Phishing email sent from compromised account directs users to update their Mailgun account details

Posted by Akankasha Dewan on 27 October 2020 19:41:30 AEDT

Don’t panic if you receive the above email claiming your Mailgun account has been put on hold. This is a phishing email scam designed to harvest your confidential data.

The email is titled “Your account is on hold” and uses a display name of “support Mailgun”, along with branding elements belonging to the email service provider. However, rather than being sent by Mailgun themselves, the email is sent from a compromised customer account using Mailgun’s services. The email informs users of “some trouble” with their “account information” and directs them to update their account.

Here’s what the email looks like:



Unsuspecting recipients who click on the link are led to a fake Mailgun-branded login page. This is a close representation of the actual Mailgun login page, and uses high quality branding & formatting elements, complete with animation. The domain used in the page’s URL however, doesn’t belong to Mailgun, and is a huge red flag that should point to the page’s illegitimacy. It is actually hosted on a compromised French website.

Mailgun 2


Upon “logging in”, users are credentials are entered and submitted, the attacker harvests them for later use, and the user is redirected to the actual Mailgun website.

Whilst MailGuard is stopping this email scam from reaching Australian businesses, we encourage all users to be extra vigilant against this kind of email and whatever happens, do not open or click on it.

Cybercriminals frequently exploit the branding of global companies like Mailgun in their scams, because their good reputation lulls victims into a false sense of security, and with such a large number of users they are an easy and attractive target. Many companies use Mailgun to communicate with their customers via email, or else pay marketing firms to do that on their behalf using Mailgun’s services. Receiving an email informing them that there is “some trouble” with their account information is therefore likely to be alarming among companies. They may want to take immediate action in order to minimise disruptions to email communications with their customers. Cybercriminals hope that in their urgency to rectify the issue, users don’t pause to check for the legitimacy of the email and click on the phishing link.

Scams that are initiated from compromised accounts are particularly dangerous because the emails are sent from a legitimate account, so they are not likely to be blocked by email security services. Cybercriminals know this, and therefore exploit these rules to trick users.

Despite this, the scam contains several red flags that should alert users of its illegitimacy. These include the fact that the recipient isn’t addressed directly in the email and as mentioned above, the domain used in the phishing page’s URL doesn’t belong to Mailgun.

We encourage all users to exercise caution when clicking on any links within emails. If you are not expecting a notification from the sender, do not open the email, download files or click through on the links. Check with the sender first, even if they are known to you.

Mailgun lists the following advice on its support page:

“If you’ve received spam from a Mailgun customer, please report it to Send us the full email headers of the spam message so we can more quickly process your request and clean up our email stream.”

Phishing continues to be one of the most prevalent forms of cyber-crime. The vast majority of online scams - more than 90% - are perpetrated using email, so it’s wise to always be skeptical of messages from unfamiliar senders asking you to log into your accounts.

As a precaution, MailGuard urges you not to click links within emails that:

  • Are not addressed to you by name.
  • Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
  • Are from businesses that you were not expecting to hear from.
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from. 

One email is all that it takes

All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.

Talk to a solution consultant at MailGuard today about securing your company's network.

Why not stay up-to-date with MailGuard's latest blog posts by subscribing to free updates? Subscribe to weekly updates by clicking on the button below.

Keep Informed with Weekly Updates



Topics: Phishing email scams fraud fastbreak mailgun compromised

Back to Blog


Something Powerful

Tell The Reader More

The headline and subheader tells us what you're offering, and the form header closes the deal. Over here you can explain why your offer is so great it's worth filling out a form for.


  • Bullets are great
  • For spelling out benefits and
  • Turning visitors into leads.

Recent Posts

Posts by Topic

see all