TL;DR Attackers used display-name impersonation to make an email appear to come from SendGrid while sending it from an unrelated domain registered in 2013. The message claimed the recipient's /v3/mail/send API endpoint had been paused, creating urgency to click a SendGrid-branded CTA. SPF records on the actual sending domain were in conflict (invalid configuration), no DKIM selectors were found, and DMARC was set to p=none with reporting directed to a third-party provider. The click-tracking URL concealed the final landing page behind a SendGrid redirect wrapper, preventing URL scanners from seeing the destination.
Severity: Medium Brand Impersonation Credential Harvesting Display Name Impersonation MITRE: {'id': 'T1566.002', 'name': 'Phishing: Spearphishing Link'} MITRE: {'id': 'T1656', 'name': 'Impersonation'} MITRE: {'id': 'T1598.003', 'name': 'Phishing for Information: Spearphishing Link'}
The email arrived with a single display name: "SendGrid." The subject line read: "Your /v3/mail/send endpoint has been paused." For anyone whose business depends on transactional email delivery, that is a high-urgency message. The single call to action button read "Open Account Preferences."
The sending address was noreply@eduvem[.]com. SendGrid had nothing to do with it.
Anatomy of a Display Name Impersonation
Display name impersonation is one of the most effective low-complexity phishing techniques available. Every major email client renders the visible sender name in large text and reduces the actual From address to a secondary field that requires an extra tap or hover to inspect. On mobile, the From address is often hidden entirely behind the display name unless the recipient explicitly expands the sender information.
This attack exploited that rendering asymmetry precisely. The display name "SendGrid" carried brand recognition and implied authority. The actual sending domain, eduvem[.]com, is a Brazilian education technology platform with no connection to Twilio SendGrid. The domain was registered in 2013 and currently uses Namecheap privacy protection, hosted on Google Cloud infrastructure at IP 35[.]215[.]125[.]13.
What made this message technically notable was not just the display name mismatch. The authentication posture of eduvem[.]com was in active disarray:
- SPF: Multiple conflicting SPF records were present, producing an invalid configuration. The result at evaluation time was PermError rather than a clean pass or fail.
- DKIM: No DKIM selectors were discoverable for the domain.
- DMARC: A DMARC record existed but was set to
p=none, meaning no enforcement action would be applied to failures. Reporting was directed to a third-party DMARC reporting provider (Brevo).
The combination of a PermError SPF result, absent DKIM, and a non-enforcing DMARC policy created a technically ambiguous authentication outcome. Gateways that require a clean pass before triggering analysis may treat PermError as neutral, allowing the message to advance without raising flags.
The Click-Tracking Redirect as an Evasion Layer
The single CTA in the email pointed to a URL hosted under u26063703[.]ct[.]sendgrid[.]net, a genuine SendGrid click-tracking subdomain. This is a deliberate evasion technique with a specific mechanism: at delivery time, when an email gateway or URL scanner evaluates the link, the destination URL is the click-tracking endpoint on sendgrid.net. That domain carries legitimate reputation. The scanner sees a known-good domain and returns a clean result.
The actual redirect destination was only revealed after a click event, well after delivery-time scanning was complete. This is the fundamental limitation of credential harvesting attacks that chain through legitimate redirect infrastructure. The threat exists at click time, not at delivery time, and most gateway-layer scanning cannot reach past the redirect.
The open-tracking pixel was similarly hosted on sendgrid.net, reinforcing the appearance of a genuine SendGrid notification at every layer a scanner might inspect.
External Warning Banners Do Not Equal Detection
An external-sender warning banner was present at the top of the message. This is a standard configuration in many Microsoft 365 and Google Workspace deployments: any message originating outside the organization receives a yellow or red banner noting that the sender is external.
External-sender banners are a useful friction layer, but they are not a detection mechanism for email spoofing. A genuine SendGrid account notification would also come from an external sender and would also carry an external-sender banner. The banner tells the recipient nothing about whether the sender is legitimate. In this case, it may have actually reduced suspicion: the banner appeared, the recipient noted it, and nothing else stood out visually to prompt further investigation.
See Your Risk: Calculate how many threats your SEG is missing
What Behavioral Detection Surfaces
Themis, the Adaptive AI engine, flagged this message on a combination of signals that static authentication analysis could not access. The display name did not match any known SendGrid sending domain. The actual From address had no prior relationship with the recipient organization. The authentication posture of the sending domain was broken (PermError SPF plus absent DKIM). The message contained a single generic CTA with no recipient-specific identifiers, consistent with a mass-distribution phishing template rather than a transactional service notification.
Genuine service interruption notifications from platforms like SendGrid include account-specific identifiers: usernames, account IDs, or partial email addresses. This message had none. The subject line was generic, the body was a template, and the recipient was not identified by name or account reference anywhere in the message. That generic quality, combined with the display name mismatch and broken authentication, produced the behavioral fingerprint that triggered detection.
For defenders: monitoring for display name mismatches against a known-sender registry (particularly for widely impersonated platforms like SendGrid, DocuSign, or Microsoft) is one of the higher-signal detection controls available for this class of attack. Authentication results alone cannot surface it.
Indicators of Compromise
| Type | Indicator | Context |
|---|
| Sending Domain | eduvem[.]com | Brazilian education platform, actual sender |
| Display Name | SendGrid | Impersonated brand; not the actual sender |
| Sending IP | 35[.]215[.]125[.]13 | Google Cloud, hosting eduvem[.]com |
| Click-Tracking URL | u26063703[.]ct[.]sendgrid[.]net | Legitimate SendGrid redirect; conceals final destination |
| Tracking Pixel | sendgrid[.]net (open pixel) | Hosted on genuine SendGrid infrastructure |
| DMARC Reporting | rua@dmarc[.]brevo[.]com | Third-party DMARC reporting destination |
| Subject Line | Your /v3/mail/send endpoint has been paused | Urgency lure referencing SendGrid API endpoint |
MITRE ATT&CK Mapping
| Technique | ID | Relevance |
|---|
| Phishing: Spearphishing Link | T1566.002 | Click-tracking redirect conceals credential harvesting destination |
| Impersonation | T1656 | Display name set to "SendGrid" while sending from unrelated domain |
Email Attack of the Day is a daily series from
IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack. What it looked like, why it worked, and what to do about it.
/case_study_thumb_telit.webp?width=1136&height=639&name=case_study_thumb_telit.webp)
/Leadership%20Headshots/Audian%20Paxson%20Headshot%201000x1000%20032026.webp?width=100&height=100&name=Audian%20Paxson%20Headshot%201000x1000%20032026.webp)
/Misc%20Icons/icon-red-teaming-agent-gradient-simple.svg)
/Misc%20Icons/icon-phishing-soc-agent-gradient-simple.webp?width=158&height=167&name=icon-phishing-soc-agent-gradient-simple.webp)
/Misc%20Icons/icon-phishing-simulation-agent-gradient-simple.svg)
/Misc%20Icons/icon-nav-encryption.svg)
