Research Saturday 3.16.24
Ep 321 | 3.16.24

Inside SendGrid's phishy business.


Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly-evolving cyberspace. Thanks for joining us.

Robert Duncan: This particular attack came to our attention because it combines so many interesting tactics that have been used to [inaudible 00:00:38] the attack, and it's pretty notable in the sense that it's using the infrastructure of the provider itself that it's impersonating.

Dave Bittner: That's Robert Duncan, VP of Product Strategy at Netcraft. The research we're discussing today is titled "Phishception - SendGrid abused to host phishing attacks impersonating itself."

Robert Duncan: And that's a very effective tactic because it makes it really difficult for a victim to tell the difference between a message that they've received or an email that doesn't really originate with that provider but, by all intents and purposes, or for all intents and purposes, that is indistinguishable. It's really hard to tell the difference between the real and the fake. And we walk through this particular attack -- it's got some -- it's got five or six different tactics that it's used that take it beyond the usual phishing attack. It means the attackers have really gone to town. They've taken a lot of time, put in a lot of effort to make the attack (a) difficult to detect for victims, but also difficult to detect for -- for anti -- anti-phishing or cybersecurity companies like ourselves to detect. And -- and that's, kind of, how this came to our attention.

Dave Bittner: Yeah.

Robert Duncan: We -- we find a lot of attacks. We're -- we're doing, kind of, looking at very high volume. We're looking at millions of attacks. This particular attack came to our attention. It's -- it's one of -- of many.

Dave Bittner: Well, let's go through it together here. I mean, I guess we should say at the outset that, kind of at the center of this is this organization or -- or this product called SendGrid. What do we need to know about that?

Robert Duncan: So to -- to kind of set the scene. So SendGrid is a legitimate platform, a email sending platform. It's run by Twilio. They're a large, well-trusted organization. There's nothing about their infrastructure that's criminal controlled. It -- it really is legitimate infrastructure that normal companies use to send and receive email. It's a very effective platform, and that also makes it a really effective platform for criminals. So that kind of sets the scene for what SendGrid is. And part of what's pretty notable here is that SendGrid itself is a useful tool for criminals to have. So -- why this is particularly interesting is that they're using the platform. They've compromised the SendGrid user's account, and they're using that compromised account to deliver emails to compromise further SendGrid accounts. So they're kind of -- kind of like a worm. They're building a portfolio of compromised SendGrid accounts in order to then use that infrastructure for bad behavior. So it -- it -- we don't have a direct line of sight into what the credentials are actually being used for. What we can observe is what's being sent and what we receive through our various sources of -- of these types of threat.

Dave Bittner: Hmm. Well, let's walk through it together here. Can you take us through, step by step, what exactly is going on?

Robert Duncan: Where this starts is -- is typical to -- to many phishing campaigns. It's a -- an email with a call to action for the victim to fix something. So, in this case, the example that we've pulled out falsely claims that the payment to SendGrid is being declined and you need to go and immediately click through to renew your account, fix the payment method. And that's the hook. So typically a pretty effective hook. We'd expect many people to be riled up. They -- they want their -- their SendGrid structure to keep working. It's the, kind of, cornerstone of some -- or of many businesses. And so that's -- that's the hook. What happens next is also pretty interesting. So what happens next is the link that the email contains that the fraudster is intending for the victim to click is actually cloaked for the criminal without any effort. So SendGrid's platform allows legitimate users to use their click-tracking feature which allows them to see how many times users have clicked on links and be able to track which email recipients have clicked on links. But what that means is it simultaneously makes it really difficult for a victim to -- maybe a potential victim at this point -- to see the difference between a legitimate link and a link that goes somewhere untoward. What we can kind of see here, what we -- where we're doubling down on this is you're expecting this link to go to somewhere in SendGrid's domain portfolio. That's perfectly legitimate. That's what you expect, and that is true. You do go to a link that is on So even a particularly vigilant user is going to be finding it pretty hard to tell the difference between a fake and a real link here.

Dave Bittner: Yeah, I mean, I -- I think about, you know, myself when -- when confronted with these sorts of things, that's -- that's one of the first things I would do is look at what -- what domain is being referenced here. And -- and in this case you've got a message from SendGrid and it looks like the thing I'm clicking on is going to go to SendGrid because it is.

