I have been noticing that email spoofing has gotten really good. You just can’t look and spot them anymore. Here’s one supposedly from SendGrid. It works because I use SendGrid to distribute the For M365 Admins newsletter each Monday.
The mail warns me that DMARC is reporting that my newsletter is landing in spam or being blocked. Obviously this is a concern to me. I want subscribers to get the newsletter they signed up for in their Inbox.
The button sends me off to review the domain authentication. When I click it, it opens a webpage that looks quite a bit like SendGrid.com and is a full page ask for my logon credentials.
Here are some things peaked my interest.
- Anytime I log into sendgrid there’s a cloudflare domain check that is part of the form. This one didn’t have one. Hmmm…
- My password tool, flagged this URL as one that is different that the one I ordinarily enter the credentials into. +1 for Roboform!
- Because the content was so compelling only then did I look at the from address in Outlook.
This email didn’t spark my skepticism immediately because although it was urgent, a hallmark of spoofs, it didn’t scream it at me. Act Now! Account Blocked!
Nice try.
