Phishing mails asking to "Confirm account"

arnauvp · January 29, 2023, 10:20am

Some users have reported receiving a message with subject “Mail service message 1/28/2023” asking them to “Confirm account to avoid permanent termination”. These messages are phishing attempts potentially trying to obtain login credentials.

Do not open this email or click on any links it contains. If you accidentally went to this phishing site and entered your login data, please contact our support team – helpdesk@murena.com – as soon as possible.

Please remember any system maintenance will be confirmed at https://status.murena.io, and all our sites are using valid TLS certificates for the murena.io domain or its subdomains (closed padlock on your browser).

Regain your privacy! Adopt /e/ the unGoogled mobile OS and online services phone

Pitttuhau · January 29, 2023, 10:42am

Something like this…

arnauvp · January 29, 2023, 11:27am

Thanks Iñigo. Could you please forward this message to dev@murena.io so we can evaluate how to block them?

El 29 de gener de 2023 11:52:50 CET, “Iñigo Ateka via /e/OS community” community@e.email ha escrit:

marcdw · January 29, 2023, 11:44am

I make it a habit of checking headers when I get mail of that sort.
Sometimes the From: headers are a dead giveaway.

SkewedZeppelin · January 29, 2023, 10:37pm

How were the emails obtained? Will there be a report clarifying the situation posted soon?

Manoj · January 30, 2023, 12:07am

The team is investigating what happened and should share its findings ASAP.

arnauvp · January 30, 2023, 7:25pm

Upon investigation, we only found 2 accounts receiving this message, with similar sender or source IP address. It doesn’t seem an orchestrated attack targetting e.email users.

How were the emails obtained?

Affected users may have signed up on a dubious/trap service, or their addresses leaked on another site (e.g. Twitter), or simply published their address on some site profile.

We already put in place a good number of phishing detection rules at the end of 2022, but this particular message seems to have passed the check as it was sent from a legitimate domain/IP combination. Hence, inspecting the actual From address would have revealed its lack of authenticity (it was not even coming from an e.email/murena.io account).

Going forward, we plan to add better phishing checks and look for ways to unequivocally determine the authenticity of a message from the Murena team, as well as offering tips to our users to protect themselves from such threats on any online service.

In case of doubt, please reach out to us at helpdesk@murena.com.

Thank you @Pitttuhau for the quick report!