Hacked SendGrid accounts used in phishing attacks to steal logins
2021-03-04 16:00

A phishing campaign targeting users of Outlook Web Access and Office 365 services collected thousands of credentials by relying on trusted domains such as SendGrid.

Using Zoom invites as a lure and an extensive list of email addresses, the operators of the phishing campaign delivered messages from hacked accounts on the SendGrid cloud-based email delivery platform.

Researchers at WMC Global, makers of the PhishFeed real-time phishing intelligence service, capitalized on some mistakes made by the threat actor, which allowed them to analyze how the credentials moved from the phishing site into the hands of the operator.

Earlier operations used compromised SendGrid accounts to deliver the phishing emails and then moved to MailGun, a developer-centric email service with APIs that allow sending, receiving, and tracking messages.

WMC Global says that the latest email campaigns were noisy enough to attract attention, but the tactics, techniques, and procedures observed point to other campaigns that used different phishing themes.

In their technical analysis today, the WMC Global Threat Intelligence Team also released a set of indicators of compromise that include locations for storing media files used in the campaigns, hashes, and a long list of phishing sites.


News URL

https://www.bleepingcomputer.com/news/security/hacked-sendgrid-accounts-used-in-phishing-attacks-to-steal-logins/