Smishing from your own numbers: Twilio API key abuse and OTP interception
A leaked Twilio key sends SMS phishing from your trusted senders and rewrites messaging routing to mirror inbound OTPs. You revoke the key and revert the webhook, because there is no human to reset.
A Twilio API key is a non-human principal that can send from your trusted numbers and rewrite how inbound messages route. When one leaks, there is no password to reset and no MFA prompt to deny: the key is the credential, so whoever holds it is already authenticated.
How the attack works
The key authenticates from an IP and ASN never seen for the account, outside business hours. It sends thousands of SMS from a verified sender pool, impersonating the org’s helpdesk with a link to a fake verify page. It then rewrites the Messaging Service inbound webhook and fallback URL to an attacker host, so customers’ one-time-code replies are mirrored to the attacker and replayed against downstream accounts within minutes. In ATT&CK terms this is T1078, Valid Accounts, with T1566, Phishing, T1656, Impersonation, and T1621 for the MFA-code interception.
Why it works
High volume, sent statuses, and Messaging Services are all normal telemetry. The unambiguous tell is a single key arriving from an unfamiliar source and then mutating message routing to a foreign host. Legitimate campaigns do not repoint your inbound webhook. A long-lived, account-wide key stored in a repo and reused across services is the root cause.
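The tell described above, as a detection rule over audit events, is an added example and not code from the original post or from Twilio. It assumes a constructed event shape (key, source IP, ASN, event type, changed fields) loosely modelled on provider audit logs, a per-key baseline of known source ASNs, and an allowlist of hosts the Messaging Service webhooks may point at; all sample values are constructed.

```python
from urllib.parse import urlparse

# Per-key baseline a defender would maintain: source ASNs previously seen for the key and
# the hosts its Messaging Service webhooks are allowed to point at (constructed values).
BASELINE = {
    "SKexamplekey": {"asns": {64496}, "allowed_hosts": {"sms.example.com"}},
}

# Constructed audit events; the field names are an assumption, not real provider output.
EVENTS = [
    {"ts": "2024-05-02T02:03:10Z", "key": "SKexamplekey", "ip": "198.51.100.7", "asn": 64500,
     "type": "message.sent", "data": {"to": "+15550000001"}},
    {"ts": "2024-05-02T02:09:44Z", "key": "SKexamplekey", "ip": "198.51.100.7", "asn": 64500,
     "type": "messaging_service.updated",
     "data": {"inbound_request_url": "https://otp-relay.attacker.example/inbound",
              "fallback_url": "https://otp-relay.attacker.example/fallback"}},
]

# Messaging Service routing fields whose rewrite mirrors inbound OTP replies elsewhere.
WEBHOOK_FIELDS = ("inbound_request_url", "fallback_url")


def foreign_hosts(data, allowed_hosts):
    """Return {field: host} for webhook fields that now point outside the allowlist."""
    out = {}
    for field in WEBHOOK_FIELDS:
        url = data.get(field)
        if url:
            host = urlparse(url).hostname
            if host not in allowed_hosts:
                out[field] = host
    return out


def detect(events, baseline):
    """Flag a key that authenticates from an unseen ASN and then repoints inbound routing."""
    alerts, unfamiliar = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        base = baseline.get(ev["key"])
        if base is None:
            continue  # unknown key: not covered by this rule
        if ev["asn"] not in base["asns"] and ev["key"] not in unfamiliar:
            unfamiliar[ev["key"]] = ev  # remember the first unfamiliar-source event
        if ev["type"] == "messaging_service.updated":
            hosts = foreign_hosts(ev["data"], base["allowed_hosts"])
            if hosts:  # routing rewrite alone is high; after an unfamiliar source it is critical
                alerts.append({
                    "severity": "critical" if ev["key"] in unfamiliar else "high",
                    "key": ev["key"], "ts": ev["ts"], "source_ip": ev["ip"],
                    "first_unfamiliar_ts": unfamiliar.get(ev["key"], {}).get("ts"),
                    "rewritten": hosts,
                })
    return alerts
```

The alert carries the key and the first unfamiliar-source timestamp, which gives the window for scoping the exposure in the messaging and audit logs.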
How to fix it
Revoke and rotate the key, then revert the rewritten webhook and fallback configuration, because killing the key alone leaves OTP capture running. A password reset on the human owner does nothing to a standalone key, and a corporate firewall block has no effect on Twilio’s hosted API. Scope what happened from the provider messaging and audit logs filtered to the key and the window. To address the class of problem, inventory keys, scope them to subaccounts, store the secrets in a vault, and enable IP access control. The trusted-sender abuse is a reputational harm, and the intercepted codes enable onward account takeover.
Practice it
We built this as a GraphLattice Range scenario so responders can rehearse revoking the credential, reverting the routing change, and scoping the exposure.