Terrible! ヽ(*。>Д<)o゜
Prior Notice: The team has only two official email addresses: [email protected] and [email protected]
Do not blindly trust all emails in the “Spam” folder—verify with the official team if necessary!
Summary
On 2026-02-18 at 01:18 (UTC), the forum admin received a suspicious phishing email from <[email protected]> addressed to [email protected]. After internal verification, the team confirmed that the email address [email protected] does not exist, and the email exhibited classic signs of forgery and phishing. The intent appears to be credential theft by impersonating an email storage management portal via deceptive links. Key findings include obfuscated content, suspicious domain redirects, and association with high-abuse top-level domains (TLDs). The target link’s .sbs TLD has a reported abuse rate of 225.9 in recent investigations.
Notably, the team received an identical phishing email at 13:48 (UTC) the same day. Neither email contained trackers in the body.
Both phishing emails failed DKIM signature verification and were filtered into the “Spam” folder.
Email Header Analysis
The email was relayed through multiple servers, originating from a Google Cloud IP (35.204..) before reaching the team’s mail server. The security team found that the “From” field in the raw email was empty (<>), meaning it was not sent as a normal user email. The team’s spam filter identified and blocked it. The header carried high-priority flags (Importance: high, X-Priority: 1).
The content used base64 encoding for both plaintext and HTML sections—a common tactic to evade spam detection. The MIME-Version: 1.0 and multipart/alternative structure mimicked professional emails.
Sender Analysis
Sent via a Google Cloud virtual instance, a common practice in phishing campaigns.
Content Analysis
Subject: [[email protected]]: Please confirm to continue.
Impersonates internal support to establish trust.
Body: Claims the mailbox is nearly full (49.5 GB / 50 GB) and will be unable to send/receive emails within 24 hours, urging immediate action. This fear-based tactic is a hallmark of phishing, pressuring recipients to click without verification.
The body also includes HTML elements—a progress bar (red background to create urgency) and a “Clear Cache” button—along with a confidentiality disclaimer to mimic corporate emails.
Notably, the phrase “EMail storage portal” is improperly capitalized.
Link and Redirect Analysis
The embedded link follows this structure:
https://juguetes[redacted to prevent victimization].com.ar/Banner.php?id=21&url=https://do[redacted to prevent victimization].sbs/tang/index.html?email=[Email]
- juguetes[redacted].com.ar is a legitimate Argentine toy company (founded in the 1990s). The /Banner.php path suggests a possible compromise, such as an injected redirect script.
- The target is do[redacted].sbs. The .sbs TLD is flagged for high phishing abuse, with 10% of domains recently classified as malicious. Spamhaus reports a 172% growth rate in .sbs registrations, with escalating abuse due to low registration costs. Users on platforms like Reddit have reported spam from .sbs domains, often displaying “Insufficient relevant content” or Cloudflare verification—common in hidden phishing pages that dynamically load to evade detection.
The likely goal is credential theft (e.g., email/password). The ?email=[Email] parameter suggests a pre-filled form.
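The header checks above (empty From, priority flags, DKIM failure, base64-encoded parts) and the link analysis (a redirect parameter carrying a nested URL on a high-abuse TLD with a pre-filled email parameter) can be scripted so the next message of this kind is triaged mechanically. The Python helper below is an added example, not code from the original post or the team. The raw message, the hosts redirector.example.com.ar and landing.example.sbs, the HIGH_ABUSE_TLDS watch-list and the REDIRECT_PARAMS names are all constructed for illustration and stand in for the redacted real values.

```python
"""Triage helper for the phishing pattern described in the post.

Added example with a constructed sample message; the domains are placeholders
for the redacted ones, not real indicators.
"""
import base64
import html
import re
from email import message_from_string
from urllib.parse import parse_qs, urlparse

# Constructed watch-list: the post singles out .sbs as a high-abuse TLD.
# A real deployment would feed this from current abuse data.
HIGH_ABUSE_TLDS = {"sbs"}

# Hypothetical list of query-parameter names that commonly carry a nested URL.
REDIRECT_PARAMS = ("url", "redirect", "goto", "target", "next")

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

# Constructed sample mirroring the post: empty From, priority flags,
# DKIM failure, base64-encoded HTML body with the redirect link.
HTML_BODY = (
    "<p>Your mailbox is almost full (49.5 GB / 50 GB).</p>"
    '<a href="https://redirector.example.com.ar/Banner.php?id=21'
    '&amp;url=https://landing.example.sbs/tang/index.html?email=[Email]">'
    "Clear Cache</a>"
)
RAW_EMAIL = (
    "From: <>\n"
    "To: admin@example.org\n"
    "Subject: [admin@example.org]: Please confirm to continue.\n"
    "Importance: high\n"
    "X-Priority: 1\n"
    "Authentication-Results: mx.example.org; dkim=fail\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=utf-8\n"
    "Content-Transfer-Encoding: base64\n"
    "\n" + base64.b64encode(HTML_BODY.encode()).decode() + "\n"
)


def analyze_link(url):
    """Split a link into its outer host, any nested URL carried in a redirect
    parameter, and the flags a triager would want to see."""
    outer = urlparse(url)
    finding = {"outer_host": outer.hostname, "nested_url": None,
               "nested_host": None, "flags": []}
    query = parse_qs(outer.query)
    for name in REDIRECT_PARAMS:
        for value in query.get(name, []):
            nested = urlparse(value)
            if nested.scheme not in ("http", "https") or not nested.hostname:
                continue
            finding["nested_url"] = value
            finding["nested_host"] = nested.hostname
            if nested.hostname != outer.hostname:
                finding["flags"].append("redirect-to-other-host")
            if nested.hostname.rsplit(".", 1)[-1] in HIGH_ABUSE_TLDS:
                finding["flags"].append("high-abuse-tld")
            if "email" in parse_qs(nested.query):
                finding["flags"].append("prefilled-email")
    return finding


def triage(raw_message):
    """Run the header and body checks over one raw message.
    Returns (sorted header/body flags, list of analyzed links)."""
    msg = message_from_string(raw_message)
    flags = []
    if (msg.get("From") or "").strip() in ("", "<>"):
        flags.append("empty-from")
    if (msg.get("Importance", "").lower() == "high"
            or msg.get("X-Priority", "").strip() == "1"):
        flags.append("high-priority-flags")
    if "dkim=fail" in msg.get("Authentication-Results", "").lower():
        flags.append("dkim-fail")
    links = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get("Content-Transfer-Encoding", "").lower() == "base64":
            flags.append("base64-encoded-part")
        payload = part.get_payload(decode=True) or b""  # decodes base64 for us
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for href in HREF_RE.findall(text):
            links.append(analyze_link(html.unescape(href)))
    return sorted(set(flags)), links


if __name__ == "__main__":
    found_flags, found_links = triage(RAW_EMAIL)
    print("header/body flags:", found_flags)
    for link in found_links:
        print(link["outer_host"], "->", link["nested_host"], link["flags"])
```

The nested-URL check is the part worth keeping even if the rest is replaced by a mail gateway: a link whose query string carries a second absolute URL to a different host is the open-redirect shape seen here, and it is visible in the raw body regardless of how the landing page later behaves.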
Conclusion
This is terrifying! ヽ(*。>Д<)o゜
