"The fundamental issue is that SendGrid’s business model depends on making it easy for legitimate businesses to send email at scale."
I disagree with this conclusion, if not only because other email service providers don't have this issue.
It wouldn't surprise me if something was broken with SendGrid's internal infrastructure. I used to be a SendGrid customer until my deliverability started being affected by this issue. SendGrid took weeks to reply to my customer service messages about resolving this, even though I was a paying customer and was renting private IP addresses from them to send mail.
I finally gave up and closed my SendGrid account in July 2021. Despite this, they continued to send me monthly invoices until May 2022. Multiple SendGrid representatives promised that they had resolved the issue, but it wasn't until one CSR added me to SendGrid's global suppression list that they finally stopped.
If the attackers in this case are cleverly exploiting anything, I would bet on aggressive grey patterns like that more than I would US culture wars. Noticing that a company has policies that let you hide in plain sight means that you're paying close attention. Knowing what issues are hot button culture flamewars means you can access literally any American news outlet.
>closed my SendGrid account ....continued to send me monthly invoices
I used to run IT for a medium company. The amount of times I saw this with various SaaS companies was troubling. We had hundreds of services some as small as a single manager that demanded X and company wide tools. It was frequently a several months long hassle to get them to stop billing us when we cut ties with them. I wish I kept personal records now it was a minority but definitely in the 15%'ish range.
Making a custom rule for a specific sender feels like fighting a fire with a glass of water.
It's better to focus on more systematic solutions. There exist a lot of them, SPF, DKIM, Recipient mail filtering (Your mail provider).
The screenshotted emails don't even do anything tricky like spoofing the sender address, it looks like "Sent from no-reply@theraoffice.com". If it spoofed the domain it would have been caught by SPF/DKIM.
Most of the time the user doesn't need to do much, you can just be weary of sender domains, and report the email as phishing and help blacklist that specific IP address/domain. Similar to how in medicine sometimes the physician tells you to drink water and rest, no medicine needed, just let the immune system do its thing.
As explained in the article, the scammers are using compromised Sendgrid domains to send the phishing emails. This means the emails are going to pass SPF/DKIM. Those domains are apparently owned by legitimate businesses which are actual Sendgrid customers. The phishers just compromised their account and API credentials
SendGrid's platform doesn't need to be the sender of these emails at all. It's just classic phishing, the emails can pass SPF, DKIM and DMARC as all of these rely on DNS resource records to be created on the RFC5321.MailFrom and/or RFC5322.From domain. Which is under control of the spammer. It's not pretending to be from sendgrid.com, if it was then these measures would help.
Yes, as the article says, they seem to be using Sendgrid to phish Sendgrid customers because the UX is "xyz.com delivered by sendgrid.com", hoping that this is seen as legitimacy by the recipient.
None of the examples in the article exhibit the 'via' UX. They were all sent with an aligned RFC5321.MailFrom and RFC5322.From (i.e. domain name used in both of those values is the same), those not matching is the most common reason to have the 'via' displayed [0]. They do have display names which pretend to be SendGrid.
Correct, I think the confusion might arise because of the self replicating nature of this attack when the target domain is an MTA.
I can't pinpoint it exactly, but it might be a combination of the replication cycle of the attack being recursive and very short if the target is an MTA. But it may also be because the fact that sendgrid clients are sendgrid clients is public information.
Kind of how like meta companies are overrepresented in their medium, in a stock exchange banks are overrerpresented, lots of websites about building websites, lots of road ads are about placing road ads.
There's some confusion here, there is a secondary compromise, but it's not very relevant.
The actual origin of the email: theraoffice.com
The fake origin of the email: SendGrid
There is a mismatch there, easy to detect. SendGrid was not compromised, and nothing was sent in the name of sendgrid or whatever.
Now the domain theraoffice might have been registered by an attacker, warmed up with some small fake traffic, and aged. Or it might have been compromised.
The previous email could have used sendgrid or mailchimp or google workspace, that's not very relevant. The SPF and DKIM would always pass, because SPF and DKIM verifies that the owner of theraoffice.com is the one sending the emails.
There might be a connection with SendGrid, but it's not at all accurately explained in the article, it may be as simple as SendGrid being a common phishing target of attackers just because they can get access to more email infrastructure for magnifying their reach, like a self-replicating virus.
For popular senders: sort-of: in your incoming mail server, substring-match the display name of the sender against popular brands, and ensure the actual domain matches.
This works remarkably well for proper brands (FedEx et al), but breaks down when the brand name regularly occurs in "normal" names, the sending brand sends mail from all over the place, or "innocuous" impersonation takes place all the time.
Like, somehow, From: "VODAFONE" <shipping-update@dpd.co.uk> is a 100% legit sender (assuming SPF and DKIM verification pass), despite both Vodafone and DPD being pretty common impersonation targets. You'd think they'd know better, but alas.
I often go one step futher by appending a short random identifier, `{service}.{id}@{domain}`, to make it harder to guess (in case someone learned of my email address policy).
at least hotmail, gmail, apple's various mail, though with apple just using hide my email is that whole idea fully and beautifully automated for normies
Some sites (hulu maybe? iirc) strip off the + and treat it as a bare email, with dedupe checks and all that.
Spammers won't respect the + either, they will clean their list of any +tags before sending.
The best I've actually come across is to abuse gmails period policy. I haven't seen sites dedupe this or perform any other checks or manipulation.
If you have enough letters in your alias you can treat the possible period locations as binary. For example, pests@ would have 4 edible spots, so I could make 16 different dot addresses: pests@, pest.s@, pes.ts@, pes.t.s@, pe.sts@, pe.st.s@, [...], p.e.s.t.s@
Then you can just remember/record the decimal ID you used per site.
> Spammers won't respect the + either, they will clean their list of any +tags before sending.
That's the entire point, if you get an email from the site but it doesn't include your +servicename tag then you immediately can immediately tell it's a phishing attempt or spam. If the tag is there it's not a 100% guarantee that it's legit, but absence of the tag is a big red flag.
>Use <service>@<yourdomain> as your email address when signing up, and check the To header when receiving emails.
The user of the webservice specifies a unique email per webservice; knowledge of that unique email address serves as a hint that the email came from someone that has discovered that email address, i.e. the webservice itself.
