[sakopov]

Is this a new trend in phishing emails? They appear to be using legitimate domains to bypass spam detection. Usually the domains are associated with legitimate companies who are completely oblivious. I always wondered how this works. Is it a broken contact form somewhere?

[pixl97]

One way is to look for companies that have SPF records (or whatever the system is these days) that contain ranges/names of large providers like sendgrid. Then they test sending mails with those large providers names under said system until they get ones that go out, and launch a campaign.

[lbotos]

the article talked about how the sendgrid accounts are real, and presume compromised.

I suspect that once the sendgrid account is compromised, they then send out these phishing emails, hoping to compromise _other_ sendgrid accounts to look for password overlap and/or keep the flow going.