The email looked exactly like an official SendGrid notification. The template matched Twilio SendGrid's corporate design, including the footer company address. The subject said "Single sender verification expired." The sending infrastructure was a legitimate SendGrid customer account, with full SPF and DKIM authentication passing for that account's delegated subdomain. The CTA button said "Review sender authentication."
Clicking it would take you to sendgrid-verify[.]com. That domain is not owned by Twilio. It was registered three days before this campaign by an obscure registrar, is fronted by Cloudflare, and carries no email authentication records of its own.
The attack is a clean example of ESP abuse: use the legitimate infrastructure of a trusted sending platform to deliver the phish, then route the credential collection to an attacker-controlled lookalike domain that inherits nothing of the platform's reputation but borrows its visual identity from the email template.
The Sending Account: Legitimate Infrastructure, Compromised or Complicit
The message was sent through a delegated SendGrid subdomain configured for a real technology company, a long-established organization with its own domain registered more than a decade ago (name withheld). The subdomain was properly configured: a CNAME pointed to SendGrid's outbound infrastructure, and the SPF record authorized SendGrid's sending IPs. DKIM signed the message with the sender organization's domain. DMARC passed.
From a technical delivery perspective, this message looked identical to every other legitimate transactional email the same account had ever sent. The authentication result was not a failure. It was a success, from the attacker's standpoint.
The malicious element was the CTA destination embedded in the content. The click-tracking subdomain for the sending account wrapped the link in the organization's own branded redirect infrastructure before forwarding to sendgrid-verify[.]com. That wrapping added one more hop of apparent legitimacy: the first URL the recipient's browser resolved belonged to the sender organization's own domain namespace, not to the attacker.
MITRE ATT&CK T1566.001 covers spearphishing via link. T1598.003 covers phishing for information via service impersonation. T1583.001 covers domain acquisition for attacker infrastructure.
The Lookalike Domain: Three Days Old and No Authentication
sendgrid-verify[.]com was registered through NICENIC INTERNATIONAL GROUP CO., LIMITED, a registrar with no apparent connection to Twilio or any legitimate SendGrid-affiliated entity. Registration and first update timestamps both fall within the same day, consistent with a freshly provisioned attacker domain. The registrant identity is fully redacted.
The domain resolves to Cloudflare addresses (104.21.8.216 and 172.67.140.69). No MX records, no TXT records, no DMARC or DKIM published. For a domain claiming to be a SendGrid authentication portal, the absence of any email infrastructure is itself a decisive signal.
Typosquatting works because the visual resemblance between sendgrid-verify[.]com and sendgrid[.]com is close enough to pass a quick glance. Recipients who received what looked like a properly authenticated SendGrid notification, clicked a button inside it, and saw a URL beginning with sendgrid in their browser's address bar had multiple overlapping reasons to believe they were on a legitimate page.
Why "Authentication Passed" Is the Attack's Cover Story
This attack is a case study in what happens when authentication is treated as a sufficient proxy for message safety. The sending account's authentication passed not because the attacker defeated any control, but because they used a real account on real infrastructure, and the controls worked exactly as designed. The authentication confirmed only what it is built to confirm: that the message came from a system the domain owner authorized to send. It confirmed nothing about where the message's links pointed.
IRONSCALES flagged the message through link-destination analysis: the CTA resolved to a domain with no email authentication, registered days before the campaign, through a registrar unconnected to Twilio's vendor ecosystem. That mismatch between the authenticated sending source and the unauthenticated, newly registered landing domain is the signal that surfaces when detection extends past the envelope and into the content.
Credential harvesting operations that leverage ESP infrastructure represent a specific challenge for organizations that rely on allow-lists or authentication-pass as primary inbound trust signals. If a SendGrid-authenticated sender is allowed through because SendGrid is trusted, the landing domain never gets evaluated at delivery time. It is evaluated only after a recipient has already clicked. The effective defense layer is one that inspects link destinations at the time of delivery, compares landing-domain registration age and authentication posture against the sender's claimed identity, and flags divergence before the message reaches the inbox.
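The delivery-time check described above, and the landing-domain posture signals from the lookalike-domain section (no MX, no DMARC, registered days earlier), can be expressed as a small content-inspection rule. The following is an added example written for this article, not IRONSCALES code or a description of its product. It assumes a simplified `Authentication-Results` header, a CTA link already unwrapped from the ESP click-tracking redirect, and constructed stand-ins for WHOIS creation dates and DNS answers (a real implementation would query these live; the sender organization `sender-org.example` and the `acc=PLACEHOLDER` query value are placeholders). The verdict is "authentication passed, content suspicious", which is exactly the divergence the post describes.

```python
import re
from datetime import date
from typing import Optional
from urllib.parse import urlparse

# --- Constructed sample input (not from the original post) ---------------
# Authentication-Results as a receiving MTA might record it for the lure:
# SPF, DKIM and DMARC all pass for the delegated ESP subdomain of a
# hypothetical sender organization.
AUTH_RESULTS = (
    "mx.recipient.example; spf=pass smtp.mailfrom=em123.sender-org.example; "
    "dkim=pass header.d=sender-org.example; dmarc=pass header.from=sender-org.example"
)
# Body after the click-tracking wrapper has been unwrapped: the CTA points at
# the lookalike domain named in the post. The query value is a placeholder.
HTML_BODY = (
    "<p>Single sender verification expired.</p>"
    '<a href="https://sendgrid-verify.com/?acc=PLACEHOLDER">Review sender authentication</a>'
)
# Stand-ins for WHOIS creation dates and DNS answers (constructed values).
WHOIS_CREATED = {"sendgrid-verify.com": date(2024, 6, 1), "sendgrid.com": date(2009, 7, 1)}
DNS = {
    "sendgrid-verify.com": {"MX": [], "_dmarc.TXT": []},
    "sendgrid.com": {"MX": ["mx.sendgrid.com."], "_dmarc.TXT": ["v=DMARC1; p=reject"]},
}
# Brand keyword -> the brand's real registrable domain (assumed mapping).
BRAND_DOMAINS = {"sendgrid": "sendgrid.com"}
NEW_DOMAIN_DAYS = 30  # threshold below which a landing domain counts as "fresh"


def parse_auth_results(header: str) -> dict:
    """Return e.g. {'spf': 'pass', 'dkim': 'pass', 'dmarc': 'pass'} from a simplified header."""
    return {m.group(1): m.group(2) for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header)}


def registrable_domain(host: str) -> str:
    """Last two labels of the host; ignores multi-label public suffixes such as co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def extract_link_domains(html: str) -> list:
    """Collect the registrable domains of every href in the HTML body."""
    hosts = [urlparse(h).hostname for h in re.findall(r'href="([^"]+)"', html)]
    return sorted({registrable_domain(h) for h in hosts if h})


def impersonated_brand(domain: str) -> Optional[str]:
    """A brand keyword appears in the domain, but the domain is not the brand's real one."""
    for keyword, real in BRAND_DOMAINS.items():
        if keyword in domain and domain != real:
            return real
    return None


def landing_posture(domain: str, today: date) -> dict:
    """Age in days plus whether the domain publishes any MX or a DMARC policy."""
    created = WHOIS_CREATED.get(domain)
    recs = DNS.get(domain, {})
    return {
        "age_days": (today - created).days if created else None,
        "has_mx": bool(recs.get("MX")),
        "has_dmarc": any(t.startswith("v=DMARC1") for t in recs.get("_dmarc.TXT", [])),
    }


def assess(auth_header: str, html: str, today: date) -> dict:
    """Compare the authenticated envelope against the posture of each link destination."""
    auth = parse_auth_results(auth_header)
    reasons = []
    for domain in extract_link_domains(html):
        real = impersonated_brand(domain)
        posture = landing_posture(domain, today)
        if real:
            reasons.append(f"{domain} imitates {real}")
        if posture["age_days"] is not None and posture["age_days"] < NEW_DOMAIN_DAYS:
            reasons.append(f"{domain} registered {posture['age_days']} days ago")
        if not posture["has_mx"] and not posture["has_dmarc"]:
            reasons.append(f"{domain} publishes no MX or DMARC")
    auth_ok = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    return {"auth_passed": auth_ok, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    print(assess(AUTH_RESULTS, HTML_BODY, date(2024, 6, 4)))
```

The point of `assess` is that `auth_passed` and `suspicious` are independent outputs: an allow-list keyed on the first would deliver this message, while the second fires on the link destination alone. The registrable-domain helper is deliberately naive; a production rule should use a public-suffix list so that `example.co.uk`-style hosts are handled correctly.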
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Sending infrastructure | SendGrid outbound (legitimate ESP) | Attacker used a real SendGrid customer account; full auth pass |
| Sender domain | Long-established technology domain, name withheld | Delegated SendGrid subdomain; compromised or attacker-controlled account |
| CTA destination | hxxps://sendgrid-verify[.]com/?acc=... | Lookalike domain; registered 3 days before campaign; no email auth; Cloudflare-proxied |
| Registrar (landing domain) | NICENIC INTERNATIONAL GROUP CO., LIMITED | No organizational ties to Twilio; fully redacted registrant |
| Authentication result | SPF=pass; DKIM=pass (sender domain); DMARC=pass | Passes all checks; attack exploits ESP trust, not auth failure |
Related attacks
| Attack | What happened |
|---|---|
| Sign Here, Get Phished: Inside an Adobe Sign Lure With a Multi-Hop Redirect to Credential Theft | An Adobe Sign e-signature lure routed recipients through a multi-hop redirect chain ending at fameklinik[.]com. |
| When the Safety Wrapper Becomes the Disguise: Brazilian NF-e Phishing via Safe Links Rewrite | A Portuguese-language invoice lure authenticated through a compromised Brazilian domain used is.gd to hide its payload. |
| The Email That Shipped With Its Template Tokens Still In It (And Still Worked) | An attacker's mail merge failed. |
| DocuSign Plus Invoice: A 12-Day-Old Domain and an esvalabs Redirect Chain That Scanners Missed | A phishing campaign combined DocuSign branding with an invoice thread pretext, sent from a 12-day-old privacy-protected domain via Amazon SES. |
| When the Phishing Kit Ships Early: Exposed Template Variables Reveal Attack Infrastructure | A premature phishing kit deployment exposed raw template variables in the subject line and a placeholder URL. |