the article talked about how the sendgrid accounts are real, and presume compromised.

I suspect that once the sendgrid account is compromised, they then send out these phishing emails, hoping to compromise _other_ sendgrid accounts to look for password overlap and/or keep the flow going.