For the past several months, I’ve been receiving and then ignoring a steady stream of concerning emails from SendGrid, the popular email delivery service owned by Twilio that I use for sending emails from Breadwinner. I’d see some weird API error notification, log in to my SendGrid account, check everything is working properly, and then delete the email. I didn’t pay too close attention to them until I saw a couple of very strange ones.
Today, I received this one implying SendGrid was going to be adding a “Support ICE” button to all emails sent through their platform:

If you’ve been paying any attention at all to US politics, you’ll know how insidiously provocative this would be if it were a real email.
But it isn’t. It’s a phishing email. If you use SendGrid, or have ever used it, you might be getting these too.
This phishing campaign is a fascinating example of how sophisticated social engineering has become. Instead of Nigerian 419 scams, hackers have evolved to carefully craft messages sent to professionals that are designed to exploit the American political consciousness.
The opt-out buttons are the trap.
The Attack
Here’s how it works: hackers compromise SendGrid customer accounts (through credential stuffing, password reuse, the usual methods). Once they have access, they can send emails through SendGrid’s infrastructure, which means the emails pass all the standard authentication checks (SPF, DKIM) that your spam filter uses to determine legitimacy. The emails look real because, technically, they are real SendGrid emails sent via SendGrid’s platform and via a customer’s reputation – they’re just sent by the wrong people and wrong domains.
They’re likely using a list of SendGrid customers so they can target this to only people who have used the service before.
Security researchers at Netcraft dubbed this “Phishception” back in 2024: attackers using SendGrid to phish SendGrid users, creating a self-perpetuating cycle where each compromised account can be used to compromise more accounts.
This has been going on for years. Brian Krebs wrote about it in 2020. And yet here we are.
The Lures
What’s changed, or at least what I’ve noticed recently, is the political sophistication of the bait. The attackers aren’t just sending “your account is suspended” emails (though they do that too). They’re sending messages designed to provoke a strong emotional reaction that compels you to click.
Here are some I’ve received:
The LGBT Pride Footer

From: [email protected]
This one claims SendGrid’s CEO “James Mitchell” (not a real person) came out as gay, and to show support, SendGrid is adding a pride-themed footer to all emails. “We understand this may not be right for everyone,” it helpfully notes, offering a “Manage Preferences” button.
Note the opt-out. If you support LGBTQ+ rights, you might ignore this. But if you don’t? You’re clicking that button immediately.
The Black Lives Matter Theme

From: [email protected]
For “one week,” all emails will feature a commemorative theme honoring George Floyd and the Black Lives Matter movement. This change applies “platform-wide to all users.”
Again: “If you prefer not to participate, you can opt out below.”
Note the sender domain: nellions.co.ke, a Kenyan domain. This is a compromised SendGrid customer account being used to send phishing emails to American targets about American political issues.
The ICE Support Initiative

From: [email protected]
This one arrived just this morning. SendGrid is supposedly adding a “Support ICE” donation button to the footer of every email sent through their platform, “in response to recent events” and “as part of our commitment to supporting U.S. Immigration and Customs Enforcement.”
The timing here is notable: these hackers are reading the news.
The Spanish Language Switch

From: [email protected]
And then there’s this one, which is just absurd: “Your language preference has been successfully changed to Spanish. All emails sent via the API will now be formatted in Spanish.”
This one is less politically charged and more “wait, what? I didn’t do that” – just enough anxiety to get you to click.
The Classic Account Termination

From: [email protected]
And of course, they still do the classics: “Your account has been terminated for misusing sending guidelines.”
The Pattern
Look closely at those sender addresses again at the top of the Gmail message:
- drummond.com
- nellions.co.ke
- theraoffice.com
- nutritionsociety.org
- myplace.co
None of these are sendgrid.com. They’re all legitimate businesses whose SendGrid accounts have been compromised. When these emails hit your inbox, they pass authentication because they really were sent through SendGrid, just not by SendGrid.
Who’s Behind This?
The political sophistication on display here (BLM, LGBTQ+ rights, ICE, even the Spanish language switch playing on immigration anxieties) suggests someone with a deep understanding of American cultural fault lines.
We know that state actors have invested heavily in understanding and exploiting these divisions. Russian active measures campaigns have been documented doing exactly this kind of work: identifying wedge issues and creating content designed to inflame both sides. North Korea has demonstrated similar sophistication in their social engineering operations by targeting academics and foreign policy experts.
I’m not saying this is a state actor necessarily – the economic value of exploiting SendGrid’s formidable email infrastructure is most likely the appeal here. Equally, this could just as easily be a domestic operation run by someone who’s extremely online and knows which culture war buttons to push. But I think the skill set required (technical ability to compromise accounts at scale plus cultural fluency in American politics) is notable.
Can This Be Fixed?
Honestly? I don’t know.
SendGrid has known about this problem for years. Twilio (SendGrid’s parent company) has talked about requiring two-factor authentication for all customers, but implementation has been slow. The fundamental issue is that SendGrid’s business model depends on making it easy for legitimate businesses to send email at scale. Anything that adds friction for good actors also adds friction for bad actors, but the bad actors are more motivated to work around it.
Meanwhile, the attackers only need one thing: access to SendGrid customer accounts. As long as people reuse passwords and don’t enable 2FA, there will be a steady supply of compromised accounts. It’s a bit of a hydra problem: cut off one head, another grows behind it.
Protecting Yourself
If you’re a SendGrid customer: enable two-factor authentication immediately. Use a unique password. Check your account for unauthorized API keys or sender identities.
If you’re just receiving these emails: don’t click anything. The links go to fake SendGrid login pages that will steal your credentials in real-time as they actually validate your password against SendGrid’s API and even capture your 2FA codes.
A Filter Hack

For Gmail users, you can create a filter to automatically delete SendGrid impersonation emails that don’t come from legitimate SendGrid domains:
- Go to Settings → Filters and Blocked Addresses → Create new filter
- In the “From” field, enter: `-from:sendgrid.com -from:twilio.com`
- In the “Has the words” field, enter: `sendgrid`
- Click “Create filter” and select “Delete it”
This will catch emails that mention SendGrid but aren’t actually from SendGrid. It’s not perfect, but it helps.
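The same rule as that Gmail filter, written as a header check you can run over raw messages, as an added example that is not part of the original post. The two sample messages and their sender domains are constructed placeholders, and the allowlist of legitimate domains is the one the filter above uses.

```python
# Added example: flag mail that talks about SendGrid, passes SPF/DKIM, but whose
# From: domain is not sendgrid.com or twilio.com (the "Phishception" pattern).
from email import message_from_string
from email.utils import parseaddr

LEGIT_DOMAINS = ("sendgrid.com", "twilio.com")

# Constructed sample messages; the sender domains are placeholders, not real IoCs.
PHISH = """\
From: SendGrid Support <notice@compromised-customer.test>
Subject: Action required: footer update for all API email
Authentication-Results: mx.example.test; spf=pass; dkim=pass header.d=sendgrid.net

We are adding a new footer to all emails sent through SendGrid. Manage Preferences below.
"""

LEGIT = """\
From: SendGrid <noreply@sendgrid.com>
Subject: Your monthly SendGrid statement
Authentication-Results: mx.example.test; spf=pass; dkim=pass header.d=sendgrid.com

Your SendGrid statement is ready.
"""

def sender_domain(raw):
    """Domain part of the From: address (the display name is ignored)."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()

def auth_passed(raw):
    """True when the receiving MTA recorded both SPF and DKIM as pass."""
    ar = message_from_string(raw).get("Authentication-Results", "").lower()
    return "spf=pass" in ar and "dkim=pass" in ar

def is_sendgrid_impersonation(raw):
    """Mentions SendGrid anywhere (like Gmail's 'Has the words') but the
    From: domain is neither sendgrid.com nor twilio.com (nor a subdomain)."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("From", "") + msg.get("Subject", "") + body).lower()
    dom = sender_domain(raw)
    legit = any(dom == d or dom.endswith("." + d) for d in LEGIT_DOMAINS)
    return "sendgrid" in text and not legit

def classify(raw):
    """'keep', or 'delete' with a note when the impersonation also authenticates."""
    if not is_sendgrid_impersonation(raw):
        return "keep"
    return "delete (authenticated impersonation)" if auth_passed(raw) else "delete"
```

An authenticated impersonation is the case the post describes: a real customer account sending through SendGrid, so SPF/DKIM alone cannot catch it and the From: domain is the signal to check.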
Have You Gotten These?
I’m curious what other variations are out there. If you’ve received SendGrid phishing emails (especially weird or politically-charged ones) leave a comment or reach out. The more examples we document, the easier it is for people to recognize these when they land in their inbox.
And if you work at Twilio/SendGrid and want to explain what’s being done about this: I’m all ears.