The email arrived with a single display name: "SendGrid." The subject line read: "Your /v3/mail/send endpoint has been paused." For anyone whose business depends on transactional email delivery, that is a high-urgency message. The single call to action button read "Open Account Preferences."
The sending address was noreply@eduvem[.]com. SendGrid had nothing to do with it.
Display name impersonation is one of the most effective low-complexity phishing techniques available. Every major email client renders the visible sender name in large text and reduces the actual From address to a secondary field that requires an extra tap or hover to inspect. On mobile, the From address is often hidden entirely behind the display name unless the recipient explicitly expands the sender information.
This attack exploited that rendering asymmetry precisely. The display name "SendGrid" carried brand recognition and implied authority. The actual sending domain, eduvem[.]com, is a Brazilian education technology platform with no connection to Twilio SendGrid. The domain was registered in 2013 and currently uses Namecheap privacy protection, hosted on Google Cloud infrastructure at IP 35[.]215[.]125[.]13.
What made this message technically notable was not just the display name mismatch. The authentication posture of eduvem[.]com was in active disarray:
p=none, meaning no enforcement action would be applied to failures. Reporting was directed to a third-party DMARC reporting provider (Brevo).The combination of a PermError SPF result, absent DKIM, and a non-enforcing DMARC policy created a technically ambiguous authentication outcome. Gateways that require a clean pass before triggering analysis may treat PermError as neutral, allowing the message to advance without raising flags.
The single CTA in the email pointed to a URL hosted under u26063703[.]ct[.]sendgrid[.]net, a genuine SendGrid click-tracking subdomain. This is a deliberate evasion technique with a specific mechanism: at delivery time, when an email gateway or URL scanner evaluates the link, the destination URL is the click-tracking endpoint on sendgrid.net. That domain carries legitimate reputation. The scanner sees a known-good domain and returns a clean result.
The actual redirect destination was only revealed after a click event, well after delivery-time scanning was complete. This is the fundamental limitation of credential harvesting attacks that chain through legitimate redirect infrastructure. The threat exists at click time, not at delivery time, and most gateway-layer scanning cannot reach past the redirect.
The open-tracking pixel was similarly hosted on sendgrid.net, reinforcing the appearance of a genuine SendGrid notification at every layer a scanner might inspect.
An external-sender warning banner was present at the top of the message. This is a standard configuration in many Microsoft 365 and Google Workspace deployments: any message originating outside the organization receives a yellow or red banner noting that the sender is external.
External-sender banners are a useful friction layer, but they are not a detection mechanism for email spoofing. A genuine SendGrid account notification would also come from an external sender and would also carry an external-sender banner. The banner tells the recipient nothing about whether the sender is legitimate. In this case, it may have actually reduced suspicion: the banner appeared, the recipient noted it, and nothing else stood out visually to prompt further investigation.
See Your Risk: Calculate how many threats your SEG is missing
Themis, the Adaptive AI engine, flagged this message on a combination of signals that static authentication analysis could not access. The display name did not match any known SendGrid sending domain. The actual From address had no prior relationship with the recipient organization. The authentication posture of the sending domain was broken (PermError SPF plus absent DKIM). The message contained a single generic CTA with no recipient-specific identifiers, consistent with a mass-distribution phishing template rather than a transactional service notification.
Genuine service interruption notifications from platforms like SendGrid include account-specific identifiers: usernames, account IDs, or partial email addresses. This message had none. The subject line was generic, the body was a template, and the recipient was not identified by name or account reference anywhere in the message. That generic quality, combined with the display name mismatch and broken authentication, produced the behavioral fingerprint that triggered detection.
For defenders: monitoring for display name mismatches against a known-sender registry (particularly for widely impersonated platforms like SendGrid, DocuSign, or Microsoft) is one of the higher-signal detection controls available for this class of attack. Authentication results alone cannot surface it.
| Type | Indicator | Context |
|---|---|---|
| Sending Domain | eduvem[.]com | Brazilian education platform, actual sender |
| Display Name | SendGrid | Impersonated brand; not the actual sender |
| Sending IP | 35[.]215[.]125[.]13 | Google Cloud, hosting eduvem[.]com |
| Click-Tracking URL | u26063703[.]ct[.]sendgrid[.]net | Legitimate SendGrid redirect; conceals final destination |
| Tracking Pixel | sendgrid[.]net (open pixel) | Hosted on genuine SendGrid infrastructure |
| DMARC Reporting | rua@dmarc[.]brevo[.]com | Third-party DMARC reporting destination |
| Subject Line | Your /v3/mail/send endpoint has been paused | Urgency lure referencing SendGrid API endpoint |
| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | Click-tracking redirect conceals credential harvesting destination |
| Impersonation | T1656 | Display name set to "SendGrid" while sending from unrelated domain |
| Attack | What happened |
|---|---|
| The Subdomain That Fused Two Trusted Brands Into One Convincing Lie | Attackers fused two real brand names into a single subdomain, routed the message through Zix infrastructure to inherit enterprise authentication. |
| When the Sender Domain Is Also the Phishing Kit Host: Dual-Purpose Domain Compromise | An attacker compromised a legitimate manufacturing company domain and used it two ways at once: as the authenticated sending address and as the host for... |
| The Email That Passed Every Security Check (Because Adobe Sent It) | A phishing campaign targeting school district staff used Adobe's own sending infrastructure, real DKIM signatures. |
| When 'Release from Quarantine' Is the Attack | A fake quarantine digest weaponized email security workflows, embedding JWT tokens in 'Allow' and 'Manage' buttons while masking one link's true... |
| AT&T Brand, Third-Party Infrastructure, and a $25 Visa Card That Goes Nowhere Good | An email claiming to be from AT&T Business arrived from a third-party campaign platform that passed SPF, DKIM, and DMARC for its own domain, not AT&T's. |