Robert Duncan: Yup. Exactly. And it was sent -- and it really was sent from SendGrid. So it's kind of the -- the -- the combination of all those factors means that it's a really convincing attack. And layering on top of that, because SendGrid is an email delivery service -- and a very effective one. I'm not -- I'm not trying to advertise for them but, like, their service is really well used by legitimate companies and criminals alike. It's optimized to get messages into people's inboxes, so you've kind of got everything you need to make a really effective phishing campaign.

Dave Bittner: Hmm.

Robert Duncan: The one thing to note is that there are a couple of signals that -- that something's a bit weird. So the "From" address that is used in these attacks does not match SendGrid's own infrastructure. It matches one of their compromised customers. So it's pretty easy to see that this is a, kind of, worm style behavior. You're seeing one customer get compromised and then, using that one customer's account, you can then see how the criminal group can expand on that network of -- of compromised accounts by targeting all users.

Dave Bittner: So suppose someone clicks on this link, this link that's taking advantage of their click-tracking, what happens next?

Robert Duncan: So, again, another interesting cloaking technique. This -- this attack is actually -- as sort of a side point here -- this attack really does combine a huge number of cloaking techniques. Most phishing attacks that we see do not. Most phishing attacks that we see are relatively simple. If they do use a cloaking technique, they'll -- they'll one or two. This -- this particular attack or group of attacks is using five, six, seven different cloaking techniques. So, to kind of pull back to where -- where we are, so we've clicked the link. You get to the SendGrid click-tracking infrastructure. It redirects you to the actual destination, which in this case is a JavaScript playground called "JSPen." So this is a site that is not necessarily involved in the attack, and what's interesting here is that it uses a URL fragment -- so the bit that follows the hash symbol -- to actually contain the malicious code. And what the -- the JavaScript playground site does is it takes the fragments of that bit of code at the end of the URL and turns that back into something that can be executed as JavaScript. This is particularly interesting because it means that the web server itself, so JSPen, doesn't necessarily have any visibility over what that malicious code is. The fragment of the URL does not get sent to the web server. That's contained purely in the browser, so another interesting cloaking technique is that -- that JSPen may have no idea that this bit of infrastructure is being used for this particular attack. Step number two from this is that the -- the actual bit of code that's in that URL fragment is actually really simple. It's actually referencing a JavaScript file that's hosted on a Microsoft Azure service that is called Azure Front Door, which is a CDN, so similar to something like Amazon CloudFront. So it's another somewhat interesting thing because they've registered a new subdomain, so their subdomain is on a legitimate Microsoft domain. So that's another interesting point.

Dave Bittner: Mm-hmm.

Robert Duncan: But what's kind of interesting here is that often we see criminals using totally free infrastructure like -- things like Cloudflare, GitHub. What's different here is that the Azure Front Door service that's being used is not part of the free tier, so it does cost money, the caveat being that most new customers get a credit balance when they sign up. So it probably isn't costing the criminals any money, and it's potentially a signal that that account itself may be compromised. So it may be a legitimate Azure user has had their compromised.

Dave Bittner: Hmm.

Robert Duncan: Their credit is being used to support this attack. We -- we can't tell externally whether that's true or not.

Dave Bittner: Yeah.

Robert Duncan: But it's an interesting -- another interesting component about this particular attack.

Dave Bittner: We'll be right back. Yeah, I suppose it's possible that there could be -- they could be signing up to this Azure account with a stolen credit card as well and, you know, so that gets them in the door and then they get this $200 credit to -- to use as they see fit. But ultimately when it's time for them to be charged, you know, either it's -- it's on a stolen credit card or doesn't go through, I suppose.

Robert Duncan: Yeah. Exact -- exactly that. So the difference is that it does make it a little bit more challenging for criminals to use --

Dave Bittner: Hmm.

Robert Duncan: -- because they do -- they will need to have a credit card, either somebody's that they've stolen or an account they've stolen. There's no reason that they needed to use this for this attack. They could have used totally free infrastructure if they'd wanted to. So potentially something that gives a signal to any investigation that was happening to this attack that there are a few leads to follow. Like, there will be a stolen credit card somewhere in this -- in this chain.

Dave Bittner: Hmm.

Robert Duncan: So notable in that sense.

Dave Bittner: Yeah. So tell me about this JavaScript file.

