MailGuard’s AI-powered filter network is intercepting a new phishing campaign that impersonates Telstra and attempts to harvest credentials, personal identity details, and credit card information through a staged web form.
The email itself is simple and deliberately low-friction, a basic HTML message with a single button linking to the phishing site. The sophistication sits behind the click, where the victim is guided through multiple steps that progressively escalate the sensitivity of the information requested.
The lure presents as a “Billing Adjustment Notification” and claims a refund is pending, with a prominent call-to-action button such as “Submit Refund Request”.
What to note in the example: Telstra branding, a refund amount (AUD $420.00), and a request to “complete the short online form” via the button.
A key feature of this campaign is that the display name is formatted as “TelstraID-[random 7 digits]”, for example from: TelstraID-7614063 example(at)compromisedaccount(dot)com. The sender addresses themselves are not consistent with a legitimate Telstra sending domain. Instead, they appear to be drawn from a wide pool of unrelated compromised or misused email accounts across many organisations and regions.
There are three observed subject variants, each followed by a random number:
Importantly, the random number in the subject does not match the random number used in the “TelstraID” display name. This mismatch is a strong authenticity indicator that can be used for triage.
Once the user clicks the button, the phishing site guides them through a multi-page capture process:
1. Email address capture
This page presents as a Telstra webmail sign-in step, requesting the email address.
2. Password capture
This page requests the password after an email is entered.
3. Personal details capture
This page escalates to identity capture, name, date of birth, address, phone.
4. Credit card details capture
This page attempts card harvesting, requesting card number, expiry, and CVC.
In testing, the flow failed after the fourth step with a “can’t load file” style error, which is common in fast-moving phishing kits where components are swapped out frequently or infrastructure is unstable.
Share these with end users and service desk teams as a short checklist:
This is not just a brand-impersonation nuisance. If a user enters their email and password, attackers may attempt to re-use those credentials across corporate services, cloud apps, and VPNs. If personal details and card information are also provided, the victim and the business face additional exposure including financial fraud, identity misuse, and follow-on targeted attacks using harvested identity context.
MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.
Avoid emails that:
Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late. Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.
All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.
For a few dollars per staff member per month, you can protect your business with MailGuard's specialist AI-powered, zero-day email security. Special Ops for when speed matters! Our real-time zero-day, email threat detection amplifies our client’s intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.
Stay up-to-date with MailGuard's latest blog posts by subscribing to free updates. Subscribe to weekly updates by clicking on the button below.