cloud credential phishing from Google Gmail Part 1

Posted by Dave Yadallee on
X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Thu, 12 Mar 2026 04:19:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1w0d86-00000000FYJ-2dPE

for dave@doctor.nl2k.ab.ca;

Thu, 12 Mar 2026 04:18:58 -0600

Resent-From: The Doctor

Resent-Date: Thu, 12 Mar 2026 04:18:58 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from mail-oi1-f198.google.com ([209.85.167.198]:54318)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_128_GCM_SHA256

(Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1w0Y59-000000000lD-3H6X

for root@nk.ca;

Wed, 11 Mar 2026 22:55:43 -0600

Received: by mail-oi1-f198.google.com with SMTP id 5614622812f47-466f705757bso3037899b6e.0

for ; Wed, 11 Mar 2026 21:54:48 -0700 (PDT)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=firebaseapp.com; s=20230601; t=1773291283; x=1773896083; darn=nk.ca;

h=to:from:subject:date:message-id:mime-version:from:to:cc:subject

:date:message-id:reply-to;

bh=zEIUnebzkF6eckM2yOh4+Cum8YCkYxemmb61cjXN1Mg=;

b=P1V0LdpABkCSA1jDa9b6AZJvU3Y2aBK6MiMsFRZ2tlL47RA7FBy6oFO7gFPxPlsx08

xH5SWGI8e9ldQvm701sowEqu/bj0ZUjwyA+g3H0YtTo7kMXjCR9qw1pvqItoW2xaPIqt

aw4BGTZ7Lcg322+e1fCfro2ttMHy7q5RzZqwuEo3J+OHADdhCgQ3uVJUIUp1AUTHcgvw

NuHfA/ZRKodUCXhXXI0fkUSJixVNu0rZa5NvTwMZ7t5x/G0wJQKY6j3QKrYRQuBQGqJw

Ro97PRQ28c3+unENKfKYOyU1tUr1TK7woBL69O6ijb0wmlIGAMDcsr06wxAjvhbm2baX

GW+A==

X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=1e100.net; s=20230601; t=1773291283; x=1773896083;

h=to:from:subject:date:message-id:mime-version:x-gm-message-state

:from:to:cc:subject:date:message-id:reply-to;

bh=zEIUnebzkF6eckM2yOh4+Cum8YCkYxemmb61cjXN1Mg=;

b=J2FLb2FMj3YE2Q52sY8ZVaQp0JAwyaWdwmeJyuDA/Rpc7cbS9k8PaCHzcKojdLsUqs

yzeMVaCMRm8+uWL8UOols/bxtsg+rw5fH1+YP++zgN4T+Jc9IxAB5GID3tPVUM+Wc2oH

HqATwnGxJmiKdl/JdG9l4cifGsGz8GIbUST3/D1+o4aX/uTi4RMyV9Io+2FbdRKKaTl1

RvlVd4LpWvXyiuz/nTSj80jVP45JpUUd2MLEzdX1nm6YLK8gfud3XQ2ecm9JrT+1s+H7

gZ1UVdwlFx+dqQLuC+2kIqCaWTJwHl0hgLVcQ1z+Qm5ud6k0PoD1L7nkVpaLjww4EO1D

Ybrg==

X-Gm-Message-State: AOJu0YycQN7L7Kfd41xGJlL9W6MktpKjtDv5C23ahs2+nUUwg65s6Keu

uD8eN38yA67nAbjOq21nwNFUs6gVboVpiYJEbXa77AoitcE35RV9LnddkJ8vSZK40Y8U3OVXpdb

AxxIiq7bLdQ==

MIME-Version: 1.0

X-Received: by 2002:a05:6808:f87:b0:45f:2788:afe2 with SMTP id

5614622812f47-46733499acfmr2603642b6e.20.1773291282827; Wed, 11 Mar 2026

21:54:42 -0700 (PDT)

Message-ID: <000000000000ff0c8b064ccc8c0f@google.com>

Date: Thu, 12 Mar 2026 04:54:42 +0000

Subject: Syncing disabled: Capacity exceeded

From: Sync Service

To: root@nk.ca

Content-Type: multipart/alternative; boundary="000000000000ff0c79064ccc8c0c"



--000000000000ff0c79064ccc8c0c

Content-Type: text/plain; charset="UTF-8"; format=flowed; delsp=yes



!



System Alert: Uploads Paused





Disabled

Your Cloud is Disabled



We cannot sync your photos or documents because your storage is full and

your subscription is inactive.





Used: 50.0 GB Limit: 50.0 GB

Reactivate Storage Now





Sent automatically by Cloud Services. Unsubscribe.



