MailGuard is intercepting a phishing email that claims to warn recipients about suspicious activity in their mailbox, but instead directs them to a fake Webmail login page designed to steal email credentials.
The email is sent from “Protect your account” support(at)blockfunds(dot)store with the subject line “Mailbox Abuse Notice”.
The message claims that suspicious behaviour has been detected in the recipient’s email account and that this violates a security policy. It warns that the account was allegedly accessed from an unrecognised device and urges the recipient to “review recent activity”.
The email includes a green “Review recent activity” button. Clicking the link takes the recipient to a phishing website that imitates a Webmail login page.
In the example intercepted by MailGuard, the fake login page displays a Webmail logo and asks the user to enter their email address and password. The recipient’s email address is already populated on the page, because it is passed through to the phishing site via a value embedded in the link.
This is a common technique used to make phishing pages feel more personalised and convincing. By pre-filling the recipient’s email address, the scammers reduce friction and create the impression that the page is connected to the recipient’s real mailbox.
The phishing page asks for the user’s password. According to MailGuard’s analysis, once the password is entered three times, the site redirects the victim to the homepage of the recipient’s own domain. This tactic can make the interaction feel less suspicious, as the user may assume the login process simply failed or that they were redirected to a legitimate company page.
This attack is designed to harvest email account credentials. If stolen, those credentials could be used to access corporate mailboxes, intercept sensitive communications, reset passwords for other services, launch further phishing attacks, or conduct business email compromise activity.
There are several warning signs in this scam. The sender address does not match a legitimate email service provider. The message uses a generic “Mailbox Abuse Notice” theme and asks the recipient to act urgently. The email also includes awkward wording, including “Take these timeouts to protect your account,” which is not the kind of language users would expect from a professional email provider.
The landing page is also a red flag. Although it uses Webmail and cPanel-style branding, the URL is not associated with the recipient’s legitimate email provider or domain. Recipients should never enter credentials into a login page reached from an unexpected email warning.
Stay Safe, Know the Signs
MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.
Avoid emails that:
Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late. Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.
All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.
For a few dollars per staff member per month, you can protect your business with MailGuard's specialist AI-powered, zero-day email security. Special Ops for when speed matters! Our real-time zero-day, email threat detection amplifies our client’s intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.
Stay up-to-date with MailGuard's latest blog posts by subscribing to free updates. Subscribe to weekly updates by clicking on the button below.