Robert Duncan: The next step in the chain. So the actual JavaScript file, again, is using cloaking techniques to disguise the purpose of the file. The reason that the sites like this use this type of obfuscation is to make analysis by cybersecurity companies more challenging. It means that you need to actually execute the JavaScript in order to be able to tell what it does. It makes that analysis much harder -- not impossible, of course, but it -- it's adding steps in -- in the chain to get rid of any people trying to have a quick look at what's going on. People are going to see a load of code and assume that it's meant to be there and -- and it's doing something legitimate whereas, in fact, what it's doing is a -- another cloaking technique. So layering on more cloaking techniques. The actual HTML of the attack itself is encrypted with AES and the -- the obfuscated JavaScript file is the, kind of, decryption code. So I -- I guess the kind of obvious point to note here is that the encryption is effectively pointless. The key is included alongside the encrypted payload but, again, another thing to make cybersecurity companies' lives a little bit more miserable, or make the analysis more expensive. You need to make sure that you've run all of this code through a -- a JavaScript engine to make sure that you can actually see what it does at the end. That's, kind of, step -- I think -- well, I've forgotten where we are. Step number four, five?

Dave Bittner: It's obfuscation all the way down. Right?

Robert Duncan: Exactly. It is -- it is all the way down, and we can keep -- we can keep going. So once we've got to this point, we can actually -- there actually is the HTML. You can see that it is impersonating the Twilio SendGrid login page. That's the, kind of -- once you've got to this point, like, a victim wouldn't have obviously seen all that, that those kind of obfuscation steps, the browser would have hidden that from them. They would have just clicked the link and hit the -- the SendGrid login page. Here, again, this does something pretty interesting. So the kind of bulk standard phishing sites will ask for username, ask for your password, send it off to some PHP script that will either log it in a text file or send an email or send it to a telegram channel behind the scenes. This one is actually pretty interesting again. So another layer is that it, instead of just capturing the details and then saying thank you, goodbye, it actually uses the real SendGrid API to validate the username and password on the fly. So it's kind of acting like a -- the kind of adversary-in-the-middle style approach of -- of attacks where they are actually sending traffic from your browser to the real website on your behalf, and this is a little bit of a twist on that because it's not proxying it directly through a server. It's actually using, kind of, [inaudible 00:15:54] code to do that. So it connects to the real SendGrid API, sends the username and password, and then checks to make sure that it gets back a success response. This is, again, pretty good tactics by the criminal because a common technique for users to see if -- if they've, kind of, hit a phishing site or if they're on the real site is to try some incorrect credentials first and see if they get accepted. If they get accepted, they know the site is fake and it's a phishing site, but they haven't given away their real details. That technique doesn't work here because the username and password are validated in real time against the API. So the site can immediately tell you, hey, username and password were wrong. Try again.

Dave Bittner: Hmm.

Robert Duncan: So then if a victim is using that technique, then they'll, the second time around, give the real username and password. And, again, I think -- where are we? Step five? Step six? It gets deeper. So to steal, say, the multifactor authentication tokens, what happens next is it sends the details so far to a drop site. So this particular drop site had been registered back in November. So we saw that for the first time in November last year. It looks like a default page site if you visit it by itself but, of course, there's a -- a hidden PHP file that's not visible from the front page that receives the -- the, kind of, stolen credentials so far. What happens next on the -- the phishing site is the -- they'll ask you for your two-factor code. And what happens next is the -- instead of sending the two-factor code off to this drop site, it will contact the SendGrid API again, provide the -- the two-factor code, and instead of sending the code itself, it sends back the session token which allows the -- the criminal to then use that token in their own browser to access the victim's account. So, at that point, the -- the attacker is going to have -- one, their attack has succeeded. They've got the -- the stolen credentials that they wanted. They redirect the victim back to the real SendGrid page, and the victim is probably none the wiser.

Dave Bittner: Wow. What is your sense for what they're ultimately after here? Once they've -- they've gotten control of someone's SendGrid account, are they selling that access? Or any -- any indication what they're up to?

Robert Duncan: It's a great question. We don't know. So we can conjecture as to what we think is happening. So there's definitely an element of then using it to find more SendGrid credentials. So sending it to other SendGrid users, using that account to -- to do that. What's also likely, based on the -- the types of reports that we get from the, kind of, anti-phishing community is that it's very likely that those SendGrid accounts are being used to send other malicious links. So that could be more phishing targeting somebody else. Could be malware. SendGrid is, like, a very useful service. It's -- it's a useful service to legitimate companies. It's a useful service to criminals. So it's a great way to get into victims' inboxes. SendGrid spends a lot of time optimizing their platform so that they can do that. And so it's a really attractive service for a criminal to have on hand. So I expect that it's (a) going to be used to expand this particular criminal group's access to more SendGrid credentials, and then, you know, possibly, it could be being resold on underground forums or used directly to then send out more malicious content. We see --

Dave Bittner: Yeah.

