hmrc

Threat actors are exploiting legitimate SendGrid mailing service to spoof HMRC phishing emails that bypass spam filters.

The known issue has been repeatedly exploited by scammers to evade detection from email security products, yet no concrete solution has been found yet.

Email delivery service abused for spoofing HMRC emails

SendGrid is an email delivery company providing infrastructure for sending out newsletters, promotional emails, and operational business emails such as shipping notifications.  

While SendGrid is itself a legitimate service, threat actors have been abusing some of its features to bypass spam filters and email security products.

A security researcher known as TheAnalyst shared information with BleepingComputer about an ongoing HMRC phishing campaign that uses SendGrid to bypass spam filters.

Spoofed email from HMRC using SendGrid
The spoofed email from HMRC coming from SendGrid appears legitimate to spam filters
Source: Twitter

The actual phishing webpages linked to in the email imitate the HMRC and GOV.UK design.

These pages comprise forms collecting sensitive user information such as:

  • Unique Taxpayer Reference (UTR) number
  • National Insurance Number (NINo)
  • Passport Number and expiry dates
  • Driving license number, with issue and expiry dates
  • Name, date of birth, and address information

The phishing page is hosted on what appears to be a compromised website: https://technicalzia[.]net/tax/

hmrc phishing page sendgrid
Phishing page collects sensitive details including passport and driving license number
Source: BleepingComputer

TheAnalyst told BleepingComputer, that the "legacy" accounts provided by SendGrid made the platform open to abuse by threat actors.

"In this specific case HMRC has a good DMARC record that makes most recipients to just junk them, but when [scammers] spoof other domains that actually have sendgrid in SPF/DMARC it's much worse," TheAnalyst explained to BleepingComputer.

To deliver this HMRC phishing campaign to their victims, the attackers spoofed the From email field with the tax collector's outgoing email address: no_reply@advice.hmrc.gov.uk

Because the scammers are using SendGrid's delivery infrastructure, these emails "went straight through many mail filters," explained the researcher.

An ongoing unsolved problem

SendGrid responded to TheAnalyst's report stating they try to keep their platform safe against such phishing actors.

The company advised reports of any malicious emails should be made to their Consumer Trust Team so they could be investigated and actioned upon.

sendgrid reply hmrc phishing
SendGrid response to TheAnalyst's Twitter report

However, the researcher and other Twitter users didn't seem convinced.

"This issue has been going on for at least half a year, and they have promised to fix it at the start of next year, but I'm not very sure." 

"We are a Fortune1000 company and marketing uses Sendgrid, but I'm doing everything I can to have those contracts terminated so we can block them in SPF/DMARC," TheAnalyst told BleepingComputer.

The researcher's main concern is, while SendGrid continues to tell the users they'd solve the problem via domain ownership verification prior to allowing them to send emails, it is the "legacy" accounts that get compromised and are prone to abuse by scammers.

Over Thanksgiving, SendGrid's platform was abused in a massive Zoom phishing campaign according to the researcher.

Thousands of users' credentials had been stolen as a result of the attack.

When asked for more information, SendGrid's parent company told BleepingComputer:

"Twilio is aware of this incident and has taken steps to investigate and resolve the problem. Twilio takes abuse of its platform and services very seriously."

"It is always regrettable when an individual or organization is the victim of a phishing attack. As a best practice, we encourage users on our platform to take advantage of existing security controls to protect their accounts, such as using 2FA and IP Access Management, and encourage email senders to take full advantage of email authentication technologies to protect their domains from spoofing."

"Additional information on best practices for protecting email accounts can be found [on SendGrid's blog]," a Twilio spokesperson told BleepingComputer.

As the end of the year approaches, users should remain vigilant for any HMRC phishing and smishing tax scams.

Recipients of phishing emails with any mention of SendGrid are advised to forward such emails to abuse[at]sendgrid.com, and to not click any links within them.

 

Update 2-December-2020: Added quotes from Twilio. 

Related Articles:

UK e-visa rollout starts today for millions: no more physical immigration cards

Google now blocks spoofed emails for better phishing protection

Hackers impersonate U.S. government agencies in BEC attacks

Microsoft rolls out passkey auth for personal Microsoft accounts

Millions of Docker repos found pushing malware, phishing sites