International Business Times UK
Stephanie Cruz

ICE Phishing Scam: Hackers Use 'Support ICE' Emails to Steal Credentials from Professionals and Organisations

U.S. Immigration and Customs Enforcement (ICE) (Credit: Website of Atty. Andrew Thomas)

The email looks legitimate. It arrives from what appears to be a trusted platform, uses professional formatting, and carries an urgent message: your company's outgoing emails will soon include a 'Support ICE' donation button unless you opt out immediately. The instinct to act fast is exactly what the hackers are counting on.

A phishing campaign targeting clients of major email marketing services is using politically charged bait to steal login credentials. The scheme tells recipients that a 'Support ICE' button will be automatically inserted into the footer of every email they send through the platform. A settings button offers an apparent way to disable the feature. It leads instead to a credential-harvesting website.

The most recent wave hit clients of Emma, a long-running email marketing service owned by Marigold. Its customer list reads like a who's who of American institutions. Yale University, Texas A&M, Orange Theory, the Cystic Fibrosis Foundation, Dogfish Head Brewery, and the YMCA all use the platform, 404 Media reported.

Lisa Mayr, Marigold's CEO, was blunt. The company 'would never publish anything like this,' she told 404 Media. 'This is a very common phishing attempt.'

The fraudulent message was routed through SurveyMonkey infrastructure and sent from the address myemma@help-myemma.app. Recipients who clicked the opt-out button were redirected to a site hosted at app-e2maa.net. Google Chrome had already flagged the page as dangerous by the time 404 Media investigated.

How the ICE Phishing Scam Spread Through SendGrid Months Earlier

Emma was not the first target. The same playbook surfaced in January, when cybersecurity professional Simo Kohonen spotted a near-identical scam impersonating SendGrid, the Twilio-owned bulk email delivery service. Kohonen, who founded security firm Defused, called the approach 'ragebait as a phishing tactic,' PCMag reported.

That particular email came from theraoffice.com, apparently a legitimate small business whose SendGrid credentials had been stolen. Kohonen told PCMag the phishing campaign had been running for at least six months. Earlier versions used straightforward fake login pages. The ICE angle was newer, sharper.

Programmer Fred Benenson went further. In a detailed blog post published 9 January, he traced how the phishing emails passed SPF and DKIM authentication checks. They looked real because, technically, they were real SendGrid emails. Just sent by the wrong people from hijacked accounts. Security researchers at Netcraft had coined a term for this back in 2024: 'Phishception.' A compromised account becomes the tool for compromising the next one, and the cycle continues.

SendGrid told PCMag its teams 'worked diligently to shut down these bad actors' and were 'continuously monitoring' their systems.
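
The point that these messages pass SPF and DKIM can be shown with a short mail-triage check. This is an added example, not code from the article or from any vendor: the sample message is constructed (only the sender address and landing domain come from the reporting above), and the allow-list entry `vendor-platform.example` and the function names are placeholders.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED = {"vendor-platform.example"}  # placeholder: the platform's documented domains
BRAND_TOKENS = ("myemma",)             # brand string seen in the reported sender address

# Constructed sample; headers and body are illustrative, not a captured message.
SAMPLE = (
    "Authentication-Results: mx.recipient.example; spf=pass; dkim=pass\n"
    "From: Emma Support <myemma@help-myemma.app>\n"
    "To: comms@university.example\n"
    "Subject: Upcoming change to your email footer\n"
    "Content-Type: text/html\n"
    "\n"
    '<p>Opt out here: <a href="https://app-e2maa.net/settings">Settings</a></p>\n'
)

def base_domain(host):
    # Simplification: last two labels. Production code should use a public-suffix list.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(raw, trusted=TRUSTED, brands=BRAND_TOKENS):
    """Return findings that hold even when SPF and DKIM both pass."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    auth = str(msg.get("Authentication-Results", "")).lower()
    auth_pass = "spf=pass" in auth and "dkim=pass" in auth
    display, addr = parseaddr(str(msg["From"]))
    sender = base_domain(addr.rpartition("@")[2])
    # The message claims the brand but is not sent from an allow-listed domain.
    claims_brand = any(b in (display + addr).lower().replace(" ", "") for b in brands)
    if claims_brand and sender not in trusted:
        findings.append(f"brand-claim-from-untrusted-sender:{sender}")
    # Every link must resolve to an allow-listed domain, including "settings" buttons.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for url in re.findall(r"https?://[^\s\"'<>]+", text):
        host = base_domain(urlparse(url).hostname or "")
        if host not in trusted:
            findings.append(f"untrusted-link:{host}")
    # Authentication only proves which infrastructure sent the mail, not who controls it.
    if auth_pass and findings:
        findings.append("auth-pass-not-sufficient")
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```
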

Beyond ICE: Phishing Emails Weaponise BLM and LGBTQ+ Issues Too

The ICE variant is just one flavour. Benenson documented phishing emails claiming SendGrid would add a 'pride-themed footer' to all outgoing emails after the platform's CEO had supposedly come out as gay. Another message said every email would feature a commemorative theme honouring George Floyd and the Black Lives Matter movement.

Same mechanics each time. Present a politically charged change nobody asked for, attach it to every email a client sends, then offer an opt-out button rigged to steal credentials. The bet is straightforward: a university communications officer or a nonprofit's marketing director is not going to sit around wondering whether the email is legitimate when their next newsletter is about to carry a political endorsement.

Benenson also found the attackers were working from what appeared to be actual customer lists, ensuring messages only reached people who genuinely used the service. One phishing email was traced to a Kenyan domain. Compromised accounts from multiple countries were being put to work.

The campaign has grown more active as protests over ICE operations across the United States have intensified. Cybersecurity professionals recommend that users never click links in unexpected emails, regardless of how familiar the sender appears. The safest course remains logging into a platform directly through a bookmarked URL or a fresh browser search rather than following any link embedded in a message.
