ESP abuse is a phishing technique where attackers route malicious email campaigns through legitimate email service providers such as SendGrid, MailerLite, Mailgun, Brevo, ActiveCampaign, or Amazon SES. Because these platforms are authorized senders with established infrastructure reputations, phishing messages delivered through them pass SPF, DKIM, and DMARC authentication checks. This creates a fundamental detection problem: the email is technically authentic at the infrastructure level, even though the content is malicious.
Unlike email spoofing, where attackers forge header fields to impersonate a domain they do not control, ESP abuse leverages infrastructure the attacker does legitimately control (at least temporarily). The distinction matters because the standard email authentication stack was designed to detect spoofed senders, not to evaluate whether an authorized sender is acting in good faith.
Attackers gain access to ESP platforms through several methods:
MITRE ATT&CK documents the infrastructure acquisition phase under T1583.006 (Acquire Infrastructure: Web Services), which describes adversaries registering for legitimate web services to support later-stage operations including phishing delivery.
Once the attacker has a working ESP account, the phishing email is composed using the provider's standard tools (templates, drag-and-drop editors, or API calls). The ESP handles delivery, applying its own DKIM signatures and routing the message through its IP pools. As defined in RFC 7208, the receiving mail server looks up the SPF record of the domain in the envelope MAIL FROM (Return-Path) and checks whether the connecting IP is authorized to send for it. Because the ESP's IP addresses are included in that record as authorized senders, the check passes. The same logic applies to DKIM: the ESP signs the message with a valid key whose public half is published in DNS under the signing domain, so the signature verifies correctly.
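To make that passing check concrete, the following is an added example (not code from the article or from any ESP named in it): a minimal SPF evaluator run against a constructed, in-memory DNS table in which two unrelated customers of one ESP, a legitimate retailer and an attacker-controlled domain, both delegate to the ESP's shared include record. All domain names, IP ranges and record contents are placeholders (RFC 2606 and RFC 5737 reserved values), and only the ip4, include and all mechanisms of RFC 7208 are implemented, which is enough to show that the receiver sees identical verdicts for both senders.

```python
"""Minimal SPF evaluator over a constructed, in-memory DNS table.

Added example, not code from the original article or from any ESP it names.
Domains, IP ranges and records are constructed placeholders, not real ESP
infrastructure. Only the ip4, include and all mechanisms are implemented.
"""
import ipaddress

# Constructed DNS TXT records. Both customer domains delegate to the ESP's
# shared include record, which is how ESP onboarding typically works.
DNS_TXT = {
    "_spf.esp.example": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/24 -all",
    "retailer.example": "v=spf1 include:_spf.esp.example ~all",        # legitimate customer
    "attacker-brand.example": "v=spf1 include:_spf.esp.example ~all",  # abusive customer
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mailfrom_domain, dns=DNS_TXT, depth=0):
    """Return the SPF result for a connection from client_ip whose envelope
    MAIL FROM is at mailfrom_domain: pass, fail, softfail, neutral, none or
    permerror (the evaluator is deliberately limited to a few mechanisms)."""
    if depth > 10:  # RFC 7208 caps lookup recursion; treat overflow as permerror
        return "permerror"
    record = dns.get(mailfrom_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            # include: matches only when the referenced record evaluates to pass
            if check_spf(client_ip, term[8:], dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism not supported by this toy evaluator
    return "neutral"  # no mechanism matched and no "all" term was present


def shared_pool_results(client_ip, dns=DNS_TXT):
    """SPF verdict for every customer domain when mail arrives from one ESP IP."""
    return {d: check_spf(client_ip, d, dns) for d in dns if not d.startswith("_spf")}


if __name__ == "__main__":
    # One ESP delivery IP, two customers: the receiver cannot tell them apart.
    for domain, verdict in shared_pool_results("203.0.113.45").items():
        print(f"{domain:24s} SPF={verdict}")
    # An IP outside the ESP pool gets no authorizing match for the same domain.
    print("retailer.example from 192.0.2.10:", check_spf("192.0.2.10", "retailer.example"))
```

The design point is the include: line: once a customer delegates to the ESP's shared record, every IP in that pool is an authorized sender for the customer's domain, and SPF has no notion of which customer account actually pushed the message. Blocking the pool would fail the retailer along with the attacker, which is the shared-infrastructure problem the next paragraphs describe.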
The core challenge with ESP abuse is shared infrastructure. A single ESP may send billions of legitimate marketing emails per month alongside a comparatively small volume of malicious messages. Blocking the ESP's IP ranges or domains would disrupt email delivery for thousands of legitimate businesses.
This creates an asymmetric advantage for attackers. Traditional email security controls that rely on IP reputation, domain age, or sender authentication cannot distinguish between a legitimate marketing campaign and a phishing attack sent through the same platform. The attacker's messages arrive with the same authentication results, the same IP reputation scores, and the same infrastructure trust signals as any other email from that ESP.
ESP providers do operate abuse desks and employ detection systems to identify malicious accounts. However, the response cycle is measured in hours or days, while a phishing campaign can reach its targets in minutes. Attackers routinely burn through ESP accounts, treating them as disposable infrastructure. By the time the provider suspends the account, the campaign has already been delivered.
The growing prevalence of ESP abuse reflects a broader trend in phishing tactics: attackers increasingly route attacks through trusted services and platforms rather than building their own infrastructure. This approach reduces cost, improves deliverability, and shifts the detection burden away from infrastructure-level signals toward content and behavioral analysis.
IRONSCALES detects ESP-routed phishing by analyzing message content and sender behavior patterns rather than relying on infrastructure reputation that ESP abuse deliberately exploits.
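The content-and-behaviour approach the last two paragraphs point to, as an added illustration that is not IRONSCALES code and not the logic of any ESP's abuse desk: two constructed messages arrive through the same ESP relay with SPF, DKIM and DMARC all passing, and a post-authentication triage step scores them on signals authentication does not cover (display name versus sending domain, urgency language, link hosts outside the sender's domain). The relay hostname `esp.example`, the keyword list and the weights are assumptions chosen for the example; the messages use RFC 2606 reserved names and are not real mail.

```python
"""Post-authentication triage for ESP-relayed mail.

Added example, not IRONSCALES code and not any product's detection logic.
Both messages are constructed; esp.example, the keyword list and the scoring
weights are illustrative assumptions. The point: treat a passing
Authentication-Results as expected for ESP traffic, then score content.
"""
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Constructed phishing sample: authenticated, relayed by the ESP, brand-impersonating.
PHISH = """\
Authentication-Results: mx.victim.example;
 spf=pass smtp.mailfrom=bounce.attacker-brand.example;
 dkim=pass header.d=attacker-brand.example;
 dmarc=pass header.from=attacker-brand.example
Received: from o12.esp.example (o12.esp.example [203.0.113.45])
 by mx.victim.example with ESMTPS; Tue, 1 Jan 2030 10:00:00 +0000
From: "Acme Bank Security" <alerts@attacker-brand.example>
To: user@victim.example
Subject: Urgent: verify your account within 24 hours
Content-Type: text/plain; charset=utf-8

Your account has been suspended. Verify now:
https://acme-bank-login.example/verify?u=123
"""

# Constructed legitimate sample: same relay, same authentication results.
BENIGN = """\
Authentication-Results: mx.victim.example;
 spf=pass smtp.mailfrom=bounce.retailer.example;
 dkim=pass header.d=retailer.example;
 dmarc=pass header.from=retailer.example
Received: from o12.esp.example (o12.esp.example [203.0.113.45])
 by mx.victim.example with ESMTPS; Tue, 1 Jan 2030 10:05:00 +0000
From: "Retailer Newsletter" <news@retailer.example>
To: user@victim.example
Subject: January catalogue
Content-Type: text/plain; charset=utf-8

Our January catalogue is out: https://www.retailer.example/catalogue
"""

KNOWN_ESP_HOSTS = ("esp.example",)  # assumed relay hostnames for known ESPs
URGENCY = ("urgent", "suspended", "verify", "within 24 hours", "immediately")
GENERIC_WORDS = ("security", "team", "support", "newsletter")


def auth_results(msg):
    """Extract spf/dkim/dmarc verdicts from Authentication-Results headers."""
    hdr = " ".join(msg.get_all("Authentication-Results", []))
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr))


def relayed_by_esp(msg):
    """True when any Received hop names a known ESP relay host."""
    hops = " ".join(msg.get_all("Received", []))
    return any(h in hops for h in KNOWN_ESP_HOSTS)


def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def triage(raw):
    """Return (score, reasons). Score 0 means no content/behaviour signal fired."""
    msg = message_from_string(raw, policy=policy.default)
    score, reasons = 0, []
    auth = auth_results(msg)
    if all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")) and relayed_by_esp(msg):
        reasons.append("authenticated but relayed via third-party ESP: infrastructure signals uninformative")
    sender = msg["From"].addresses[0]
    from_domain, display = sender.domain.lower(), sender.display_name.lower()
    # Display name names a brand that does not appear anywhere in the sending domain.
    brand_words = [w for w in re.findall(r"[a-z]+", display) if w not in GENERIC_WORDS]
    if brand_words and not any(w in from_domain for w in brand_words):
        score += 3
        reasons.append(f"display name {display!r} does not match sending domain {from_domain}")
    body = msg.get_body(preferencelist=("plain",)).get_content()
    text = (msg["Subject"] + " " + body).lower()
    hits = [w for w in URGENCY if w in text]
    if hits:
        score += len(hits)
        reasons.append(f"urgency language: {hits}")
    for url in re.findall(r"https?://\S+", body):
        host = (urlparse(url).hostname or "").lower()
        if not in_domain(host, from_domain):
            score += 2
            reasons.append(f"link host {host} is outside sending domain {from_domain}")
    return score, reasons


if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        score, reasons = triage(raw)
        print(f"{name}: score={score}")
        for r in reasons:
            print("  -", r)
```

Both messages share the first reason (authenticated, ESP-relayed), which is exactly why that line carries no score: for ESP traffic it is the baseline, not a finding. Everything that separates the two samples comes from the headers and body the ESP does not vouch for, and a real pipeline would feed the same signals into a model rather than fixed weights, but the split between "who is authorized to send" and "what was sent" is the same.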