MailGuard has intercepted a new email scam circulating widely, targeting employee trust and exploiting curiosity and eagerness around end-of-financial-year communications. The campaign is being blocked by our filter network, but has the potential for serious consequences for those that do receive it.
What’s the scam?
A plain-text phishing email, it arrives from a spoofed payroll address, presenting as an internal message regarding a salary adjustment. The subject line — “Commission/Salary adjustment” — is designed to trigger immediate attention. The message body prompts the recipient to view “updated salary details” via a seemingly legitimate link.
Here’s what the emails look like:
The email purports to be from a Payroll Admin and includes a link targeting unsuspecting staff members.
The link leads to a phishing page that impersonates a cPanel Webmail login portal, prompting the victim to enter their email credentials.
This login screen is not legitimate. It’s designed to steal your user credentials.
Once the details are entered, users are redirected to a decoy webpage associated with the email domain to reduce suspicion. The attacker captures the email and password for later exploitation — potentially including unauthorised access, internal data compromise, and account hijacking.
Technical Details
- Sender: Spoofed as “Payroll Admin” but actually sent using Sendgrid.
- Phishing Host: The malicious login page is hosted on the Vercel platform.
- Impersonation Tactic: The phishing page mimics cPanel Webmail’s branding and interface with a high degree of accuracy.
This campaign relies heavily on recipients failing to verify sender details, and assuming legitimacy due to the sensitive and routine nature of salary-related communications.
Why this matters
As businesses approach the end of the financial year, HR and payroll notifications become commonplace — making inboxes ripe for social engineering attacks. Messages like this exploit trusted internal workflows and can compromise critical systems if a single staff member is deceived.
Multiple Attacks, Same Infrastructure
MailGuard analysts have confirmed that this phishing infrastructure is being used across multiple campaigns. Another scam—posing as a Fedex notification—redirects users to the exact same phishing site. This strongly indicates a single, coordinated threat actor behind both attacks.
At the time of writing, only one other vendor is identifying this link as malicious, however MailGuard’s proprietary ML & AI-powered email threat detection stopped it in real time.
Stay Safe - Know the Signs
MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.
Avoid emails that:
- Aren’t addressed to you personally.
- Are unexpected and urge immediate action.
- Contain poor grammar or miss crucial identifying details.
- Direct you to a suspicious URL that isn’t associated with the genuine company.
Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late.
Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.
One Email Is All That It Takes
All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.
For a few dollars per staff member per month, you can protect your business with MailGuard's specialist, 'zero zero-day' email security. Special Ops for when speed matters! Our real-time 'zero zero-day', email threat detection amplifies our client’s intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.
Stay up-to-date with MailGuard's latest blog posts by subscribing to free updates. Subscribe to weekly updates by clicking on the button below.
