None of us want our Qantas membership details to fall into the wrong hands, which is why this scam is so clever. Frequent flyers who are fooled into signing in to their account to check on fraudulent account activity will in fact be passing their credentials to cybercriminals. MailGuard's AI-powered threat detection network has intercepted this sophisticated and targeted phishing campaign impersonating Qantas, which cleverly exploits the trusted relationship that many of us enjoy with the carrier.
The Attack Vector
The campaign begins with an HTML email containing a fabricated security alert claiming an "unrecognized device" has attempted to access the recipient's Qantas Frequent Flyer account. The message purports to be from "Cassian from Qantas Care" but originates from a Gmail address (sokobiqe914(at)gmail(dot)com), an immediate red flag that legitimate corporate communications would never exhibit.
As shown below, the email includes seemingly authentic details such as a timestamp (23 October 2025 08:40 AEDT), geographic location (Hobart, Australia), device information (Desktop/Windows 11), and browser type (Microsoft Edge). This level of specificity is deliberately designed to enhance the perceived legitimacy of the threat and prompt immediate action from the recipient.
The Multi-Stage Credential Harvesting Process
What distinguishes this attack is its sophisticated, multi-stage approach to credential theft. When victims click the "Not an entry by me" link, they are directed to a convincing phishing portal hosted on "qantsportal.online" – note the deliberate misspelling designed to evade detection while appearing legitimate at first glance.
The attack unfolds across multiple pages:
Stage 1 – Initial Credential Capture: The first landing page presents a professional login interface requesting the victim's Frequent Flyer membership number, last name, and PIN. The page includes authentic-looking Qantas branding and design elements that mirror the legitimate website.
Stage 2 – Verification Code Harvesting: After submitting credentials, victims are presented with an "Account Verification" screen requesting a code "sent to your registered mobile." This step is particularly insidious, as it capitalises on the victim's assumption that their account is genuinely compromised and requires immediate verification.
Stage 3 – Persistence Through Failure: If a victim enters an incorrect code, the system displays an error message stating "There was a problem processing your request" and prompts them to enter a new code. This manufactured failure serves two purposes: it adds authenticity to the experience and provides the attackers multiple opportunities to capture verification codes or other security information.
Stage 4 – Misdirection: Upon successful submission of the second verification code, victims see a "Login Successful" message indicating they will be redirected to the Qantas Help Center. The page then redirects to the legitimate Qantas website, leaving victims potentially unaware that their credentials have been compromised.
Why This Attack Is Effective
This phishing campaign demonstrates several hallmarks of sophisticated social engineering that security professionals should note:
Brand Exploitation: Qantas Frequent Flyer accounts represent significant value to both legitimate users and cybercriminals, making them prime targets for credential theft.
Urgency Creation: The "unrecognized device" narrative creates immediate concern, prompting users to act before thinking critically about the message's authenticity.
Visual Credibility: The phishing pages closely replicate Qantas's branding, colour scheme, and user interface design, making visual inspection insufficient for detection.
Multi-Factor Authentication Bypass: By requesting verification codes, attackers are positioned to potentially bypass MFA protections in real time.
Behavioural Conditioning: The manufactured failure on the first verification attempt conditions victims to try again, increasing the likelihood they'll provide additional information.
Red Flags to Watch For
Despite its sophistication, this attack contains several indicators that should alert vigilant users:
- The sender address is a generic Gmail account rather than an official Qantas domain
- The linked domain "qantsportal.online" is not Qantas's legitimate domain (qantas.com)
- The email is not personalised with the recipient's name or specific account details
- Legitimate security alerts would not request you to enter credentials or verification codes via email links
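The first two red flags lend themselves to an automated check. The following is an added example, not MailGuard's detection logic: it flags a display name that invokes the brand from a non-brand mailbox, and any link host that fuzzily resembles the brand without being on it. The allow-list (only qantas.com, as named above), the 0.8 threshold and both sample messages are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND = "qantas"
LEGIT_DOMAINS = {"qantas.com"}  # assumption: only the domain the article names

def registrable(host):
    # Naive "last two labels" rule; production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def brand_similarity(host):
    # Best fuzzy match between the brand and any 5-7 character window of the first label.
    label = registrable(host).split(".")[0]
    windows = [label[i:i + n] for n in (5, 6, 7) for i in range(max(1, len(label) - n + 1))]
    return max(SequenceMatcher(None, w, BRAND).ratio() for w in windows)

def red_flags(raw_email, threshold=0.8):
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable(addr.rsplit("@", 1)[-1])
    flags = []
    # Flag 1: display name invokes the brand, but the mailbox is on another domain.
    if BRAND in display.lower() and sender_domain not in LEGIT_DOMAINS:
        flags.append(f"sender-mismatch:{sender_domain}")
    # Flag 2: a link host that resembles the brand without being the brand's domain.
    for url in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload()):
        host = urlparse(url).hostname or ""
        if registrable(host) not in LEGIT_DOMAINS and brand_similarity(host) >= threshold:
            flags.append(f"lookalike-link:{host}")
    return flags

# Constructed sample: display name and link domain are those reported in the article;
# the sender local part and subject are placeholders.
PHISH = '''From: "Cassian from Qantas Care" <placeholder@gmail.com>
Subject: Security alert

<p>An unrecognized device tried to access your account.</p>
<a href="https://qantsportal.online/">Not an entry by me</a>
'''
# Constructed benign control message.
BENIGN = '''From: "Qantas Frequent Flyer" <noreply@qantas.com>
Subject: Your statement

<a href="https://www.qantas.com/">View statement</a>
'''
print(red_flags(PHISH), red_flags(BENIGN))
```

A fuzzy match like this catches one-character omissions such as "qants" but will also fire on unrelated names that happen to resemble the brand, so treat a hit as a signal for review rather than a verdict.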
Stay Safe, Know the Signs
MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.
Avoid emails that:
- Aren’t addressed to you personally.
- Are unexpected and urge immediate action.
- Contain poor grammar or miss crucial identifying details.
- Direct you to a suspicious URL that isn’t associated with the genuine company.
Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late. Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.
One Email Is All That It Takes
All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.
For a few dollars per staff member per month, you can protect your business with MailGuard's specialist, 'zero zero-day' email security. Special Ops for when speed matters! Our real-time 'zero zero-day' email threat detection amplifies our clients' intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.