Hacker News

rezonant, last Friday at 10:20 PM (2 replies)

As explained in the article, the scammers are using compromised SendGrid domains to send the phishing emails. This means the emails are going to pass SPF/DKIM. Those domains are apparently owned by legitimate businesses which are actual SendGrid customers. The phishers just compromised their account and API credentials.


Replies

ZoneZealot, last Friday at 10:31 PM

SendGrid's platform doesn't need to be the sender of these emails at all. It's just classic phishing; the emails can pass SPF, DKIM and DMARC, as all of these rely on DNS resource records being created on the RFC5321.MailFrom and/or RFC5322.From domain, which is under the control of the spammer. It's not pretending to be from sendgrid.com; if it were, then these measures would help.

TZubiri, last Friday at 11:26 PM

There's some confusion here, there is a secondary compromise, but it's not very relevant.

The actual origin of the email: theraoffice.com

The fake origin of the email: SendGrid

There is a mismatch there, easy to detect. SendGrid was not compromised, and nothing was sent in the name of sendgrid or whatever.

Now the domain theraoffice might have been registered by an attacker, warmed up with some small fake traffic, and aged. Or it might have been compromised.

The previous email could have used SendGrid or Mailchimp or Google Workspace; that's not very relevant. The SPF and DKIM would always pass, because SPF and DKIM verify that the owner of theraoffice.com is the one sending the emails.

There might be a connection with SendGrid, but it's not at all accurately explained in the article, it may be as simple as SendGrid being a common phishing target of attackers just because they can get access to more email infrastructure for magnifying their reach, like a self-replicating virus.
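The point made in both ZoneZealot's and TZubiri's comments is that SPF and DKIM authenticate identifiers the sender controls, and DMARC only checks whether one of those identifiers aligns with the RFC5322.From domain. The following is an added worked example (not code from the article or from either commenter) that evaluates DMARC alignment for three constructed scenarios: mail sent with the attacker-controlled theraoffice.com in all three identifiers (passes, whichever ESP relays it), mail spoofing sendgrid.com in the From header (fails), and mail relayed through an ESP that signs and bounces under its own domain without the customer delegating DNS records (fails). The organizational-domain helper is a simplification that takes the last two labels rather than consulting the Public Suffix List, and the ESP identifiers used in the third scenario (sendgrid.net) are an assumption for illustration, not a statement about SendGrid's actual configuration.

```python
"""Added example: DMARC identifier alignment, independent of sending platform.

SPF authenticates the RFC5321.MailFrom (envelope) domain, DKIM authenticates
the d= domain of a verified signature, and DMARC passes if either of those
authenticated identifiers aligns with the RFC5322.From domain. Whoever controls
the DNS of the From domain can therefore satisfy all three, no matter which
ESP actually relays the mail.
"""
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Dict, Optional


def org_domain(domain: str) -> str:
    """Organizational domain. Simplified assumption: last two labels, no PSL lookup."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier: str, header_from: str, strict: bool) -> bool:
    """DMARC alignment: strict requires an exact match, relaxed an org-domain match."""
    identifier, header_from = identifier.lower(), header_from.lower()
    if strict:
        return identifier == header_from
    return org_domain(identifier) == org_domain(header_from)


@dataclass
class AuthResults:
    """What the receiving MTA has already verified for one message."""
    mail_from_domain: str    # RFC5321.MailFrom domain; SPF was evaluated against it
    spf_pass: bool
    dkim_d: Optional[str]    # d= of a signature that verified, or None
    dkim_pass: bool


def dmarc_evaluate(from_header: str, auth: AuthResults,
                   adkim: str = "r", aspf: str = "r") -> Dict[str, object]:
    """Return the alignment outcome for one message under the given DMARC policy tags."""
    _, addr = parseaddr(from_header)                 # display name is ignored entirely
    header_from = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    spf_aligned = auth.spf_pass and aligned(auth.mail_from_domain, header_from, aspf == "s")
    dkim_aligned = bool(auth.dkim_pass and auth.dkim_d
                        and aligned(auth.dkim_d, header_from, adkim == "s"))
    return {
        "header_from": header_from,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


# Constructed scenarios (sample data, not captured from the incident).
SCENARIOS = {
    # Attacker owns theraoffice.com DNS: SPF record, DKIM key, bounce subdomain all theirs.
    # The display name says "SendGrid" but no authentication mechanism looks at it.
    "phish_from_attacker_domain": (
        '"SendGrid Support" <billing@theraoffice.com>',
        AuthResults("bounce.theraoffice.com", True, "theraoffice.com", True),
    ),
    # Same infrastructure, but the From header claims sendgrid.com: nothing aligns.
    "spoof_sendgrid_com": (
        '"SendGrid" <noreply@sendgrid.com>',
        AuthResults("bounce.theraoffice.com", True, "theraoffice.com", True),
    ),
    # Assumed ESP defaults: relay bounces and signs under its own domain because the
    # customer never published the delegating DNS records. SPF and DKIM both pass,
    # yet neither identifier aligns with the From domain, so DMARC fails.
    "esp_default_identifiers": (
        "accounts@theraoffice.com",
        AuthResults("bounces.sendgrid.net", True, "sendgrid.net", True),
    ),
}


def run_scenarios(adkim: str = "r", aspf: str = "r") -> Dict[str, str]:
    """Evaluate every scenario and return name -> DMARC result."""
    return {name: str(dmarc_evaluate(hdr, auth, adkim, aspf)["dmarc"])
            for name, (hdr, auth) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (hdr, auth) in SCENARIOS.items():
        print(name, dmarc_evaluate(hdr, auth))
```

Switching both tags to strict (`run_scenarios("s", "s")`) does not change the first verdict: the bounce subdomain no longer aligns with SPF, but the DKIM d= still matches the From domain exactly, which is why a phisher who holds the domain's DNS is unaffected by the receiving side's DMARC policy.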