attempt or spam. If the tag is there it's not a 100% guarantee that it's legit, but absence of the tag is a big red flag.
Also, the +tag could get lost though just normal data clean up / normalization.
^([^@+]+)\+[^@]*(@.*)$
>Use <service>@<yourdomain> as your email address when signing up, and check the To header when receiving emails.
The user of the webservice specifies a unique email per webservice; knowledge of that unique email address serves as a hint that the email came from someone that has discovered that email address, i.e. the webservice itself.
Is this related to the breach that SendGrid said didn’t happen? I set my account up in 2021 for reasons I don’t recall and it’s since been deleted/deactivated by them.
It seems like Twilio has a conflict of interest that prevents them from offering WebAuthn, as that would be a tacit admission that their SMS and Authy products are not actually that secure.
Would you even open an email from noreply@drummond.com if that's what showed up in the message list?
On mobile it's worse. Gmail (Android) doesn't even show the From address at all when you open an email. For some emails, I can tap the sender icon and see the address, for others I have to find the hit reply (but if DMARC et al doesn't validate a Reply-To address) or go find a computer and see the message there.
I only used a SendGrid account briefly, as a potential backup to my current outgoing transaction mail provider. Sent exactly 5 test emails I think.
The ICE one this morning gave me pause, but only about 2s before I deleted it and moved on with my busy day of reading HN posts.
It's especially funny because SendGrid isn't even one of our vendors.
The only reason a site like this exists is for politicians to distract from the fact that the budget of a nation with currency sovereignty does not actually have to raise revenues with taxes in order to spend money on services (and thus, be an excuse to cut services).
So what is the point of the debt? To convince govt should not be too big nor suck up to many of the worldwide human capital resources.
I do love the idea of voter registration oscillating back and fourth at 20 minutes intervals forever. Would make voting in the primaries way more exciting as the voter base kept flipping.
Or, in effect, are you just required to claim either that you're more of a cat person, or that you're more of a dog person?
The last time anyone tried to poison a presidential election by promoting a weaker candidate on the other side in the US, it was the Democrats boosting Trump in 2016. It did not work out.
The thing is that that one plays on propaganda that people have already been conditioned to accept.
Very probably this person's father believes that the Democrats (a) control the state-operated voter registration system, and (b) manipulate it to their advantage. He believes that because he's been sent that message through a vast number of channels for many years. He would think it was absolutely in character for his registered party to be changed, and would probably think that would somehow affect how his vote was actually counted.
It's no more absurd than the idea that busloads of illegal aliens are showing up to vote "somewhere". Or whatever other idiotic lies they've been telling forever.
I don’t like receiving email that are not directly relevant to me.
This does mean that if it’s an order confirmation I wouldn’t check. So I may not know of legitimate emails from sendgrid only the illegitimate.
> We know that state actors have invested heavily in understanding and exploiting these divisions. Russian active measures campaigns have been documented doing exactly this kind of work: identifying wedge issues and creating content designed to inflame both sides. North Korea has demonstrated similar sophistication in their social engineering operations by targeting academics and foreign policy experts
What about "read Twitter in between bouts of using one susceptible user's API key to spam other users for their API keys" _really_ requires the sophistication of a state-level actor? Statements like this aren't journalism, they're exactly the same kind of manipulation being used by the phishers.
I've also received a bunch of API failure phishing emails, as well as some implying we needed to change our auth to Sinch.
I always had the habit of clicking on the unsubscribe button whenever I see an unwanted email. And I’d like to know what would happen if I click on malicious unsubscribe link.
The most essential check is SPF and DKIM which authenticate if the message has come from an authorized server. The problem is that most mail services are too lenient with mismatched sender identification. On one hand, people would be quite vocal about their mail provider sending way too much legitimate (but slightly misconfigured) mail to the spam folder. However it allows situations like to happen where the FROM header, the "From:" address, and the return path are all different.
Most mail systems have several stages of filters, and the first ones (checking authentication) are quite basic. After that, attachments, links, and contents are checked for known malware. Machine learning might kick in after this, if certain criteria are met. Mail security is very complicated and works well except for the times it falls flat on its face like this.
https://en.wikipedia.org/wiki/Sender_Policy_Framework https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
I think you're about 20 years behind the times if you think they don't.
There are a whole lot of problems with it when you start pressing the finer details like you list. For example, just look at the legit emails banks send out. They will tell you not to click links claiming to be your bank, then include links (claiming to be your bank) for more information.
Simply put the rules block too much corporate email because people that write corporate email do lots of dumb things with the email system.
I suspect that once the sendgrid account is compromised, they then send out these phishing emails, hoping to compromise _other_ sendgrid accounts to look for password overlap and/or keep the flow going.
Is this a UX issue? Should email clients highlight and emphasize the sender domain more than their display name?
yes
It might be 50 days by an (admittedly very cool) bus, but it's only 84 days in foot!
* Consult your Google Maps and a sense of humor if it sounds to good to be true!
When you think about politics is very contagious, politicians infect activists, who infect regular folk that advocate for stuff they don't benefit from, when elections come near, it's flu season.
Double parasite burgers where a new parasite leeches of an existing vector are common in biology as well. Like malaria and mosquitoes.
In any case, I revised the title to "SendGrid isn’t emailing you about ICE or BLM. It’s a phishing attack."
Maybe someone can edit the title of the submission on HN accordingly?
---
Possible alternative titles that better match the article’s content:
How Phishers Are Using SendGrid to Target SendGrid Users with Political Bait
– Accurately reflects the mechanism (SendGrid abuse), the audience, and the novel political/social-engineering angle.
SendGrid Account Takeovers Are Fueling a Sophisticated Phishing Ecosystem
– More technical / HN-native framing, avoids culture-war implications.
Phishception: Politically Targeted Phishing Sent Through Compromised SendGrid Accounts
– Highlights the core insight and the self-reinforcing nature of the attack.
Most people aren't even aware that their posted URLs can be changed or their titles re-edited automatically because the UI doesn't give affordances for anything. You're just expected to notice and edit it out within the edit window (which there also isn't an affordance for.)
"Why is SendGrid emailing me about supporting ICE?" becomes "Phishing Campaign Targets SendGrid Users via Compromised Accounts and Politically Charged Bait"
I think it would be more time than I'd like to commit though.
I'd feel pretty stupid getting worked up about something only to realize that getting worked up about it was used against me.
I'm writing this because for a moment I did get worked up and then had the slow realization it was a phishing attack, slightly before the article got to the point.
Anyways, I think the clickbait is kindof appropriate here because it rather poignantly captures what is going on.
There's got to be a way to generalize this for anyone who still cares about the difference between real facts and manipulation.
What happens a lot, at least for me, is that people will start reading the comments to see if they want to bother reading the link. Then they might start commenting on what's already been said. It's easy to slip into that pattern.
Though you also frequently see top-level comments that appear to be based on the headline alone.
The number of people who actually read the entire article and then attempt to comment in good faith are few and far between.
I thank the author for getting me this way, as I would have likely fallen for the unsubscribe trick.
but that would be clear and very boring. nobody would read your blog then. A headline that very obviously implies Sendgrid the company supports ICE, and so much so that they are emailing all their customers about it, clicks galore. Well done.