MailGuard Blog — Breaking alerts, news and updates on cybersecurity topics

“Email Quarantine” phish targets passwords

Written by MailGuard | 19 August 2025 05:44:43 Z

MailGuard’s filters are intercepting a credential-harvesting campaign masquerading as an Email Quarantine report. The lure is simple and fast: a plain HTML message with a single link that leads to a fake quarantine portal. The page pre-fills the victim’s email address, asks for the mailbox password, shows a brief “verification” screen, then redirects to the victim’s own domain on port 2096, the default webmail port for cPanel. The sequence is designed to feel legitimate and lower suspicion.

What the scam looks like

Attackers are using a rotating set of urgent subject lines, each embedding the recipient’s address to increase trust. Examples include:

  • Review Needed: Quarantine Alert for [recipient address]
  • Alert: Quarantined Messages Identified for [recipient address]
  • Urgent Email Quarantine Report for [recipient address]
  • Immediate Action Required: Quarantined Emails [recipient address]
  • Immediate Review Required: Quarantined Emails [recipient address]
  • Immediate Review Required: Quarantined Emails for [recipient address]
  • Immediate Action Required: Quarantined Emails for [recipient address]
  • Alert: Quarantined Messages Identified [recipient address]
  • Critical Notification for [recipient address]
  • [recipient address] Urgent Quarantine Action
  • Critical Notification for [recipient address]: Quarantined Messages

Sender details

Display name: Email Quarantine

Display address: filtercp(at)hoodscompanyllc(dot)com

Envelope/sending address: filtercp(at)hoodscompanyllc(dot)com

Here's an example of the email below 👇

The lure presents as an Email Protection Report with a “View Quarantine” button. The summary lists recent “messages” to be released from quarantine.

Click-through to fake portal 👇

The landing page displays a spinner with “Email Quarantine Verification In Progress Please Wait…”, a common trust tactic to normalise the flow.

Credential capture 👇

A sign-in form appears with the username field pre-filled to match the target mailbox. The page then requests the password. Any password entered is sent to the attacker.

The scam closes with a plausible confirmation and redirect. After submission, the page shows a brief confirmation, then redirects to `https://<your-domain>:2096/`, the standard cPanel webmail port. Landing on the organisation’s genuine webmail login is intended to reassure the victim that the process was legitimate, but by then the password has already been sent to the attacker.

Why this tactic is dangerous

The email contains no attachment and often no obviously malicious link text, which can help it pass basic content checks. It targets human trust rather than a software vulnerability.

Once a mailbox password is captured, attackers can:

  • Take over the account and set forwarding or hidden rules
  • Inject messages into live threads to divert payments
  • Reset passwords for other services tied to that mailbox
  • Launch further phishing from a real, trusted account

Technical indicators & advice to help your SOC

  • From / Return-Path: `filtercp@hoodscompanyllc.com`
  • Display name: `Email Quarantine`
  • Subject patterns: the list above with embedded recipient address
  • Behaviour: credential capture followed by redirect to `:2096` webmail
  • Hosting: the phishing portal sits on commodity infrastructure; the screenshots show a `.netlify.app` hostname. Attackers rotate these frequently, so detect on the sender, subject and behaviour patterns rather than on a single hostname.
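The indicators above can be turned into a mail-flow rule with little effort. The following Python script is an added example, not MailGuard’s own detection logic: it parses a raw message with the standard library, checks the From and Return-Path addresses, the display name, whether the subject uses one of the listed urgency phrases and embeds the recipient’s address, and whether any link in the HTML body points at commodity hosting of the kind seen in the screenshots. The sample message is constructed for the example and its `.netlify.app` subdomain is a placeholder, not the real campaign hostname.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicators from the post. The attacker rotates subject lines and hosting,
# so this is a starting point for a rule, not a complete block list.
SENDER_ADDRESSES = {"filtercp@hoodscompanyllc.com"}
DISPLAY_NAMES = {"email quarantine"}
# Every observed subject embeds the recipient address and uses one of these
# urgency phrases.
SUBJECT_PATTERN = re.compile(
    r"quarantin|critical notification|review needed|immediate (?:action|review) required",
    re.IGNORECASE,
)
# Commodity hosting seen in the screenshots; extend with what your SOC observes.
COMMODITY_HOSTING_SUFFIXES = (".netlify.app",)


class LinkExtractor(HTMLParser):
    """Collect href values from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.links.append(value)


def extract_links(msg):
    """Return all hrefs from every text/html part of the message."""
    links = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = LinkExtractor()
            parser.feed(part.get_content())
            links.extend(parser.links)
    return links


def score_quarantine_phish(raw_email):
    """Return the list of campaign indicators matched by a raw RFC 5322 message."""
    msg = message_from_string(raw_email, policy=policy.default)
    hits = []

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    if from_addr.lower() in SENDER_ADDRESSES:
        hits.append("from-address")
    if display_name.strip().lower() in DISPLAY_NAMES:
        hits.append("display-name")

    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    if return_path.lower() in SENDER_ADDRESSES:
        hits.append("return-path")

    # The campaign's subjects all carry the recipient's own address.
    subject = str(msg.get("Subject", ""))
    _, recipient = parseaddr(str(msg.get("To", "")))
    if SUBJECT_PATTERN.search(subject) and recipient and recipient.lower() in subject.lower():
        hits.append("subject-embeds-recipient")

    for link in extract_links(msg):
        host = (urlsplit(link).hostname or "").lower()
        if host.endswith(COMMODITY_HOSTING_SUFFIXES):
            hits.append(f"link-host:{host}")

    return hits


# Constructed sample message shaped like the lure described in the post;
# the netlify subdomain is a placeholder, not the real campaign hostname.
SAMPLE_EMAIL = """\
Return-Path: <filtercp@hoodscompanyllc.com>
From: Email Quarantine <filtercp@hoodscompanyllc.com>
To: <jane.doe@example.com>
Subject: Immediate Action Required: Quarantined Emails for jane.doe@example.com
Content-Type: text/html; charset="utf-8"

<html><body><p>Email Protection Report</p>
<a href="https://quarantine-review.netlify.app/#jane.doe@example.com">View Quarantine</a>
</body></html>
"""

if __name__ == "__main__":
    print(score_quarantine_phish(SAMPLE_EMAIL))
```

A single indicator is weak on its own (a legitimate quarantine digest may also embed the recipient address), so a production rule should quarantine only when several fire together, and the sender and hosting lists will need updating as the campaign rotates.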

What to look for in your environment:

  • Mailbox rules that auto-forward or delete messages from finance, invoices, or security systems
  • Unusual successful logins followed by IMAP access from new IPs
  • OAuth tokens or app passwords created shortly after the time of the click
  • Thread hijacking attempts that reference recent vendor conversations
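The second item in that list, IMAP access from IPs a user has never logged in from, is the quickest post-click hunt on a cPanel host because cPanel serves IMAP through Dovecot, whose `imap-login: Login:` lines record the user and the remote IP. The script below is an added example, not part of the original post: it builds a per-user baseline of IPs seen in the 30 days before the assumed click time and reports every later login from an IP outside that baseline. The log excerpt and the click time are constructed for the example; the year is passed in because syslog timestamps do not carry one.

```python
import re
from datetime import datetime, timedelta

# Dovecot writes a line like this for every successful IMAP login. The
# syslog timestamp has no year, so the caller supplies it.
LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?imap-login: Login: "
    r"user=<(?P<user>[^>]+)>, method=\S+, rip=(?P<rip>[^,]+)"
)


def parse_logins(lines, year):
    """Yield (timestamp, user, remote_ip) for each successful IMAP login."""
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"].lower(), m["rip"]


def new_ip_logins_after(lines, click_time, year, lookback=timedelta(days=30), users=None):
    """Return logins at or after click_time from an IP the user had not used
    in the lookback window, as (iso_timestamp, user, ip) tuples.

    Users with no baseline logins are reported too, since an unknown IP
    cannot be ruled out for them; pass `users` to restrict the hunt."""
    events = sorted(parse_logins(lines, year))
    baseline = {}
    for ts, user, ip in events:
        if click_time - lookback <= ts < click_time:
            baseline.setdefault(user, set()).add(ip)
    flagged = []
    for ts, user, ip in events:
        if users is not None and user not in users:
            continue
        if ts >= click_time and ip not in baseline.get(user, set()):
            flagged.append((ts.isoformat(), user, ip))
    return flagged


# Constructed log excerpt in Dovecot's imap-login format; not real data.
SAMPLE_LOG = """\
Aug 12 08:14:02 mail dovecot: imap-login: Login: user=<jane.doe@example.com>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.2, mpid=4011, TLS, session=<aaaa>
Aug 18 17:45:09 mail dovecot: imap-login: Login: user=<jane.doe@example.com>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.2, mpid=4120, TLS, session=<bbbb>
Aug 19 06:02:11 mail dovecot: imap-login: Login: user=<jane.doe@example.com>, method=PLAIN, rip=203.0.113.77, lip=198.51.100.2, mpid=4207, TLS, session=<cccc>
Aug 19 06:30:44 mail dovecot: imap-login: Login: user=<jane.doe@example.com>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.2, mpid=4290, TLS, session=<dddd>
Aug 19 07:10:00 mail dovecot: imap-login: Login: user=<bob@example.com>, method=PLAIN, rip=198.51.100.50, lip=198.51.100.2, mpid=4301, TLS, session=<eeee>
""".splitlines()

# Assumed time at which the user submitted the password on the fake portal.
CLICK_TIME = datetime(2025, 8, 19, 5, 50)

if __name__ == "__main__":
    for ts, user, ip in new_ip_logins_after(SAMPLE_LOG, CLICK_TIME, 2025):
        print(f"{ts} {user} logged in over IMAP from new source {ip}")
```

In the sample, jane.doe’s 06:02 login from 203.0.113.77 is flagged while her later login from the known 192.0.2.10 is not; bob is flagged only because he has no baseline, which is the kind of result to triage by hand or suppress with the `users` filter. On a real host, feed it `/var/log/maillog` and the click time from the mail gateway or proxy logs.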

If someone in your team clicked or entered a password:

  1. Reset the mailbox password immediately and enforce MFA.
  2. Revoke active sessions and app passwords, then review recent login history.
  3. Audit mailbox rules for auto-forward, hide, or delete actions.
  4. Notify IT and finance to increase verification for payment changes and invoice approvals.
  5. Consider forced resets for users with similar roles or shared credentials.

Stay Safe, Know the Signs

MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.

Avoid emails that:

  • Aren’t addressed to you personally.
  • Are unexpected and urge immediate action.
  • Contain poor grammar or miss crucial identifying details.
  • Direct you to a suspicious URL that isn’t associated with the genuine company.

Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late. Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.

One Email Is All That It Takes

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.

For a few dollars per staff member per month, you can protect your business with MailGuard's specialist, 'zero zero-day' email security. Special Ops for when speed matters! Our real-time 'zero zero-day' email threat detection amplifies our clients’ intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.

Stay up-to-date with MailGuard's latest blog posts by subscribing to free updates. Subscribe to weekly updates by clicking on the button below.