Seeing an interesting phishing campaign that appears to be personalizing components of the message and URL endpoints to potentially get around blacklists and other filters. Unfortunately I can't share the exact example publicly without effectively recreating the email, but here's a summary of what I'm finding.
* Victim email address domain without TLD in the From and Subject headers (i.e., if victim domain was widgetltd.com, "Widgetltd" would be used)
* Message contains a link with the local-part of the victim's email address as a subdomain (i.e., if victim's email address was "jane....@widgetltd.com", the attacker host would appear as "jane.doe.badactordomain.xyz"), as well as the full version of the victim's email address base64 encoded as a query string value (using the previous example, http://jane.doe.badactordomain.xyz/?amFuZS5kb2VAd2lkZ2V0bHRkLmNvbQ==/0 )

Potentially interesting, but not necessarily distinctive:

* Examples I'm seeing have a nearly blank message, and an HTML attachment with a JavaScript window.location.href redirect related to the attacker URL.
* Attacker is leveraging SendGrid
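Added example (not from the original post): a small Python checker for the indicators described above, flagging a link whose host begins with the recipient's local-part, a base64-encoded copy of the recipient address anywhere in the URL, and the recipient's domain minus its TLD appearing in a header. The recipient address and attacker host are constructed placeholders mirroring the post's example.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Constructed sample values mirroring the pattern described in the post
# (hypothetical recipient and attacker host, not real indicators).
RECIPIENT = "jane.doe@widgetltd.com"
SAMPLE_URL = "http://jane.doe.badactordomain.xyz/?amFuZS5kb2VAd2lkZ2V0bHRkLmNvbQ==/0"

_B64_TOKEN = re.compile(r"[A-Za-z0-9+/_-]{8,}={0,2}")


def _decoded_tokens(text):
    """Yield ASCII decodings of every base64-looking token in text (both alphabets)."""
    for tok in _B64_TOKEN.findall(text):
        padded = tok + "=" * (-len(tok) % 4)  # tolerate stripped padding
        for decoder in (base64.b64decode, base64.urlsafe_b64decode):
            try:
                yield decoder(padded).decode("ascii")
            except (binascii.Error, ValueError, UnicodeDecodeError):
                continue


def url_personalization_indicators(url, recipient):
    """Return the names of personalization tricks found in url for this recipient."""
    recipient = recipient.lower()
    local = recipient.partition("@")[0]
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    hits = []
    # Recipient local-part reused as the leading label(s) of the attacker host.
    if local and host.startswith(local + "."):
        hits.append("localpart_as_subdomain")
    # Full recipient address hidden as base64 in the path, query or fragment.
    blob = " ".join((parsed.path, parsed.query, parsed.fragment))
    if any(d.lower() == recipient for d in _decoded_tokens(blob)):
        hits.append("b64_recipient_in_url")
    return hits


def domain_stem_in_header(header_value, recipient):
    """True if the recipient's domain minus its TLD appears as a word in a header."""
    stem = recipient.lower().rpartition("@")[2].split(".")[0]  # widgetltd.com -> widgetltd
    return re.search(r"\b%s\b" % re.escape(stem), header_value.lower()) is not None


if __name__ == "__main__":
    print(url_personalization_indicators(SAMPLE_URL, RECIPIENT))
    print(domain_stem_in_header("Widgetltd: action required", RECIPIENT))
```

Run it against the URL and the From/Subject values of each message addressed to a given recipient; two or more hits on one message is a strong signal for this campaign's pattern regardless of which sending domain it rotates to.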