Abnormal Intelligence

Credential Phishing

Salesforce Sites Redirect Chain Phishing Uses SendGrid Wrapper and Bot Verification Protection

A phishing attack impersonates a business platform's access notifications, using a SendGrid link wrapper and a Salesforce Sites redirect chain protected by Cloudflare Turnstile to keep detection systems from reaching the final phishing page.

June 13, 2025

Attack Overview

Step 1: Partner Portal Access Downgrade Notification

The attacker sends a deceptive email impersonating a business platform with urgent access-related messaging.

[Image 1]
  • Email claims recipient's access to sensitive business assets has been temporarily revoked due to policy violations.
  • Message references "Partner Portal Access Downgrade" to create urgency and legitimacy.
  • Content lists specific detected activities including sharing sensitive assets and not following least privilege principles.

Step 2: Phishing Link Wrapped in a SendGrid Domain

The phishing link is concealed behind a trusted email service domain so that reputation filters see only the wrapper, not the destination.

[Image 2]
  • Link is wrapped in the ct.sendgrid[.]net domain, which legitimate SaaS platforms use for link tracking, so the URL in the message body carries a good reputation.
  • The wrapper masks the final destination: a scanner that checks the link as written sees only the SendGrid domain, and the real target is only revealed by following the redirect.
  • Because the visible URL is clean, the email passes traditional scanning that relies on the reputation of the link itself.

Step 3: Multi-Layer Redirect Through Salesforce Sites

The attack uses Salesforce Sites as an intermediate redirector with additional protection mechanisms before delivering the final phishing page.

[Image 3]
  • Intermediate redirector hosted on *.my.salesforce-sites[.]com, a legitimate Salesforce feature for publishing public pages, so the first hop also lands on trusted infrastructure.
  • The hand-off to the final phishing page is done by delayed JavaScript, so a crawler that does not execute scripts, or that gives up before the delay elapses, never sees the real destination.
  • Cloudflare Turnstile verification makes the page look legitimate while stopping automated link crawlers and URL analysis sandboxes from reaching the next hop.
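The three steps above describe one redirect chain: a reputable link wrapper, a SaaS-hosted page that forwards with delayed JavaScript, and a bot check in front of the last hop. The following is an added example (not Abnormal's detection code or any real sample from the campaign) of how a mail-security pipeline could resolve such a chain offline and turn its shape into a label. Every URL, token and page body is constructed for the demo; the ct.sendgrid.net query-string layout in particular is a placeholder, not a claim about SendGrid's real encoding. The example also models the failure mode the page hints at: when the final URL is only handed out after Turnstile succeeds, static resolution stops at the gate, and that dead end is itself treated as a signal.

```python
"""Resolve a layered redirect chain offline and label what it looks like.

Added example (not Abnormal's code).  The fetchers below are constructed
in-memory stand-ins for HTTP; every URL, token and body is made up to
mirror the three hops in the write-up.
"""
import base64
import re
from typing import Optional
from urllib.parse import urljoin, urlparse

# Well-reputed hosts that only wrap or host someone else's content.  Seeing
# them in a chain is an indicator to weigh, never a verdict on its own.
WRAPPER_HOSTS = {"ct.sendgrid.net"}
SAAS_HOST_SUFFIXES = (".my.salesforce-sites.com",)
BOT_CHECK_MARKERS = ("challenges.cloudflare.com/turnstile", "cf-turnstile")

# Client-side redirect sinks: meta refresh, JS location assignments, and the
# common trick of hiding the target as base64 behind atob().
_META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+url=([^"\'>\s]+)', re.I)
_JS_LOCATION = re.compile(
    r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']'
    r'|location\.(?:replace|assign)\(\s*["\']([^"\']+)["\']', re.I)
_ATOB = re.compile(r'atob\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')


def extract_client_redirect(body: str) -> Optional[str]:
    """Return the first statically recoverable client-side redirect target."""
    m = _META_REFRESH.search(body)
    if m:
        return m.group(1)
    m = _JS_LOCATION.search(body)
    if m:
        return m.group(1) or m.group(2)
    m = _ATOB.search(body)
    if m:
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        if decoded.startswith(("http://", "https://")):
            return decoded
    return None  # nothing in the source; the next hop is only reachable at runtime


def resolve_chain(start_url, fetch, max_hops=8):
    """Follow HTTP 3xx and client-side redirects from start_url.

    fetch(url) -> (status, headers, body).  Returns (hops, indicators): the
    ordered URLs visited and a set of labels describing the chain's shape.
    """
    hops, indicators, url = [start_url], set(), start_url
    for _ in range(max_hops):
        host = urlparse(url).hostname or ""
        if host in WRAPPER_HOSTS:
            indicators.add("email-service-link-wrapper")
        if host.endswith(SAAS_HOST_SUFFIXES):
            indicators.add("saas-hosted-redirector")
        status, headers, body = fetch(url)
        if 300 <= status < 400 and "Location" in headers:
            nxt = urljoin(url, headers["Location"])  # server-side hop
        else:
            if any(marker in body for marker in BOT_CHECK_MARKERS):
                indicators.add("bot-verification-gate")
            nxt = extract_client_redirect(body)  # client-side hop
            if nxt:
                indicators.add("client-side-redirect")
                nxt = urljoin(url, nxt)
        if not nxt:
            break
        hops.append(nxt)
        url = nxt
    else:
        indicators.add("max-hops-exceeded")
    return hops, indicators


def verdict(hops, indicators):
    """Coarse label a mail filter could act on, from chain shape alone."""
    layered = {"email-service-link-wrapper", "saas-hosted-redirector"} <= indicators
    evasive = indicators & {"bot-verification-gate", "client-side-redirect"}
    if layered and evasive and len(hops) >= 3:
        return "suspicious-redirect-chain"
    if "bot-verification-gate" in indicators:
        # The gate swallowed the chain.  A real notification link rarely ends at a
        # bot check on a generic SaaS host, so "could not resolve" is itself a signal.
        return "unresolved-behind-bot-check"
    return "benign-or-inconclusive"


# --- constructed chain mirroring the write-up (all values are placeholders) ---
START_URL = "https://ct.sendgrid.net/ls/click?upn=constructed-token"  # layout is a guess
REDIRECTOR_URL = "https://partner-portal-demo.my.salesforce-sites.com/verify"
FINAL_URL = "https://login-partner-portal.example/auth"
_TURNSTILE = ('<script src="https://challenges.cloudflare.com/turnstile/v0/api.js"></script>'
              '<div class="cf-turnstile" data-sitekey="constructed" data-callback="onVerified"></div>')
# Variant A: target sits in the source, delayed and base64-hidden; a non-executing
# crawler that knows the atob() trick can still recover it.
_STATIC_REDIRECTOR = _TURNSTILE + ('<script>setTimeout(function(){ window.location.href = atob("%s"); }, 3000);'
                                   '</script>' % base64.b64encode(FINAL_URL.encode()).decode())
# Variant B: target is only handed out server-side after Turnstile succeeds, so
# nothing in the source names the final host.
_GATED_REDIRECTOR = _TURNSTILE + ('<script>function onVerified(t){ fetch("/next", {method:"POST", body:t})'
                                  '.then(r => r.text()).then(u => { window.location.href = u; }); }</script>')


def _make_fetch(redirector_body):
    site = {START_URL: (302, {"Location": REDIRECTOR_URL}, ""),
            REDIRECTOR_URL: (200, {}, redirector_body),
            FINAL_URL: (200, {}, "<html>constructed credential form</html>")}
    return lambda url: site.get(url, (404, {}, ""))


fake_fetch = _make_fetch(_STATIC_REDIRECTOR)
gated_fetch = _make_fetch(_GATED_REDIRECTOR)

if __name__ == "__main__":
    for name, fetch in (("static", fake_fetch), ("gated", gated_fetch)):
        hops, ind = resolve_chain(START_URL, fetch)
        print(name, "->", verdict(hops, ind), "|", " -> ".join(hops), "|", sorted(ind))
```

Two design points carry over to a real pipeline. First, reputation of any single hop is deliberately not a verdict: each host in this chain is legitimately used, and the signal is the combination of wrapper, SaaS-hosted redirector, client-side hand-off and bot gate. Second, a chain that cannot be resolved past a Turnstile widget is classified rather than discarded, because an unresolvable chain on generic hosting is exactly what this campaign relies on.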

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for several reasons, including:

  • The phishing link is wrapped in the trusted ct.sendgrid[.]net domain, which masks the destination and bypasses link reputation filters.
  • The intermediate redirector is hosted on the legitimate Salesforce Sites platform, so the first hop resolves to trusted infrastructure.
  • Cloudflare Turnstile blocks automated link crawling and URL analysis, so detection tools that rely on following the link never reach the final page.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including:

  • Behavioral AI flags the never-before-seen sender, the unusual email content, and the URLs as anomalies, which allows detection of a novel attack without a prior signature.
  • The redirect chain and suspicious URL workflow are detected despite the clean-appearing infrastructure at each hop.
  • Natural language processing identifies the impersonation attempt regardless of how legitimate the link appears.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Classification

  • Credential Phishing
  • Link-based
  • External Party - Other
  • Credential Theft