Robert Duncan: -- quite a lot of different SendGrid accounts and URL shorteners in the reports that we get, so it's -- it's very likely that that's -- that's kind of the next step.

Dave Bittner: Again, asking for your conjecture here. Any sense for why they might be going to the amount of trouble that they are? Because, as you said, you know, most phishing organizations -- most phishing campaigns, they may use some of this, but this is throwing everything at it.

Robert Duncan: Yeah. Again, a really good question. So one may point to the -- the value of the SendGrid credentials, that they're worth spending this much effort to -- to do. A second element is that, as we've seen with other phishing campaigns, once a particular group or particularly savvy author has written, say, a phishing kit in order to be able to, kind of, automate deploying more sites to do the same thing, once that's happened once, the actual incremental cost is pretty small to deploy new ones. The actual technical skill you might need is actually pretty low for the, kind of, the foot soldiers, as it were, in the -- kind of, in the group. So it's likely that that -- that type of dynamic is playing out. We can't say for certain whether that's true or not for this particular case, but it's definitely a pattern that we see across different -- different genres of attack where there's, like, a particularly savvy group or particularly savvy subset of the -- the criminal group and they then have either affiliate networks or selling access to kits in order to do so. So I think that -- on one hand, I think your -- your question is well put in that why would they go to this much trouble?

Dave Bittner: Hmm.

Robert Duncan: The, kind of, counterpoint to that is -- once one person has gone to that much trouble, it's really easy to replicate.

Dave Bittner: I see. If I'm a -- a SendGrid customer, what are your recommendations? What sort of things can I put in place to protect myself here?

Robert Duncan: Well, I think all the -- all the standard precautions still apply. So, as I said earlier, this was actually a really tricky thing to tell the difference on the actual email that was received. There were a couple of signals. So the "From" address was wrong, so it wasn't being portrayed as being sent by SendGrid itself. So this is the "From" address that's actually displayed to users. So there -- there was a signal in there that something was a little bit weird. But I -- I think this is the really tricky one. Where this is something that's known to the anti-phishing community, using antivirus tools, anti-phishing extensions, can help and a -- a really good thing to do. Of course, those rely on the attack already being -- being known. So there's a variety of different things to do. So you want to use your normal security precautions and be very cautious, as always, on the internet. You have to be on your toes at all times. It's -- it's a tricky thing to say and ask people to do, to be constantly on guard, and it's an unfortunate reality of -- of where we are that there's a lot of fraud, there's a lot of trickery, and people are out there to and steal your credentials, steal your money, and -- and do bad stuff.

Dave Bittner: Yeah. I mean, I -- I guess this campaign starts off with something that has to do with payment. Right? And so I guess that, in itself, should be a signal for greater vigilance.

Robert Duncan: Yeah. That's -- that's right. So usual advice is you've received an email or -- or a message that's saying do something immediately. Good thing to do is actually take a few seconds, think about it, and think, okay, well, if my SendGrid account -- you know, if the payment has failed, that's okay. I'm going to go to the real SendGrid website. I'm going to log in to my profile there and validate that that's actually true. So going through your -- your bookmarks, going through websites you've been to before, the same thing applies for thinking about, like, un -- unsolicited phone calls. The exact same approach works there, too. So you want to be thinking about hanging up and phoning back the number on the back of the card. The equivalent for email is -- is the same thing. So ignore the email. Go to the provider's website and -- and try to find the alert from that direction.

Dave Bittner: Our thanks to Robert Duncan from Netcraft for joining us. The research is titled "Phishception - SendGrid abused to host phishing attacks impersonating itself." We'll have a link in the show notes. The CyberWire "Research Saturday" podcast is a production of N2K Networks. N2K's strategic workforce intelligence optimizes the value of your biggest investment -- your people. We make you smarter about your team while making your team smarter. Learn more at This episode was produced by Liz Stokes. Our mixer is Elliott Peltzman. Our Executive Producers are Jennifer Eiben and Brandon Karpf. Our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.