If you have a Sendgrid (Twilio) account, be aware that for six weeks bad guys have been pwning Sendgrid accounts by spear-phishing Sendgrid admins via previously-compromised Sendgrid accounts.

The emails come from Sendgrid's servers so they are unlikely to go into your spam folder. They pass SPF etc. because they are actual emails from Sendgrid, sent by a compromised customer.

They look pretty realistic.

After a few months' pause, the phishing Sendgrid email fake-alerts have started back up this week. They still look pretty realistic! I almost clicked!

The headers show the phishing email as coming from Sendgrid's servers, because it actually is (this customer of theirs was hacked):

Received: from wrqvtcrk.outbound-mail.sendgrid.net (wrqvtcrk.outbound-mail.sendgrid.net. [149.[redacted]])
by mx.google.com with ESMTPS id 3f1490d57ef6-e75c0f0177esi1110886276.78.2025.05.06.03.09.59

Holy shit, I think this is the most sophisticated hacked-Sendgrid phishing attempt yet. Someone apparently pwned a random server owned by selfcast[.]net and is sending Sendgrid email, aimed at Sendgrid admins, with links pointing to it.

selfcast[.]net appears to be a site for actors, but at first glance could plausibly be an alternate domain for an email-sending site. Nope!

The first link in the email looks valid; only the big tempting button is the phish hook.
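Added illustration, not code from the original posts or from Sendgrid: because the mail genuinely leaves Sendgrid's outbound servers, SPF and the Received chain check out, so the useful tell is where the links point, not where the message came from. The script below parses a constructed message modelled on the header quoted above, confirms the sendgrid.net hop, then lists every link whose host is outside an assumed Sendgrid/Twilio allowlist. The sample addresses, IP, message id and the domain compromised-host.example (standing in for the hacked third-party host described above) are all placeholders.

```python
"""Inspect an inbound 'Sendgrid' notice: accept that it really transited
sendgrid.net, then report where its links actually go.
Constructed example; not Sendgrid's or the original poster's code."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a genuine Sendgrid/Twilio notification would link to (assumed allowlist).
EXPECTED_LINK_SUFFIXES = ("sendgrid.com", "sendgrid.net", "twilio.com")

# Constructed message modelled on the quoted Received header. IP, ids and
# addresses are placeholders; the links mirror the pattern described above:
# a harmless first link, then a lure button and an "unsubscribe" link elsewhere.
SAMPLE_EMAIL = """\
Received: from wrqvtcrk.outbound-mail.sendgrid.net (wrqvtcrk.outbound-mail.sendgrid.net. [192.0.2.10])
        by mx.example.com with ESMTPS id placeholder-id
        for <admin@example.com>
From: SendGrid Support <support@sendgrid.com>
To: admin@example.com
Subject: Action required on your SendGrid account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Read the <a href="https://docs.sendgrid.com/">documentation</a>.</p>
<p><a href="https://compromised-host.example/account/verify?u=placeholder">Review your account</a></p>
<p><a href="https://compromised-host.example/unsubscribe">unsubscribe</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def parse_message(raw: str) -> EmailMessage:
    return message_from_string(raw, policy=policy.default)


def received_from_hosts(msg: EmailMessage) -> list:
    """Hostname in the 'from' clause of each Received header, top-most first."""
    hosts = []
    for value in msg.get_all("Received", []):
        m = re.match(r"from\s+([A-Za-z0-9.-]+)", str(value))
        if m:
            hosts.append(m.group(1).rstrip(".").lower())
    return hosts


def _under(host: str, suffix: str) -> bool:
    host = host.lower()
    return host == suffix or host.endswith("." + suffix)


def transited_sendgrid(msg: EmailMessage) -> bool:
    """True when some hop came from Sendgrid outbound mail; this is why SPF passes."""
    return any(_under(h, "sendgrid.net") for h in received_from_hosts(msg))


def link_targets(msg: EmailMessage) -> list:
    """(anchor text, hostname) for every link in the HTML body."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = _LinkCollector()
    collector.feed(body.get_content())
    return [(text, (urlparse(href).hostname or "").lower())
            for text, href in collector.links]


def off_brand_links(msg: EmailMessage, expected=EXPECTED_LINK_SUFFIXES) -> list:
    """Links whose host is outside the allowlist. A mix of allowlisted and
    off-brand links in one message is exactly the pattern described above."""
    return [(text, host) for text, host in link_targets(msg)
            if not any(_under(host, s) for s in expected)]


if __name__ == "__main__":
    msg = parse_message(SAMPLE_EMAIL)
    print("transited Sendgrid infrastructure:", transited_sendgrid(msg))
    for text, host in off_brand_links(msg):
        print(f"suspicious link {text!r} -> {host}")
```

The suffix match is deliberate: a naive `endswith("sendgrid.com")` would also accept a look-alike such as notsendgrid.com, so the check requires either an exact match or a dot boundary before the suffix.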

It's still going. Sendgrid folks must be scrambling to try to catch up to the phishing ring. Yikes.
I'm still getting one of these a day, on average. Is Sendgrid even aware of this?

The Sendgrid phishing network is getting political, telling its would-be victims: we're putting a pride banner on all your outgoing emails, click our phishing link to remove it.

This is a nine-figure ARR company that's had the bad guys phishing their way through its clients for the last ten months. Has anyone even noticed?

(This is not the CEO's name btw)

The bad guys have been crawling around Sendgrid's networks for over a year now, and they have news hounds writing their phishing text. Highly topical.

(Every link in here, even "unsubscribe," is a phish to, presumably, steal the credentials of the next customer)