Pride Month Phishing Targets Employees via Trusted Email Services

🚨 Pride Month Phishing Alert!

Attackers are using Pride Month-themed phishing emails to target employees worldwide, abusing trusted email platforms like SendGrid to harvest credentials. Although Pride Month does not begin until June 1, 2026, scammers have already begun their campaign, getting ahead of the calendar.

📊 Campaign Overview

Organizations are being targeted in a phishing campaign that uses Pride Month and diversity messaging to trick employees into handing over login details. According to threat intelligence from Mimecast, attackers are leveraging these themes to pressure employees into clicking links and providing credentials, all while hiding behind trusted infrastructure.

📅 Timeline of Events

Mimecast researchers first identified this activity in mid-December 2025, indicating that the campaign was planned well in advance. The UK has been hit harder than many peers, with around 21% of all targeted organizations being UK-based, placing it among the most affected countries alongside the United States.

🛡️ How the Attack Works

The campaign uses messages designed to look like routine internal communications. They claim that management will roll out Pride-themed email branding and offer an opt-out option that redirects users to malicious links. This setup works regardless of personal views: employees who support diversity initiatives click to read more, while those who oppose them click to opt out. Either way, the attacker gets engagement before the recipient questions the message.

🔍 Attack Techniques

Attackers distribute the malicious emails through compromised SendGrid accounts, using the trusted platform to scale delivery and evade detection. The scam redirects victims to SendGrid lookalike pages designed for credential theft.
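
The signals described in this section can be combined into a simple mail-triage check. The following is an added example, not code from the original post or from Mimecast: the function names, the 0.8 similarity threshold, the `sendgrid.net` relay match and the sample message are all assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from urllib.parse import urlparse

BRAND = "sendgrid"
LEGIT = {"sendgrid.com", "sendgrid.net"}  # assumption: the genuine domains for this check

def is_lookalike(host):
    """True if a hostname imitates the brand but is not under a genuine domain."""
    host = host.lower().rstrip(".")
    # Naive last-two-labels split; production code should use the Public Suffix List.
    if ".".join(host.split(".")[-2:]) in LEGIT:
        return False
    for label in host.split("."):
        for part in [label] + re.split(r"[-_]", label):
            if BRAND in part or SequenceMatcher(None, part, BRAND).ratio() >= 0.8:
                return True
    return False

def triage(raw):
    """Return the reasons a plain-text message matches the pattern described above."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # single-part text only; walk() the parts for multipart mail
    reasons = []
    if "sendgrid.net" in " ".join(msg.get_all("Received", [])).lower():
        reasons.append("relayed-via-sendgrid")
    if re.search(r"\bopt(ing)?[- ]out\b", body, re.I):
        reasons.append("opt-out-lure")
    hosts = {urlparse(u).hostname or "" for u in re.findall(r"https?://[^\s<>\"']+", body)}
    if any(is_lookalike(h) for h in hosts):
        reasons.append("sendgrid-lookalike-link")
    return reasons

# Constructed sample message (not taken from the campaign); all domains are placeholders.
SAMPLE = """\
Received: from o1.mail.sendgrid.net (o1.mail.sendgrid.net [192.0.2.10])
 by mx.example.com; Mon, 12 Jan 2026 09:00:00 +0000
From: HR Communications <hr@partner.example.org>
To: employee@example.com
Subject: Email branding update

Management will roll out Pride themed email branding for all staff.
To opt out, visit https://sendgrid-login.example.net/optout
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

No single signal is conclusive, since plenty of legitimate mail is relayed through SendGrid; the combination of all three is what merits analyst review.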

📈 Escalation of Attacks

The activity appeared in two stages. The first, in December 2025, targeted 504 organizations, mostly in financial services and consulting. The second wave in January 2026 escalated sharply, expanding to 4,768 organizations across the US, UK, Germany, Australia, South Africa, Canada, and other regions.

⚠️ Recommendations

While it is unclear which threat actor group is behind this campaign, the techniques align with activity linked to Scattered Spider, CryptoChameleon, and PoisonSeed. Mimecast researchers also pointed to a growing pattern of attackers targeting email and CRM platforms such as SendGrid, Mailchimp, and HubSpot.

User awareness remains critical. Employees should treat unexpected policy updates with caution, especially when they arrive via external links. Verifying such messages through HR or IT teams can be the difference between a blocked attempt and a full account compromise.

This post is licensed under CC BY 4.0 by the author.