SendGrid isn’t emailing about ICE or BLM – it’s a phishing attack
Clickbait title and HN meta-discussion
- Many note the original headline was misleading and emotionally charged, mirroring the very phishing tactics being described.
- Some argue the clickbait is actually appropriate, as it exposes readers’ own susceptibility to outrage-driven clicks.
- Others see it as irresponsible and confusing about SendGrid “the company” vs. SendGrid “the infrastructure.”
- There’s repeated frustration that many commenters react to headlines without reading, and suggestions that HN (or browser extensions/LLMs) should rewrite titles to be more factual, with human review.
- The article’s author updated the title to be clearer, and HN’s title was changed accordingly.
Nature and sophistication of the phishing attacks
- Phishing emails use legitimate SendGrid infrastructure via compromised customer accounts, so SPF/DKIM can pass.
- Lures are tailored and “ragebait”: ICE support, BLM/LGBT/MLK footers, political banners, language changes, API failure notices, etc.
- Several people report receiving multiple such emails daily and find them unusually convincing and well-targeted.
- Some note this pattern across other providers (Mailgun, etc.): compromised accounts used as high-trust relays.
- The exact “unsubscribe button compromise trick” is asked about but not clearly explained in the thread (unclear).
Email security, UX, and provider responsibility
- Commenters criticize email clients (especially mobile Gmail) for hiding real sender domains and over-emphasizing display names, which makes phishing easier.
- SPF/DKIM/DMARC help only if recipients enforce them strictly, and even then they cannot stop brand impersonation from other domains.
- Some call for providers like SendGrid/Twilio to be held more accountable and to invest more heavily in abuse prevention; others note this is a broader ecosystem issue.
Defensive practices and technical ideas
- Suggested mitigations:
  - Per-service email aliases or sub-addressing (user+service@domain) to detect unexpected senders.
  - Admin-side rules (e.g., Gmail regex policies) targeting mismatches between display names and sender domains.
  - Reporting phishing to [email protected] and similar channels.
- Debate over 2FA: SMS/Authy are seen as phishable; WebAuthn is recommended but not currently offered by SendGrid.
- Some speculate about using powerful ML/LLM pipelines for phishing detection; others respond that ML-based spam/phishing filters already exist but are constrained by cost and false positives, especially against “legit but dumb” corporate email.
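The display-name rule and the SPF/DKIM caveat above, as an added example (not from the thread or any commenter): a Python check that flags a message whose From display name mentions a brand while the address sits on an unrelated domain, and records whether DKIM passed anyway. The brand-to-domain map, the function names and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed map of brand keyword -> domains that brand really sends from.
BRAND_DOMAINS = {"sendgrid": {"sendgrid.com", "twilio.com"}}

def domain_allowed(domain, allowed):
    """True if domain equals an allowed domain or is a subdomain of one."""
    domain = domain.lower().rstrip(".")
    return any(domain == a or domain.endswith("." + a) for a in allowed)

def display_name_mismatch(raw_message, brands=BRAND_DOMAINS):
    """Return one finding per brand named in the From display name
    when the From address is outside that brand's domains."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # A pass here only proves the sending account's domain signed the mail,
    # which is exactly what a compromised customer account provides.
    auth = msg.get("Authentication-Results", "")
    dkim_pass = re.search(r"\bdkim=pass\b", auth, re.I) is not None
    findings = []
    for brand, allowed in brands.items():
        if brand in display.lower() and not domain_allowed(domain, allowed):
            findings.append(
                {"brand": brand, "from_domain": domain, "dkim_pass": dkim_pass}
            )
    return findings

# Constructed sample: brand in display name, unrelated domain, DKIM passes.
PHISH_SAMPLE = (
    'From: "SendGrid Support" <notices@mail.example-customer.test>\n'
    "Authentication-Results: mx.example.test; spf=pass; "
    "dkim=pass header.d=example-customer.test\n"
    "Subject: API failure notice\n\nbody\n"
)
# Constructed sample: brand in display name, address on the brand's domain.
LEGIT_SAMPLE = (
    'From: "SendGrid" <no-reply@sendgrid.com>\n'
    "Authentication-Results: mx.example.test; dkim=pass header.d=sendgrid.com\n"
    "Subject: Invoice\n\nbody\n"
)

if __name__ == "__main__":
    print(display_name_mismatch(PHISH_SAMPLE))
    print(display_name_mismatch(LEGIT_SAMPLE))
```

A finding with `dkim_pass` set to true is the case the thread describes: authentication succeeded for the relay domain, so the display-name check is the only signal that fires.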
Politics and social engineering
- Politics is viewed as just one of many powerful emotional vectors; similar manipulative techniques appear in political fundraising texts.
- Discussion branches into how polarized narratives and existing propaganda make certain groups especially vulnerable to such tactics.