Phishing Disguised as Spam

Home » Blog » Phishing Disguised as Spam

Attackers are trying to steal credentials from corporate mail by sending lists of quarantined spam e-mails.

What do you do when an unsolicited e-mail lands in your work inbox? Unless you’re a spam analyst, you will most certainly probably just delete it. Paradoxically, that’s exactly what some phishers want you to do, and as a result, we have been seeing more and more e-mails lately that appear to be notifications about obviously unwanted messages.

How it works

Cybercriminals, relying on users’ inexpert knowledge of antispam technologies, send notifications to company employees about e-mails that allegedly arrived at their address and were quarantined. Such messages look something like this:

Fake notification about quarantined e-mails.

Picture: Fake notification about quarantined e-mails.

The attackers simply copy the style of other advertising for unsolicited goods and services and provide buttons for deleting or keeping each message. It also provides an option to delete all quarantined messages at once or to open mailbox settings. Users even receive visual instructions:

Visual instructions sent by scammers.

Picture: Visual instructions sent by scammers.

SEE: WHY We Fall for Phishing Scams so Easily?

What’s the catch?

The catch, of course, is that the buttons are not what they seem. Behind every button and hyperlink lies an address that brings the clicker to a fake login page, which looks like the Web interface of the mail service:

Phishing site.

Picture: Phishing site.

The message “Session Expired” is meant to persuade the user to sign in. The page serves one purpose, of course: to harvest corporate mail credentials.

SEE: 1 in 3 Employees are Likely to Fall for Phishing Scam


In the e-mail, the first thing that should set alarm bells ringing is the sender’s address. If the notification were real, it would have to have come from your mail server, which has the same domain as your mail address, not, as in this case, from an unknown company.

SEE: Email Red Flags

Before clicking any links or buttons in any message, check where they point by hovering the mouse cursor over them. In this case, the same link is stitched into all active elements, and it points to a website that has no relation to either the domain of the recipient or the Hungarian domain of the sender.

How to avoid spam and phishing

To avoid getting hooked, corporate users need to be familiar with the basic phishing playbook. Of course, it is better to prevent encounters between end-users and dangerous e-mails and phishing websites in the first place. For that, use antiphishing solutions both at the server level and on users’ computers.

To discuss solutions for your team, contact us. We’ll review the security options that are best suited to your business, and employees.

Helping Grow Your Business


Subscribe To Our Newsletter

Newsletter Signup