Right, so 99% of the time that’s a spammer that is going to use that discovered email. I updated my message to specify other illegitimate sources to cover that less than 1%
It seems like Twilio has a conflict of interest that prevents them from offering WebAuthn, as that would be a tacit admission that their SMS and Authy products are not actually that secure.
rich irony that twilio numbers don't qualify to receive SMS codes when senders check if it's a virtual number (the regulated aka important ones do check)
Having a friendly name listed in the From field is part of the problem. SPF, DKIM, and DMARC make it possible to control who can send as your domain, if the receiver cares to check. If you have strict SPF and DMARC rules, most receivers will drop or not accept emails that fail the rules. But you can't control using your brand from unaffiliated domains.
Would you even open an email from noreply@drummond.com if that's what showed up in the message list?
On mobile it's worse. Gmail (Android) doesn't even show the From address at all when you open an email. For some emails, I can tap the sender icon and see the address, for others I have to find the hit reply (but if DMARC et al doesn't validate a Reply-To address) or go find a computer and see the message there.
SendGrid phishing emails are some of the best phishing emails. I get emails that there's elevated error rates on an API (`/v1/send`). Looks very legit, good design, reasonable call to action, some urgency which makes me want to click. They know from MX records I send email with Sendgrid, so it's well targeted. Easy catch when I see the domain, but other than that it's the best I've seen in years.
> The political sophistication on display here (BLM, LGBTQ+ rights, ICE, even the Spanish language switch playing on immigration anxieties) suggests someone with a deep understanding of American cultural fault lines.
We've been getting similar phishing emails claiming to be from SendGrid, except they're along the lines of "we're adding a rainbow banner to the footer of all emails to show LGBT support, click here to opt out".
It's especially funny because SendGrid isn't even one of our vendors.
I’m more troubled by the fact these emails are hitting my sendgrid only email address.
Is this related to the breach that SendGrid said didn’t happen? I set my account up in 2021 for reasons I don’t recall and it’s since been deleted/deactivated by them.
First thought... Why would ICE need donations? I then realized how unrecognizable scams have become to me now. Older people are going to be in a worse position.
Donating to reduce the government debt is such a wildly dumb thing to exist. The US is currency sovereign! It has no risk of default on any debt denominated in USD!
The only reason a site like this exists is for politicians to distract from the fact that the budget of a nation with currency sovereignty does not actually have to raise revenues with taxes in order to spend money on services (and thus, be an excuse to cut services).
> The only reason a site like this exists is for politicians to distract from the fact that the budget of a nation with currency sovereignty does not actually have to raise revenues with taxes in order to spend money on services (and thus, be an excuse to cut services).
This is not a mainstream view. This _is_ a view of MMT, which is rejected by the majority of current economists, and this context is probably important to people seeing this when it’s just presented as a well known fact
> In a 2019 survey of top U.S. economists not a single respondent agreed with the basic aspects of MMT
Yeah donating for the debt is equivalent to literally burning money. The us’s biggest debt buyer is the US fed reserve. Bonds offered to foreign buyers absorbs loose worldwide cash. The supply of dollars is always less than demand because petroleum must be traded in dollars. And demand exceeds supply because IMF loans are denominated in dollars, plus interest, meaning that demand perpetually keeps going up because the interest keeps rising, simply because the clock ticks.
So what is the point of the debt? To convince govt should not be too big nor suck up to many of the worldwide human capital resources.
relatedly, my wife received polititexts destined to her conservative father. The latest was actually genius IMO, in that it stated "Dear STEVEN, due to inactivity, your registration will be changed to DEMOCRAT in 20 minutes unless you navigate to this link." It, I assume, redirected to some support page to donate to the US conservative party or its affiliates. The social engineering is getting more effective
I don't know if the fact that it fully slipped into the absurd or the fact that it probably still worked on people is sadder.
I do love the idea of voter registration oscillating back and fourth at 20 minutes intervals forever. Would make voting in the primaries way more exciting as the voter base kept flipping.
To me as a Canadian, the absurd part is that ordinary people are expected to have "registered" with a party (as opposed to registering with the independent organization that runs elections, like we do; they automate getting most of the voter roll from Revenue Canada, but this requires your explicit consent on the tax form).
I've never once registered with a party in the US. I always check "independent" on my voter registration. But I'm in a state with open primaries, so I can still vote in one or the other primary, even though I'm not registered with the party.
What's the purpose of a primary election? It's to select a party's candidate for a general election. It's not very obvious that this should even be a democratic process, but if it is, why shouldn't party members be the ones selecting their own candidates?
I envision that it does not matter, because this is a tactic that would 1) be available to all, and 2) it gives up your vote for someone of your own party, thereby weakening your own position. It's self regulating.
Can't they do that now? If I think my chosen primary guy is winning in a landslide I could just register for another party I don't like and vote for someone who I think is easier to beat.
You would still forfeit the ability to vote in your primary though. I do think there are people that do this, but most people want to vote in their primary regardless of whether it's a landslide.
Yeah it's the latter. The US does not have party membership the way that, say, the UK does. In many states, it's open primary. In Colorado, for instance, I get mailed Democratic and Republican primary ballots and can vote by mailing in either one. I think you get neither counted if you mail in both, but I have no idea; I've never tried it.
The last time anyone tried to poison a presidential election by promoting a weaker candidate on the other side in the US, it was the Democrats boosting Trump in 2016. It did not work out.
For an alternate example, in Illinois you choose one at primary election time and only get that one. This year the options are Democrat, Republican, Libertarian, and Non-Partisan (which means only the referendums, not the elections).
This would kind of be the same as us (I'm Canadian too) registering with the NDP so we can vote for the next leader. But the level of lying on display here is just insane.
> I don't know if the fact that it fully slipped into the absurd or the fact that it probably still worked on people is sadder.
The thing is that that one plays on propaganda that people have already been conditioned to accept.
Very probably this person's father believes that the Democrats (a) control the state-operated voter registration system, and (b) manipulate it to their advantage. He believes that because he's been sent that message through a vast number of channels for many years. He would think it was absolutely in character for his registered party to be changed, and would probably think that would somehow affect how his vote was actually counted.
It's no more absurd than the idea that busloads of illegal aliens are showing up to vote "somewhere". Or whatever other idiotic lies they've been telling forever.
This isn't even close to the most ridiculous emotional manipulation techniques American conservative fundraising uses to target old people who might not be in full possession of their faculties. It's some of the scummiest stuff possible.
Inevitably some people are going to be away from their phones when they receive that, so I wonder what they think when they continue getting needy messages from Republicans after that!
I can't think of one email I received from sendgrid I would consider legitimate. Anytime I receive an email distributed by sendgrid I have found it actually had no value to me. Sometimes it's from a business I have dealt with but I never wanted or was interested in the content.
