Hackers use trusted email services to launch Pride Month phishing attacks

Attackers are using diversity messaging and legitimate email services to harvest corporate credentials.

What happened

A phishing campaign using Pride Month and diversity-themed messaging is targeting employees across multiple industries, according to Hackread. The campaign began months before Pride Month in June and uses emails that appear to be internal corporate communications announcing Pride-themed branding updates. Recipients are offered an option to opt out, but both engagement paths, accepting the update or opting out, redirect users to malicious credential harvesting pages. Attackers distribute the emails through compromised SendGrid accounts, leveraging trusted infrastructure to bypass filters and increase delivery rates. Research data shows the United Kingdom and the United States among the most affected regions, with financial services, consulting, IT, SaaS, and retail organizations targeted.

Going deeper

The activity unfolded in two stages. An initial wave in December 2025 targeted just over 500 organizations and appeared limited to specific sectors, suggesting testing or validation of infrastructure. A second wave in January 2026 expanded sharply to thousands of organizations across North America, Europe, Australia, and South Africa. Later messages used persona-based subject line prefixes to impersonate specific individuals, attempting to increase credibility and bypass email filters. Victims were routed through CAPTCHA-protected pages before landing on phishing sites designed to collect login credentials. Attackers also relied on lookalike SendGrid pages to reinforce legitimacy.

What was said

Researchers say the campaign shows how attackers are using trusted services to increase effectiveness. In findings shared with Hackread in February 2026, the researchers stated that attackers are abusing Pride and diversity themes “to pressure employees into clicking links and handing over credentials, all while hiding behind trusted infrastructure.” The researchers also confirmed that they have deployed detection capabilities to identify campaigns abusing legitimate email services and continue to track new domain variants associated with the activity.

The big picture

Paubox’s January 2026 Top Email Attacks Report observed that many modern phishing campaigns are no longer dependent on malware. “These attacks did not rely on malware. They relied on inherited trust. When messages arrive through channels and platforms recipients already trust, identity abuse becomes harder to detect and easier to scale.”

The report added, “Attackers increasingly exploit trust in familiar identities, such as executives and vendors, rather than relying on malicious attachments or links.”

In 2025, threat actors began abusing Google-hosted services and healthcare Direct Secure Messaging (DSM) systems to deliver impersonation attacks. Because these messages originate from trusted cloud infrastructure, they often bypass standard security filters, making them more difficult for organizations to detect before damage occurs.

FAQs

Why are attackers using Pride-themed messaging before the event begins?

Launching campaigns months in advance reduces suspicion and allows attackers to test infrastructure and refine targeting before broader awareness increases closer to the calendar event.

How does compromising SendGrid increase the campaign’s effectiveness?

SendGrid is a legitimate email delivery platform used by many organizations. Emails sent from compromised accounts inherit trusted infrastructure, which helps bypass filtering and improves delivery rates.

What is a credential harvesting page?

It is a fraudulent website designed to look like a legitimate login portal. When users enter their credentials, the information is transmitted directly to the attacker.

Why route victims through CAPTCHA pages?

CAPTCHA challenges help block automated security scanners and sandbox systems, allowing phishing pages to avoid detection before reaching real users.

What controls can reduce exposure to similar campaigns?

Organizations can monitor for abnormal email sending behavior within marketing platforms, enforce multifactor authentication on CRM and email service accounts, train employees to verify internal policy updates through official channels, and deploy behavioral detection to identify suspicious login activity.
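One way a mail-security team can screen for the lure described above (an "internal" announcement whose accept and opt-out links both land on one outside host, delivered through a bulk-mail service) is a simple header-and-link heuristic. This is an added example, not code from the article or from the researchers; the corporate domain `example.com`, the bulk-sender list, the reason tags and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

CORP_DOMAIN = "example.com"       # assumed corporate domain (placeholder, not from the article)
BULK_SENDERS = ("sendgrid.net",)  # delivery services an "internal" announcement should not bounce through
OPT_OUT_WORDS = ("opt out", "opt-out", "unsubscribe")
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def addr_domain(header):
    m = re.search(r"@([\w.-]+)", header or "")
    return m.group(1).lower() if m else ""

def check_message(raw):
    """Return reason tags for the fake-opt-out pattern; an empty list means nothing matched."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    # (link host, visible anchor text) pairs, with HTML tags stripped from the text
    links = [(urlparse(h).hostname or "", re.sub(r"<[^>]+>", "", t).strip().lower())
             for h, t in HREF_RE.findall(body)]
    reasons = []
    from_dom, path_dom = addr_domain(msg["From"]), addr_domain(msg["Return-Path"])
    if in_domain(from_dom, CORP_DOMAIN) and any(in_domain(path_dom, s) for s in BULK_SENDERS):
        reasons.append("internal_sender_via_bulk_service")
    # Both engagement paths (act / opt out) lead to the same host, and it is not ours
    opt_out = {h for h, t in links if any(w in t for w in OPT_OUT_WORDS)}
    action = {h for h, t in links if not any(w in t for w in OPT_OUT_WORDS)}
    if opt_out and opt_out == action and not any(in_domain(h, CORP_DOMAIN) for h in opt_out):
        reasons.append("opt_out_shares_external_host_with_action_link")
    return reasons

# Constructed sample mimicking the described lure: internal-looking sender, bulk-service
# bounce path, and both the "review" and "opt out" links on one external host.
SAMPLE_PHISH = """\
From: "HR Communications" <hr@example.com>
Return-Path: <bounces+123@em.sendgrid.net>
Subject: Action required: Pride Month branding update
Content-Type: text/html; charset="utf-8"

<p>Review the new Pride Month signature template by Friday.</p>
<a href="https://branding-update.example.net/signin">Review the update</a>
<a href="https://branding-update.example.net/optout">Opt out</a>
"""
# Constructed benign announcement: same sender, but delivered directly and linking only to intranet hosts.
SAMPLE_BENIGN = (SAMPLE_PHISH.replace("<bounces+123@em.sendgrid.net>", "<hr@example.com>")
                 .replace("branding-update.example.net", "intranet.example.com"))
```

A real deployment would replace the regex link extraction with the gateway's parsed URL list and feed the reason tags into the existing alerting pipeline rather than acting on them alone.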
