Home / Threat Intelligence bulletins / Namecheap's supplier breached and used to send phishing emails

Target Industry

Opportunistic targeting.


Popular domain registrar, NameCheap, has had their email delivery account abused as part of a phishing campaign.

A wave of Metamask and DHL themed emails were reported on Sunday from hello@namecheap[.]com, an address used by the company for official communications.

Responding to complaints via social media, Namecheap attributed the issue to an unamed third-party service provider.

Initial analysis showed the emails had not been spoofed but were coming from legitimate marketing service, SendGrid.

Speaking to BleepingComputer, Twilio, the owners of SengGrid, said the situation was “not the result of a hack or compromise of Twilio’s network”.
In some Twitter threads, the CEO posted a link to an article about Google Apps leaking Sendgrid API keys which would seem to indicate that a stolen API key was involved.

Based on the timing of the complaints on social media, the attack started around 9pm UTC and normal service was restored around midnight.


Namecheap reports that their own infrastructure was not affected and customer data is safe, but it’s unknown how many victims were successfuly phished.
The use of a legitimate account meant that mail was more likely to bypass some security filters.
If successful, this campaign could result in the loss of sensitive data and financial fraud.

Containment, Mitigations & Remediations

Namecheap has regained control of their service and disabled the malicious links in the emails.

Indicators of Compromise

For a brief period of time on Sunday, the domain links.namecheap.com was being used to redirect to malicious sites.

Threat Landscape

It is likely the impact could have been a lot more severe if the phishing theme had been better matched to the abused account.
A properly themed lure from the official hello@namecheap[.]com email address could have been incredibly effective at stealing credentials.
A compromised domain registrar account could be used for domain takeovers leading to further attacks.

Threat Group

No specific threat group has been attributed at the time of writing.

Mitre Methodologies

T1566.002– Phishing: Spearphishing Link
T1078.004 – Valid Accounts: Cloud Accounts
T1199 – Trusted Relationship

Further Information


MailChimp, Mailgun, and Sendgrid API leak endangered over 54M users

Hardcoded API Keys of Email Marketing Services Puts 54M+ Mobile App Users at Risk

Intelligence Terminology Yardstick