35 comments

[ 2.4 ms ] story [ 48.8 ms ] thread
(comment deleted)
Before anyone launches themselves into the sky: the title is clickbait. This is about phishing attempts that use ICE to persuade you to click. Sendgrid the company is not emailing about supporting ICE. But technically Sendgrid the infrastructure is.
Interesting that politics is a vector for contagion.

When you think about politics is very contagious, politicians infect activists, who infect regular folk that advocate for stuff they don't benefit from, when elections come near, it's flu season.

Double parasite burgers where a new parasite leeches of an existing vector are common in biology as well. Like malaria and mosquitoes.

I have been receiving 2-3 of these variations per day. Have been reporting them as phishing in our GSuite account, but they just keep coming.
That’s some devious shit. I can just imagine someone furiously clicking the button in a rage
Having a friendly name listed in the From field is part of the problem. SPF, DKIM, and DMARC make it possible to control who can send as your domain, if the receiver cares to check. If you have strict SPF and DMARC rules, most receivers will drop or not accept emails that fail the rules. But you can't control using your brand from unaffiliated domains.

Would you even open an email from noreply@drummond.com if that's what showed up in the message list?

On mobile it's worse. Gmail (Android) doesn't even show the From address at all when you open an email. For some emails, I can tap the sender icon and see the address, for others I have to find the hit reply (but if DMARC et al doesn't validate a Reply-To address) or go find a computer and see the message there.

> Can this be fixed?

For popular senders: sort-of: in your incoming mail server, substring-match the display name of the sender against popular brands, and ensure the actual domain matches.

This works remarkably well for proper brands (FedEx et al), but breaks down when the brand name regularly occurs in "normal" names, the sending brand sends mail from all over the place, or "innocuous" impersonation takes place all the time.

Like, somehow, From: "VODAFONE" <shipping-update@dpd.co.uk> is a 100% legit sender (assuming SPF and DKIM verification pass), despite both Vodafone and DPD being pretty common impersonation targets. You'd think they'd know better, but alas.

So, yeah, room for improvement and such...

relatedly, my wife received polititexts destined to her conservative father. The latest was actually genius IMO, in that it stated "Dear STEVEN, due to inactivity, your registration will be changed to DEMOCRAT in 20 minutes unless you navigate to this link." It, I assume, redirected to some support page to donate to the US conservative party or its affiliates. The social engineering is getting more effective
First thought... Why would ICE need donations? I then realized how unrecognizable scams have become to me now. Older people are going to be in a worse position.
"The fundamental issue is that SendGrid’s business model depends on making it easy for legitimate businesses to send email at scale."

I disagree with this conclusion, if not only because other email service providers don't have this issue.

It wouldn't surprise me if something was broken with SendGrid's internal infrastructure. I used to be a SendGrid customer until my deliverability started being affected by this issue. SendGrid took weeks to reply to my customer service messages about resolving this, even though I was a paying customer and was renting private IP addresses from them to send mail.

I finally gave up and closed my SendGrid account in July 2021. Despite this, they continued to send me monthly invoices until May 2022. Multiple SendGrid representatives promised that they had resolved the issue, but it wasn't until one CSR added me to SendGrid's global suppression list that they finally stopped.

Oh! I’ve seen this phishing attempt as well, I believe it was was Gemini they said they would add an “lgbt” banner unless you changed settings.
So the modern Gestapo is so deeply unpopular it is being used for phishing attacks - no one (normal) wants to be seen anywhere near it. Amazing.
Is this a new trend in phishing emails? They appear to be using legitimate domains to bypass spam detection. Usually the domains are associated with legitimate companies who are completely oblivious. I always wondered how this works. Is it a broken contact form somewhere?
We've been getting similar phishing emails claiming to be from SendGrid, except they're along the lines of "we're adding a rainbow banner to the footer of all emails to show LGBT support, click here to opt out".

It's especially funny because SendGrid isn't even one of our vendors.

Before you reach for your wallets, remember -

It might be 50 days by an (admittedly very cool) bus, but it's only 84 days in foot!

* Consult your Google Maps and a sense of humor if it sounds to good to be true!

Not just SendGrid, I have received very sophisticated phishing emails “from” MailGun as well. I think the advantages of getting into your email channel justify a lot of investment by the bad guys.
(comment deleted)
In the 1920s and 30s they had mailing campaigns recruiting to join the SA. Same principle.
Is this an education problem? Should the general public be more diligent in checking the sender domain of the emails they read?

Is this a UX issue? Should email clients highlight and emphasize the sender domain more than their display name?

2FA doesn't stop phishing unless it's WebAuthn. But SendGrid, which is owned by Twilio, only supports 2FA based on SMS or the Authy App (which is also made by Twilio): https://www.twilio.com/docs/sendgrid/ui/account-and-settings...

It seems like Twilio has a conflict of interest that prevents them from offering WebAuthn, as that would be a tacit admission that their SMS and Authy products are not actually that secure.

(comment deleted)
I wonder why Gmail and other email providers don't just run an LLM/ML pipeline to detect phishing emails. It seems that matching an email's content with the sender's domain (and possibly analyzing the content behind links) would be enough to show, with high certainty, a warning like "Beware: this looks like a phishing email." Is it too expensive? Too many false positives?
I've been getting a lot of these, and forwarding them (along with the raw source of the email headers) to abuse@sendgrid.com with some success.
I received one, though it was for adding a footer honoring MLK. I kinda thought it was odd, but did't think much of it, since I'm apparently not in the group that would be offended in any way. I wonder if the variation they use is random, or in any way location-based to maximize response (I'm in Texas).

I've also received a bunch of API failure phishing emails, as well as some implying we needed to change our auth to Sinch.