Phishing Email Sent from Internal Account - Telegram Phishing Attack (15/10/2025) Print

< Back to Scams and Phishing

We recently observed a phishing email sent from within a client's own Rackspace Mail hosted domain (c****@a***s.co.uk) to another Rackspace Mail hosted internal address on a different domain (j***@a***s.fr). The message included an attachment named Copy-RAC-pdf.html that impersonated the Rackspace Webmail login and silently forwarded any entered credentials to an attacker via Telegram.

Although the email from c****@a***s.co.uk passed SPF, DKIM, and DMARC checks (i.e. it appeared “legitimate” in the headers), the root issue is likely that the sender’s account or device is already compromised.

Message Header Analysis
The screenshot below is an email header trace showing the message was sent through Rackspace servers: (smtp20.relay.iad3b.emailsrvr.com → smtp9.gate.iad3b.rsapps.net → proxy4.mail.iad3b.rsapps.net → store525b.mail.iad3a.rsapps.net), SPF checked as pass, and the routing stayed inside the Rackspace infrastructure, which indicates the message was sent from the legitimate a***.co.uk mail system rather than being spoofed, in other words, it strongly suggests the sender’s account or device has been compromised and was used to send the phishing page.

HTML Attachment
This screenshot shows the phishing email as received. It appears to come from a trusted internal address and contains an attachment named Copy-RAC-pdf.html. The file looks harmless but, when opened, it displays a fake Rackspace Webmail login page with the recipient’s email address already filled in, tricking the user into entering their password and unknowingly sending it to the attacker.

Fake Log-in Page posing as Rackspace Mail log in
This screenshot shows what happens when the attached Copy-RAC-pdf.html file is opened. It displays a fake Rackspace Webmail login page, prefilled with the recipient’s real email address and prompting for a password. The layout looks genuine, but it’s a phishing page designed to capture any credentials entered and send them to the attacker.

Source Code analysis
This screenshot shows the malicious JavaScript code inside the HTML attachment. When a user enters their email and password, the script sends those credentials directly to a Telegram bot controlled by the attacker. The highlighted section reveals the hard-coded bot token and chat ID, confirming that every login attempt is forwarded to the attacker in real time, allowing them to immediately access the victim’s mailbox.

How the Attack Worked

Indicators & Red Flags

• Unexpected email from a known address (internal) with a suspicious attachment.

• Attachment filename such as *.html.

• The login form asks for credentials in the html file.

• Behaviour that “fakes failure” to rerun login attempts.

• Use of external APIs (Telegram) embedded in the HTML.

What This Suggests

1. The email account has likely been compromised (password leaked or reused).

2. One or more of the devices (PC, laptop, mobile) may be infected or under an attacker's control, allowing unauthorised outbound email activity.

Recommended Actions

1. Change the email password (use a strong, unique one).

2. Enable Two-Factor Authentication (2FA) for your email account.

3. Run full antivirus / anti-malware scans on all devices used for email access.

4. Examine Sent Items and Forwarding / Auto-reply rules for any unauthorised entries.

5. Revoke or reset any app passwords, active sessions, or tokens related to the email.

6. Monitor for further suspicious outgoing emails from your address.