MailGuard 13 May 2025 13:20:29 AEST 7 MIN READ

Phishing Alert: Fake Webmail Login Page

MailGuard is intercepting a new phishing campaign designed to steal user login credentials by impersonating a webmail error alert. 

The attack uses a simple HTML email that appears to come from the recipient’s own domain, with the subject line: "Your server has been blocked". While the email pretends to be a routine service message, it is in fact a sophisticated lure designed to harvest credentials via a fake login portal. 

How the scam works

  • Display deception: The attacker manipulates the “From” display name to mimic the recipient’s own domain, creating a false sense of authenticity. 
  • Spoofed sender address: The email is actually sent from alert(dot)rouncube(at)etna-industries(dot)com, unrelated to the recipient’s domain. 
  • Deceptive content: The message claims there's a server error affecting email delivery and urges the user to log into a “Webmail Portal” to resolve the issue. 
  • Phishing link mechanics: The login button redirects to a spoofed site hosted on roundcubes(dot)blob(dot)core(dot)windows(dot)net, which is not affiliated with the targeted domain. 

Once there, the victim’s email address is auto-filled into a fake webmail login page, and cannot be edited. The page is designed to capture the password when entered. 
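The indicators listed above can be checked mechanically. The following is an added example, not MailGuard's detection code: a small triage function that flags a display name mimicking the recipient's domain and login links that leave that domain or sit on shared blob hosting. The sample message, its placeholder domains and the function names are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Hosting suffixes where anyone can publish a page; the alert names Azure Blob Storage.
SHARED_HOSTING_SUFFIXES = (".blob.core.windows.net",)

# Constructed sample message (not a captured email); every domain is a placeholder.
SAMPLE = """\
From: "recipient.example" <alert@sender.example>
To: user@recipient.example
Subject: Your server has been blocked
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>A server error is affecting email delivery.</p>
<a href="https://constructed-sample.blob.core.windows.net/login.html">Log On To Webmail Portal</a>
</body></html>
"""

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def is_under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return bool(domain) and (host == domain or host.endswith("." + domain))

def triage(raw):
    """Return the lure signals found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    display, sender = parseaddr(str(msg["From"]))
    rcpt_domain = domain_of(parseaddr(str(msg["To"]))[1])
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    hosts = {h.lower() for h in re.findall(r'href=["\']https?://([^/"\'#?:]+)', text, re.I)}
    signals = []
    # Display name shows the recipient's domain, but the real sender is elsewhere.
    if rcpt_domain and rcpt_domain in display.lower() and not is_under(domain_of(sender), rcpt_domain):
        signals.append("display-name-mimics-recipient-domain")
    for host in sorted(hosts):
        if not is_under(host, rcpt_domain):
            signals.append("link-outside-recipient-domain:" + host)
        if host.endswith(SHARED_HOSTING_SUFFIXES):
            signals.append("link-on-shared-hosting:" + host)
    return signals

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

These signals are for scoring or analyst review rather than blocking on their own, since legitimate mail also links to external and cloud-hosted pages.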

Here’s what the emails look like:

[Image: webmail-email]

Clicking the 'Log On To Webmail Portal' button leads users to the phishing page, which mimics a webmail portal.

[Image: webmail-portal-signin]

Two-step deception

Victims are then subjected to a misleading verification process. 

  • First login attempt triggers a fake error – "Password is not correct. Please try again." 

[Image: webmail-portal-signin-fail]

  • Second login appears successful, displaying a green message: "CONGRATULATIONS! Account verification was successful." 

[Image: webmail-portal-signin-success]

The user is then redirected to the legitimate homepage of their own domain, adding a further layer of false reassurance that nothing is amiss.

What's really happening behind the scenes?

This is a credential phishing attack. By capturing valid email usernames and passwords, attackers can gain access to inboxes and potentially launch further attacks, including: 

  • Internal and external business email compromise (BEC) 
  • Identity theft and data exfiltration 
  • Ransomware payload distribution 
  • Impersonation of executives or finance staff to authorise fraudulent payments 

These emails are designed to bypass default security filters by using minimal HTML formatting, no attachments, and a clean user interface.

Stay Safe - Know the Signs

MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.

Avoid emails that:

  • Aren’t addressed to you personally.
  • Are unexpected and urge immediate action.
  • Contain poor grammar or miss crucial identifying details.
  • Direct you to a suspicious URL that isn’t associated with the genuine company.

Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late.

Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.

One Email Is All That It Takes   

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.     

For a few dollars per staff member per month, you can protect your business with MailGuard's specialist, 'zero zero-day' email security. Special Ops for when speed matters! Our real-time 'zero zero-day' email threat detection amplifies our clients' intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.
