The email announced that the recipient's HubSpot email campaigns had been suspended as of May 29, 2026. Case number #048974-489368. A prominent orange "Verify Your Account" button. The sender line read "HubSpot Team." Three different platforms were involved in building this message, and none of them was HubSpot.
Three Platforms, Zero HubSpot
The From address belonged to an unrelated personal marketing domain, a long-established registration (2009) anonymized here because its owner is a third party whose authenticated sending identity was abused. The message was delivered through Amazon SES at IP 54[.]240[.]64[.]44. SPF, DKIM, and DMARC all passed for that sending domain. Authentication was technically valid, but it vouched only for the sending domain and proved nothing about HubSpot.
The email template was built on Flodesk. Preference and unsubscribe links pointed to form.flodesk[.]com and usercontent.flodesk[.]com. The footer displayed a residential street address that does not match HubSpot's headquarters in Cambridge, MA. This was brand impersonation assembled from parts: Amazon SES for delivery, Flodesk for template infrastructure, and HubSpot's visual identity layered on top.
The Redirect That Was Already Gone
The "Verify Your Account" CTA linked to a URL on gkbt4brd.r.us-east-1.awstrack[.]me, an AWS SES click-tracking redirect. The tracking URL pointed to r2.ddlnk[.]net, a redirect domain fronted by Cloudflare with a valid SSL certificate.
At scan time, the ddlnk[.]net URL returned HTTP 404. The page was no longer live. But the domain has documented prior abuse reports, with sibling subdomains appearing in phishing campaigns. Attackers commonly activate credential harvesting pages during campaign delivery and take them offline within hours to avoid being crawled. A 404 at scan time does not mean the page was never serving a fake login page.
Quality Control Failures That Helped Detection
The body used a generic "Dear Customer" greeting with no account-specific identifiers, no organization name, and no email address associated with the claimed account. Content blocks were visibly duplicated in the HTML, a template-assembly error. The combination of urgency language, generic greeting, and duplicated blocks created a detection surface that compensated for the otherwise clean authentication signals.
The recipient tenant's protection system scored the message at SCL:5 and quarantined it before delivery, preventing user interaction with the CTA.
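The signals described above can be combined into a simple header and body check. The following is an added example, not code from the original article or from any vendor: it flags a message whose display name claims a brand while the authenticated From domain and link hosts fall outside that brand's domains. The `BRAND_DOMAINS` allowlist, the placeholder domain `sender-domain.example`, the subject line, and the tracking path are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: allowlist of domains each protected brand really sends from.
BRAND_DOMAINS = {"hubspot": {"hubspot.com"}}

# Constructed sample modelled on the message above. The page withholds the real
# sender domain, so sender-domain.example is a placeholder; the link is defanged.
SAMPLE = (
    "From: HubSpot Team <news@sender-domain.example>\n"
    "Subject: Your email campaigns have been suspended\n"
    "Authentication-Results: mx.recipient.example; spf=pass;"
    " dkim=pass header.d=sender-domain.example; dmarc=pass\n"
    "\n"
    "Dear Customer,\n"
    "Verify Your Account: https://gkbt4brd.r.us-east-1.awstrack[.]me/L0/x\n"
)

def registrable(host):
    # Naive last-two-labels cut; use a Public Suffix List in production.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyze(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg["From"])
    from_dom = registrable(addr.rpartition("@")[2])
    auth = msg.get("Authentication-Results", "")
    body = msg.get_payload().replace("[.]", ".")  # refang the sample link
    links = {registrable(h) for h in re.findall(r"https?://([^/\s]+)", body)}
    # Brand named in the display name, if any.
    brand = next((b for b in BRAND_DOMAINS if b in display.lower()), None)
    owned = BRAND_DOMAINS.get(brand, set())
    mismatch = brand is not None and from_dom not in owned
    return {
        "brand": brand,
        "from_domain": from_dom,
        # A pass only vouches for from_domain, never for the display name.
        "dmarc_pass": re.search(r"\bdmarc=pass\b", auth) is not None,
        "display_name_mismatch": mismatch,
        "offbrand_links": sorted(links - owned) if mismatch else [],
        "generic_greeting": re.search(r"(?im)^dear (customer|user)\b", body) is not None,
    }

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A message with `dmarc_pass` and `display_name_mismatch` both true is the case this article describes: clean authentication for a domain that has no relationship to the brand named in the sender line.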
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Sender Domain | Personal marketing domain (registered 2009), name withheld | Authenticated sender abused to impersonate HubSpot; likely third-party owner |
| Display Name | "HubSpot Team" | Spoofed brand identity over an unrelated sender domain |
| Sending IP | 54[.]240[.]64[.]44 | Amazon SES |
| CTA Redirect | gkbt4brd.r.us-east-1.awstrack[.]me | AWS click tracking |
| Landing Domain | r2.ddlnk[.]net | Cloudflare-fronted, prior abuse reports, HTTP 404 at scan |
| Template Platform | Flodesk (form.flodesk[.]com) | Preference/unsubscribe links |
| Footer Address | Residential street address (withheld) | Not HubSpot (Cambridge, MA) |
| Case Number | #048974-489368 | Fabricated |
MITRE ATT&CK Mapping
| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | "Verify Your Account" CTA to credential harvesting redirect |
| Acquire Infrastructure: Web Services | T1583.006 | Amazon SES, Flodesk, and ddlnk[.]net assembled for campaign |
| Masquerading: Match Legitimate Name or Location | T1036.005 | HubSpot branding over non-HubSpot infrastructure |