Pride Month Phishing Scams Target Employees Using Trusted Email Services

Although Pride Month does not officially start until June 1, 2026, cybersecurity experts have already noted a rise in phishing attacks targeting employees with Pride-themed emails, indicating that scammers are capitalizing on upcoming events well ahead of time.

Organizations are currently facing a phishing campaign leveraging Pride Month and diversity themes to deceive employees into revealing their login credentials. According to threat intelligence from Mimecast, attackers are exploiting these themes to create a sense of urgency, prompting employees to click on malicious links while masquerading as trusted communications.

Mimecast researchers first detected this activity in mid-December 2025, indicating that the planning for this campaign has been underway for months. Recent findings shared with Hackread.com reveal that the United Kingdom has been particularly hard-hit by these phishing attempts, with around 21% of all targeted organizations based there, making it one of the most affected countries alongside the United States.

The campaign employs messages that mimic routine internal communications, claiming that management will introduce Pride-themed email branding, while providing an opt-out option that leads to harmful links. This tactic plays on varying employee sentiments, as those supportive of diversity initiatives and those against them may inadvertently engage with the scammers’ content.

Notably, attackers are sending these phishing emails through compromised SendGrid accounts, leveraging this well-known platform to enhance their reach and evade detection. Victims are often redirected to pages that closely resemble SendGrid, specifically designed to facilitate credential theft.
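The two delivery traits described above, a notice that reads as an internal policy update but arrives through a third-party bulk mailer and carries an opt-out link pointing outside the organization, are exactly what a mail-gateway triage rule can key on. The following Python script is an added illustration of such a rule; it is not Mimecast's detection logic and not code from the article. The organization domain `example-corp.test`, the relay hostnames checked in `Received` headers, the `X-SG-EID` header check, the lure keyword list, and both sample messages are constructed for this example.

```python
"""Heuristic triage for 'Pride-branding opt-out' style lures.

Added illustration, not a vendor's detection logic. The org domain, the
relay hints, the keyword list and both sample messages are constructed.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example-corp.test"                      # assumed: the defended organization's mail domain
BULK_RELAY_HINTS = ("sendgrid.net", "sendgrid.com")   # assumed: relay hostnames to look for in Received headers
LURE_TERMS = ("pride", "diversity", "inclusion", "email branding", "opt out", "opt-out")
LINK_RE = re.compile(r"https?://[^\s\"'<>]+")


def _is_internal(host: str) -> bool:
    """True when a hostname or mail domain belongs to the organization."""
    host = host.lower()
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)


def extract_links(text: str) -> list:
    """Return every http(s) URL found in the message body."""
    return LINK_RE.findall(text)


def analyze(raw: str) -> dict:
    """Score one RFC 822 message and return the individual flags plus a verdict."""
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    text = (subject + "\n" + body).lower()

    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rsplit("@", 1)[-1]

    # Did the message transit a bulk-mail provider on its way in?
    received = " ".join(str(h) for h in msg.get_all("Received", [])).lower()
    via_bulk_relay = (any(hint in received for hint in BULK_RELAY_HINTS)
                      or msg.get("X-SG-EID") is not None)

    links = extract_links(body)
    external_links = [u for u in links if not _is_internal(urlparse(u).netloc)]
    lure_terms = [t for t in LURE_TERMS if t in text]

    flags = {
        "lure_theme": bool(lure_terms),
        "sender_external": not _is_internal(from_domain),
        "via_bulk_relay": via_bulk_relay,
        "external_links": bool(external_links),
        "external_links_list": external_links,
        "lure_terms": lure_terms,
    }
    # A themed policy notice with external links that either comes from an outside
    # sender or rode in on a bulk relay matches the pattern described in the article.
    flags["suspicious"] = (flags["lure_theme"] and flags["external_links"]
                           and (flags["sender_external"] or flags["via_bulk_relay"]))
    return flags


# Constructed sample: mimics an internal HR notice but is relayed through a bulk
# mailer, sent from an outside domain, and opts out via an external lookalike link.
PHISH_SAMPLE = """\
Received: from o1.ptr1234.sendgrid.net (o1.ptr1234.sendgrid.net [198.51.100.10]) by mx.example-corp.test
From: HR Communications <notices@partner-mailer.example>
To: staff@example-corp.test
Subject: [Action required] Pride Month email branding update
X-SG-EID: constructed-sample-id
Content-Type: text/plain; charset="utf-8"

Starting next month management will roll out Pride-themed email branding for all staff.
If you prefer to opt out, confirm your choice here: https://sendgrid-login.example/opt-out
"""

# Constructed sample: same theme, but genuinely internal sender, relay and link.
BENIGN_SAMPLE = """\
Received: from mail.example-corp.test (mail.example-corp.test [192.0.2.5]) by mx.example-corp.test
From: HR Communications <hr@example-corp.test>
To: staff@example-corp.test
Subject: Pride Month events calendar
Content-Type: text/plain; charset="utf-8"

Our diversity and inclusion calendar for June is now on the intranet:
https://intranet.example-corp.test/pride-month
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, analyze(sample))
```

The benign sample shows why the theme alone must not trigger: a real HR message about Pride Month will hit the same keywords, so the verdict only fires when the theme combines with an external link and a delivery path that an internal notice should never take.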

Two-Stage Activity

The phishing campaign occurred in two distinct phases. The initial phase in December 2025 targeted 504 organizations, predominantly within financial services and consulting sectors; this appears to have served as a testing ground. The subsequent wave in January 2026 saw a significant escalation, affecting 4,768 organizations across the United States, United Kingdom, Germany, Australia, South Africa, Canada, and other regions, with a wider array of industries targeted, including IT, SaaS, and retail.

During the January outreach, the sophistication of the phishing strategies increased. Attackers began using persona-based prefixes in their subject lines, impersonating specific individuals to enhance credibility and bypass email filters. Victims were also routed through CAPTCHA pages before reaching the final page, a step commonly used to keep automated scanners from analyzing the destination.

While it remains unclear which specific group is behind this campaign, the techniques observed align with those utilized by known adversarial entities such as Scattered Spider, CryptoChameleon, and PoisonSeed. Researchers at Mimecast have highlighted a concerning trend in which email and CRM platforms, such as SendGrid, Mailchimp, and HubSpot, are increasingly coming under attack, turning these services into vehicles for phishing and credential harvesting when compromised.

Mimecast has implemented detection capabilities to identify and mitigate campaigns that exploit legitimate email services, actively monitoring for new domain variants associated with this activity. However, technological defenses alone cannot fully prevent such attacks; raising user awareness remains vital. Employees should exercise caution when encountering unexpected policy updates, especially those containing external links, and confirm their authenticity through HR or IT departments to prevent account compromises.
