Threat Actors Exploit Social Causes to Manipulate User Behavior
10 February 2026
By Mimecast Threat Research Team
- Phishing campaigns exploiting Pride Month themes to trigger emotional responses and bypass security awareness
- Campaign occurred in two distinct waves: December 2025 with 504 targets followed by January 2026 escalation to 4,768 targets, totalling 5,272 organizations across US, UK, Germany, Australia, South Africa, Canada, and other regions
- Attack techniques align with methods used by Scattered Spider, CryptoChameleon, and PoisonSeed threat actors
- December campaign targeted financial services and consulting; January campaign shifted focus to IT, SaaS, and retail while maintaining financial services targeting, indicating either targeting optimization or multiple coordinated operations
Campaign Overview
Mimecast Threat Research Team has identified threat actors weaponizing social causes, specifically Pride Month and diversity initiatives, to manipulate organizations into hasty actions. These campaigns deliberately misuse legitimate organizational values to generate the urgency attackers need for successful credential theft.
This tactic is particularly effective because it exploits genuine organizational commitment to diversity and inclusion. Whether recipients support or oppose the initiative, attackers count on either reaction driving engagement with malicious links without sufficient scrutiny.
Notably, this campaign launched in mid-December, months before Pride Month in June. This suggests threat actors are planning ahead or testing messaging that will resonate with future campaigns. The timing also coincides with year-end holiday schedules when many organizations operate with reduced IT staffing and security monitoring, conditions that favor phishing success.
Campaign Waves and Escalation
The campaign executed as two distinct operations. The December 2025 wave targeted 504 organizations, primarily in the US (62%) and UK (20%), with concentrated focus on financial services, professional services, and consulting firms. This appears to have been a reconnaissance or testing phase.
The January 2026 wave represented a 9.5x escalation, targeting 4,768 organizations across expanded geography. While US and UK remained primary targets (57% and 21% respectively), the campaign also reached Germany, Australia, South Africa, and Canada in meaningful numbers. Industry targeting also shifted: IT and SaaS operations jumped from 6% of targets to 13%, retail from 4% to 7%, while financial services remained a top priority at 13%. This suggests either multiple coordinated operations or active optimization of targeting based on December results.
The Attack Method
The emails claim that Pride-themed email headers and footers will be automatically applied to corporate accounts per executive direction based on corporate values. Recipients are offered an opt-out option, creating a false sense of agency while directing them toward malicious links.
This is social engineering by design. Recipients supporting the initiative click to learn more. Those opposed click to opt out. Both responses succeed for the attacker: engagement with the link precedes scrutiny.
January emails evolved to include persona-based subject line prefixes, suggesting attackers are impersonating specific individuals to increase perceived legitimacy and bypass sender-based filtering.
Once clicked, users encounter a CAPTCHA verification page (a common attacker tactic that blocks automated URL scanners and sandboxes while letting human victims through) before being redirected to credential harvesting pages that mimic SendGrid login interfaces.
Infrastructure and Supply Chain Exploitation
Attackers leverage compromised SendGrid accounts, a legitimate bulk email platform, to distribute messages at enterprise scale. Malicious URLs redirect through SendGrid infrastructure to attacker-controlled domains including lgbtsendgrid[.]com and lgbt-sg[.]com.
This approach exemplifies a broader supply chain attack pattern observed across multiple threat campaigns. By compromising customer accounts on CRM and email service platforms such as SendGrid, Mailchimp, and HubSpot, threat actors gain access to established sending infrastructure and contact lists that lend credibility to their phishing messages. The tactic is particularly effective because recipients receive emails from trusted services or from internal company accounts, bypassing initial trust barriers. Organizations often monitor third-party service accounts less closely than their own infrastructure, giving attackers additional room to operate with minimal detection.
Once credentials are stolen and API keys are created for persistence, these compromised accounts become a vehicle for distributing phishing at scale. Other threat campaigns have used this same infrastructure to target cryptocurrency platforms, harvest mailing lists, and conduct bulk spam operations, demonstrating that email service providers are now a primary target in threat actor playbooks.
Campaign Attribution
While definitive attribution is challenging, observed techniques share characteristics with Scattered Spider, CryptoChameleon, and PoisonSeed threat operations:
- Exploitation of legitimate email service provider infrastructure
- Domain naming conventions mimicking trusted services
- Focus on credential harvesting to enable downstream attacks
- Targeting enterprise organizations across multiple sectors
The Broader Threat Landscape
These campaigns represent part of a larger attack pattern where threat actors compromise accounts on CRM and email service platforms to distribute phishing at scale. By stealing credentials for platforms like Mailchimp, SendGrid, and HubSpot, attackers send fraudulent messages that appear to originate from trusted internal or partner sources.
Recent threat research has identified multiple coordinated campaigns targeting the same email infrastructure, indicating this has become an established attack strategy rather than an isolated occurrence. Organizations appear to be targeted systematically—both for their credentials as attack infrastructure and for their contact lists to reach high-value targets. This means defending SendGrid, Mailchimp, and similar platforms is now a critical part of organizational email security posture, not just managing on-premises or direct cloud infrastructure.
The approach addresses a persistent challenge for attackers: getting organizational recipients to engage with phishing messages. Leveraging legitimate services and timely social causes increases credibility and engagement rates compared to traditional mass phishing.
Mimecast Protection
Mimecast has implemented detection capabilities to identify campaigns leveraging legitimate email service infrastructure for malicious purposes. Our threat research team continues monitoring for evolving tactics and domain variations used by these threat operations.
Primary Targets
Organizations across 8 countries spanning North America, Europe, and Southern Africa. Primary targets by region: US (58% of total), UK (21%), Australia, Germany, South Africa, Canada, and others.
Indicators of Compromise (IOCs)
LGBTQ Lure Malicious Domains
- lgbtsendgrid[.]com
- lgbt-sg[.]com
LGBT Lure Subjects
- Pride month Theme Update
- A Message from our Team
- Update on Email Theming
Similar Campaigns Malicious Domains
- https-sendgrid[.]info
- https-sglogin[.]com
- https-sgpartners[.]info
- https-sgportal[.]com
- id-unlink[.]com
- internal-ssologin[.]com
- legalcompliance-login[.]com
- login-enterprisesso[.]com
- login-request[.]com
- login-sgdashboard[.]com
- loginportalsg[.]com
- manage-sgdashboard[.]com
- myhubservices[.]com
- mysandgrid[.]com
- navigate-sendgrid[.]com
- network-sendgrid[.]com
- open-sglogin[.]com
- partnerdashboard-sglogin[.]com
- portal-sendgrld[.]com
- establish-sendgrid[.]com
Similar Campaigns Subjects
- API Endpoint Not Responding
- API Endpoint Unresponsive
- API Key Generated
- API Request Delivery Issue
- API Request Policy Update
- API Requests Not Delivering
- Callback URL Failing
- Domain Authentication Records Expiring
- Endpoint Connection Problem Detected
- Gateway Endpoint Failure Detected
- New Login Detected
- SendGrid API Rate Limit Threshold Reached
- Sending Capacity Reached
- Service Alert
- Template Configuration Problem
- Webhook Endpoint Not Responding
- Webhook Endpoint Returning Errors
Recommendations
User Security Awareness Training
- Educate employees about social engineering tactics that exploit emotional responses to social or political topics
- Emphasize that legitimate policy changes from executive leadership typically follow established internal communication channels, not external email links
- Train users to verify unexpected policy notifications through direct communication with HR or IT departments
- Conduct phishing simulations that include emotionally charged social themes to build recognition
Proactive Threat Hunting
- Search email receipt logs for messages delivered via SendGrid infrastructure whose subject lines match those listed above, and for any URL pointing to the listed domains or to other domains that imitate SendGrid naming
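The following script is an added example of that hunt, not Mimecast's code. It runs over constructed gateway log lines (one JSON object per line with a timestamp, return-path, subject and the URLs extracted from the body; the field names are assumed) and applies three rules: the published subjects (after stripping reply markers and an assumed persona prefix of the form "[Name]" or "Name -"), the published domains (refanged from the "[.]" form above), and a heuristic for the SendGrid-imitating naming convention the page describes. A published subject alone is treated as a weak signal and only reported when the message also arrived via SendGrid or carries a suspicious URL. The legitimate SendGrid domains and the lookalike pattern are assumptions to tune for your environment; the domain verify-sglogin.com in the sample is constructed, not a published IOC.

```python
"""Hunt gateway email logs for the Pride-lure campaign described above.

Added example (not Mimecast's code). Log lines are constructed; IOCs are
a subset of those published on the page, kept defanged until match time.
"""
import json
import re
from urllib.parse import urlparse

# Published IOCs (subset), defanged exactly as on the page.
IOC_DOMAINS_DEFANGED = [
    "lgbtsendgrid[.]com", "lgbt-sg[.]com", "https-sendgrid[.]info",
    "https-sglogin[.]com", "login-sgdashboard[.]com", "portal-sendgrld[.]com",
]
IOC_SUBJECTS = [
    "Pride month Theme Update", "A Message from our Team",
    "Update on Email Theming", "API Key Generated", "New Login Detected",
]
# Assumption: registrable domains that legitimately belong to SendGrid.
LEGIT_SENDGRID = ("sendgrid.com", "sendgrid.net")
# Heuristic (assumed, tune before use) for the naming convention on the
# page: "sendgrid"/"sg" tokens glued to login/portal/dashboard words.
LOOKALIKE = re.compile(
    r"sendgr|sandgr|(^|-)sg(login|portal|dashboard|partners|-|\.)|(login|portal)sg",
    re.I,
)


def refang(domain):
    """'example[.]com' -> 'example.com'."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}
IOC_SUBJECTS_NORM = {s.lower() for s in IOC_SUBJECTS}


def registrable_domain(host):
    """Last two labels; adequate for the .com/.info IOCs here (a real hunt
    should use a public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def subject_candidates(subject):
    """Yield the subject as-is, then with RE/FW markers stripped, then with
    an assumed persona prefix ('[Name] ...' or 'Name - ...') removed."""
    s = subject.strip()
    yield s
    s = re.sub(r"^((re|fw|fwd)\s*:\s*)+", "", s, flags=re.I)
    yield s
    m = re.match(r"^\[[^\]]+\]\s*(.+)$", s)
    if m:
        yield m.group(1)
    m = re.match(r"^[^:\-\[\]]{1,40}\s*[-:]\s*(.+)$", s)
    if m:
        yield m.group(1)


def classify_domain(host):
    """'ioc' if published, 'lookalike' if it imitates SendGrid, else None."""
    rd = registrable_domain(host)
    if rd in IOC_DOMAINS:
        return "ioc"
    if rd not in LEGIT_SENDGRID and LOOKALIKE.search(rd):
        return "lookalike"
    return None


def hunt(log_lines):
    """Return (timestamp, reasons) for each message worth triage."""
    findings = []
    for line in log_lines:
        rec = json.loads(line)
        reasons = []
        rp_domain = rec["return_path"].rsplit("@", 1)[-1]
        via_sendgrid = registrable_domain(rp_domain) in LEGIT_SENDGRID
        if any(c.lower() in IOC_SUBJECTS_NORM for c in subject_candidates(rec["subject"])):
            reasons.append("ioc-subject")
        for url in rec.get("urls", []):
            host = urlparse(url).hostname or ""
            verdict = classify_domain(host)
            if verdict:
                reasons.append(f"{verdict}-url:{registrable_domain(host)}")
        url_hit = any(r.endswith(")") or "-url:" in r for r in reasons)
        # Subject alone is weak: require SendGrid delivery or a bad URL.
        if url_hit or ("ioc-subject" in reasons and via_sendgrid):
            if via_sendgrid:
                reasons.append("via-sendgrid")
            findings.append((rec["ts"], reasons))
    return findings


# Constructed sample: two lures, a benign SendGrid digest, a benign internal
# mail with a listed subject, and a new lookalike domain not on the list.
SAMPLE_LOG = [
    json.dumps({"ts": "2025-12-15T09:12:03Z", "return_path": "bounces+1234-abcd@sendgrid.net",
                "subject": "Pride month Theme Update", "urls": ["https://lgbtsendgrid.com/optout?id=7"]}),
    json.dumps({"ts": "2026-01-14T14:02:41Z", "return_path": "bounces+5678-efgh@sendgrid.net",
                "subject": "RE: [Finance Team] Update on Email Theming", "urls": ["https://login-sgdashboard.com/verify"]}),
    json.dumps({"ts": "2026-01-14T15:00:00Z", "return_path": "bounces+9012-ijkl@sendgrid.net",
                "subject": "Your weekly digest", "urls": ["https://u9012.ct.sendgrid.net/ls/click?upn=abc"]}),
    json.dumps({"ts": "2026-01-15T08:30:00Z", "return_path": "it-team@example.internal",
                "subject": "A Message from our Team", "urls": ["https://intranet.example.internal/news"]}),
    json.dumps({"ts": "2026-01-16T11:45:10Z", "return_path": "alerts@notifications.example.org",
                "subject": "Service Alert", "urls": ["https://verify-sglogin.com/session"]}),
]

if __name__ == "__main__":
    for ts, reasons in hunt(SAMPLE_LOG):
        print(ts, ", ".join(reasons))
```

In real logs the body URL is often a SendGrid click-tracking link whose final destination only appears after the redirect, so pair this search with web proxy logs for the attacker domains; the benign digest in the sample shows why legitimate sendgrid.net hosts must be excluded before applying the lookalike heuristic.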