Key Points
What you'll learn in this notification
- More than 150k phishing campaigns impersonating service providers including SendGrid, HubSpot, Google and Okta
- Predominantly sent from white-labelled SendGrid accounts
- Use of fake CAPTCHA pages to evade detection
- Recent campaigns predominantly targeting Retail and Software-as-a-Service businesses in the US and UK
- Campaign objective: credential harvesting
The Mimecast Threat Research team has been monitoring several related phishing campaign clusters that began in February 2025 and have continued into May 2025. These campaigns impersonate legitimate email service providers (ESPs), primarily SendGrid, to deliver fraudulent notifications to end users. The campaigns often include urgent messaging about account restrictions, login alerts, or compliance warnings, encouraging recipients to click on a call-to-action. The aim of these campaigns appears to be harvesting credentials that are then used to distribute further phishing emails. As part of our Threat Research process, we have reported this to SendGrid.
Okta Phishing Campaigns Against SaaS Providers
Between April and May 2025, we identified a shift toward spear phishing campaigns targeting specific Software-as-a-Service (SaaS) organizations, with several samples imitating Okta login flows. Okta is an identity and access management (IAM) platform used by thousands of organizations worldwide and serves as the front gate to a company's digital environment. The phishing pages include single sign-on (SSO)-themed styling designed to exploit user trust and harvest credentials within enterprise environments. The campaigns appear to be targeting senior employees with possible elevated access to internal systems.
This tactic aligns closely with methods attributed to the Scattered Spider threat actor group highlighted by Silent Push, known for their use of advanced social engineering and adversary-in-the-middle (AiTM) phishing kits. By impersonating Okta and other SSO portals, the group seeks to compromise high-value SaaS platforms—such as customer relationship and support systems—by capturing authentication credentials and session tokens. The objective is often to gain privileged access to sensitive environments, bypass multi-factor authentication (MFA), and enable lateral movement within enterprise networks.
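A simple triage heuristic for the two patterns described above (brand impersonation in the From display name, mail relayed through a white-labelled ESP account), as an added example that is not Mimecast's code. The brand-to-domain mapping, the assumption that SendGrid-relayed mail carries a sendgrid.net Return-Path, and the sample messages are all constructed for illustration.

```python
"""Flag messages whose From display name claims a brand (Okta, SendGrid, HubSpot,
Google) while the sending domain is not that brand's and the Return-Path points
at an ESP bounce domain. Mappings are assumptions, not authoritative lists."""
from email import message_from_string
from email.utils import parseaddr

# Assumed legitimate sender domains per brand (illustrative only)
BRAND_DOMAINS = {
    "okta": {"okta.com"},
    "sendgrid": {"sendgrid.com", "sendgrid.net"},
    "hubspot": {"hubspot.com"},
    "google": {"google.com"},
}
# Assumed bounce domain seen in Return-Path of mail relayed via SendGrid
ESP_BOUNCE_DOMAINS = {"sendgrid.net"}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify(raw: str) -> dict:
    """Return which brand the message claims to be from and the evidence found."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    rp_dom = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    text = (display + " " + (msg.get("Subject") or "")).lower()
    claimed = next((b for b in BRAND_DOMAINS if b in text), None)
    # Brand named in display name/subject but sender domain is not the brand's
    brand_mismatch = bool(claimed) and not any(
        from_dom == d or from_dom.endswith("." + d) for d in BRAND_DOMAINS[claimed])
    # Relayed through the ESP while claiming to be someone else
    via_esp = rp_dom in ESP_BOUNCE_DOMAINS and from_dom not in ESP_BOUNCE_DOMAINS
    return {"claimed_brand": claimed, "from_domain": from_dom,
            "brand_mismatch": brand_mismatch, "via_esp": via_esp,
            "suspicious": brand_mismatch and via_esp}


# Constructed samples (not real campaign artifacts)
SUSPICIOUS = ("Return-Path: <bounces+123@sendgrid.net>\r\n"
              "From: \"Okta Security\" <alerts@example-mailer.test>\r\n"
              "Subject: Action required: account restricted\r\n\r\nbody")
LEGIT = ("Return-Path: <noreply@okta.com>\r\n"
         "From: \"Okta\" <noreply@okta.com>\r\n"
         "Subject: Sign-in verification\r\n\r\nbody")

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        print(name, classify(sample))
```

A real deployment would replace the assumed mappings with authenticated sender data (SPF/DKIM/DMARC results) rather than header strings alone.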
Dimakatso Makinta