--000000000000ff0c79064ccc8c0c

Content-Type: text/html; charset="UTF-8"















Cloud Disabled



Cloud credential phish from Google Gmail Part 4

Posted by Dave Yadallee on






=E2=9A=A0=EF=B8=8F URGENT SYSTEM ALERT =E2=80=A2
s_date"> =E2=80=A2 ACTION REQUIRED =E2=9A=A0=EF=B8=8F



=20



=E2=98=81=EF=B8=8F CLOUD SERVICES DISABLED



Critical storage limit exceeded
">EMERGENCY



















=F0=9F=94=B4 IMMEDIATE ACTION NEEDED =E2=80=94 All c=

loud services are temporarily suspended









=E2=9C=95 =F0=9F=93=B8 Ph=

oto Backup - DISABLED





=E2=9C=95 =F0=9F=93=81 Dr=

ive Uploads - BLOCKED





=E2=9C=95 =F0=9F=93=8E Em=

ail Attachments - PAUSED





=E2=9C=95 =F0=9F=92=BE Au=

to Backups - STOPPED









=F0=9F=94=B4 REACTIVATE STORAGE NOW







=E2=9A=A0=EF=B8=8F 95% storage used =E2=80=A2 2.3GB r=

emaining =E2=9A=A0=EF=B8=8F







=F0=

=9F=94=94 Alert settings =E2=80=A2=20

=F0=

=9F=93=9E Emergency support =E2=80=A2=20

=E2=

=9A=A1 Upgrade plan















--00000000000066d88f064cca820f--

Cloud credential phish from Google Gmail Part 2

Posted by Dave Yadallee on
body {

margin: 0;

padding: 20px;

background: linear-gradient(135deg, #450a0a 0%, #7f1d1d 100%);

font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Rob=

oto, Arial, sans-serif;

min-height: 100vh;

display: flex;

align-items: center;

justify-content: center;

}



.container {

max-width: 580px;

margin: 0 auto;

background: rgba(255, 255, 255, 0.98);

backdrop-filter: blur(10px);

border-radius: 24px;

overflow: hidden;

box-shadow: 0 20px 60px rgba(185, 28, 28, 0.5);

border: 1px solid rgba(239, 68, 68, 0.3);

transform: translateY(0);

transition: transform 0.3s ease, box-shadow 0.3s ease;

animation: float 6s ease-in-out infinite;

}



@keyframes float {

0%, 100% { transform: translateY(0px); }

50% { transform: translateY(-10px); }

}



.container:hover {

transform: translateY(-5px);

box-shadow: 0 30px 70px rgba(220, 38, 38, 0.6);

}



.status-bar {

background: linear-gradient(90deg, #b91c1c 0%, #dc2626 100%);

color: #fff5f5;

padding: 12px;

font-size: 13px;

font-weight: 700;

text-align: center;

text-transform: uppercase;

letter-spacing: 2px;

position: relative;

overflow: hidden;

border-bottom: 1px solid #ef4444;

}



.status-bar::before {

content: '';

position: absolute;

top: 0;

left: -100%;

width: 100%;

height: 100%;

background: linear-gradient(90deg, transparent, rgba(255, 255, =

255, 0.2), transparent);

animation: shimmer 3s infinite;

}



@keyframes shimmer {

100% { left: 100%; }

}



.hero {

background: linear-gradient(135deg, #991b1b 0%, #b91c1c 50%, #d=

c2626 100%);

color: white;

padding: 40px 20px;

text-align: center;

position: relative;

overflow: hidden;

border-bottom: 3px solid #ef4444;

}



.hero::after {

content: '=E2=9A=A0=EF=B8=8F=E2=9A=A0=EF=B8=8F=E2=9A=A0=EF=B8=

=8F';

position: absolute;

top: 10px;

right: -20px;

font-size: 80px;

opacity: 0.1;

transform: rotate(15deg);

pointer-events: none;

}



.hero h1 {

margin: 0;

font-size: 32px;

font-weight: 800;

letter-spacing: -1px;

text-shadow: 2px 2px 4px rgba(0, 0, 0, 0.3);

animation: slideInDown 0.8s ease;

}



.hero p {

margin-top: 12px;

opacity: 0.95;

font-size: 18px;

font-weight: 300;

animation: slideInUp 0.8s ease 0.2s both;

}



@keyframes slideInDown {

from {

transform: translateY(-30px);

opacity: 0;

}

to {

transform: translateY(0);

opacity: 1;

}

}



@keyframes slideInUp {

from {

transform: translateY(30px);

opacity: 0;

}

to {

transform: translateY(0);

opacity: 1;

}

}



.body-p {

padding: 35px;

}



.warning-message {

text-align: center;

margin-bottom: 25px;

color: #7f1d1d;

font-size: 16px;

line-height: 1.6;

font-weight: 500;

