MailGuard is alerting businesses to a phishing campaign impersonating Vodien Internet Solutions Pte Ltd, using a fake domain renewal and expiry notice to pressure recipients into submitting payment card details via a fraudulent payment page.
This threat has been intercepted by MailGuard’s filter network. The email uses a simple but effective approach, claiming that a domain is at risk of deletion or service interruption, then directing the recipient to a phishing site designed to capture credit card details.
For many businesses, a domain, website or email outage is viewed as an urgent operational issue, which makes this type of message particularly dangerous. Attackers rely on that urgency to push recipients into acting quickly, before they stop to verify the sender, inspect the link or question whether the notice is legitimate.
The phishing email presents itself as a domain billing or expiry notice from Vodien 24/7 Cloud Hosting. The subject line shown in the example is: Your Domain Will be Deleted.
The message warns that an invoice has been generated and suggests that services may be interrupted or terminated if payment is not made. It also references the risk of data loss and account termination, language designed to heighten concern and trigger immediate action.
The email branding is made to resemble a legitimate hosting or domain management notification, with a prominent call-to-action button labelled VIEW INVOICE.
While the visual presentation may appear plausible at a glance, the sender information is a strong warning sign. In this case, the message purports to come from:
Display Name: Vodien Internet Solutions Pte Ltd
Display Address: info(dot)14x7zj0v5kweb(at)cabaroncello(dot)it
Sending Address: info(dot)14x7zj0v5kweb(at)cabaroncello(dot)it
This is not a legitimate Vodien email domain. It is a clear indicator that the message is fraudulent.
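The mismatch described above, a display name claiming Vodien while the address belongs to an unrelated domain, can be checked mechanically. The following Python sketch is an added example, not MailGuard's detection logic; the brand allowlist (including `vodien.com`), the function names and the sample headers are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: brand keyword -> domains the defender has confirmed the brand
# sends from. "vodien.com" is an assumed entry; verify it before relying on it.
BRAND_DOMAINS = {"vodien": {"vodien.com"}}

def refang(value):
    """Convert the advisory's defanged notation into a normal address."""
    return value.replace("(dot)", ".").replace("(at)", "@")

def domain_of(address):
    return address.rpartition("@")[2].lower().rstrip(".")

def domain_allowed(domain, allowed):
    # Exact match or a true subdomain; "vodien.com.example.net" does not pass.
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def impersonation_findings(raw_message):
    """Flag messages whose display name claims a brand that the From or
    Return-Path domain does not belong to."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, envelope_addr = parseaddr(msg.get("Return-Path", ""))
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if brand not in display.lower():
            continue
        for label, addr in (("From", from_addr), ("Return-Path", envelope_addr)):
            if addr and not domain_allowed(domain_of(addr), allowed):
                findings.append(f"{label}: display name claims '{brand}' "
                                f"but domain is '{domain_of(addr)}'")
    return findings

def sample_message(display, address):
    # Constructed sample headers; only the display name, address and subject
    # of the phishing case are taken from the advisory above.
    return (f'From: "{display}" <{address}>\n'
            f"Return-Path: <{address}>\n"
            "Subject: Your Domain Will be Deleted\n\nVIEW INVOICE\n")

PHISH = sample_message("Vodien Internet Solutions Pte Ltd",
                       refang("info(dot)14x7zj0v5kweb(at)cabaroncello(dot)it"))
GENUINE = sample_message("Vodien Billing", "billing@vodien.com")  # constructed

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("genuine", GENUINE)):
        print(name, impersonation_findings(raw))
```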
How the phishing site works
MailGuard is blocking the email, which contains a single link leading to a phishing site. Once clicked, the recipient is taken to a fake payment page framed as a domain renewal transaction.
Here's the fraudulent payment form. The page uses familiar payment card branding (Visa and MasterCard) and a clean checkout layout to create a false sense of legitimacy. It prompts the victim to enter card number, expiry date, CVV and name details, while displaying a discounted renewal amount and a short time window to avoid service interruption.
This image shows the payment page with validation prompts activated, indicating the site is actively designed to harvest card data by requiring the victim to complete all fields before proceeding.
Once complete, a “Please wait” processing screen appears after payment information has been entered. This type of screen is commonly used in phishing workflows to reassure the victim that the transaction is being processed normally, even though the real purpose is to collect the submitted card details.
MailGuard was not able to progress beyond the initial payment card capture stage, but the intent is clear. This is a phishing attack designed to steal financial information by exploiting concern over domain expiry and business disruption.
Scams like this are dangerous not because they are technically complex, but because they exploit a very real business fear. For most organisations, domains are tied directly to websites, email services, client communications and digital operations. A message suggesting that a domain may be deleted or that services may soon be interrupted can trigger a fast response, especially if it reaches someone responsible for web, marketing, IT, procurement, finance or general business operations.
This type of phishing attack is also effective because it imitates a routine administrative task. It does not ask the recipient to do something unusual. Instead, it presents a familiar scenario, a payment reminder, a renewal request, or a service continuity warning, and uses that familiarity to lower suspicion. That is precisely why these threats continue to succeed. The message does not need to be highly sophisticated. It only needs to appear credible long enough for one person to act.
There are several indicators in this campaign that recipients and security teams should treat as red flags:
Even where branding, layout and language appear convincing, these signals matter. Attackers are increasingly using polished pages and familiar business workflows to disguise credential theft and payment fraud.
Stay Safe, Know the Signs
MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.
Avoid emails that:
Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late. Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.
All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.
For a few dollars per staff member per month, you can protect your business with MailGuard's specialist AI-powered, zero-day email security. Special Ops for when speed matters! Our real-time, zero-day email threat detection amplifies our clients' intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.