Do you specifically go out of your way to check who sent every transactional email you receive and take notes on which email sending service your order confirmation was sent by? That would be a very weird thing to do and would be the only way to know that.
I get a flood of these every single day. Because we use SendGrid as a critical part of our product, I have to look for any emails from them pretty closely. It’s gotten impossible to do with all of these phishing attempts. I gotta hand it to them, though, the attempts are excellent.
I received one, though it was for adding a footer honoring MLK. I kinda thought it was odd, but did't think much of it, since I'm apparently not in the group that would be offended in any way. I wonder if the variation they use is random, or in any way location-based to maximize response (I'm in Texas).
I've also received a bunch of API failure phishing emails, as well as some implying we needed to change our auth to Sinch.
I wonder why Gmail and other email providers don't just run an LLM/ML pipeline to detect phishing emails. It seems that matching an email's content with the sender's domain (and possibly analyzing the content behind links) would be enough to show, with high certainty, a warning like "Beware: this looks like a phishing email." Is it too expensive? Too many false positives?
I think you're about 20 years behind the times if you think they don't.
There are a whole lot of problems with it when you start pressing the finer details like you list. For example, just look at the legit emails banks send out. They will tell you not to click links claiming to be your bank, then include links (claiming to be your bank) for more information.
Simply put the rules block too much corporate email because people that write corporate email do lots of dumb things with the email system.
It's true that a lot of established ML techniques were first popularized to fight spam (ie bayesian filtering), but it might also be the case that they're not applying the full might of eg Gemini-3-Pro to every email received. I suspect Gemini-3-Pro would do an effectively perfect job of determining if something is phishing, with negligible values in the false quadrants of the confusion matrix, but it's probably too expensive to use in that way. Which is why things like this can still slip through.
The most essential check is SPF and DKIM which authenticate if the message has come from an authorized server. The problem is that most mail services are too lenient with mismatched sender identification. On one hand, people would be quite vocal about their mail provider sending way too much legitimate (but slightly misconfigured) mail to the spam folder. However it allows situations like to happen where the FROM header, the "From:" address, and the return path are all different.
Most mail systems have several stages of filters, and the first ones (checking authentication) are quite basic. After that, attachments, links, and contents are checked for known malware. Machine learning might kick in after this, if certain criteria are met. Mail security is very complicated and works well except for the times it falls flat on its face like this.
The OP didn’t explain or showed the unsubscribe button compromise trick. Anyone here can shed some light on it?
I always had the habit of clicking on the unsubscribe button whenever I see an unwanted email. And I’d like to know what would happen if I click on malicious unsubscribe link.
Is this a new trend in phishing emails? They appear to be using legitimate domains to bypass spam detection. Usually the domains are associated with legitimate companies who are completely oblivious. I always wondered how this works. Is it a broken contact form somewhere?
One way is to look for companies that have SPF records (or whatever the system is these days) that contain ranges/names of large providers like sendgrid. Then they test sending mails with those large providers names under said system until they get ones that go out, and launch a campaign.
the article talked about how the sendgrid accounts are real, and presume compromised.
I suspect that once the sendgrid account is compromised, they then send out these phishing emails, hoping to compromise _other_ sendgrid accounts to look for password overlap and/or keep the flow going.
Not just SendGrid, I have received very sophisticated phishing emails “from” MailGun as well. I think the advantages of getting into your email channel justify a lot of investment by the bad guys.
> We know that state actors have invested heavily in understanding and exploiting these divisions. Russian active measures campaigns have been documented doing exactly this kind of work: identifying wedge issues and creating content designed to inflame both sides. North Korea has demonstrated similar sophistication in their social engineering operations by targeting academics and foreign policy experts
What about "read Twitter in between bouts of using one susceptible user's API key to spam other users for their API keys" _really_ requires the sophistication of a state-level actor? Statements like this aren't journalism, they're exactly the same kind of manipulation being used by the phishers.
It would be good to hold carriers accountable for fishing and spam. Sendgrid , Twilio and other saas messaging carriers need to do a better job with integrity. I don’t expect them to carry the whole burden, but some negative incentive to promote investment . It could be as simple as enforcing sender pays metering . We all know spam is 60+ % of traffic, so sender pays would drive down spam very quickly
SendGrid and their competitors are already the very definition of “sender pays” for email. “Sender pays” is how they make money. This isn’t a problem of monetary incentives.
The problem is that companies get their SendGrid credentials compromised via password re-use or phishing.
Interesting that politics is a vector for contagion.
When you think about politics is very contagious, politicians infect activists, who infect regular folk that advocate for stuff they don't benefit from, when elections come near, it's flu season.
Double parasite burgers where a new parasite leeches of an existing vector are common in biology as well. Like malaria and mosquitoes.
Philosophically fun, sure, but the article also points out that another vector was "Your language settings have been changed to Spanish", so I don't know if it's as profound as you're making it out to be. Anything that makes us panic can be a vector.
Before anyone launches themselves into the sky: the title is clickbait. This is about phishing attempts that use ICE to persuade you to click. Sendgrid the company is not emailing about supporting ICE. But technically Sendgrid the infrastructure is.
Author here. I quickly thought of the title for the article and shipped it. I agree it's clickbait-y and apologize to SendGrid (and any confused readers) but yes, as you say it's _technically_ correct in a very narrow sense – SendGrid's infrastructure and users are sending these emails, it's just that they're fraudulently associated with SendGrid the company.
In any case, I revised the title to "SendGrid isn’t emailing you about ICE or BLM. It’s a phishing attack."
Maybe someone can edit the title of the submission on HN accordingly?
I think HN should embrace AI to the point of having an alternative AI-generated title next to the original title, to reduce clickbait and reduce the global rage index.
This is an interesting idea, I think clickbait titles are one of many problems with our engagement-based social media tools today. For the sake of experimentation and transparency, here's the suggested titles from ChatGPT 4. They seem to be more descriptive and accurate overall.
---
Possible alternative titles that better match the article’s content:
How Phishers Are Using SendGrid to Target SendGrid Users with Political Bait
– Accurately reflects the mechanism (SendGrid abuse), the audience, and the novel political/social-engineering angle.
SendGrid Account Takeovers Are Fueling a Sophisticated Phishing Ecosystem
– More technical / HN-native framing, avoids culture-war implications.
Phishception: Politically Targeted Phishing Sent Through Compromised SendGrid Accounts
– Highlights the core insight and the self-reinforcing nature of the attack.
There is a chance that the title here was intentionally worded to answer a question people are likely to search for, then actually answer their concerns.
