The display name said "SendGrid." The branding was flawless. The footer carried a proper Twilio copyright. But the envelope-from told a different story: noreply@quakerwindows[.]com, a U.S. window manufacturer with no connection to email infrastructure.
A finance department employee at a mid-size healthcare education institution received this message during normal business hours. It warned that the organization's /api/v3/send functionality needed immediate restoration and prompted the recipient to "Update Account Settings" through a single, prominent button. For anyone who manages transactional email, that language reads as operationally urgent.
The Redirect That Wasn't Malicious (Until It Was)
Here is where this attack earns its distinction. The CTA button didn't point to a freshly registered domain or a compromised WordPress site. It pointed to hxxps://u14325645[.]ct[.]sendgrid[.]net/ls/click?..., a legitimate SendGrid click-tracking URL hosted on real SendGrid infrastructure.
SendGrid click tracking works by rewriting links in outbound email so that every click routes through ct[.]sendgrid[.]net before redirecting to the final destination. Marketers use it to measure engagement. Attackers use it to launder malicious URLs through infrastructure that Secure Email Gateways (SEGs) trust by default.
The distinction matters. A gateway evaluating this CTA sees a sendgrid[.]net domain, a valid TLS certificate, and a redirect service operated by Twilio. Most reputation engines score it clean. The actual credential harvesting page sits behind that redirect, invisible to any filter that stops at the first hop.
A 1x1 tracking pixel from the same ct[.]sendgrid[.]net domain confirmed delivery and open status, giving the attacker real-time intelligence on which recipients engaged.
Why the Envelope Told the Truth
The email's only authentication mismatch was the one most recipients never see. The envelope-from domain, quakerwindows[.]com, is a legitimate U.S. manufacturer. The attacker likely compromised the domain's sending credentials or exploited an open relay, then used it to send pixel-perfect SendGrid branding to targets who had no business relationship with a window company.
The display name read "SendGrid." The From header may have reinforced the same branding. But email authentication (SPF, DKIM, DMARC) evaluated the actual envelope domain, not the cosmetic one. If the compromised domain had a permissive or absent DMARC policy, the message could land in the inbox without triggering a hard fail.
This is a textbook case of T1584.001 (Compromise Infrastructure: Domains). The attacker didn't register a new domain. They borrowed one that already had sending history and reputation.
What the Gateway Can't Solve Alone
Traditional email gateways evaluate links at delivery time. If the first-hop domain (in this case, ct[.]sendgrid[.]net) has a clean reputation, the link passes. The gateway has no mechanism to follow the redirect chain in real time and evaluate the final landing page, especially when that landing page is gated, geofenced, or delayed in deployment.
According to the 2026 Verizon Data Breach Investigations Report, 39% of confirmed breaches involve credentials across the full kill chain. Credential harvesting pages hidden behind trusted redirectors are a primary enabler of that statistic.
This is precisely where behavioral analysis changes the outcome. The envelope-from mismatch, the generic "Hi there" greeting, and the first-time sender pattern collectively flagged this message. Across the IRONSCALES platform, Themis evaluates these behavioral signals in combination rather than relying on any single indicator. The link didn't need to be resolved to its final destination for the message to be quarantined. The behavioral fingerprint was enough.
The Allowlist Problem
Many organizations allowlist sendgrid[.]net and its subdomains because their own marketing, product notification, and transactional email systems depend on SendGrid delivery. That creates a structural blind spot. An attacker who routes their CTA through SendGrid click tracking inherits that trust without owning any SendGrid account themselves.
The same pattern applies to any email infrastructure provider that offers click-tracking or open-tracking. If the tracking domain is allowlisted, every redirected link that passes through it is pre-approved. The attacker doesn't need to build redirect infrastructure at all. The ESP's own platform provides it.
Community-sourced threat intelligence from 35,000+ security professionals across the IRONSCALES network helps close this gap. When one organization flags a campaign abusing SendGrid tracking URLs, that signal propagates to every other customer before the same lure reaches their mailboxes. Individual allowlists can't match the speed of a shared detection network.
MITRE ATT&CK Mapping
| Technique ID | Name | Application |
|---|---|---|
| T1584.001 | Compromise Infrastructure: Domains | Compromised quakerwindows[.]com used as sending domain |
| T1566.002 | Phishing: Spearphishing Link | Single CTA button linking to credential harvest via redirect |
| T1036.005 | Masquerading: Match Legitimate Name | Display name "SendGrid" with full Twilio branding |
| T1056.003 | Input Capture: Web Portal Capture | Final landing page designed to harvest API credentials |
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Envelope-from domain | quakerwindows[.]com | Compromised sending domain (legitimate U.S. manufacturer) |
| Display name | SendGrid | Impersonated brand |
| Click-tracking URL | hxxps://u14325645[.]ct[.]sendgrid[.]net/ls/click?... | Legitimate SendGrid infrastructure abused as redirect |
| Tracking pixel | ct[.]sendgrid[.]net (1x1 pixel) | Open tracking via SendGrid infrastructure |
| Footer text | "2026 Twilio SendGrid" | Pixel-perfect brand impersonation in copyright line |
What Your Team Should Do This Week
- Audit your SendGrid allowlists. If sendgrid[.]net or ct[.]sendgrid[.]net appears on a blanket allowlist, you are pre-approving every redirect that routes through SendGrid click tracking, including ones controlled by threat actors. Scope allowlists to the specific SendGrid subaccounts your organization owns.
- Prioritize envelope-from visibility. Configure your gateway or ICES platform to surface envelope-from mismatches in message headers or quarantine summaries. The display name said "SendGrid." The envelope said quakerwindows[.]com. That gap is the detection signal.
- Train on infrastructure impersonation, not just brand impersonation. Most phishing awareness programs teach users to spot fake logos and misspelled domains. This attack had neither. The logos were real. The redirect domain was real. Train teams to verify whether an email's request makes sense for their role before clicking any CTA, regardless of how the branding looks.
- Implement behavioral detection alongside static filtering. Sender reputation, first-time sender flags, greeting analysis, and envelope-from mismatch detection catch what URL reputation alone cannot. Static filters that stop at the first hop will pass this attack every time.
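As an added example (not code from the IRONSCALES post or its platform), this Python script scores a constructed copy of the lure on the behavioral signals the write-up relies on and on the scoped-allowlist check recommended above: a display-name brand the envelope domain does not back up, a first-time sender, a generic greeting, and a SendGrid tracking host that is not one of the organization's own subaccounts. The tracking-domain list, the owned subaccount id, and the known-sender set are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRACKING_SUFFIXES = ("ct.sendgrid.net",)  # ESP tracking domain named in the write-up
OWN_TRACKING_HOSTS = {"u99999.ct.sendgrid.net"}  # scoped allowlist; constructed subaccount id
GENERIC_GREETINGS = ("hi there", "dear customer", "dear user")

def is_tracking_host(host):
    return any(host == s or host.endswith("." + s) for s in TRACKING_SUFFIXES)

def score_message(raw, known_senders):
    """Return the behavioral signals that fire for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    signals = []
    display, from_addr = parseaddr(msg.get("From", ""))
    env_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    from_domain = from_addr.rpartition("@")[2].lower()
    # Brand words in the display name that the envelope domain does not back up.
    words = [w for w in re.findall(r"[a-z]+", display.lower()) if len(w) >= 4]
    if words and not any(w in env_domain for w in words):
        signals.append("display-name brand not in envelope domain")
    if env_domain and from_domain and env_domain != from_domain:
        signals.append("envelope-from / header-from mismatch")
    if env_domain and env_domain not in known_senders:
        signals.append("first-time sender")
    body = msg.get_payload()  # single-part sample; a multipart message would need walk()
    if any(g in body.lower() for g in GENERIC_GREETINGS):
        signals.append("generic greeting")
    # Any tracking host not on the scoped allowlist is a redirect or pixel we do not own.
    hosts = {(urlparse(u).hostname or "").lower()
             for u in re.findall(r'https?://[^\s"\'<>]+', body)}
    for host in sorted(hosts):
        if is_tracking_host(host) and host not in OWN_TRACKING_HOSTS:
            signals.append("ESP tracking host outside scoped allowlist: " + host)
    return signals

# Constructed message modelled on the lure described above; query strings are placeholders.
SAMPLE = """\
Return-Path: <noreply@quakerwindows.com>
From: "SendGrid" <noreply@quakerwindows.com>
Subject: Action required: /api/v3/send restoration
Content-Type: text/html

<p>Hi there,</p>
<a href="https://u14325645.ct.sendgrid.net/ls/click?q=PLACEHOLDER">Update Account Settings</a>
<img src="https://u14325645.ct.sendgrid.net/ls/open?q=PLACEHOLDER" width="1" height="1">
"""
```

Run `score_message(SAMPLE, known_senders={"sendgrid.net", "example.org"})` to see all four signals fire without resolving the redirect; the same message with the organization's own subaccount host, a known sender and a personal greeting returns no signals.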