You will be surprised by the enormous number of phishing attacks targeting webmail users on non-free mail domains in an attempt to siphon out their credentials for later use.

These emails often make it look like they come from the recipient’s own IT support, or security department, seemingly about a queued or held message that requires some type of action for the user to receive it. For example, these emails might suggest account closure, password expiration, storage updates, or other topics that would normally suggest urgency and importance.

Given the huge rise in attacks over the past year, there has never been a better time to know how to stay ahead of these threats.

How do I even receive these emails?

Cybercriminals do everything in their power to obtain as many addresses as possible for potential financial gain. The methods they use vary vastly and include things such as:

  • Compromising online accounts
  • Using “publicly available” email lists
  • Exploiting websites to obtain data dumps
  • Leveraging scraping software to harvest addresses from thousands of web pages

Once the bad actors have obtained the log-in credentials they need, compromising the email/domain mail accounts to spread more spam and phishing emails is straightforward. Also, they are able to check if those credentials are being used for other websites (from bank accounts to social media accounts), leading to more account takeovers and even more headaches for users.

How to detect a phishing email?

1. Email headers

Put your Sherlock Holmes hat on and let’s take a peek at the header and sender’s information for one of these attacks. Note: the recipient’s domain has been changed to to protect the victim and the sender’s IP has also been changed.

The cyber criminal’s goal here is to make their email look as if it’s coming from the recipient’s domain, as you can see in the screenshot below.

The header of the email shows that (although edited in this example) the attacker is tring very hard to assume the identity of the recipient’s domain:

  • The HELO which is used as a “greeting” by mail-servers to identify the server’s FQDN (Fully Qualified Domain Name) is spoofed to the recipient’s domain.
  • The envelope sender address (the one from which the email is sent) is spoofed to resemble a generic recipient on the recipient’s domain (e.g., info@, support@, etc.)
  • The from address and display names are spoofed to appear as if they come from an internal service.
  • The message ID is spoofed.

The emails themselves arrive from various sources. These can include (but are not limited to):

  • PHP mailers from hacked hosting accounts
  • Cloud services
  • Web hosting services
  • VPN services
  • Hacked email accounts

2. Content

This kind of phishing attack relies heavily on variations of the same content, e.g., Queued or Pending emails, or Account Verification and Closure/Expiration, with a call to action (CTA) that is often brightly colored.

The English language and grammar used will often be clumsy or incorrect, and the wording – designed to create a sense of urgency.

On top of this, the HTML of the email can sometimes be encoded in an attempt to circumvent a domain’s anti-spam and phishing policies.


If this information is helpful to you read our blog for more interesting and useful content, tips, and guidelines on similar topics. Contact the team of COMPUTER 2000 Bulgaria now if you have a specific question. Our specialists will be assisting you with your query.

Content curated by the team of COMPUTER 2000 on the basis of marketing materials provided by our partners/vendors.


Follow us to learn more


Let’s walk through the journey of digital transformation together.

By clicking on the SEND button you agree to the processing of personal data. In accordance with our Privacy Policy

7 + 1 =