HN would never do that, it would violate the minimalism of the site.
Most people aren't even aware that their posted URLs can be changed or their titles re-edited automatically because the UI doesn't give affordances for anything. You're just expected to notice and edit it out within the edit window (which there also isn't an affordance for.)
I've been thinking about building a browser extension that turns clickbait headlines into factual titles.
"Why is SendGrid emailing me about supporting ICE?" becomes "Phishing Campaign Targets SendGrid Users via Compromised Accounts and Politically Charged Bait"
I think it would be more time than I'd like to commit though.
I tried to vibe code it about a year ago(a firefox extension), worked surprisingly good. Basically for a small set of web sites I frequent, just rewrite titles or remove links all together if a title is a click-bait or ragebait.
I don't like LLMs much, though I also don't really care much either, and I don't trust any models to get the content nuance right. But I'd still welcome it if it helps a little between the tons of clickbait or just straight up incorrect or sensationalist titles.
Maybe one day our knee jerk reactionary outrage will be quelled not by any enlightenment but because we are forced to grow weary of falling prey to phishing attacks.
I'd feel pretty stupid getting worked up about something only to realize that getting worked up about it was used against me.
I'm writing this because for a moment I did get worked up and then had the slow realization it was a phishing attack, slightly before the article got to the point.
Anyways, I think the clickbait is kindof appropriate here because it rather poignantly captures what is going on.
I agree. It can demonstrate the knee-jerk affect in real time for the reader. Someone who reacts strongly to the title of this thread would have experienced a similar reaction if they had received the SendGrid phish email. Never seen clickbait wording actually be appropriate before.
The effectiveness of these techniques will die off over time as young people are increasingly inoculated against them in the same way our generations are generally immune to traditional advertising. The memetics filters get better over time as us geezers are replaced by new models.
That is the expectation but no way to enforce it of course.
What happens a lot, at least for me, is that people will start reading the comments to see if they want to bother reading the link. Then they might start commenting on what's already been said. It's easy to slip into that pattern.
Though you also frequently see top-level comments that appear to be based on the headline alone.
Most people on Hacker News don't bother to read the linked article and either comment based on their impression of the title or whatever random thing happens to be on their mind at the time. Most people who do bother to read the linked article stop as soon as they encounter javascript or formatting or too much whitespace or a minor logical, spelling or grammatical error and then that will likely become the subject of the entire thread.
The number of people who actually read the entire article and then attempt to comment in good faith are few and far between.
The title is genius; it uses the same psychological trick as the phishers are, to point out to us how vulnerable we are. Obviously, for you to know the title is clickbait, you'd've had to click through and read it, which is the exact social engineering vulnerability the author is trying to demonstrate being exploited.
I thank the author for getting me this way, as I would have likely fallen for the unsubscribe trick.
right, so on the topic of "phishing emails designed to elicit enough emotion that you forget to consider the button might be a phish", the headline itself of this blog post is doing the exact same thing, really. The headline should be, "Phishing scams launched through SendGrid exploit deep political sentiments to achieve success" or something like that.
but that would be clear and very boring. nobody would read your blog then. A headline that very obviously implies Sendgrid the company supports ICE, and so much so that they are emailing all their customers about it, clicks galore. Well done.
"The fundamental issue is that SendGrid’s business model depends on making it easy for legitimate businesses to send email at scale."
I disagree with this conclusion, if not only because other email service providers don't have this issue.
It wouldn't surprise me if something was broken with SendGrid's internal infrastructure. I used to be a SendGrid customer until my deliverability started being affected by this issue. SendGrid took weeks to reply to my customer service messages about resolving this, even though I was a paying customer and was renting private IP addresses from them to send mail.
I finally gave up and closed my SendGrid account in July 2021. Despite this, they continued to send me monthly invoices until May 2022. Multiple SendGrid representatives promised that they had resolved the issue, but it wasn't until one CSR added me to SendGrid's global suppression list that they finally stopped.
If the attackers in this case are cleverly exploiting anything, I would bet on aggressive grey patterns like that more than I would US culture wars. Noticing that a company has policies that let you hide in plain sight means that you're paying close attention. Knowing what issues are hot button culture flamewars means you can access literally any American news outlet.
>closed my SendGrid account ....continued to send me monthly invoices
I used to run IT for a medium company. The amount of times I saw this with various SaaS companies was troubling. We had hundreds of services some as small as a single manager that demanded X and company wide tools. It was frequently a several months long hassle to get them to stop billing us when we cut ties with them. I wish I kept personal records now it was a minority but definitely in the 15%'ish range.
If using GSuite then head to the Gmail admin panel and create a compliance rule with 2 regex expressions.
1. Add expressions to: If ALL of the following match the message.
2. Expression 1: Type: Advanced content match Location: Full headers Match type: Matches regex (?im)^from:\sSendGrid(?:\s+\w+)\s*<[^>\r\n]+>+$
3. Expression 2: Type: Advanced content match Location: Sender header Match type: Not matches regex (?i)^[A-Za-z0-9._%+-]+@(sendgrid\.com|twilio\.com)$
Set the rule to reject or quarantine. Users will not see the messages unless the attackers change the From header.
Making a custom rule for a specific sender feels like fighting a fire with a glass of water.
It's better to focus on more systematic solutions. There exist a lot of them, SPF, DKIM, Recipient mail filtering (Your mail provider).
The screenshotted emails don't even do anything tricky like spoofing the sender address, it looks like "Sent from no-reply@theraoffice.com". If it spoofed the domain it would have been caught by SPF/DKIM.
Most of the time the user doesn't need to do much, you can just be weary of sender domains, and report the email as phishing and help blacklist that specific IP address/domain. Similar to how in medicine sometimes the physician tells you to drink water and rest, no medicine needed, just let the immune system do its thing.
As explained in the article, the scammers are using compromised Sendgrid domains to send the phishing emails. This means the emails are going to pass SPF/DKIM. Those domains are apparently owned by legitimate businesses which are actual Sendgrid customers. The phishers just compromised their account and API credentials
SendGrid's platform doesn't need to be the sender of these emails at all. It's just classic phishing, the emails can pass SPF, DKIM and DMARC as all of these rely on DNS resource records to be created on the RFC5321.MailFrom and/or RFC5322.From domain. Which is under control of the spammer. It's not pretending to be from sendgrid.com, if it was then these measures would help.
Yes, as the article says, they seem to be using Sendgrid to phish Sendgrid customers because the UX is "xyz.com delivered by sendgrid.com", hoping that this is seen as legitimacy by the recipient.