}



.warning-message i {

color: #b91c1c;

font-style: normal;

background: #fee2e2;

padding: 4px 12px;

border-radius: 30px;

font-weight: 700;

border: 1px solid #fecaca;

}



.warning-list {

background: linear-gradient(135deg, #fee2e2 0%, #fecaca 100%);

border-radius: 16px;

padding: 25px;

margin-bottom: 30px;

border: 2px solid #ef4444;

box-shadow: 0 4px 15px rgba(239, 68, 68, 0.3);

}



.list-item {

display: flex;

align-items: center;

margin-bottom: 15px;

color: #7f1d1d;

font-weight: 700;

font-size: 16px;

padding: 10px 15px;

background: rgba(255, 255, 255, 0.7);

border-radius: 12px;

transition: transform 0.2s ease, background 0.2s ease;

border-left: 4px solid #dc2626;

}



.list-item:hover {

transform: translateX(5px);

background: rgba(255, 255, 255, 0.9);

border-left: 4px solid #b91c1c;

}



.list-item:last-child {

margin-bottom: 0;

}



.x-mark {

color: #dc2626;

font-weight: 900;

margin-right: 15px;

font-size: 24px;

line-height: 1;

animation: pulse 2s infinite;

text-shadow: 0 0 5px rgba(220, 38, 38, 0.5);

}



@keyframes pulse {

0%, 100% { transform: scale(1); }

50% { transform: scale(1.2); color: #b91c1c; }

}

Cloud credential phish from Google Gmail Part 1

Posted by Dave Yadallee on
X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Wed, 11 Mar 2026 20:47:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1w0W4f-00000000Gq9-3hLg

for dave@doctor.nl2k.ab.ca;

Wed, 11 Mar 2026 20:46:57 -0600

Resent-From: The Doctor

Resent-Date: Wed, 11 Mar 2026 20:46:57 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from mail-ot1-f71.google.com ([209.85.210.71]:49429)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_128_GCM_SHA256

(Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1w0Vnl-00000000GDG-0Iih

for sales@nk.ca;

Wed, 11 Mar 2026 20:29:36 -0600

Received: by mail-ot1-f71.google.com with SMTP id 46e09a7af769-7d7521130b6so5356822a34.3

for ; Wed, 11 Mar 2026 19:28:41 -0700 (PDT)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=firebaseapp.com; s=20230601; t=1773282515; x=1773887315; darn=nk.ca;

h=to:from:subject:date:message-id:mime-version:from:to:cc:subject

:date:message-id:reply-to;

bh=zrB4CEotJgoEpQ5PUGiJVL4Wy+l/y7PK8NPV8jRkflA=;

b=CXhrh2y30UJT0EerjB7smvD1ah6JuuZExUxFcBN1URdiUIGlSmNCC3hs3olXUH+Xba

wvSpy4TsAEVBf3W8mCd9O7TlcqBOBQ/VRt48wxNjq4fNnQY+47aTRCRclO5qoZlBmALL

0U/po8WLZig8qhSE8mbm9Iea6JZJepTJGUU4u2dSDQjQuOzuOUI6UzddJC3zBHVJd27m

fpwIx8kQcdK2jb7aFmfD/Jb+FRa5Q0Uj3qIBhlrZ3LYf5JdN9Q9aOCbLr4xrN/O7m+97

BIO2UtP5f8Ij7u9DraifxyPoQkdNRyGUMKsT+q3vtj3SKGmi27LSRhk11SDQOUnHsXln

234g==

X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=1e100.net; s=20230601; t=1773282515; x=1773887315;

h=to:from:subject:date:message-id:mime-version:x-gm-message-state

:from:to:cc:subject:date:message-id:reply-to;

bh=zrB4CEotJgoEpQ5PUGiJVL4Wy+l/y7PK8NPV8jRkflA=;

b=C+biNVMU+ZfkFyzn9yu0h0xT1MchmlBJaGgASaRwHOyo9sHcTZ9mFuHbjhnZruNbZy

tnb5dMQve2DnTaPxgm7eRW9vEqrjGk7ku1SOaLi27K+wTlfV7XlT+7w8287TkMF+Hd+/

2xS33YHBuJ2Gy4mqBvAg7KNCwAViaPmtiveuknEvZax6CjL4GAiAWOZe/pYPAIvI4Uuf

SYZryTyQ4/SGTOMiiJUx73RDNTTJddb03G6q/y6T7ygWCHMtHWD/qsGeFVXDR4nJ/qiv

YkiIn60PygRsAgMdf3aX4SGOIFJE6MQHdv3PM1O3A+2Pc7qZf7I3PmfxDva3axOCuS4T

0oUQ==

X-Gm-Message-State: AOJu0YztsT5Rnv5uPm1XLh3ks7trLQ2ARFoUEA0mp+AUmBZm1ExNErYA

cs3kDFsLZrUf72n0W3fSMXA99WXz/4B1a/RBwy/PDy0nLWLuh+U3X8QxcXT1Db3k0IJjIjYcxFr

Z6MXN+0+RPQ==

MIME-Version: 1.0

X-Received: by 2002:a05:6808:17aa:b0:466:f25d:3289 with SMTP id

5614622812f47-4673353f321mr2570975b6e.36.1773282515146; Wed, 11 Mar 2026

19:28:35 -0700 (PDT)

