The ASEC analysis team detected multiple phishing emails whose phishing page changes its icon to match the email account service entered by the user. The threat actor used the favicon feature supported by Google.

Diving into details

Generally, the user's email address is filled in automatically, so the user only has to enter a password. In this phishing case, however, users were also required to enter their email address.
  • On January 16, 2023, a phishing email was sent to users warning them that their account would be shut down unless they clicked the ‘Reactivate Now’ link.
  • The icon of the phishing page changes according to the mail service type listed after the “@”: the icon changes when the desired “website address” is entered beneath the URL provided.


  • The account credentials entered on the phishing page were sent to a C2 server whose address was on the same domain as one used in a previous campaign observed by the researchers.
  • This led to the assumption that the same threat actor conducted the latest campaign.
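
A triage heuristic for the icon-swapping behaviour described above, added here as an example and not taken from the ASEC report: it flags page source that combines a password field, Google's favicon service, and a domain value that is filled in at runtime. The endpoint path, the finding names and both HTML samples are assumptions constructed for this example.

```python
import re
from html.parser import HTMLParser

# Google's public favicon endpoint. The page does not give the exact URL the
# campaign used, so matching on this path is an assumption of this example.
FAVICON_SERVICE = re.compile(r"google\.com/s2/favicons\?", re.I)
# "domain=" left open in a string and completed at runtime (concatenation or template).
RUNTIME_DOMAIN = re.compile(r"domain=(?:[\"']\s*\+|\$\{)", re.I)
SPLITS_AT_SIGN = re.compile(r"split\(\s*[\"']@[\"']\s*\)")

class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.has_password, self.in_script, self.scripts = False, False, []

    def handle_starttag(self, tag, attrs):
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.has_password = True
        self.in_script = tag == "script"

    def handle_endtag(self, tag):
        self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts.append(data)

def favicon_swap_findings(html):
    """Return the indicators found in one page's source, in a fixed order."""
    c = _Collector()
    c.feed(html)
    c.close()
    js = "\n".join(c.scripts)
    checks = [("password-field", c.has_password),
              ("favicon-service", bool(FAVICON_SERVICE.search(html))),
              ("runtime-domain", bool(RUNTIME_DOMAIN.search(js))),
              ("splits-email-at-@", bool(SPLITS_AT_SIGN.search(js)))]
    return [name for name, hit in checks if hit]

def is_suspicious(html):
    # Credential form + favicon service + domain chosen at runtime, on one page.
    return {"password-field", "favicon-service", "runtime-domain"} <= set(favicon_swap_findings(html))

# Constructed samples, not taken from the campaign.
SUSPECT = """<link id="ico" rel="icon" href="data:,">
<input id="user" type="email"><input id="pw" type="password">
<script>user.onchange = function () { ico.href = "https://www.google.com/s2/favicons?domain=" + user.value.split("@")[1]; };</script>"""
BENIGN = """<link rel="icon" href="https://www.google.com/s2/favicons?domain=example.com">
<input type="email" value="user@example.com"><input type="password">"""
```

A login page that uses the favicon service with a fixed domain, like the second sample, is not flagged; only the runtime-built domain next to a password field is.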

The bottom line

In conclusion, phishing attacks are evolving and becoming more sophisticated, which makes them a serious threat to organizations. These attacks are not limited to employees who have access to sensitive information; attackers can also use them to gain access to corporate networks. This is a major concern for organizations, as the consequences of an attack can be devastating, and it calls for proactive cybersecurity defenses.
Cyware Publisher