Yeah, I checked the mail source too. Passed DKIM, SPF, DMARC etc, so the mail server is definitely compromised.
They seem to be using SendGrid. I pinged the CEO and CTO of Autodesk, the official Autodesk account and the SendGrid account on X about this, but now, more than 24h later, the attack is still ongoing and nobody seems to be giving a flying fuck about it.
> Authentication-Results: spamfilter01.heinlein-hosting.de (amavisd-new); > dkim=pass (2048-bit key) header.d=autodesk.com
For this DKIM-Signature:
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=autodesk.com; > h=from:subject:mime-version:list-unsubscribe:content-type:reply-to: > cc:content-type:from:subject:to; > s=s11; bh=...
MTA:
> Received: from ec2-3-8-140-122.eu-west-2.compute.amazonaws.com (unknown) > by geopod-ismtpd-13 (SG) with ESMTP id n5WDORJ6Taauv7FuUNA9Ug
I wonder if just their DKIM selector got stolen or someone owned their AWS accounts as well?