MailGuard Blog — Breaking alerts, news and updates on cybersecurity topics

Fake “ICANN Registrar” email masquerades as compliance notice

Written by MailGuard | 27 August 2025 01:30:21 Z

A new email phishing scam is impersonating an ICANN registrar in the form of a compliance notice. ICANN (the Internet Corporation for Assigned Names and Numbers) is a global nonprofit organisation that coordinates the technical infrastructure of the Internet to ensure unique identifiers, such as domain names and IP addresses, are managed consistently. The email urges recipients to “verify your email address within 3 days,” then sends them to a counterfeit webmail login page that’s designed to harvest credentials.

What the email looks like

Display name: [Recipient Domain Name] ICANN Registrar

From/reply-to: `icann-registrar(at)guozhiyuan.com`

Content: A simple HTML message with a single “Verify Email Address” button linking to the attacker’s site.

Tone: Urgent, account compliance and service interruption risk.

Here’s an example of the email claiming that you need to verify your address for ICANN compliance.

How the scam works

  1. You receive a compliance-style email that appears to relate to your domain registration.
  2. Clicking the button sends you to a fake webmail portal hosted on a non-legitimate domain.
  3. The page asks for your email address and password.
  4. After submission, the page briefly shows “Authenticating…” to appear legitimate, while your credentials are sent to the attacker.

This is what the fake webmail login page, which is designed to capture your credentials, looks like.

After the “Authenticating…” message, an error banner prompts you to retry, a tactic to collect multiple password attempts.

Red flags to watch for

Sender mismatch: The address `icann-registrar(at)guozhiyuan.com` is not your registrar’s domain.

Generic branding: No account-specific details a real provider would include.

Single call to action: One button that hides the destination URL.

Look-alike pages: A webmail skin or cPanel-style page hosted on an unrelated domain.

Manufactured urgency: A short deadline to “avoid interruption.”
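
The red flags above, expressed as a triage check over a raw message. This is an added example, not MailGuard's detection logic; the sample message is constructed from the details in this post, and `red_flags`, `trusted_domains` and the `.example` link host are assumptions for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the lure described in this post. The sender
# address is the one reported here; the link host is a placeholder (.example).
SAMPLE = """\
From: "example.org ICANN Registrar" <icann-registrar@guozhiyuan.com>
To: admin@example.org
Content-Type: text/html; charset=utf-8

<p>Verify your email address within 3 days to avoid interruption.</p>
<a href="https://webmail-login.example/auth">Verify Email Address</a>
"""

class _Links(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hosts.append((urlparse(href).hostname or "").lower())

def _within(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def red_flags(raw, trusted_domains):
    """Return which of the post's red flags a raw RFC 5322 message trips."""
    msg = message_from_string(raw, policy=default)
    display, addr = parseaddr(str(msg["From"]))
    sender_host = addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    parser = _Links()
    parser.feed(html)
    flags = []
    if "registrar" in display.lower() and not _within(sender_host, trusted_domains):
        flags.append("sender_mismatch")
    if len(parser.hosts) == 1:
        flags.append("single_call_to_action")
    if any(not _within(h, trusted_domains) for h in parser.hosts):
        flags.append("unrelated_link_host")
    if re.search(r"within\s+\d+\s+(day|hour)s?|avoid interruption", html, re.I):
        flags.append("manufactured_urgency")
    return flags
```

Pass your own domains and your actual registrar's domains as `trusted_domains`. A single flag such as `single_call_to_action` is weak on its own; the combination is what matches this lure.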

If someone clicked or entered a password:

  • Reset the impacted mailbox password immediately and revoke any active sessions.
  • Check MFA status and re-enrol if required.
  • Review mail rules and forwarding for the affected account.
  • Scan endpoints used during login attempts.
  • Audit authentication logs for unusual IPs, geographies, and failed logins.

Guidance for IT and security teams

  • Enforce MFA for all mail and admin access.
  • Disable legacy protocols that bypass MFA where possible.
  • Implement conditional access and risk-based sign-in alerts.
  • Tighten allow-lists for admin consoles and registrars.
  • Educate staff on registrar-themed lures and how to preview links safely.

Stay Safe, Know the Signs

MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.

Avoid emails that:

  • Aren’t addressed to you personally.
  • Are unexpected and urge immediate action.
  • Contain poor grammar or miss crucial identifying details.
  • Direct you to a suspicious URL that isn’t associated with the genuine company.

Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late. Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.

One Email Is All That It Takes

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.

For a few dollars per staff member per month, you can protect your business with MailGuard's specialist, 'zero zero-day' email security. Special Ops for when speed matters! Our real-time 'zero zero-day' email threat detection amplifies our clients’ intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.
