The email looks legitimate. It arrives from what appears to be a trusted platform, uses professional formatting, and carries an urgent message: your company's outgoing emails will soon include a 'Support ICE' donation button unless you opt out immediately. The instinct to act fast is exactly what the hackers are counting on.

A phishing campaign targeting clients of major email marketing services is using politically charged bait to steal login credentials. The scheme tells recipients that a 'Support ICE' button will be automatically inserted into the footer of every email they send through the platform. A settings button offers an apparent way to disable the feature. It leads instead to a credential-harvesting website.

The most recent wave hit clients of Emma, a long-running email marketing service owned by Marigold. Its customer list reads like a who's who of American institutions. Yale University, Texas A&M, Orange Theory, the Cystic Fibrosis Foundation, Dogfish Head Brewery, and the YMCA all use the platform, 404 Media reported.

Lisa Mayr, Marigold's CEO, was blunt. The company 'would never publish anything like this,' she told 404 Media. 'This is a very common phishing attempt.'

The fraudulent message was routed through SurveyMonkey infrastructure and sent from the address [email protected]. Recipients who clicked the opt-out button were redirected to a site hosted at app-e2maa.net. Google Chrome had already flagged the page as dangerous by the time 404 Media investigated.

Emma was not the first target. The same playbook surfaced in January, when cybersecurity professional Simo Kohonen spotted a near-identical scam impersonating SendGrid, the Twilio-owned bulk email delivery service. Kohonen, who founded security firm Defused, called the approach 'ragebait as a phishing tactic,' PCMag reported.

That particular email came from theraoffice.com, apparently a legitimate small business whose SendGrid credentials had been stolen. Kohonen told PCMag the phishing campaign had been running for at least six months. Earlier versions used straightforward fake login pages. The ICE angle was newer, sharper.

Programmer Fred Benenson went further. In a detailed blog post published 9 January, he traced how the phishing emails passed SPF and DKIM authentication checks. They looked real because, technically, they were real SendGrid emails. Just sent by the wrong people from hijacked accounts. Security researchers at Netcraft had coined a term for this back in 2024: 'Phishception.' A compromised account becomes the tool for compromising the next one, and the cycle continues.
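As an added illustration (not code from Benenson's post or from any vendor), the check below shows why an SPF/DKIM pass cannot be the only signal: it compares the brand claimed in the display name against the real sender domain and the link targets. The sample message, the brand allowlist and all function names are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains the impersonated brand actually uses (constructed allowlist).
BRAND_DOMAINS = {"sendgrid.com", "sendgrid.net", "twilio.com"}
BRAND_WORDS = ("sendgrid",)

# Constructed sample: header values and link host are illustrative, not campaign data.
SAMPLE = """\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=theraoffice.com; dkim=pass header.d=theraoffice.com
From: "SendGrid" <notice@theraoffice.com>
Subject: New footer button on your outgoing emails
Content-Type: text/html

<p>To opt out: <a href="https://login.example.net/settings">Manage settings</a></p>
"""

def registrable(host):
    # Naive last-two-labels rule; production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def auth_passed(msg):
    # Read the verdicts the receiving server recorded for SPF and DKIM.
    results = msg.get("Authentication-Results", "")
    return {m: bool(re.search(rf"\b{m}=pass\b", results, re.I)) for m in ("spf", "dkim")}

def assess(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = registrable(addr.rpartition("@")[2])
    hrefs = re.findall(r'href="(https?://[^"]+)"', msg.get_payload(), re.I)
    link_domains = {registrable(urlparse(u).hostname or "") for u in hrefs}
    claims_brand = any(w in display.lower() for w in BRAND_WORDS)
    findings = []
    # Authentication proves who sent the mail, not that the sender is the brand named.
    if claims_brand and from_domain not in BRAND_DOMAINS:
        findings.append("display-name-brand-mismatch")
    off_brand = sorted(link_domains - BRAND_DOMAINS)
    if claims_brand and off_brand:
        findings.append("off-brand-links:" + ",".join(off_brand))
    return {"auth": auth_passed(msg), "from_domain": from_domain, "findings": findings}

if __name__ == "__main__":
    print(assess(SAMPLE))
```

The sample passes both authentication checks and is still flagged twice, which is the situation the hijacked-account emails created.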

SendGrid told PCMag its teams 'worked diligently to shut down these bad actors' and were 'continuously monitoring' their systems.

The ICE variant is just one flavour. Benenson documented phishing emails claiming SendGrid would add a 'pride-themed footer' to all outgoing emails after the platform's CEO had supposedly come out as gay. Another message said every email would feature a commemorative theme honouring George Floyd and the Black Lives Matter movement.

Source: International Business Times UK