None of the examples in the article exhibit the 'via' UX. They were all sent with an aligned RFC5321.MailFrom and RFC5322.From (i.e. domain name used in both of those values is the same), those not matching is the most common reason to have the 'via' displayed [0]. They do have display names which pretend to be SendGrid.
0: https://support.google.com/mail/answer/1311182#zippy=%2Ci-ca...
Correct, I think the confusion might arise because of the self replicating nature of this attack when the target domain is an MTA.
I can't pinpoint it exactly, but it might be a combination of the replication cycle of the attack being recursive and very short if the target is an MTA. But it may also be because the fact that sendgrid clients are sendgrid clients is public information.
Kind of how like meta companies are overrepresented in their medium, in a stock exchange banks are overrerpresented, lots of websites about building websites, lots of road ads are about placing road ads.
There's some confusion here, there is a secondary compromise, but it's not very relevant.
The actual origin of the email: theraoffice.com
The fake origin of the email: SendGrid
There is a mismatch there, easy to detect. SendGrid was not compromised, and nothing was sent in the name of sendgrid or whatever.
Now the domain theraoffice might have been registered by an attacker, warmed up with some small fake traffic, and aged. Or it might have been compromised.
The previous email could have used sendgrid or mailchimp or google workspace, that's not very relevant. The SPF and DKIM would always pass, because SPF and DKIM verifies that the owner of theraoffice.com is the one sending the emails.
There might be a connection with SendGrid, but it's not at all accurately explained in the article, it may be as simple as SendGrid being a common phishing target of attackers just because they can get access to more email infrastructure for magnifying their reach, like a self-replicating virus.
The first rule doesn't match a specific sender. Run it through a re2 regex tester.
> Can this be fixed?
For popular senders: sort-of: in your incoming mail server, substring-match the display name of the sender against popular brands, and ensure the actual domain matches.
This works remarkably well for proper brands (FedEx et al), but breaks down when the brand name regularly occurs in "normal" names, the sending brand sends mail from all over the place, or "innocuous" impersonation takes place all the time.
Like, somehow, From: "VODAFONE" <shipping-update@dpd.co.uk> is a 100% legit sender (assuming SPF and DKIM verification pass), despite both Vodafone and DPD being pretty common impersonation targets. You'd think they'd know better, but alas.
So, yeah, room for improvement and such...
Use <service>@<yourdomain> as your email address when signing up, and check the To header when receiving emails.
And/or, long-press or right-click on any link to inspect the linked domain.
I often go one step futher by appending a short random identifier, `{service}.{id}@{domain}`, to make it harder to guess (in case someone learned of my email address policy).
I created a little GTK program to help: https://github.com/LightAndLight/gen-alias
Yes, it’s really <f(service, rand())>.
What fraction of people do you suppose actually have a <yourdomain> to do this with?
Even some highly technically inclined people (like myself) can be entirely ignorant of the process. It's not as if consumer ISPs provide the service.
Sub-addressing (doing tag+handle@domain.com) is supported by many email services but + may be flagged as an illegal character.
at least hotmail, gmail, apple's various mail, though with apple just using hide my email is that whole idea fully and beautifully automated for normies
The process isn’t difficult and worth acquainting yourself with.
If you don't control your own domain fully, almost all email services let you do:
user+servicetag@domain.com
And have it go to user@domain.com with the servicetag still in the To: field. At least, I have never encountered a problem with this.
Some sites (hulu maybe? iirc) strip off the + and treat it as a bare email, with dedupe checks and all that.
Spammers won't respect the + either, they will clean their list of any +tags before sending.
The best I've actually come across is to abuse gmails period policy. I haven't seen sites dedupe this or perform any other checks or manipulation.
If you have enough letters in your alias you can treat the possible period locations as binary. For example, pests@ would have 4 edible spots, so I could make 16 different dot addresses: pests@, pest.s@, pes.ts@, pes.t.s@, pe.sts@, pe.st.s@, [...], p.e.s.t.s@
Then you can just remember/record the decimal ID you used per site.
> Spammers won't respect the + either, they will clean their list of any +tags before sending.
That's the entire point, if you get an email from the site but it doesn't include your +servicename tag then you immediately can immediately tell it's a phishing attempt or spam. If the tag is there it's not a 100% guarantee that it's legit, but absence of the tag is a big red flag.
You can't tell who it came from though, unlike my method at least.
Also, the +tag could get lost though just normal data clean up / normalization.
And then the spammers (or other illegitimate source) just add this to their processing…
^([^@+]+)\+[^@]*(@.*)$
The use case here is using a unique email address to help verify the sender of the email, it's not connected to spam usage.
So you’re suggesting the sender use the + modifier on the from address?
Here's the suggestion:
>Use <service>@<yourdomain> as your email address when signing up, and check the To header when receiving emails.
The user of the webservice specifies a unique email per webservice; knowledge of that unique email address serves as a hint that the email came from someone that has discovered that email address, i.e. the webservice itself.
Right, so 99% of the time that’s a spammer that is going to use that discovered email. I updated my message to specify other illegitimate sources to cover that less than 1%
2FA doesn't stop phishing unless it's WebAuthn. But SendGrid, which is owned by Twilio, only supports 2FA based on SMS or the Authy App (which is also made by Twilio): https://www.twilio.com/docs/sendgrid/ui/account-and-settings...
It seems like Twilio has a conflict of interest that prevents them from offering WebAuthn, as that would be a tacit admission that their SMS and Authy products are not actually that secure.
rich irony that twilio numbers don't qualify to receive SMS codes when senders check if it's a virtual number (the regulated aka important ones do check)
Having a friendly name listed in the From field is part of the problem. SPF, DKIM, and DMARC make it possible to control who can send as your domain, if the receiver cares to check. If you have strict SPF and DMARC rules, most receivers will drop or not accept emails that fail the rules. But you can't control using your brand from unaffiliated domains.
Would you even open an email from noreply@drummond.com if that's what showed up in the message list?
On mobile it's worse. Gmail (Android) doesn't even show the From address at all when you open an email. For some emails, I can tap the sender icon and see the address, for others I have to find the hit reply (but if DMARC et al doesn't validate a Reply-To address) or go find a computer and see the message there.
SendGrid phishing emails are some of the best phishing emails. I get emails that there's elevated error rates on an API (`/v1/send`). Looks very legit, good design, reasonable call to action, some urgency which makes me want to click. They know from MX records I send email with Sendgrid, so it's well targeted. Easy catch when I see the domain, but other than that it's the best I've seen in years.
I've been getting them for weeks and never noticed they were phishing.
