Cybercriminals Exploit Diversity and Inclusion Messaging in Global Phishing Campaign, Researchers Warn

In early 2026, security researchers from the Mimecast Threat Research Team uncovered a sophisticated phishing campaign that deliberately exploits organizational values around diversity and inclusion to manipulate user behaviour and harvest credentials. This tactic underscores a worrying evolution in social engineering where attackers target human trust in good-faith initiatives rather than attempting to breach systems through technical vulnerabilities.

The Core Strategy: Turning Diversity Into a Weapon

Threat actors behind this operation designed phishing campaigns that weaponize culturally meaningful themes—specifically, Pride Month and broader diversity values—to encourage engagement with malicious content. Unlike typical phishing that hinges solely on fear or urgency (e.g., compromised accounts, locked passwords), this campaign leverages authentic cultural resonance to drive clicks on links that ultimately lead to credential theft.

What makes this attack particularly effective is its exploitation of positive organizational commitments. Whether employees are supportive of Pride initiatives or simply curious, attackers count on human response patterns—especially emotional ones—to bypass scrutiny.

Two Waves, Growing Scale

The malicious activity unfolded in two distinct waves:

  1. December 2025 Wave – Targeted 504 organisations, largely in financial services and consulting sectors, with early tests of messaging designed around Pride Month email theming.
  2. January 2026 Wave – A significant escalation that expanded targeting to nearly 4,768 organisations spanning the US, UK, Germany, Australia, South Africa, Canada, and more. Notably, while financial services remained in the crosshairs, there was increased targeting of IT, SaaS, and retail sectors. This suggests either coordinated campaigns or a refinement of targeting based on lessons learned from the first wave.

The geographic distribution illustrates that phishing tactics exploiting social causes are now global, not confined to one region or market.

Attack Methodology: From Engagement to Compromise

The emails used social engineering with precise design elements to bypass defensive skepticism:

  • Pride-themed headers and footers were used to make messages look aligned with corporate values.
  • Recipients were told that corporate Pride month theming would be applied unless they opted out—a classic psychological trick that presents a false choice, so that both accepting and declining require a click.
  • Click-throughs took users to a CAPTCHA verification step, a known adversary tactic to evade automated detection tools, before redirecting to credential harvesting pages crafted to resemble a legitimate SendGrid login interface.

Importantly, the act of clicking a link—regardless of whether users appeared supportive or opposed—was all that an attacker needed to begin harvesting credentials and compromising accounts.

Infrastructure Abuse and Supply Chain Exploitation

Once attackers secured stolen credentials, they put them to use immediately. Their infrastructure abuse involved:

  • Compromised SendGrid accounts to distribute the phishing campaigns at enterprise scale.
  • Redirects through legitimate SendGrid infrastructure to attacker-controlled domains such as lgbtsendgrid[.]com and lgbt-sg[.]com.
  • An expanded roster of malicious domains and subjects that mimic login portals and internal communications.

Using widely trusted delivery platforms like SendGrid, Mailchimp, HubSpot, and similar services gave the attackers a credibility boost. Emails appeared to originate from trusted third-party services or even internal communications—making them harder for basic security filters to block and for users to dismiss.

Who’s Behind the Campaign?

Definitive attribution in cybercrime remains difficult, but the Mimecast researchers observed tactics consistent with some well-known threat groups, including:

  • Scattered Spider – known for targeted credential harvesting
  • CryptoChameleon – uses infrastructure abuse to scale phishing operations
  • PoisonSeed – engages in high volume credential capture and abuse

The shared characteristics include compromise of trusted third-party infrastructure, malicious domain names that imitate legitimate services, and broad cross-sector targeting.

Recommendations for Defence

Mimecast’s threat research team provides clear guidance for organisations aiming to mitigate these kinds of campaigns:

  1. User Security Awareness Training
    • Educate employees on how emotional triggers or cultural initiatives can be abused in social engineering.
    • Emphasise verification via official internal channels rather than clicking external links.
  2. Proactive Threat Hunting and Monitoring
    • Search email receipt logs for known subject lines and domains associated with these campaigns.
    • Monitor third-party email service accounts for unusual API activity or unauthorized credential use.
  3. Simulation and Preparedness
    • Conduct phishing simulations that include themes abused by attackers—such as social causes—to build organizational immunity to these forms of manipulation.
  4. Supply Chain Security Posture
    • Treat third-party email provider credentials with the same vigilance as internal systems, including multi-factor authentication and anomaly detection.
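As an added illustration of recommendation 2 (this is not Mimecast's tooling), the script below hunts a mail-gateway log for the two attacker-controlled domains named in the report and for the Pride-theming opt-out lure. The pipe-delimited log format and the sample lines are constructed for the example; the `.test` hostnames are placeholders.

```python
import re
from urllib.parse import urlparse, unquote

# Attacker-controlled domains named in the Mimecast report (defanged as on the page).
CAMPAIGN_DOMAINS = ("lgbtsendgrid[.]com", "lgbt-sg[.]com")

# Constructed sample log: timestamp|sender|recipient|subject|comma-separated URLs in body
SAMPLE_LOG = """\
2026-01-13T08:02:11Z|hr@example-corp.test|a.user@example-corp.test|Q1 expense policy update|https://intranet.example-corp.test/policy
2026-01-14T09:12:03Z|noreply@em1234.example-esp.test|b.user@example-corp.test|Pride Month email theming - opt out by Friday|https://lgbtsendgrid.com/verify?u=b.user
2026-01-14T09:15:40Z|noreply@em1234.example-esp.test|c.user@example-corp.test|Your Pride theme preferences|https://track.example-esp.test/click?target=https%3A%2F%2Flgbt-sg.com%2Flogin
2026-01-14T10:01:09Z|newsletter@vendor.test|d.user@example-corp.test|Pride 2026 community newsletter|https://www.vendor.test/pride
"""

def refang(domain: str) -> str:
    return domain.replace("[.]", ".")

def url_hits_campaign_domain(url: str) -> bool:
    """True if the URL host is a campaign domain (or a subdomain of one), or if a
    campaign domain is embedded in the URL, e.g. as the target of a redirect link
    that passes through a legitimate delivery platform."""
    host = (urlparse(url).hostname or "").lower()
    decoded = unquote(url).lower()
    for d in map(refang, CAMPAIGN_DOMAINS):
        if host == d or host.endswith("." + d) or d in decoded:
            return True
    return False

def match_reasons(subject: str, urls: list) -> list:
    """Return the campaign indicators a message matches; empty list if none."""
    reasons = []
    if any(url_hits_campaign_domain(u) for u in urls):
        reasons.append("campaign-domain")
    s = subject.lower()
    # Lure described in the report: Pride theming applied unless the user opts out.
    if "pride" in s and re.search(r"opt[- ]?out|unless you|them(?:e|ing)", s):
        reasons.append("pride-opt-out-lure")
    return reasons

def hunt(log_text: str) -> list:
    """Return (recipient, subject, reasons) for every log line that matches."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _sender, recipient, subject, urls = line.split("|", 4)
        reasons = match_reasons(subject, [u for u in urls.split(",") if u])
        if reasons:
            hits.append((recipient, subject, reasons))
    return hits

if __name__ == "__main__":
    for recipient, subject, reasons in hunt(SAMPLE_LOG):
        print(recipient, "|", subject, "|", ", ".join(reasons))
```

A subject-only hit without a domain hit is a candidate for analyst review rather than an automatic block, since legitimate Pride communications will also match the lure pattern.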

Conclusion: A Shift in Social Engineering Strategy

This investigation highlights a worrying trend: threat actors are not just exploiting code or technical vulnerabilities but are adeptly leveraging trusted themes and human psychology to induce engagement. By framing phishing around social values organisations publicly support, attackers make malicious content appear legitimate, bypassing even some defensive awareness strategies.

For security leaders, this underscores the need for threat intelligence that goes beyond technical indicators to include the human dimension of risk, particularly as attackers weaponise cultural narratives and organisational values in their campaigns.