A recent phishing campaign is landing in corporate inboxes, pretending to be routine IT notices about blocked or quarantined emails.
According to Cyber Press, researchers have identified a phishing campaign that uses fake internal notifications to trick employees into revealing their email login credentials. The fraudulent messages claim that several incoming emails were quarantined for security reasons and prompt recipients to click a link to “release” them.
These phishing emails appear to originate from the victim’s own organization, using spoofed sender addresses to bypass suspicion. Attackers replicate company branding and tone to mimic genuine internal alerts, often using subject lines referencing “message delivery failure” or “security warning.”
Clicking the embedded links redirects victims to fake login pages designed to look identical to webmail portals like Microsoft 365, Outlook Web Access, or cPanel. These pages often autofill the user’s email address, asking only for the password to lower suspicion. Once entered, the credentials are transmitted directly to the attackers, who can then access corporate mailboxes.
Compromised accounts are used for further phishing attempts, internal reconnaissance, or to extract sensitive business information. Many of these phishing sites are hosted on compromised web servers and secured with free SSL certificates, which lend them a false appearance of legitimacy. Some phishing kits can even adapt visuals like logos and colors to match the victim’s organization.
According to researchers, the phishing emails use forged “Reply-To” and “Return-Path” headers, with domain names made to look credible by including terms like “secure,” “portal,” or “release-message.” These structural details make the emails appear trustworthy at first glance.
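The header pattern described above can be checked mechanically at triage time. The following is an added example, not code from the researchers or from any vendor named in this article: the function names, the example.com / example.net domains and both sample messages are constructed for illustration, and it assumes the receiving gateway has already stripped any Authentication-Results headers it did not add itself.

```python
from email import message_from_string
from email.utils import parseaddr

# Terms the article reports in the look-alike domains.
LURE_TERMS = ("secure", "portal", "release-message")

# Constructed sample messages (not taken from the campaign).
SPOOFED = """\
Return-Path: <bounce@release-message.example.net>
Authentication-Results: mx.example.com; spf=pass; dmarc=fail header.from=example.com
From: IT Support <it-support@example.com>
Reply-To: helpdesk@secure-portal.example.net
Subject: Security warning: 3 messages quarantined

Click the link to release your messages.
"""
LEGIT = """\
Return-Path: <it-support@example.com>
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass header.from=example.com
From: IT Support <it-support@example.com>
Subject: Planned maintenance window

Mail will be unavailable on Saturday night.
"""

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def triage(raw_message, internal_domains):
    """Return findings for a message whose From claims an internal domain."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    if from_dom not in internal_domains:
        return []  # external senders are out of scope for this check
    findings = []
    for name in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[name])
        if dom and dom != from_dom and not dom.endswith("." + from_dom):
            findings.append(f"{name} domain {dom} does not match From domain {from_dom}")
            if any(term in dom for term in LURE_TERMS):
                findings.append(f"{name} domain {dom} contains a lure term")
    # Authentication-Results (RFC 8601) is written by the receiving server;
    # an internal From address without a DMARC pass is treated as suspect.
    auth = " ".join(msg.get_all("Authentication-Results") or []).lower()
    if "dmarc=pass" not in auth:
        findings.append("internal From address without a DMARC pass")
    return findings
```

Calling `triage(SPOOFED, {"example.com"})` returns five findings, while the legitimate sample returns none.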
Researchers warned that users often mistake HTTPS padlocks for safety indicators without verifying the site’s legitimacy, making this tactic particularly effective.
Internal-style phishing has become one of the most deceptive and damaging attack methods because it exploits trust from within. When a message looks like it’s coming from a company’s own IT department, employees are far more likely to click without hesitation. With campaigns like this one, attackers are proving that even simple social engineering, when combined with convincing branding and HTTPS padlocks, can outsmart traditional filters and policies.
Since phishing remains the top threat across every industry, organizations need protection that goes beyond rule-based detection. Paubox Inbound Email Security uses generative AI to analyze message tone, sender behavior, and relationship history, identifying subtle patterns that point to impersonation or credential theft attempts. As attackers increasingly mimic internal communication, AI-powered email security gives companies the context awareness needed to stop these messages before they ever reach employees.
Employees tend to trust messages that appear to come from within their organization, making them less likely to question formatting inconsistencies or unexpected requests.
Attackers exploit weak or missing domain authentication protocols like SPF, DKIM, and DMARC, allowing forged sender addresses to appear legitimate.
Attackers obtain free certificates from services like Let’s Encrypt to make fake sites appear secure, misleading victims who associate the padlock icon with safety.
Subtle red flags include generic wording, mismatched URLs, urgency cues, and login links leading to domains that don’t match the company’s real email service.
Organizations should combine domain authentication, staff awareness training, and multifactor authentication to reduce both the likelihood and impact of successful phishing attempts.