I only used a SendGrid account briefly, as a potential backup to my current outgoing transaction mail provider. Sent exactly 5 test emails I think.
The ICE one this morning gave me pause, but only about 2s before I deleted it and moved on with my busy day of reading HN posts.
That would seem to imply they weren't checking MX as I presume you have removed Sendgrid from your SPF allowed senders policy by now.
> The political sophistication on display here (BLM, LGBTQ+ rights, ICE, even the Spanish language switch playing on immigration anxieties) suggests someone with a deep understanding of American cultural fault lines.
Or an AI.
We've been getting similar phishing emails claiming to be from SendGrid, except they're along the lines of "we're adding a rainbow banner to the footer of all emails to show LGBT support, click here to opt out".
It's especially funny because SendGrid isn't even one of our vendors.
That example is in TFA.
right but nobody clicked the button on that one
Oh! I’ve seen this phishing attempt as well, I believe it was was Gemini they said they would add an “lgbt” banner unless you changed settings.
I’m more troubled by the fact these emails are hitting my sendgrid only email address.
Is this related to the breach that SendGrid said didn’t happen? I set my account up in 2021 for reasons I don’t recall and it’s since been deleted/deactivated by them.
First thought... Why would ICE need donations? I then realized how unrecognizable scams have become to me now. Older people are going to be in a worse position.
You can donate to reduce the national debt, so it's not that far out of the realm of possibility that federal agencies would solicit donations, too.
https://www.pay.gov/public/form/start/23779454
Donating to reduce the government debt is such a wildly dumb thing to exist. The US is currency sovereign! It has no risk of default on any debt denominated in USD!
The only reason a site like this exists is for politicians to distract from the fact that the budget of a nation with currency sovereignty does not actually have to raise revenues with taxes in order to spend money on services (and thus, be an excuse to cut services).
> The only reason a site like this exists is for politicians to distract from the fact that the budget of a nation with currency sovereignty does not actually have to raise revenues with taxes in order to spend money on services (and thus, be an excuse to cut services).
This is not a mainstream view. This _is_ a view of MMT, which is rejected by the majority of current economists, and this context is probably important to people seeing this when it’s just presented as a well known fact
> In a 2019 survey of top U.S. economists not a single respondent agreed with the basic aspects of MMT
https://en.wikipedia.org/wiki/Modern_Monetary_Theory
Yeah donating for the debt is equivalent to literally burning money. The us’s biggest debt buyer is the US fed reserve. Bonds offered to foreign buyers absorbs loose worldwide cash. The supply of dollars is always less than demand because petroleum must be traded in dollars. And demand exceeds supply because IMF loans are denominated in dollars, plus interest, meaning that demand perpetually keeps going up because the interest keeps rising, simply because the clock ticks.
So what is the point of the debt? To convince govt should not be too big nor suck up to many of the worldwide human capital resources.
relatedly, my wife received polititexts destined to her conservative father. The latest was actually genius IMO, in that it stated "Dear STEVEN, due to inactivity, your registration will be changed to DEMOCRAT in 20 minutes unless you navigate to this link." It, I assume, redirected to some support page to donate to the US conservative party or its affiliates. The social engineering is getting more effective
I don't know if the fact that it fully slipped into the absurd or the fact that it probably still worked on people is sadder.
I do love the idea of voter registration oscillating back and fourth at 20 minutes intervals forever. Would make voting in the primaries way more exciting as the voter base kept flipping.
To me as a Canadian, the absurd part is that ordinary people are expected to have "registered" with a party (as opposed to registering with the independent organization that runs elections, like we do; they automate getting most of the voter roll from Revenue Canada, but this requires your explicit consent on the tax form).
I've never once registered with a party in the US. I always check "independent" on my voter registration. But I'm in a state with open primaries, so I can still vote in one or the other primary, even though I'm not registered with the party.
This is just for primaries, you register to vote with the state as well.
In Canada, those votes happen independently as decided (deemed necessary) internally by the party, and public participation is much less common.
Still absurd that "free" "democratic" elections are allowed to require party membership, even for the primary.
What's the purpose of a primary election? It's to select a party's candidate for a general election. It's not very obvious that this should even be a democratic process, but if it is, why shouldn't party members be the ones selecting their own candidates?
How do you envision this working without the "opposing party" poisoning the vote to get a weaker opponent?
I envision that it does not matter, because this is a tactic that would 1) be available to all, and 2) it gives up your vote for someone of your own party, thereby weakening your own position. It's self regulating.
Can't they do that now? If I think my chosen primary guy is winning in a landslide I could just register for another party I don't like and vote for someone who I think is easier to beat.
You would still forfeit the ability to vote in your primary though. I do think there are people that do this, but most people want to vote in their primary regardless of whether it's a landslide.
Is actual party membership required?
Or, in effect, are you just required to claim either that you're more of a cat person, or that you're more of a dog person?
Yeah it's the latter. The US does not have party membership the way that, say, the UK does. In many states, it's open primary. In Colorado, for instance, I get mailed Democratic and Republican primary ballots and can vote by mailing in either one. I think you get neither counted if you mail in both, but I have no idea; I've never tried it.
The last time anyone tried to poison a presidential election by promoting a weaker candidate on the other side in the US, it was the Democrats boosting Trump in 2016. It did not work out.
For an alternate example, in Illinois you choose one at primary election time and only get that one. This year the options are Democrat, Republican, Libertarian, and Non-Partisan (which means only the referendums, not the elections).
This would kind of be the same as us (I'm Canadian too) registering with the NDP so we can vote for the next leader. But the level of lying on display here is just insane.
> I don't know if the fact that it fully slipped into the absurd or the fact that it probably still worked on people is sadder.
The thing is that that one plays on propaganda that people have already been conditioned to accept.
Very probably this person's father believes that the Democrats (a) control the state-operated voter registration system, and (b) manipulate it to their advantage. He believes that because he's been sent that message through a vast number of channels for many years. He would think it was absolutely in character for his registered party to be changed, and would probably think that would somehow affect how his vote was actually counted.
It's no more absurd than the idea that busloads of illegal aliens are showing up to vote "somewhere". Or whatever other idiotic lies they've been telling forever.
This isn't even close to the most ridiculous emotional manipulation techniques American conservative fundraising uses to target old people who might not be in full possession of their faculties. It's some of the scummiest stuff possible.
Inevitably some people are going to be away from their phones when they receive that, so I wonder what they think when they continue getting needy messages from Republicans after that!
I have been receiving 2-3 of these variations per day. Have been reporting them as phishing in our GSuite account, but they just keep coming.
