I disagree with this conclusion, if only because other email service providers don't have this issue.
It wouldn't surprise me if something was broken with SendGrid's internal infrastructure. I used to be a SendGrid customer until my deliverability started being affected by this issue. SendGrid took weeks to reply to my customer service messages about resolving this, even though I was a paying customer and was renting private IP addresses from them to send mail.
I finally gave up and closed my SendGrid account in July 2021. Despite this, they continued to send me monthly invoices until May 2022. Multiple SendGrid representatives promised that they had resolved the issue, but it wasn't until one CSR added me to SendGrid's global suppression list that they finally stopped.
I used to run IT for a medium company. The number of times I saw this with various SaaS companies was troubling. We had hundreds of services, some as small as a single manager that demanded X, and company-wide tools. It was frequently a several-months-long hassle to get them to stop billing us when we cut ties with them. I wish I had kept personal records now; it was a minority but definitely in the 15%-ish range.
For popular senders: sort-of: in your incoming mail server, substring-match the display name of the sender against popular brands, and ensure the actual domain matches.
This works remarkably well for proper brands (FedEx et al), but breaks down when the brand name regularly occurs in "normal" names, the sending brand sends mail from all over the place, or "innocuous" impersonation takes place all the time.
Like, somehow, From: "VODAFONE" <shipping-update@dpd.co.uk> is a 100% legit sender (assuming SPF and DKIM verification pass), despite both Vodafone and DPD being pretty common impersonation targets. You'd think they'd know better, but alas.
So, yeah, room for improvement and such...
And/or, long-press or right-click on any link to inspect the linked domain.
I created a little GTK program to help: https://github.com/LightAndLight/gen-alias
Even some highly technically inclined people (like myself) can be entirely ignorant of the process. It's not as if consumer ISPs provide the service.
user+servicetag@domain.com
And have it go to user@domain.com with the servicetag still in the To: field. At least, I have never encountered a problem with this.
1. Add expressions to: If ALL of the following match the message.
2. Expression 1: Type: Advanced content match; Location: Full headers; Match type: Matches regex (?im)^from:\sSendGrid(?:\s+\w+)\s*<[^>\r\n]+>+$
3. Expression 2: Type: Advanced content match; Location: Sender header; Match type: Not matches regex (?i)^[A-Za-z0-9._%+-]+@(sendgrid\.com|twilio\.com)$
Set the rule to reject or quarantine. Users will not see the messages unless the attackers change the From header.
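The display-name heuristic from the earlier comment and the SendGrid-specific rule above are both instances of one check: does the brand named in the From: display name agree with the sending domain? This is an added example, not code from anyone in the thread; the brand-to-domain table and the sample headers are constructed, and the DPD/Vodafone case is included to show the false positive the thread mentions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed brand -> allowed sending domains table (illustrative only; a real
# deployment maintains its own list of the brands its users actually receive).
BRAND_DOMAINS = {
    "sendgrid": {"sendgrid.com", "twilio.com"},
    "fedex": {"fedex.com"},
    "vodafone": {"vodafone.com", "vodafone.co.uk"},
}

def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def display_name_mismatch(raw_message: str):
    """Return (brand, sending_domain) when the From: display name contains a
    known brand as a whole word but the address domain is not one the brand
    sends from; return None otherwise. This is the display-name heuristic,
    not SPF/DKIM: it only asks whether the name and the domain agree."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = _domain(addr)
    for brand, allowed in BRAND_DOMAINS.items():
        if re.search(rf"\b{re.escape(brand)}\b", name, re.IGNORECASE):
            if domain not in allowed:
                return brand, domain
    return None

# Constructed sample headers (not real mail). Bodies omitted.
IMPERSONATION = (
    "From: SendGrid Support <no-reply@compromised-customer.example>\r\n"
    "Subject: Action required: API key expiring\r\n\r\n"
)
LEGIT = "From: SendGrid <noreply@sendgrid.com>\r\nSubject: Invoice\r\n\r\n"
# The DPD/Vodafone case from the thread: authenticated, yet flagged anyway.
FALSE_POSITIVE = 'From: "VODAFONE" <shipping-update@dpd.co.uk>\r\nSubject: Delivery\r\n\r\n'
# Whole-word matching keeps ordinary names that merely resemble a brand clean.
ORDINARY = "From: Fed Example <fed@example.org>\r\nSubject: Lunch\r\n\r\n"

if __name__ == "__main__":
    for label, raw in [("impersonation", IMPERSONATION), ("legit", LEGIT),
                       ("false positive", FALSE_POSITIVE), ("ordinary", ORDINARY)]:
        print(f"{label:15} -> {display_name_mismatch(raw)}")
```

Run the check only after SPF/DKIM have been evaluated, and treat a hit as a quarantine signal rather than a hard reject, since the DPD case shows legitimate senders trip it.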
It's better to focus on more systematic solutions. There exist a lot of them: SPF, DKIM, recipient mail filtering (your mail provider).
The screenshotted emails don't even do anything tricky like spoofing the sender address; it looks like "Sent from no-reply@theraoffice.com". If it spoofed the domain it would have been caught by SPF/DKIM.
Most of the time the user doesn't need to do much; you can just be wary of sender domains, and report the email as phishing and help blacklist that specific IP address/domain. Similar to how in medicine sometimes the physician tells you to drink water and rest, no medicine needed, just let the immune system do its thing.
It seems like Twilio has a conflict of interest that prevents them from offering WebAuthn, as that would be a tacit admission that their SMS and Authy products are not actually that secure.
Would you even open an email from noreply@drummond.com if that's what showed up in the message list?
On mobile it's worse. Gmail (Android) doesn't even show the From address at all when you open an email. For some emails, I can tap the sender icon and see the address; for others I have to hit reply (but if DMARC et al. don't validate a Reply-To address) or go find a computer and see the message there.
I only used a SendGrid account briefly, as a potential backup to my current outgoing transaction mail provider. Sent exactly 5 test emails I think.
The ICE one this morning gave me pause, but only about 2s before I deleted it and moved on with my busy day of reading HN posts.
It's especially funny because SendGrid isn't even one of our vendors.
The only reason a site like this exists is for politicians to distract from the fact that the budget of a nation with currency sovereignty does not actually have to raise revenues with taxes in order to spend money on services (and thus, be an excuse to cut services).
I do love the idea of voter registration oscillating back and forth at 20-minute intervals forever. Would make voting in the primaries way more exciting as the voter base kept flipping.
The thing is that that one plays on propaganda that people have already been conditioned to accept.
Very probably this person's father believes that the Democrats (a) control the state-operated voter registration system, and (b) manipulate it to their advantage. He believes that because he's been sent that message through a vast number of channels for many years. He would think it was absolutely in character for his registered party to be changed, and would probably think that would somehow affect how his vote was actually counted.
It's no more absurd than the idea that busloads of illegal aliens are showing up to vote "somewhere". Or whatever other idiotic lies they've been telling forever.
I don't like receiving emails that are not directly relevant to me.
This does mean that if it's an order confirmation I wouldn't check. So I may not know of legitimate emails from SendGrid, only the illegitimate ones.
Is this related to the breach that SendGrid said didn’t happen? I set my account up in 2021 for reasons I don’t recall and it’s since been deleted/deactivated by them.
Or an AI.
I've also received a bunch of API failure phishing emails, as well as some implying we needed to change our auth to Sinch.
The problem is that companies get their SendGrid credentials compromised via password re-use or phishing.
I think you're about 20 years behind the times if you think they don't.
There are a whole lot of problems with it when you start pressing the finer details like you list. For example, just look at the legit emails banks send out. They will tell you not to click links claiming to be your bank, then include links (claiming to be your bank) for more information.
Simply put, the rules block too much corporate email because people that write corporate email do lots of dumb things with the email system.
The most essential check is SPF and DKIM, which authenticate whether the message has come from an authorized server. The problem is that most mail services are too lenient with mismatched sender identification. On one hand, people would be quite vocal about their mail provider sending way too much legitimate (but slightly misconfigured) mail to the spam folder. However, it allows situations like this one to happen, where the FROM header, the "From:" address, and the return path are all different.
Most mail systems have several stages of filters, and the first ones (checking authentication) are quite basic. After that, attachments, links, and contents are checked for known malware. Machine learning might kick in after this, if certain criteria are met. Mail security is very complicated and works well except for the times it falls flat on its face like this.
https://en.wikipedia.org/wiki/Sender_Policy_Framework https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
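The mismatch this comment describes is what DMARC calls identifier alignment: the From: header domain should agree with the envelope sender (Return-Path) that SPF covers and with the DKIM signing domain (d=). The check below is an added example, not from the thread; it only reads headers that an upstream MTA has already recorded, and the sample headers are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def _org_domain(domain: str) -> str:
    """Crude 'organizational domain': the last two labels. Real DMARC uses the
    public suffix list, so this misjudges e.g. *.co.uk; fine for a demo."""
    return ".".join(domain.split(".")[-2:])

def alignment_report(raw_message: str) -> dict:
    """Compare the three identities the comment mentions: From: header domain,
    envelope sender (Return-Path, as the receiving MTA records it) and the
    DKIM signing domain (d= in DKIM-Signature). Relaxed alignment passes when
    the organizational domains match. Assumes SPF and DKIM were already
    verified upstream; this function only checks that the identities agree."""
    msg = message_from_string(raw_message)
    from_dom = _domain(parseaddr(msg.get("From", ""))[1])
    rp_dom = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", msg.get("DKIM-Signature", ""))
    dkim_dom = m.group(1).lower() if m else ""
    return {
        "from": from_dom, "return_path": rp_dom, "dkim": dkim_dom,
        "spf_aligned": bool(rp_dom) and _org_domain(rp_dom) == _org_domain(from_dom),
        "dkim_aligned": bool(dkim_dom) and _org_domain(dkim_dom) == _org_domain(from_dom),
    }

# Constructed headers (not real mail); signature values are placeholders.
# A relay signs and bounces for itself while the From: claims another domain.
MISALIGNED = (
    "Return-Path: <bounces+123@em.relay.example>\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=relay.example; s=s1; bh=BODYHASH; b=SIG\r\n"
    'From: "Your Bank" <alerts@bank.example>\r\n\r\n'
)
# Same brand, but bounce domain and DKIM d= belong to the From: organization.
ALIGNED = (
    "Return-Path: <bounces@mail.bank.example>\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=bank.example; s=s1; bh=BODYHASH; b=SIG\r\n"
    'From: "Your Bank" <alerts@bank.example>\r\n\r\n'
)

if __name__ == "__main__":
    print("misaligned:", alignment_report(MISALIGNED))
    print("aligned:   ", alignment_report(ALIGNED))
```

A real DMARC evaluator uses the SPF-authenticated domain and the DKIM-verified d=, so a passing signature must actually be checked before its d= is trusted here.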
I always had the habit of clicking on the unsubscribe button whenever I see an unwanted email. And I'd like to know what would happen if I clicked on a malicious unsubscribe link.
I suspect that once the sendgrid account is compromised, they then send out these phishing emails, hoping to compromise _other_ sendgrid accounts to look for password overlap and/or keep the flow going.
Is this a UX issue? Should email clients highlight and emphasize the sender domain more than their display name?
yes
When you think about it, politics is very contagious: politicians infect activists, who infect regular folk that advocate for stuff they don't benefit from, and when elections come near, it's flu season.
Double parasite burgers, where a new parasite leeches off an existing vector, are common in biology as well. Like malaria and mosquitoes.
It might be 50 days by an (admittedly very cool) bus, but it's only 84 days on foot!
* Consult your Google Maps and a sense of humor if it sounds too good to be true!
> We know that state actors have invested heavily in understanding and exploiting these divisions. Russian active measures campaigns have been documented doing exactly this kind of work: identifying wedge issues and creating content designed to inflame both sides. North Korea has demonstrated similar sophistication in their social engineering operations by targeting academics and foreign policy experts
What about "read Twitter in between bouts of using one susceptible user's API key to spam other users for their API keys" _really_ requires the sophistication of a state-level actor? Statements like this aren't journalism, they're exactly the same kind of manipulation being used by the phishers.
In any case, I revised the title to "SendGrid isn’t emailing you about ICE or BLM. It’s a phishing attack."
Maybe someone can edit the title of the submission on HN accordingly?
---
Possible alternative titles that better match the article’s content:
How Phishers Are Using SendGrid to Target SendGrid Users with Political Bait
– Accurately reflects the mechanism (SendGrid abuse), the audience, and the novel political/social-engineering angle.
SendGrid Account Takeovers Are Fueling a Sophisticated Phishing Ecosystem
– More technical / HN-native framing, avoids culture-war implications.
Phishception: Politically Targeted Phishing Sent Through Compromised SendGrid Accounts
– Highlights the core insight and the self-reinforcing nature of the attack.
"Why is SendGrid emailing me about supporting ICE?" becomes "Phishing Campaign Targets SendGrid Users via Compromised Accounts and Politically Charged Bait"
I think it would be more time than I'd like to commit though.
I'd feel pretty stupid getting worked up about something only to realize that getting worked up about it was used against me.
I'm writing this because for a moment I did get worked up and then had the slow realization it was a phishing attack, slightly before the article got to the point.
Anyways, I think the clickbait is kind of appropriate here because it rather poignantly captures what is going on.
I thank the author for getting me this way, as I would have likely fallen for the unsubscribe trick.
What happens a lot, at least for me, is that people will start reading the comments to see if they want to bother reading the link. Then they might start commenting on what's already been said. It's easy to slip into that pattern.
Though you also frequently see top-level comments that appear to be based on the headline alone.
But that would be clear and very boring. Nobody would read your blog then. A headline that very obviously implies SendGrid the company supports ICE, and so much so that they are emailing all their customers about it: clicks galore. Well done.