
In WHM/cPanel > Exim Config, how to prevent SendGrid API key from being breached?

Çağlar Arlı      -    98 Views

Running a WHM/cPanel system on CentOS v7.9.2009 (STANDARD kvm) and cPanel Version 110.0.34.

We use WHM Exim Config with SendGrid for email forwarding.

In the last 3 months, our SendGrid account has been compromised twice with phishing campaigns sent from our email forwarding server resulting in suspension of our email accounts.

The SendGrid API key is only found in the Exim Config > Advanced Editor of the WHM account, so we believe that either the key has been leaked or our WHM/cPanel account has been compromised.

We also note that there have been daily, persistent brute-force attacks on our cPanel server, as revealed in WHM > ModSecurity™ Tools » Hits List (screenshot attached), which might be of key interest.

What should we do to resolve this?

The first time we were breached, we reset the API key and all cPanel & WHM passwords, and terminated unused cPanel accounts. Since the issue has repeated, we believe it's unlikely to be a password leak.