I can't think of one email I received from sendgrid I would consider legitimate. Anytime I receive an email distributed by sendgrid I have found it actually had no value to me. Sometimes it's from a business I have dealt with but I never wanted or was interested in the content.
Do you specifically go out of your way to check who sent every transactional email you receive and take notes on which email sending service your order confirmation was sent by? That would be a very weird thing to do and would be the only way to know that.
Weird? Do you know where you are? We're all nerds here, in many shades of what you label as 'weird'.
True this is HN. I’m being curiosity shamed:). Most of the phishing attempts I get are Gmail.
When I receive email that is not from someone I know or understand why I receive it I check the source.
I don’t like receiving email that are not directly relevant to me.
This does mean that if it’s an order confirmation I wouldn’t check. So I may not know of legitimate emails from sendgrid only the illegitimate.
Same impression. SendGrid, MailChimp, any of those are just enabling spam at the end of the day.
In the same way that all software engineers are building harmful products, yes, sure.
Don't leave Salesforce out.
I get a flood of these every single day. Because we use SendGrid as a critical part of our product, I have to look for any emails from them pretty closely. It’s gotten impossible to do with all of these phishing attempts. I gotta hand it to them, though, the attempts are excellent.
I received one, though it was for adding a footer honoring MLK. I kinda thought it was odd, but did't think much of it, since I'm apparently not in the group that would be offended in any way. I wonder if the variation they use is random, or in any way location-based to maximize response (I'm in Texas).
I've also received a bunch of API failure phishing emails, as well as some implying we needed to change our auth to Sinch.
I think the main motivator is that most people/businesses would not want their transactional emails to include political at all.
I wonder why Gmail and other email providers don't just run an LLM/ML pipeline to detect phishing emails. It seems that matching an email's content with the sender's domain (and possibly analyzing the content behind links) would be enough to show, with high certainty, a warning like "Beware: this looks like a phishing email." Is it too expensive? Too many false positives?
>LLM/ML pipeline to detect phishing emails.
I think you're about 20 years behind the times if you think they don't.
There are a whole lot of problems with it when you start pressing the finer details like you list. For example, just look at the legit emails banks send out. They will tell you not to click links claiming to be your bank, then include links (claiming to be your bank) for more information.
Simply put the rules block too much corporate email because people that write corporate email do lots of dumb things with the email system.
It's true that a lot of established ML techniques were first popularized to fight spam (ie bayesian filtering), but it might also be the case that they're not applying the full might of eg Gemini-3-Pro to every email received. I suspect Gemini-3-Pro would do an effectively perfect job of determining if something is phishing, with negligible values in the false quadrants of the confusion matrix, but it's probably too expensive to use in that way. Which is why things like this can still slip through.
They do - well sort of.
The most essential check is SPF and DKIM which authenticate if the message has come from an authorized server. The problem is that most mail services are too lenient with mismatched sender identification. On one hand, people would be quite vocal about their mail provider sending way too much legitimate (but slightly misconfigured) mail to the spam folder. However it allows situations like to happen where the FROM header, the "From:" address, and the return path are all different.
Most mail systems have several stages of filters, and the first ones (checking authentication) are quite basic. After that, attachments, links, and contents are checked for known malware. Machine learning might kick in after this, if certain criteria are met. Mail security is very complicated and works well except for the times it falls flat on its face like this.
https://en.wikipedia.org/wiki/Sender_Policy_Framework https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
To my understanding, they already do use some form of ML for this and it's part of how things get routed to the spam folder without explicit rules.
I've been getting a lot of these, and forwarding them (along with the raw source of the email headers) to abuse@sendgrid.com with some success.
The OP didn’t explain or showed the unsubscribe button compromise trick. Anyone here can shed some light on it?
I always had the habit of clicking on the unsubscribe button whenever I see an unwanted email. And I’d like to know what would happen if I click on malicious unsubscribe link.
Is this a new trend in phishing emails? They appear to be using legitimate domains to bypass spam detection. Usually the domains are associated with legitimate companies who are completely oblivious. I always wondered how this works. Is it a broken contact form somewhere?
One way is to look for companies that have SPF records (or whatever the system is these days) that contain ranges/names of large providers like sendgrid. Then they test sending mails with those large providers names under said system until they get ones that go out, and launch a campaign.
the article talked about how the sendgrid accounts are real, and presume compromised.
I suspect that once the sendgrid account is compromised, they then send out these phishing emails, hoping to compromise _other_ sendgrid accounts to look for password overlap and/or keep the flow going.
Is this an education problem? Should the general public be more diligent in checking the sender domain of the emails they read?
Is this a UX issue? Should email clients highlight and emphasize the sender domain more than their display name?
> Should the general public be more diligent in checking the sender domain of the emails they read?
yes
Not just SendGrid, I have received very sophisticated phishing emails “from” MailGun as well. I think the advantages of getting into your email channel justify a lot of investment by the bad guys.
This speculative nonsense adds nothing:
> We know that state actors have invested heavily in understanding and exploiting these divisions. Russian active measures campaigns have been documented doing exactly this kind of work: identifying wedge issues and creating content designed to inflame both sides. North Korea has demonstrated similar sophistication in their social engineering operations by targeting academics and foreign policy experts
What about "read Twitter in between bouts of using one susceptible user's API key to spam other users for their API keys" _really_ requires the sophistication of a state-level actor? Statements like this aren't journalism, they're exactly the same kind of manipulation being used by the phishers.
Before you reach for your wallets, remember -
It might be 50 days by an (admittedly very cool) bus, but it's only 84 days in foot!
* Consult your Google Maps and a sense of humor if it sounds to good to be true!
So the modern Gestapo is so deeply unpopular it is being used for phishing attacks - no one (normal) wants to be seen anywhere near it. Amazing.
In the 1920s and 30s they had mailing campaigns recruiting to join the SA. Same principle.
Read the story
It would be good to hold carriers accountable for fishing and spam. Sendgrid , Twilio and other saas messaging carriers need to do a better job with integrity. I don’t expect them to carry the whole burden, but some negative incentive to promote investment . It could be as simple as enforcing sender pays metering . We all know spam is 60+ % of traffic, so sender pays would drive down spam very quickly
SendGrid and their competitors are already the very definition of “sender pays” for email. “Sender pays” is how they make money. This isn’t a problem of monetary incentives.
The problem is that companies get their SendGrid credentials compromised via password re-use or phishing.
I mean the carrier pays the recipient , so Twilio and sendgrid bear some cost
Interesting that politics is a vector for contagion.
