A phishing attack that abuses a Calendly open redirect to mask a SendGrid-tracked malicious link.
Trusted Redirects, Deceptive Destinations
Open redirect and click-tracking redirect bypassing SEGs.

What is the attack?
The phishing email impersonates TV2Play, a legitimate streaming service, and uses a failed payment lure to trick users into clicking.
The multi-layer redirection chain helps the attacker obfuscate the final phishing destination and evade detection.
Why did it get through?
Verified Source: Email sent from a domain passing sender authentication checks.
Open Redirect: The phishing link leverages open redirect functionality (url?q=), making the URL appear benign while redirecting the user to another domain.
Legitimate Infrastructure: The attacker sends the email and tracks user clicks via SendGrid, a widely trusted email delivery service. This allows the use of SendGrid’s click-tracking domain to mask the true destination.
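The layered link described above can be unwrapped statically on the defender's side. The following is an added example, not code from the original write-up: it peels redirect parameters such as `q=` and reports each off-site hop. The hostnames, the sample URL and the `OPAQUE_TRACKERS` list are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumption: click-tracking hosts whose links carry the destination in an
# opaque token, so the next hop is only visible by resolving it in a sandbox.
OPAQUE_TRACKERS = {"click.tracker.example.net"}

# Constructed sample: an open redirect (url?q=) wrapping a click-tracking link.
SAMPLE = ("https://calendar.example.com/url?q="
          "https%3A%2F%2Fclick.tracker.example.net%2Fls%2Fclick%3Fupn%3DAAAA")

def embedded_urls(url):
    """Return (param, target) pairs for absolute URLs found in the query string."""
    found = []
    # parse_qsl percent-decodes each value once, as a redirector would.
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if value.startswith("//"):          # protocol-relative redirect target
            value = "https:" + value
        target = urlsplit(value)
        if target.scheme in ("http", "https") and target.hostname:
            found.append((name, value))
    return found

def unwrap(url, max_depth=5):
    """Follow redirect parameters without any network access.

    Returns (hops, findings): every URL in the chain and the reasons it looks
    suspicious. Hosts are compared exactly; a production check would compare
    registrable domains instead.
    """
    hops, findings = [url], []
    for _ in range(max_depth):
        host = urlsplit(hops[-1]).hostname or ""
        if host in OPAQUE_TRACKERS:
            findings.append(f"opaque click-tracking hop at {host}: resolve in a sandbox")
            break
        nested = embedded_urls(hops[-1])
        if not nested:
            break
        name, target = nested[0]
        target_host = urlsplit(target).hostname
        if target_host != host:
            findings.append(f"{host} parameter '{name}' redirects off-site to {target_host}")
        hops.append(target)
    return hops, findings

if __name__ == "__main__":
    for line in unwrap(SAMPLE)[1]:
        print(line)
```

Scoring the last resolved hop rather than the first visible host is what removes the benefit of the trusted outer domain.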
What is required to solve for this attack?
Behavioral Analysis: Abnormal’s Behavioral AI flags never-before-seen senders, unusual email content, and URLs as anomalies, which enables the detection of novel attacks.
Content Analysis and Natural Language Processing: Abnormal understands the email's content, recognizing the urgency and financial implications as indicators of a financially themed attack.