Inside the OpenAI invoice scam: SendGrid abuse and callback phishing explained


Cybercriminals never stand still, constantly reinventing their tactics to exploit trust, familiarity and human instinct. INKY continues to observe threat actors weaponizing cloud email platforms and voice‐based social engineering to bypass security controls. A recent example is a phishing campaign that sent hundreds of emails from a compromised SendGrid account linked to OpenAI to issue fraudulent invoices.

An invoice‑themed email, supposedly from OpenAI, arrived from [email protected] via SendGrid. Because the message was sent through a legitimate OpenAI SendGrid account, it passed SPF, DKIM and DMARC checks for openai.com. It claimed that a subscription charge of $763.99 had been confirmed and urged the recipient to call a support number to dispute it. The message contained no malicious links or attachments. Its only call‑to‑action was a phone number. This design allows the scam to slip through URL‑filtering gateways while exploiting the trust users place in well‑known brands and phone conversations.

Fig 1: The invoice-themed phishing email

Abuse of SendGrid infrastructure

Legitimate email delivery platforms have become powerful tools for threat actors seeking to blend in with normal business communications.

SendGrid’s appeal to attackers

SendGrid is widely used by businesses to send high‑volume transactional and marketing emails. It offers high deliverability and advanced features, such as click‑tracking and analytics. However, cybercriminals are abusing SendGrid accounts to launch phishing campaigns, impersonating SendGrid itself and other trusted brands. The promise of a 99% delivery rate makes the platform attractive to criminals. A compromised SendGrid account allows them to send spoofed emails that pass SPF/DKIM checks and appear legitimate to recipients.

Possible compromise of OpenAI’s SendGrid account

The phishing emails in this campaign were not only spoofing OpenAI’s name – they were sent through a genuine SendGrid account configured on the openai.com domain. The messages passed SPF, DKIM and DMARC checks for openai.com and contained SendGrid‑specific headers, indicating that the sender had authenticated access to OpenAI’s SendGrid tenant.

There are several plausible pathways through which criminals could have obtained such access:

  • Mass password cracking and account takeover: SendGrid’s parent company, Twilio, admitted that many customer accounts have been compromised and abused for spam. KrebsOnSecurity has reported that an unusually large number of SendGrid customer accounts had their passwords cracked and sold to spammers, enabling criminals to send phishing and malware campaigns through trusted customer domains. Once a SendGrid account is hacked, the resulting emails sail past unsophisticated spam filters because recipients trust SendGrid’s infrastructure.
  • Underground market for SendGrid credentials: Cybercriminals actively trade access to hijacked SendGrid accounts. Twilio’s chief security officer acknowledged that the company had seen an increase in compromised accounts and that multifactor authentication (MFA) was not mandatory. Researchers note that the market for these accounts is fuelled by password reuse: attackers target users who recycle credentials across sites and then sell working logins. One seller, operating under the handle “Kromatix,” advertised more than 400 compromised SendGrid accounts, pricing them based on the monthly email volume they could send. These stolen accounts can be used to generate API keys and blast out high-deliverability phishing emails.
  • Phishing and credential harvesting: Attackers may phish SendGrid users directly to steal their credentials. Because criminals can use the compromised account to send authenticated emails, the victims’ domains become unwitting participants in future attacks. If an OpenAI employee or contractor reused their SendGrid password, or if their credentials were compromised in a separate breach, attackers can log in to the SendGrid dashboard and create a fraudulent invoice campaign.
  • Weak or absent multifactor authentication: Twilio’s leadership indicated that MFA was optional for SendGrid accounts and that the company planned to make it mandatory. Without MFA, attackers can take over accounts by simply guessing or obtaining passwords. The absence of additional verification increases the risk that legitimate domains like openai.com are leveraged for phishing.

It is important to emphasise that there is no public confirmation that OpenAI itself was breached. The presence of the openai.com domain in these phishing emails means the attackers had access to some SendGrid credentials tied to OpenAI. Whether this access resulted from stolen credentials, password reuse, a phishing attack against an employee or a compromised third‑party vendor remains unknown.

Nevertheless, the widespread sale of cracked SendGrid accounts, together with the uncertainty over whether the credentials were phished or SendGrid itself was hacked, suggests that the OpenAI invoice scam most likely stemmed from account takeover rather than simple spoofing. Organizations using SendGrid should treat this incident as a warning to enforce MFA, rotate API keys regularly and monitor for unusual sending patterns.

Header analysis of the OpenAI invoice email

The malicious email was sent from [email protected] through SendGrid. Header analysis showed multiple hops through Microsoft’s mail infrastructure before reaching the recipient. Key observations include:

  • Authentication results: The message passed SPF, DKIM and DMARC checks because tm.openai.com authorized SendGrid’s IP (159.183.120.121). Attackers rely on compromised SendGrid accounts to ensure such alignment.

  • Received headers: One hop reads “Received: from MjAyMTY3MDY (unknown) by geopod-ismtpd-15 (SG) with HTTP id …”, indicating that SendGrid’s geopod‑ismtpd servers generated the message. The presence of “geopod‑ismtpd” and “(unknown)” in Received headers is a common indicator that the email originated from SendGrid.

  • X‑SG fields: The message includes X‑SG‑EID and X‑SG‑ID headers, which are unique to SendGrid. These reveal that it was sent via SendGrid’s API rather than a personal mail client.

  • Subject and body: The subject claimed “Subscription charge confirmed: $763.99” and the body contained a single call‑to‑action: “Support +1 (701) 638‑0848.” No links were included, so URL filters could not identify malicious domains. The body used OpenAI branding and urgent language to create a sense of panic and legitimacy.

The combination of SendGrid deliverability, cryptographic alignment and brand impersonation makes such emails difficult for standard email security gateways to block.

Fig 2: Email header analysis of the phishing email
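The header indicators above lend themselves to a simple triage rule. The following Python script is an added example (not INKY’s code or tooling): it parses a constructed message modelled on the headers described here, with placeholder addresses, IDs and phone number, flags the SendGrid-origin markers, and marks the mail as a callback-phishing candidate when an invoice-themed subject is paired with a phone number and no links, regardless of whether SPF/DKIM/DMARC passed.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample modelled on the headers this article describes; the
# addresses, IDs and phone number are placeholders, not the real campaign's.
SAMPLE_EML = """\
Received: from MjAyMTY3MDY (unknown) by geopod-ismtpd-15 (SG) with HTTP id CONSTRUCTED-ID
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=tm.example.invalid; dkim=pass header.d=example.invalid; dmarc=pass
X-SG-EID: CONSTRUCTED-EID
X-SG-ID: CONSTRUCTED-SGID
From: Billing <billing@example.invalid>
To: victim@example.com
Subject: Subscription charge confirmed: $763.99
Content-Type: text/plain; charset=utf-8

Your subscription charge of $763.99 has been confirmed.
To dispute this charge, contact Support +1 (555) 010-0199.
"""

INVOICE_WORDS = re.compile(r"\b(invoice|charge|subscription|payment|receipt)\b", re.I)
PHONE_RE = re.compile(r"\+?1?\s*\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+|www\.\S+", re.I)

def sendgrid_indicators(msg):
    # SendGrid-only X-SG headers plus the geopod-ismtpd/(unknown) Received hop.
    found = [h for h in ("X-SG-EID", "X-SG-ID") if msg.get(h)]
    if any("geopod-ismtpd" in hop or "(unknown)" in hop for hop in msg.get_all("Received", [])):
        found.append("Received via geopod-ismtpd")
    return found

def analyze(raw):
    # Triage rule: invoice lure + phone call-to-action + no links = callback phishing candidate.
    msg = message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    auth = msg.get("Authentication-Results", "")
    result = {
        "sendgrid": sendgrid_indicators(msg),
        "invoice_theme": bool(INVOICE_WORDS.search(msg.get("Subject", ""))),
        "phones": [" ".join(p.split()) for p in PHONE_RE.findall(body)],
        "urls": URL_RE.findall(body),
        # Passing SPF/DKIM/DMARC must not clear the message: the lure is the phone number.
        "auth_pass": all(f"{k}=pass" in auth for k in ("spf", "dkim", "dmarc")),
    }
    result["callback_phish"] = result["invoice_theme"] and bool(result["phones"]) and not result["urls"]
    return result

if __name__ == "__main__":
    print(analyze(SAMPLE_EML))
```

The rule is deliberately narrow; in production the phone number would be checked against known-bad lists and the sender domain against your own SendGrid tenant inventory.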

Attack chain: Callback phishing/vishing

Callback phishing, also known as telephone‑oriented attack delivery (TOAD), is a scam that begins with a fake invoice or subscription notice. These emails often claim to be charges from well‑known companies and include a phone number to call if the charge is not authorized. Their goal is to make the victim call the number rather than click a link. Once on the phone, the attacker impersonates a customer‑service representative, requesting personal information or instructing the victim to install remote‑support software. Because there are no malicious links or attachments, such messages can bypass traditional email filters.

Callback scams rely on urgency: the email urges the recipient to call to cancel a large charge, and the scammer who answers then uses social engineering to obtain login credentials, financial details or remote access. The method differs from traditional phishing because the conversation moves to a voice call, which security tools cannot easily monitor.

Fig 3: Callback phishing message

Step‑by‑step chain in the OpenAI invoice case

  • Initial email: The victim receives an invoice‑styled message from [email protected] via SendGrid. It claims a high‑value charge ($763.99) has been processed and provides a support number to call. Because the message passes SPF, DKIM and DMARC, it appears authentic and evades email filters.

  • Phone call: Believing the charge is real, the victim calls the support number. A scammer posing as an OpenAI representative answers. They may ask for the victim’s name, email address or other identifying details to “look up the account.”

  • Remote assistance: The scammer claims they need to reverse the charge or issue a refund and instructs the victim to install remote support software, giving them access to the victim’s device.

  • Compromise: With remote access, the attacker can harvest sensitive data (banking credentials, personal identification numbers) or guide the victim through fake refund processes that result in real financial loss. Early campaigns used this technique to install malware, granting remote access and sometimes leading to ransomware attacks. Attackers may also instruct the victim to log into their bank to “verify” funds, then quietly transfer money.

  • Post‑compromise actions: Attackers can persist on the victim’s machine, install additional malware, steal data or pivot to other systems. Because the victim initiated the call, they may remain unaware that anything malicious occurred.

Consequences of callback phishing

Callback phishing can have severe repercussions. Once remote access is granted, attackers can carry out:

  • Identity theft and financial fraud: Remote‑support tools allow criminals to view and steal banking information, initiate wire transfers or apply for loans. Netcraft notes that criminals used compromised SendGrid accounts to launch phishing attacks impersonating various companies, highlighting the scale of such abuse. After remote access is established, attackers can manipulate the victim’s financial dashboard and exfiltrate data.

  • Malware installation and ransomware: Victims are tricked into downloading remote‑access trojans, which are later used to deploy ransomware. Attackers might also install keyloggers or other spyware.

  • Network compromise and lateral movement: With access to an endpoint, criminals can move laterally within an organization, steal business data or send further phishing emails (lateral phishing).

Best practices and recommendations

To mitigate the risk of SendGrid‑abused callback phishing scams:

  • Verify via official channels: Do not call phone numbers provided in unsolicited emails. If you receive an invoice or subscription notice that seems suspicious, contact the company directly using a number from their official website or your account portal.

  • Never grant remote access to unknown callers: Legitimate companies will not ask for remote access to issue refunds or cancel subscriptions. Never install remote‑support software unless you have initiated a support request with a trusted provider.

  • Educate users: Train employees to recognize invoice scams.

  • Report and isolate: If you suspect a callback phishing attempt, report the email to your security team and isolate any devices that have installed remote‑support software. Monitor your accounts for unauthorized transactions and change passwords.

  • Secure SendGrid accounts: Organizations that use SendGrid should enable multifactor authentication, monitor sending activity and revoke any compromised API keys. Netcraft warns that criminals use compromised SendGrid accounts to send authenticated phishing emails.

Final thoughts

The OpenAI invoice scam demonstrates how attackers leverage legitimate cloud email services and voice‑based social engineering to bypass security controls. By sending an invoice‑themed email through SendGrid, criminals ensured the message passed SPF/DKIM/DMARC checks and appeared trustworthy. The absence of malicious links allowed the email to evade URL filters, while the urgent call‑to‑action prompted the recipient to contact a scammer who then sought remote access.

Callback phishing is part of a broader trend in which attackers weaponize trusted platforms and remote‑support tools. Advanced email security, vigilance, user education and rigorous verification through official channels remain the most effective defenses against this evolving threat.