When you think about politics is very contagious, politicians infect activists, who infect regular folk that advocate for stuff they don't benefit from, when elections come near, it's flu season.
Double parasite burgers where a new parasite leeches of an existing vector are common in biology as well. Like malaria and mosquitoes.
Philosophically fun, sure, but the article also points out that another vector was "Your language settings have been changed to Spanish", so I don't know if it's as profound as you're making it out to be. Anything that makes us panic can be a vector.
That’s some devious shit. I can just imagine someone furiously clicking the button in a rage
Before anyone launches themselves into the sky: the title is clickbait. This is about phishing attempts that use ICE to persuade you to click. Sendgrid the company is not emailing about supporting ICE. But technically Sendgrid the infrastructure is.
Author here. I quickly thought of the title for the article and shipped it. I agree it's clickbait-y and apologize to SendGrid (and any confused readers) but yes, as you say it's _technically_ correct in a very narrow sense – SendGrid's infrastructure and users are sending these emails, it's just that they're fraudulently associated with SendGrid the company.
In any case, I revised the title to "SendGrid isn’t emailing you about ICE or BLM. It’s a phishing attack."
Maybe someone can edit the title of the submission on HN accordingly?
Ok we changed the article from https://fredbenenson.com/blog/2026/01/09/why-is-sendgrid-ema... to https://fredbenenson.com/blog/2026/01/09/sendgrid-isnt-email... and the HN title accordingly.
I think HN should embrace AI to the point of having an alternative AI-generated title next to the original title, to reduce clickbait and reduce the global rage index.
This is an interesting idea, I think clickbait titles are one of many problems with our engagement-based social media tools today. For the sake of experimentation and transparency, here's the suggested titles from ChatGPT 4. They seem to be more descriptive and accurate overall.
---
Possible alternative titles that better match the article’s content:
How Phishers Are Using SendGrid to Target SendGrid Users with Political Bait
– Accurately reflects the mechanism (SendGrid abuse), the audience, and the novel political/social-engineering angle.
SendGrid Account Takeovers Are Fueling a Sophisticated Phishing Ecosystem
– More technical / HN-native framing, avoids culture-war implications.
Phishception: Politically Targeted Phishing Sent Through Compromised SendGrid Accounts
– Highlights the core insight and the self-reinforcing nature of the attack.
There is a chance that the title here was intentionally worded to answer a question people are likely to search for, then actually answer their concerns.
Then the "alternative AI-generated title next to the original title" would say so.
HN would never do that, it would violate the minimalism of the site.
Most people aren't even aware that their posted URLs can be changed or their titles re-edited automatically because the UI doesn't give affordances for anything. You're just expected to notice and edit it out within the edit window (which there also isn't an affordance for.)
I've been thinking about building a browser extension that turns clickbait headlines into factual titles.
"Why is SendGrid emailing me about supporting ICE?" becomes "Phishing Campaign Targets SendGrid Users via Compromised Accounts and Politically Charged Bait"
I think it would be more time than I'd like to commit though.
I tried to vibe code it about a year ago(a firefox extension), worked surprisingly good. Basically for a small set of web sites I frequent, just rewrite titles or remove links all together if a title is a click-bait or ragebait.
I don't like LLMs much, though I also don't really care much either, and I don't trust any models to get the content nuance right. But I'd still welcome it if it helps a little between the tons of clickbait or just straight up incorrect or sensationalist titles.
Mods regularly rewrite titles to improve clarity and this is probably a good candidate.
That's a pretty good idea as long as humans could review/approve.
Maybe one day our knee jerk reactionary outrage will be quelled not by any enlightenment but because we are forced to grow weary of falling prey to phishing attacks.
I'd feel pretty stupid getting worked up about something only to realize that getting worked up about it was used against me.
I'm writing this because for a moment I did get worked up and then had the slow realization it was a phishing attack, slightly before the article got to the point.
Anyways, I think the clickbait is kindof appropriate here because it rather poignantly captures what is going on.
I agree. It can demonstrate the knee-jerk affect in real time for the reader. Someone who reacts strongly to the title of this thread would have experienced a similar reaction if they had received the SendGrid phish email. Never seen clickbait wording actually be appropriate before.
When I see stories that make me want to click, I read HN comments first, and 8 times in ten that saves me a from a "won't get fooled again" moment.
There's got to be a way to generalize this for anyone who still cares about the difference between real facts and manipulation.
The effectiveness of these techniques will die off over time as young people are increasingly inoculated against them in the same way our generations are generally immune to traditional advertising. The memetics filters get better over time as us geezers are replaced by new models.
So a completely irresponsible headline. Is the writer confused or do we think they were aware of this distinction?
Also they are using variants of the same scam to target a variety of groups
Rather ironic to complain about phishing attempts with clickbait (which, I largely think of as phishing's kid brother).
You say ironic I say fitting.
I seriously hope HN discourse has the bare minimum of “open the link and read it before commenting”.
Your hope is in conflict with reality.
That is the expectation but no way to enforce it of course.
What happens a lot, at least for me, is that people will start reading the comments to see if they want to bother reading the link. Then they might start commenting on what's already been said. It's easy to slip into that pattern.
Though you also frequently see top-level comments that appear to be based on the headline alone.
I have some bad news for you...
^ Can anyone TL;DR this comment?
Most people on Hacker News don't bother to read the linked article and either comment based on their impression of the title or whatever random thing happens to be on their mind at the time. Most people who do bother to read the linked article stop as soon as they encounter javascript or formatting or too much whitespace or a minor logical, spelling or grammatical error and then that will likely become the subject of the entire thread.
The number of people who actually read the entire article and then attempt to comment in good faith are few and far between.
Yeah I noticed the same thing with other providers. Especially with ones that provide free trials.
The title is genius; it uses the same psychological trick as the phishers are, to point out to us how vulnerable we are. Obviously, for you to know the title is clickbait, you'd've had to click through and read it, which is the exact social engineering vulnerability the author is trying to demonstrate being exploited.
I thank the author for getting me this way, as I would have likely fallen for the unsubscribe trick.
right, so on the topic of "phishing emails designed to elicit enough emotion that you forget to consider the button might be a phish", the headline itself of this blog post is doing the exact same thing, really. The headline should be, "Phishing scams launched through SendGrid exploit deep political sentiments to achieve success" or something like that.
but that would be clear and very boring. nobody would read your blog then. A headline that very obviously implies Sendgrid the company supports ICE, and so much so that they are emailing all their customers about it, clicks galore. Well done.