I actually use Mailgun, its fantastic – so when I first saw the email subject land in my inbox, I was initially alarmed as I dont want a missed payment to affect the deliverability of website emails etc.
The Mailgun Scam Email
Google did flag the email as suspicious to be fair, but if this had come into a mail client like outlook or thunderbird it may not have been flagged and could have tricked someone.
Mailgun Scam: The Red Flags
OK, so as always we look for the red flags so we can all get better at spotting the scams.
Sender email: This seemed to come from a domain I own, which isn’t unusual.
Reply-to email: info@wasteconnections.com
Pretty sure that isnt an official mailgun email account!
The button: Linked to a huge sendgrid URL so wouldn’t have really been alarming as that’s not unusual. Sendgrid is an email marketing service. I have informed Sendgrid.
Digging Deeper into the Mailgun Scam
**NEVER PRESS BUTTONS OR LINKS IN DODGY EMAILS**
So, I pressed the button (lol) and it took me to some page that looked like it was processing something, and then boom, the Mailgun login window appeared;
This was hosted on Microsoft Azure, so I reported the website to the relevant department at MS.
If I had been tricked up to this point, I think I’d have been a bit alarmed at the fact they pre-filled my email I know Mailgun dont do this as I log into it most days.
None of the buttons apart from “Continue” seemed to do anything – seems to be a trend at the moment.
I added a fake password and pressed next, it asked me to confirm my password – this is NOT how the Mailgun website works. I confirmed my fake password, they then asked me for a 2FA which I also faked.
It seemed to hang at this point, I dont know if it was trying to log into my Mailgun account in the background or something.
I checked in the background and it is pulling a file from here;
hXXps://sourcebigwhale.cfd/10302025/sinch-connect/gobe.php
That must be the most sketchy looking domain name extension I have ever seen in my life haha. I have reported this domain as well.
The Mailgun Scam: Conclusion
This seems to be a classic “Credential and MFA phishing” scam, focusing on Mailgun for some reason. Perhaps as then once they are in they can send 30,000 spam emails or something.
Remember to check for red flags when getting an email or message that raises alarm bells, and if in doubt send it to me 🙂
Stay eSafe peeps!
Credential and MFA phishing Scam FAQs
Why do scammers create fake login pages that look like services like Mailgun or Sinch?
Because they know those are “backend” services that not many people outside digital teams understand. They rely on the fact that inboxes, tech teams, and marketing people will see the branding and think it’s legit. Once they have your login details, they can get into your email sending service and use it to send out further phishing emails that look totally legitimate (which then spreads the attack).
Why do these fake pages ask for passwords and then a 2FA code as well?
If they only took a password, the victim could still be protected by 2FA. Scammers now know this, so they make the fake form walk you through entering a 2FA token which they immediately use in real time to log into the real service as you. So they capture both your password and your temporary code.
How can I spot these scams before I click on anything?
Always check the actual domain name before typing in any credentials. If the domain is weird, cheap, or doesn’t match the official brand (for example something like “sourcebigwhale.cfd” instead of “mailgun.com”) then it’s almost certainly malicious. Legit login pages will always be on official domains, never random ones. Also, if a link comes out of the blue, treat it as untrusted until you verify it.
Mailgun Scam
We blogged about another MailGun Scam here.
Update 11/11/25: Just had word from NameSilo that they have suspended the dodgy domain, putting a stop to this scam;
Success!
Leave a Reply