How to Identify and Investigate SendGrid API Key Misuse and Unauthorized Email Activity

 

Question

If someone takes over our SendGrid API key and uses it to send spam emails, what SendGrid logs should we check to identify the cause, and to determine how and where they used SendGrid? Does the SendGrid plan we currently use include audit event logs, and can we view them? If we use Email Logs, Additional Email Activity History or Event Webhook, will audit logs be included in these outputs?

 

Product

SendGrid Email API

 

Answer

If someone takes over your SendGrid API key and uses it to send spam emails, check the SendGrid Email Logs or the Email Activity Feed to identify suspicious activity. Look specifically for:

  • Unrecognized API keys used to send emails
  • Unknown email addresses sending from your account
  • Unusual subject lines or unexpected domains in your sending history

These logs will help you pinpoint where and how your SendGrid account was abused by tracking detailed email sending events over the past 30 days. The Email Activity Feed or Email Activity API provides sequential event data and can be filtered or exported for analysis.
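The three checks listed above can be run over an exported activity file. The following Python sketch is an added example, not SendGrid's own code: the record field names (`api_key_id`, `from_email`, `subject`, `last_event_time`), the key IDs and the addresses are constructed assumptions to map onto your own export, and subjects are carried through for manual review rather than scored.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records. Field names (api_key_id, from_email, subject,
# last_event_time) are assumptions modelled on an Email Activity export;
# map them to the columns in your own export.
SAMPLE_ACTIVITY = [
    {"msg_id": "m1", "api_key_id": "key_app_prod", "from_email": "billing@example.com",
     "subject": "Your invoice", "last_event_time": "2024-05-01T09:00:00Z"},
    {"msg_id": "m2", "api_key_id": "key_unknown_1", "from_email": "support@examp1e-login.test",
     "subject": "Verify your account now", "last_event_time": "2024-05-02T02:14:00Z"},
    {"msg_id": "m3", "api_key_id": "key_app_prod", "from_email": "promo@example.com",
     "subject": "Account suspended", "last_event_time": "2024-05-02T02:20:00Z"},
    {"msg_id": "m4", "api_key_id": "key_unknown_1", "from_email": "support@examp1e-login.test",
     "subject": "Verify your account now", "last_event_time": "2024-05-02T03:40:00Z"},
]

def triage(records, known_keys, known_senders, known_domains):
    """Return (findings, per_key): flagged messages and a per-key usage window."""
    findings = []
    per_key = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for rec in records:
        reasons = []
        sender = rec.get("from_email", "").lower()
        domain = sender.rpartition("@")[2]
        key_id = rec.get("api_key_id") or "<none>"
        if key_id not in known_keys:
            reasons.append("unrecognized_api_key")
        if domain not in known_domains:
            reasons.append("unexpected_domain")
        elif sender not in known_senders:
            reasons.append("unknown_sender")
        if not reasons:
            continue
        ts = datetime.fromisoformat(rec["last_event_time"].replace("Z", "+00:00"))
        stats = per_key[key_id]
        stats["count"] += 1
        stats["first"] = ts if stats["first"] is None else min(stats["first"], ts)
        stats["last"] = ts if stats["last"] is None else max(stats["last"], ts)
        findings.append({"msg_id": rec["msg_id"], "api_key_id": key_id,
                         "subject": rec.get("subject", ""), "reasons": reasons})
    return findings, dict(per_key)

if __name__ == "__main__":
    flagged, windows = triage(SAMPLE_ACTIVITY, {"key_app_prod"},
                              {"billing@example.com"}, {"example.com"})
    for f in flagged:
        print(f["msg_id"], f["api_key_id"], f["reasons"], f["subject"])
    print({k: (w["count"], str(w["first"]), str(w["last"])) for k, w in windows.items()})
```

A flagged message sent with a recognized key (as with `m3` in the sample) is worth as much attention as one sent with an unknown key, since it suggests the known key itself is the one being misused.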
 
Regarding audit event logs and whether your current SendGrid plan includes them: most SendGrid plans provide the standard Email Activity Logs, but audit event logs (such as detailed account changes, API key creation, or deletion events) typically require higher-tier plans or enterprise-level subscriptions. These audit logs are not usually part of the Additional Email Activity History or Event Webhook outputs; those mainly cover email send and delivery events rather than admin or security audit trails.
In summary:
 

  • Identifying how and where the stolen API key was used: Check the Email Activity Feed logs.
  • Confirming if your plan includes audit event logs: It depends on your specific plan, but audit logs generally come with premium or enterprise plans.
  • Whether audit logs are included in Additional Email Activity History or Event Webhook: No, these focus on email sending events, not audit trails.

 
If you suspect compromise in the future, be sure to rotate your API keys immediately, enable security best practices (such as IP whitelisting and two-factor authentication), and review SendGrid’s logs regularly to detect unauthorized use.
 
This approach aligns with official SendGrid guidance to monitor logs for unrecognized API keys and suspicious email activity as a core step to investigating API key theft and malicious usage.

 
