
There's some confusion here: there is a secondary compromise, but it's not very relevant.

The actual origin of the email: theraoffice.com

The fake origin of the email: SendGrid

There is a mismatch there, easy to detect. SendGrid was not compromised, and nothing was sent in the name of SendGrid or whatever.

Now the domain theraoffice might have been registered by an attacker, warmed up with some small fake traffic, and aged. Or it might have been compromised.

The previous email could have used SendGrid, Mailchimp or Google Workspace; that's not very relevant. SPF and DKIM would always pass, because SPF and DKIM verify that the owner of theraoffice.com is the one sending the emails.

There might be a connection with SendGrid, but it's not at all accurately explained in the article; it may be as simple as SendGrid being a common phishing target of attackers, just because they can get access to more email infrastructure to magnify their reach, like a self-replicating virus.
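The mismatch the comment describes (SPF and DKIM pass for theraoffice.com while the message presents itself as SendGrid) is something a mail gateway or SIEM can check directly from the headers. The script below is an added example, not code from the original post: it reads the receiving server's Authentication-Results header to find which domains actually passed SPF and DKIM, checks DMARC-style alignment against the visible From domain, and separately flags a display name that claims a watched brand none of the authenticated domains belong to. The two messages, the `WATCHED_BRANDS` list, the two-label `org_domain` shortcut and all header values are constructed assumptions for the example.

```python
"""Compare the domain that actually authenticated a message with the
identity the message claims, using only the standard library."""
import re
from email import message_from_string
from email.utils import parseaddr

# Brands a defender wants to watch for in display names (constructed list,
# an assumption for this example).
WATCHED_BRANDS = {"sendgrid", "mailchimp", "google"}

# Constructed sample 1: authenticates as theraoffice.com and the From domain
# is theraoffice.com, so SPF, DKIM and alignment all pass; only the display
# name claims to be SendGrid.
SAMPLE_BRAND_CLAIM = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce@theraoffice.com;
 dkim=pass header.d=theraoffice.com header.s=s1
From: "SendGrid Billing" <billing@theraoffice.com>
Subject: Action required on your account

Please review the attached notice.
"""

# Constructed sample 2: same authenticated domain, but the From header itself
# claims sendgrid.com, which never authenticated.
SAMPLE_FORGED_FROM = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce@theraoffice.com;
 dkim=pass header.d=theraoffice.com header.s=s1
From: "SendGrid Billing" <billing@sendgrid.com>
Subject: Action required on your account

Please review the attached notice.
"""


def org_domain(domain):
    """Reduce a domain to its last two labels. Real DMARC relaxed alignment
    uses the public suffix list; this shortcut is an assumption that is
    adequate for plain .com/.net domains."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def authenticated_domains(msg):
    """Return the domains that passed SPF and DKIM according to the receiving
    server's Authentication-Results header (None when no pass is recorded)."""
    found = {"spf": None, "dkim": None}
    for value in msg.get_all("Authentication-Results", []):
        flat = " ".join(str(value).split())  # unfold the header
        spf = re.search(r"spf=pass\b.*?smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", flat)
        if spf:
            found["spf"] = spf.group(1).lower()
        dkim = re.search(r"dkim=pass\b.*?header\.d=([\w.-]+)", flat)
        if dkim:
            found["dkim"] = dkim.group(1).lower()
    return found


def assess(raw):
    """Compare what authenticated against what the message claims to be."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    auth = authenticated_domains(msg)
    auth_orgs = {org_domain(d) for d in auth.values() if d}

    findings = []
    # DMARC-style alignment: the visible From domain must match a domain that
    # actually passed SPF or DKIM. A forged From fails here.
    aligned = bool(from_domain) and org_domain(from_domain) in auth_orgs
    if not aligned:
        findings.append("from-domain-unaligned")

    # Brand claim: SPF/DKIM only prove who controls the sending domain, so a
    # display name naming a watched brand that none of the authenticated
    # domains belong to is the mismatch worth alerting on.
    for word in re.findall(r"[a-z0-9]+", display_name.lower()):
        if word in WATCHED_BRANDS and not any(word in org for org in auth_orgs):
            findings.append(f"display-name-brand-mismatch:{word}")

    return {
        "from_domain": from_domain,
        "authenticated": auth,
        "aligned": aligned,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, raw in (("brand claim", SAMPLE_BRAND_CLAIM),
                       ("forged From", SAMPLE_FORGED_FROM)):
        print(label, assess(raw))
```

The first sample is the case the comment is about: every authentication check passes and the From domain is aligned, because the attacker really does control theraoffice.com, so the only signal left is the brand claim in the display name against the authenticated domain. The second sample shows the cheaper failure mode, a From header naming a domain that never authenticated, which alignment alone catches.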