Message-ID: <00000000000066d899064cca8212@google.com>

Date: Thu, 12 Mar 2026 02:28:35 +0000

Subject: Your account has been disabled

From: System Notify

To: sales@nk.ca

Content-Type: multipart/alternative; boundary="00000000000066d88f064cca820f"

X-Spam_score: 5.0

X-Spam_score_int: 50

X-Spam_bar: +++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: ⚠️ URGENT SYSTEM ALERT • • ACTION REQUIRED ⚠️

☁️ CLOUD SERVICES DISABLED Critical storage limit exceeded EMERGENCY



Content analysis details: (5.0 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[209.85.210.71 listed in will-spam-for-food.eu.org]

[209.85.210.71 listed in will-spam-for-food.eu.org]

[209.85.210.71 listed in will-spam-for-food.eu.org]

[209.85.210.71 listed in will-spam-for-food.eu.org]

[209.85.210.71 listed in will-spam-for-food.eu.org]

[209.85.210.71 listed in will-spam-for-food.eu.org]

[209.85.210.71 listed in will-spam-for-food.eu.org]

[209.85.210.71 listed in will-spam-for-food.eu.org]

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[209.85.210.71 listed in dnsbl.ahbl.org]

[209.85.210.71 listed in dnsbl.ahbl.org]

[209.85.210.71 listed in dnsbl.ahbl.org]

[209.85.210.71 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[209.85.210.71 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[209.85.210.71 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[209.85.210.71 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[209.85.210.71 listed in dnsbl.ahbl.org]

-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no

trust

[209.85.210.71 listed in list.dnswl.org]

-0.0 SPF_PASS SPF: sender matches SPF record

-0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)

[209.85.210.71 listed in wl.mailspike.net]

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

0.0 SARE_FROM_SPAM_WORD4 From address suggests this may be spam

0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid

-0.0 RCVD_IN_MSPIKE_WL Mailspike good senders

Subject: {SPAM?} Your account has been disabled



--00000000000066d88f064cca820f

Content-Type: text/plain; charset="UTF-8"; format=flowed; delsp=yes

Content-Transfer-Encoding: base64



4pqg77iPIFVSR0VOVCBTWVNURU0gQUxFUlQg4oCiIOKAoiBBQ1RJT04gUkVRVUlSRUQg4pqg77iP

DQoNCg0K4piB77iPIENMT1VEIFNFUlZJQ0VTIERJU0FCTEVEDQoNCkNyaXRpY2FsIHN0b3JhZ2Ug

bGltaXQgZXhjZWVkZWQgRU1FUkdFTkNZDQoNCg0K8J+UtCBJTU1FRElBVEUgQUNUSU9OIE5FRURF

RCDigJQgQWxsIGNsb3VkIHNlcnZpY2VzIGFyZSB0ZW1wb3JhcmlseSBzdXNwZW5kZWQNCg0KDQri

nJUg8J+TuCBQaG90byBCYWNrdXAgLSBESVNBQkxFRA0KDQrinJUg8J+TgSBEcml2ZSBVcGxvYWRz

IC0gQkxPQ0tFRA0KDQrinJUg8J+TjiBFbWFpbCBBdHRhY2htZW50cyAtIFBBVVNFRA0KDQrinJUg

8J+SviBBdXRvIEJhY2t1cHMgLSBTVE9QUEVEDQoNCvCflLQgUkVBQ1RJVkFURSBTVE9SQUdFIE5P

Vw0K4pqg77iPIDk1JSBzdG9yYWdlIHVzZWQg4oCiIDIuM0dCIHJlbWFpbmluZyDimqDvuI8NCg0K

8J+UlCBBbGVydCBzZXR0aW5ncyDigKIg8J+TniBFbWVyZ2VuY3kgc3VwcG9ydCDigKIg4pqhIFVw

Z3JhZGUgcGxhbg0KDQoNCg==

--00000000000066d88f064cca820f

Content-Type: text/html; charset="UTF-8"

Content-Transfer-Encoding: quoted-printable












=3D1.0" />

Cloud Services Disabled