Phishing in the Cloud: SendGrid Campaign Exploits Account Security

Cofense PDC observed a SendGrid-themed credential harvesting campaign using spoofed sender addresses, three urgency-themed phishing emails, and open-redirect links to lure users to fake SendGrid login pages. The attacks redirect through domains like destinpropertyexpert[.]com and hilllogistics[.]com to landing pages such as loginportalsg[.]com and sendgrid.aws-us5[.]com to capture credentials.

Key points

  • Attackers impersonated SendGrid to leverage its trusted reputation and bypass email security gateways.
  • Three distinct phishing themes were used: “New Login Location”, “Activate Elite Tier Benefits”, and “Phone Number Changed” to induce urgency or curiosity.
  • Spoofed sender addresses and email alias modification spoofing were employed to make messages appear legitimate.
  • Phishing links abuse open redirects (e.g., url6849[.]destinpropertyexpert[.]com/ls/click?) that accept arbitrary target URLs as parameters.
  • Redirect chains lead to a cloned SendGrid phishing site hosted at loginportalsg[.]com that harvests credentials.
  • Observed infection URLs include hilllogistics[.]com and destinpropertyexpert[.]com redirectors, plus CT SendGrid click URLs and multiple IPs tied to payload hosting.
  • Cofense emphasizes verifying URLs and strengthening defenses to reduce the risk of credential theft and related business impacts.

MITRE Techniques

  • [T1566] Phishing – Email messages impersonated SendGrid and used urgent themes and spoofed sender addresses to trick users into clicking malicious links (“New Login Location”, “Activate Elite Tier Benefits”, “Phone Number Changed”).
  • [T1222] Data from Information Repositories (Credentials in Web Forms) – Malicious landing pages at loginportalsg[.]com captured user credentials via fake SendGrid login forms (“redirect users to a SendGrid phishing site … domain hXXps://loginportalsg[.]com is not a legitimate SendGrid website”).
  • [T1553.003] Subvert Trust Controls: Email Alias Spoofing – The threat actor used email alias modification spoofing to make messages appear as if they originated from SendGrid (“email alias modification spoof to make the email appear as if it originated from SendGrid”).
  • [T1204.002] User Execution: Malicious Link – Emails contained embedded prompts like “access by clicking this link” and “Activate Elite Tier Benefits” that enticed users to follow links that ultimately delivered the credential phishing page.
  • [T1090] Proxy: Open Redirect Abuse – Attackers exploited open redirect behavior on domains such as url6849[.]destinpropertyexpert[.]com/ls/click? to mask final malicious destinations (“the link structure accepts any URL as a parameter, and the server redirects the user to that specified address”).
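The open-redirect behaviour described in the key points and in the T1090 entry above (a click-tracking link whose query string accepts any URL and is then followed by the server) can be spotted in mail-gateway or proxy logs before anyone clicks. The script below is an added example for this write-up, not Cofense's tooling: it refangs a defanged indicator, pulls every query-string value that decodes (including double-encoded values) to an absolute http(s) URL, and flags the link when that embedded target sits on a different registrable domain than the redirector itself. The page only shows the redirector URLs with their query strings elided, so the parameter names (`target`, `u`) and the full sample links are constructed assumptions; `example.com` entries are benign controls.

```python
"""Flag click-tracking style links that carry an external redirect target.

Added example (not from the original post). The sample links are constructed:
the page shows the redirectors only as .../ls/click?... so the parameter names
and values below are assumptions.
"""
from urllib.parse import parse_qsl, unquote, urlparse


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hXXp://, [.]) back into a parseable URL."""
    return (ioc.replace("hXXps://", "https://")
               .replace("hXXp://", "http://")
               .replace("[.]", "."))


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Adequate for .com style hosts;
    a production check would consult the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded targets are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def embedded_urls(url: str) -> list[str]:
    """Return every query-string value that decodes to an absolute http(s) URL."""
    found = []
    for _key, value in parse_qsl(urlparse(url).query, keep_blank_values=True):
        candidate = refang(_fully_decode(value))
        target = urlparse(candidate)
        if target.scheme in ("http", "https") and target.netloc:
            found.append(candidate)
    return found


def open_redirect_targets(url: str) -> list[tuple[str, str]]:
    """Return (redirector_host, target_host) pairs where following the link
    would hand the browser off to a different registrable domain."""
    link = refang(url)
    redirector = urlparse(link).hostname or ""
    results = []
    for target_url in embedded_urls(link):
        target_host = urlparse(target_url).hostname or ""
        if registrable_domain(target_host) != registrable_domain(redirector):
            results.append((redirector, target_host))
    return results


def flagged_links(links: list[str]) -> list[tuple[str, str, str]]:
    """Scan a batch of links (e.g. extracted from mail bodies) and return
    (link, redirector_host, target_host) for each suspicious hand-off."""
    hits = []
    for link in links:
        for redirector, target in open_redirect_targets(link):
            hits.append((link, redirector, target))
    return hits


# Constructed sample links: outer redirectors and landing hosts come from the
# page's IoC list, but the query strings are assumptions for illustration.
SAMPLE_LINKS = [
    # single-encoded target on the destinpropertyexpert redirector
    "hXXp://url6849[.]destinpropertyexpert[.]com/ls/click?"
    "target=https%3A%2F%2Floginportalsg.com%2Flogin",
    # double-encoded target on the hilllogistics redirector
    "hXXp://url1390[.]hilllogistics[.]com/ls/click?"
    "u=https%253A%252F%252Fsendgrid.aws-us5.com%252F",
    # benign: redirect stays within the same registrable domain
    "https://www.example.com/ls/click?target=https%3A%2F%2Fexample.com%2Fhome",
    # benign: no URL in the query string at all
    "https://www.example.com/ls/click?id=12345",
]

if __name__ == "__main__":
    for link, redirector, target in flagged_links(SAMPLE_LINKS):
        print(f"SUSPICIOUS  {redirector}  ->  {target}\n    {link}")
```

The same-domain control matters: legitimate click trackers also embed a destination URL, so the useful signal is not "query string contains a URL" but "redirector and destination belong to different organisations", which is exactly the hand-off the campaign relies on to mask loginportalsg[.]com behind a reputable-looking sender domain.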

Indicators of Compromise

  • [Domain] redirectors and phishing hosts – url6849[.]destinpropertyexpert[.]com, url1390[.]hilllogistics[.]com (used as ls/click redirectors).
  • [Domain] phishing landing pages – loginportalsg[.]com, sendgrid[.]aws-us5[.]com (hosts for fake SendGrid login forms).
  • [URL] observed infection/redirect URLs – hXXp://url1390[.]hilllogistics[.]com/ls/click?…, hXXp://url6849[.]destinpropertyexpert[.]com/ls/click?…, hXXps://u42632394[.]ct[.]sendgrid[.]net/ls/click?…
  • [IP] payload/hosting IP addresses – 185.208.156.46 (hosts loginportalsg[.]com and sendgrid.aws-us5[.]com); examples of redirector/relay IPs: 104.21.85.103, 172.67.204.116, and others such as 3.220.122.174, 54.158.174.185 (multiple hosting/relay IPs).
  • [Domain] impersonated service domain – ct[.]sendgrid[.]net (used in click-tracking URLs that were part of the redirect chain).


Read more: https://cofense.com/blog/phishing-in-the-cloud-sendgrid-campaign-exploits-account-security