Thanks for this Hans-Martin. This was definitely phish. Compromised account. The account was actioned very quickly after the mail got out.
For what it's worth, 2FA *is* required now but as you probably know it is not a silver bullet for preventing abuse. When customers expose their API key(s) to the open web, stuff happens.

Luke

On Thu, Jul 8, 2021 at 10:46 PM Hans-Martin Mosner via mailop <mailop@mailop.org> wrote:

> On 08.07.21 at 18:14, Luke via mailop wrote:
> > Just so the group is aware, our team is looking into the Zoom traffic. We aren't sure what they are doing with that mail stream, but it doesn't look good.
> >
> > Both of the accounts reported by Michael have been suspended.
> >
> > Thanks, everyone.
> >
> > Luke
>
> I have a hunch that some time ago (just before the increased spam via SendGrid started) there might have been an unauthorized access to SendGrid customer data which allowed hackers to bruteforce hashed passwords and use valid accounts to send spam and fraudulent/phishing mails. The pattern is too strong to be reasonably explained with singular security breaches at individual customers.
>
> SendGrid, if this comes close to the truth (I can only guess), please be open about it at least in communication to your customers. If possible, enforce 2FA, watch for logins from unusual IP addresses, etc. Maybe a complete password reset for all customers would be in order.
>
> Repealing spam and fraud from completely bogus sources is a lot of work for us mail admins already, but when it comes from presumably authentic sources it becomes incredibly difficult and prone to false positives.
>
> Here's a simple example: I have a mail sample in quarantine that comes from "topbuildersolutions.net", apparently a SendGrid customer, using your outgoing infrastructure (192.254.122.201), so it's not a simple impersonation. It purports to be a payment reminder, with the usual phishing drill of urgency by threatening account termination. With a From: line of "SendGrid <notificat...@topbuildersolutions.net>", a SendGrid logo as embedded png, closing line "The Billing Operations Team at SendGrid" it looks 100% like phishing to me.
>
> Is this from you actually?
> If yes, why do you send out payment reminders using foreign domains?
> If not, why do you let your customers send such mails through your system?
>
> Your reputation is going down the drain. You should definitely realize that your reputation is your most valuable asset, and it's losing value at an incredible rate.
>
> Cheers,
> Hans-Martin
>
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
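As an added example (not code from this thread, from SendGrid, or from either poster), here is a small Python check a mail admin could run over incoming headers to flag the pattern Hans-Martin describes: a From: display name that names a brand while the address domain is not one of that brand's own sending domains. The brand-to-domain allow-list and the sample message are constructed for this example and are assumptions, not data from the thread.

```python
# Added example: flag From: headers whose display name claims a brand while
# the address domain does not belong to that brand (display-name impersonation).
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list of domains a brand legitimately sends from; constructed
# for this example, a real deployment would maintain its own list.
BRAND_DOMAINS = {
    "sendgrid": {"sendgrid.com", "sendgrid.net"},
}


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().strip(".")


def domain_matches(domain: str, allowed: set) -> bool:
    """True if domain equals, or is a subdomain of, an allowed domain."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def check_from_header(from_header: str):
    """Return (brand, domain) when the display name names a brand that the
    address domain is not allowed for; None when nothing is suspicious.
    A header without a display name cannot impersonate by name, so it passes."""
    name, addr = parseaddr(from_header)
    if not name or not addr:
        return None
    domain = domain_of(addr)
    words = re.findall(r"[a-z0-9]+", name.lower())  # brand match on whole words
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in words and not domain_matches(domain, allowed):
            return (brand, domain)
    return None


def scan_message(raw: str):
    """Parse a raw RFC 5322 message and check its From: header."""
    msg = message_from_string(raw)
    return check_from_header(msg.get("From", ""))


# Constructed sample modelled on the quarantined mail described in the thread.
SAMPLE = ("From: SendGrid <billing@topbuildersolutions.net>\n"
          "Subject: Payment reminder\n\nYour account will be terminated.\n")

if __name__ == "__main__":
    print(scan_message(SAMPLE))  # ('sendgrid', 'topbuildersolutions.net')
```

The check only catches an exact brand word in the display name; look-alike spellings and homoglyphs need a separate rule.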