What are common phishing issues with Sendgrid and Mailgun and how are they addressed?

Key findings

• Platform exploitation: Attackers can compromise legitimate SendGrid or Mailgun accounts to send out phishing emails, leveraging the ESP's reputation for higher deliverability.
• Invoice replication: A common tactic observed involves replicating invoices (e.g., SparkPost invoices) to trick recipients into clicking malicious links or providing credentials.
• Persistent attacks: Phishing efforts against these platforms are often ongoing, with threat actors continuously adapting to bypass security measures as they are implemented.
• Quick response: Both SendGrid and Mailgun have dedicated abuse teams that respond to reports, often suspending compromised accounts rapidly.

Key considerations

• Robust security practices: ESPs must continuously update their security protocols, including API key management, multi-factor authentication, and anomaly detection.
• Sender education: Users of these platforms need to implement strong authentication methods for their accounts and be vigilant about their own email security. Ensuring you know how to identify phishing emails is critical.
• Proactive monitoring: Regularly monitor your email sending activity for unusual patterns and utilize tools to check your domain's blocklist status.
• Incident response: Promptly report any suspected phishing activity to the respective abuse desks (e.g., abuse@sendgrid.com and abuse@mailgun.com). These teams are equipped to investigate and suspend malicious accounts.

Key opinions

• Reputation impact: Phishing originating from an ESP can degrade the platform's overall reputation, potentially affecting the deliverability of all users.
• Vigilance needed: Marketers must be constantly on the lookout for suspicious activity, both within their own accounts and in emails they receive that appear to be from legitimate services.
• Proactive engagement: It is important to report phishing attempts to ESPs promptly to aid in their mitigation efforts and protect the wider email community.
• Authentication importance: Proper implementation of email authentication protocols (SPF, DKIM, DMARC) is crucial to prevent spoofing and ensure legitimate emails are recognized.

Key considerations

• Monitoring sending patterns: Regularly check your ESP dashboards for unusual sending volumes or sudden spikes, which could indicate a compromised account.
• Secure account practices: Use strong, unique passwords and enable two-factor authentication (2FA) on your SendGrid and Mailgun accounts.
• Email authentication: Ensure your domain's SPF, DKIM, and DMARC records are correctly configured to protect against spoofing. Mailgun provides guidance on recognizing phishing, including checking authentication.
• Internal education: Educate your marketing and IT teams on how to spot and report phishing attempts.

Key opinions

• Shared problem: Phishing issues with major ESPs are a known, industry-wide challenge, not unique to SendGrid or Mailgun.
• Abuse desk efficiency: The responsiveness of an ESP's abuse desk (e.g., Mailgun and SendGrid's monitored abuse inboxes) is critical for timely mitigation.
• Adaptable attackers: Phishers are highly adaptive, constantly evolving their methods to circumvent new security controls implemented by ESPs.
• Collaborative effort: Combating phishing requires a collaborative effort between ESPs, security researchers, and end-users reporting suspicious activity.

Key considerations

• Continuous security audits: ESPs must regularly audit their systems for vulnerabilities that phishers could exploit, particularly in account creation and API access.
• Behavioral analytics: Implementing advanced behavioral analytics can help identify anomalous sending patterns that indicate a compromised account, even if traditional security measures are bypassed.
• Enforce DMARC: Encouraging and assisting clients to move to a DMARC policy of quarantine or reject can significantly reduce spoofing. Learn more about why emails get phishing warnings.
• Threat intelligence sharing: ESPs and security experts often share threat intelligence to quickly disseminate information about new phishing tactics and compromised accounts, as highlighted by BleepingComputer's reporting on hacked SendGrid accounts.

Key findings

• Authentication guidelines: Documentation heavily promotes proper SPF, DKIM, and DMARC setup to prevent email spoofing and ensure message authenticity.
• API key security: Both ESPs provide detailed instructions on securing API keys, which are often targets for account compromise.
• Abuse reporting: Official channels (e.g., abuse@ mailboxes, dedicated forms) are provided for reporting suspicious activity and phishing attempts.
• Security features: Features like IP access management, event webhooks for real-time monitoring, and subuser management are available to enhance account security.

Key considerations

• User responsibility: While ESPs provide tools, the ultimate responsibility for securing accounts and implementing authentication lies with the user. Learn more about best practices for email domain authentication.
• Regular updates: Documentation is regularly updated to reflect new security measures and best practices, requiring users to stay informed.
• Event notifications: Utilize event webhooks or similar features to receive real-time notifications about unusual sending activity or bounce rates, which could indicate a phishing issue. For example, SendGrid's resources cover various email scams.
• Incident response guidelines: Familiarize yourself with the ESP's guidelines on what to do if your account is compromised or you identify phishing originating from their platform.