MailGuard has intercepted a phishing email campaign impersonating a legitimate system notification, using deceptive tactics to steal user credentials. The attack appears simple at first glance, but its execution is cunning, relying on dynamic redirects and branding lookups to improve the scam’s credibility and avoid detection.
This is the latest example of cybercriminals refining traditional phishing attacks to bypass security filters and exploit user trust.
The email
The subject line, marked with high urgency, reads:
“!-Notification: Email Validation_Required 6/4/2025 2:52:22 p.m.||”
The message claims the recipient’s email account has been marked as inactive and is scheduled for removal unless action is taken within 24 hours. It includes a link that purports to “Mark Mail Active for accounts”, which leads to a credential-harvesting phishing page.
The entire email is plain text and lacks typical branding, a tactic that ironically makes it more likely to slip through filters by avoiding image scans or sandbox triggers. The recipient's email address and domain are used throughout the email for personalisation and to create familiarity, in the absence of a trusted brand.
The scam in action
Once the recipient clicks the link, they are taken to a fake Gmail login page hosted on `lanpartykdg[.]nl`, a clearly unrelated domain. The page pre-fills the email address (extracted from the link), and prompts for a password.
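A mail-gateway check for the pattern described above: a link that carries the recipient's own address to a host outside the recipient's domain. This is an added example, not MailGuard's detection logic; the function names, the encodings checked (plain, percent-encoded, Base64) and the constructed sample message with its `example.net` host are assumptions.

```python
import base64
import re
from urllib.parse import urlsplit, unquote

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def _b64_variants(addr):
    """Standard and URL-safe Base64 of addr, padding stripped."""
    raw = addr.encode()
    return {base64.b64encode(raw).decode().rstrip("="),
            base64.urlsafe_b64encode(raw).decode().rstrip("=")}

def links_carrying_recipient(body, recipient):
    """Return (url, encoding) for each link that embeds the recipient's
    address while pointing at a host outside the recipient's domain."""
    recipient = recipient.lower()
    domain = recipient.rpartition("@")[2]
    hits = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,)")
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host == domain or host.endswith("." + domain):
            continue  # link stays on the recipient's own domain
        # Everything after the host: path, query string and fragment.
        tail = f"{parts.path}?{parts.query}#{parts.fragment}"
        if recipient in unquote(tail).lower():
            hits.append((url, "plain"))  # also covers %40-encoded addresses
        elif any(v in tail for v in _b64_variants(recipient)):
            hits.append((url, "base64"))
    return hits

# Constructed sample message (not taken from the campaign).
SAMPLE_RECIPIENT = "example@mailguard.com.au"
SAMPLE_BODY = (
    "Your mailbox is inactive. Mark Mail Active for accounts:\n"
    "https://portal.example.net/verify?u=example%40mailguard.com.au\n"
    "Mirror: https://portal.example.net/v#"
    + base64.b64encode(SAMPLE_RECIPIENT.encode()).decode() + "\n"
    "Help: https://www.mailguard.com.au/help?u=example@mailguard.com.au\n"
)

if __name__ == "__main__":
    for url, encoding in links_carrying_recipient(SAMPLE_BODY, SAMPLE_RECIPIENT):
        print(f"{encoding:7} {url}")
```

Treat a hit as one signal to weigh alongside others, since legitimate unsubscribe and tracking links also carry the recipient's address.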
Critically, after entering a password once, the site reports a login failure. A second attempt then redirects the victim to the real domain associated with their email address. For example:
- `example@gmail.com` leads to `gmail.com`
- `example@mailguard.com.au` leads to `mailguard.com.au`
This sleight of hand may give the illusion of legitimacy, causing the user to believe the initial login was merely a typo or technical glitch.
Here's an example for 'mailguard.com.au':
Use of Clearbit Branding for Deception
One of the more sophisticated components of this attack is the use of [Clearbit.com](https://clearbit.com/) to fetch branding elements like logos. When the phishing page is accessed using a `mailguard.com.au` email address, the scam attempts to load:
https://logo.clearbit.com/mailguard.com.au
This technique is often used by legitimate services to enhance user experience, but in this case, it’s manipulated to lend authenticity to a fake login page. Screenshots reveal how the scam mimics a MailGuard-branded page when the right domain is passed.
Why this matters
This type of credential phishing attack is highly effective, not because of technical sophistication, but because it plays on urgency and trust. The attacker knows that if just one employee is tricked into entering their password, the door is open to data theft, internal fraud, or a broader compromise.
Attacks like this often bypass traditional security filters because:
- The email contains no attachments or known malware signatures
- The link leads to a live site that doesn't trigger standard blacklists
- The content is dynamically generated and personalised
That’s why MailGuard uses a unique, AI-driven detection engine built to identify unknown and fast-breaking threats, including zero-zero-day and zero-hour phishing attacks.
Stay Safe - Know the Signs
MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.
Avoid emails that:
- Are not addressed to you by name.
- Use poor English or omit personal details that a legitimate sender would include.
- Come from unexpected businesses or government bodies.
- Contain links or QR codes that redirect to a domain not matching the sender's real URL.
- Claim you must act urgently to claim money or avoid penalties.
Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late.
Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.
One Email Is All That It Takes
All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.
For a few dollars per staff member per month, you can protect your business with MailGuard's specialist, 'zero zero-day' email security. Special Ops for when speed matters! Our real-time 'zero-zero-day' email threat detection amplifies our clients' intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.