Autodesk Trust Center

Security advisory

Advisories are used to communicate information related to vulnerabilities identified with Autodesk® products and services. This includes any fixes or workarounds that are applicable to the affected product.

"Noreply" Autodesk Email Addresses Sending Spam


Product, Service, Component: SendGrid, Autodesk email “noreply” addresses 

Impact: Spam emails sent to customers; legitimate emails from Autodesk may be blocked 

Original Publish: 3/18/2025 

 

UPDATE 3/21/25

We have resolved the issue with our automated email delivery system and completed our investigation. We have provided additional details in the body of this security bulletin. 

 

Severity | CVSS Score | Impact
Low | 0.1 - 3.9 | A vulnerability where scope and impact of exploitation is restricted and the ability to exploit is extremely difficult.
Medium | 4.0 - 6.9 | A vulnerability where exploitation is mitigated by factors such as difficulty to exploit, default configuration or ease of identification.
High | 7.0 - 8.9 | A vulnerability, which if exploited, would directly impact the confidentiality, integrity or availability of user's data or processing resources.
Critical | 9.0 - 10 | A vulnerability, which if exploited, would allow remote execution of malicious code without user action.

Summary

A bad actor used an API key associated with our email delivery system to send spam emails from noreply@autodesk[.]com.  As a result, one of our IP addresses was rightfully flagged as spam and blocked, impacting legitimate email to subscribers from Autodesk. 

 

Description

On March 17th, 2025, we discovered that spam emails were sent from one of Autodesk’s primary email addresses, noreply@autodesk[.]com. Our investigation revealed that credentials used by a contractor were compromised, and a bad actor used an API key associated with this account to send the spam emails.  

 

These spam emails included subject lines associated with NFTs such as “Illvium” and “OpenSea,” both of which are verified scams.

 

We have found no evidence that customer data or any other Autodesk systems were compromised. 

 

We disabled the API key and removed the compromised user from the account whose credentials we believe were used to access our email delivery system. After confirming that the outbound email queue was empty, we have successfully removed the impacted IP address from spam block lists and operations have returned to normal. 

 

We apologize for any inconvenience this issue has caused.

-----Update on 3/19/25-----

 

We have identified the issue with our automated email delivery system and have begun remediation efforts.  

We are still investigating, and we will provide more details when we have them.

-----Original post on 3/18/25-----

 

We are aware of an issue with our automated email delivery system. 


 

Some of our customers have reported receiving spam emails from legitimate Autodesk email addresses. 

 

Our investigation is underway, and we will provide more details when we have them. We will publish additional information to this security bulletin as our investigation progresses. 

 

If you receive an email you suspect may be spam, please exercise caution. Do not click links, open attachments, or send a reply.  


Disclaimer

INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” IN CONNECTION WITH AUTODESK PRODUCTS. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS AND ITS AND THEIR DIRECTORS, OFFICERS, EMPLOYEES, AGENTS AND REPRESENTATIVES MAKE NO REPRESENTATIONS ABOUT THE SITE, ANY PRODUCTS AND SERVICES CONTAINED ON THE SITE OR THE SUITABILITY OF THE INFORMATION CONTAINED IN THE MATERIALS, INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS PUBLISHED ON THIS SITE FOR ANY PURPOSE. THE SITE, ANY PRODUCTS OR SERVICES (INCLUDING WITHOUT LIMITATION, THIRD PARTY PRODUCTS AND SERVICES) OBTAINED THROUGH THE SITE, AND ALL SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS ARE PROVIDED FOR YOUR USE AT YOUR OWN RISK AND “AS IS” WITHOUT WARRANTY OF ANY KIND. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS SITE, SUCH PRODUCTS AND SERVICES AND SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT.