German language cloud credential phishing from Google Gmail Part 2

Posted by Dave Yadallee on Thursday, March 12. 2026

system,BlinkMacSystemFont,'SF Pro Display','Segoe UI',Arial,sans-serif;font=

-size:32px;line-height:38px;font-weight:600;color:#1d1d1f;letter-spacing:-0=

.5px;">

Your account has been deactivated

system,BlinkMacSystemFont,'SF Pro Text','Segoe UI',Arial,sans-serif;font-si=

ze:16px;line-height:26px;color:#424245;">

Payment method update required =E2=9A=A0=EF=B8=8F Your photos and videos wi=

ll be deleted.

=3D"0" cellspacing=3D"0" border=3D"0" style=3D"background-color:#f5f5f7;bor=

der:1px solid #ebebed;border-radius:16px;">

y:-apple-system,BlinkMacSystemFont,'SF Pro Display','Segoe UI',Arial,sans-s=

erif;font-size:18px;line-height:24px;font-weight:600;color:#1d1d1f;">

Subscription details

adding=3D"0" cellspacing=3D"0" border=3D"0" style=3D"font-family:-apple-sys=

tem,BlinkMacSystemFont,'SF Pro Text','Segoe UI',Arial,sans-serif;font-size:=

15px;color:#1d1d1f;">

solid #e5e5e7;color:#6e6e73;width:42%;">Tarif	solid #e5e5e7;font-weight:500;">Storage
solid #e5e5e7;color:#6e6e73;">Email address	solid #e5e5e7;font-weight:500;">doctor@nl2k.ab.ca
solid #e5e5e7;color:#6e6e73;">Product	;">iCloud Storage
R= enewal date	>13.03.2026

system,BlinkMacSystemFont,'SF Pro Display','Segoe UI',Arial,sans-serif;font=

-size:21px;line-height:28px;font-weight:600;color:#1d1d1f;">

Action required

system,BlinkMacSystemFont,'SF Pro Text','Segoe UI',Arial,sans-serif;font-si=

ze:15px;line-height:25px;color:#424245;">

Verification required

Please update your payment method

ing=3D"0" border=3D"0">

:980px;">

tent.com/cl?d=3D8aCXNRVVEafZjHNMeBCoYghZrKZyQKZ6WtVzWdVX&e=3Ddoctor@nl2k.ab=

.ca"

style=3D"display:inline-block;padding:14px 30p=

x;font-family:-apple-system,BlinkMacSystemFont,'SF Pro Text','Segoe UI',Ari=

al,sans-serif;font-size:15px;line-height:20px;font-weight:600;color:#ffffff=

;text-decoration:none;border-radius:980px;">

Update payment method

background-color:#ececee;">

r;font-family:-apple-system,BlinkMacSystemFont,'SF Pro Text','Segoe UI',Ari=

al,sans-serif;font-size:13px;line-height:21px;color:#6e6e73;">

This notification was generated automatically and concerns your iCloud stor=

age plan.

ily:-apple-system,BlinkMacSystemFont,'SF Pro Text','Segoe UI',Arial,sans-se=

rif;font-size:12px;line-height:18px;color:#8e8e93;">

Apple Services =C2=B7 iCIoud =C2=B7 Support

text-align:center;margin-top:10px">Unsub
.googleusercontent.com/un?d=3D8aCXNRVVEafZjHNMeBCoYghZrKZyQKZ6WtVzWdVX&e=3D=

doctor@nl2k.ab.ca">here to remove yourself from our emails list

--000000000000a451f2064ccadbbb--

Cloud credential phish from Google Gmail Part 3

Posted by Dave Yadallee on Thursday, March 12. 2026

.btn {

display: block;

width: 100%;

background: linear-gradient(90deg, #b91c1c, #dc2626, #ef4444);

color: white;

font-weight: 800;

text-align: center;

padding: 18px;

border-radius: 12px;

text-decoration: none;

font-size: 20px;

letter-spacing: 1px;

box-shadow: 0 8px 20px rgba(185, 28, 28, 0.5);

transition: all 0.3s ease;

position: relative;

overflow: hidden;

border: 1px solid #fecaca;

text-transform: uppercase;

}

.btn:hover {

transform: scale(1.02);

box-shadow: 0 12px 30px rgba(220, 38, 38, 0.7);

background: linear-gradient(90deg, #991b1b, #b91c1c, #dc2626);

}

.btn:active {

transform: scale(0.98);

}

.btn::after {

content: '=E2=86=92';

position: absolute;

right: -20px;

top: 50%;

transform: translateY(-50%);

font-size: 28px;

font-weight: bold;

opacity: 0;

transition: right 0.3s ease, opacity 0.3s ease;

color: #ffffff;

}

.btn:hover::after {

right: 20px;

opacity: 1;

}

.footer-note {

text-align: center;

font-size: 13px;

color: #b91c1c;

margin-top: 25px;

padding-top: 15px;

border-top: 2px dashed #fecaca;

}

.footer-link {

display: inline-block;

color: #991b1b;

text-decoration: none;

padding: 6px 14px;

border-radius: 30px;

transition: all 0.2s ease;

font-weight: 600;

background: #fee2e2;

border: 1px solid #fecaca;

}

.footer-link:hover {

color: #7f1d1d;

background: #fecaca;

border-color: #dc2626;

box-shadow: 0 2px 8px rgba(220, 38, 38, 0.3);

}

.storage-meter {

margin: 20px 0 25px;

background: #fee2e2;

height: 12px;

border-radius: 6px;

overflow: hidden;

border: 1px solid #fecaca;

}

.storage-fill {

width: 95%;

height: 100%;

background: linear-gradient(90deg, #b91c1c, #dc2626, #ef4444);

border-radius: 6px;

animation: loading 2s ease-in-out infinite;

background-size: 200% 200%;

box-shadow: 0 0 10px #ef4444;

}

@keyframes loading {

0% { background-position: 0% 50%; }

50% { background-position: 100% 50%; }

100% { background-position: 0% 50%; }

}

.emergency-tag {

display: inline-block;

background: #dc2626;

color: white;

padding: 3px 10px;

border-radius: 30px;

font-size: 11px;

font-weight: 700;

letter-spacing: 1px;

margin-left: 10px;

animation: blink 1s infinite;

}

@keyframes blink {

0%, 100% { opacity: 1; }

50% { opacity: 0.7; background: #991b1b; }

}

Cloud credential phish from Google Gmail Part 4

Posted by Dave Yadallee on Thursday, March 12. 2026

=E2=9A=A0=EF=B8=8F URGENT SYSTEM ALERT =E2=80=A2
s_date"> =E2=80=A2 ACTION REQUIRED =E2=9A=A0=EF=B8=8F

=20

=E2=98=81=EF=B8=8F CLOUD SERVICES DISABLED

Critical storage limit exceeded
">EMERGENCY

=F0=9F=94=B4 IMMEDIATE ACTION NEEDED =E2=80=94 All c=

loud services are temporarily suspended

=E2=9C=95 =F0=9F=93=B8 Ph=

oto Backup - DISABLED

=E2=9C=95 =F0=9F=93=81 Dr=

ive Uploads - BLOCKED

=E2=9C=95 =F0=9F=93=8E Em=

ail Attachments - PAUSED

=E2=9C=95 =F0=9F=92=BE Au=

to Backups - STOPPED

=F0=9F=94=B4 REACTIVATE STORAGE NOW

--00000000000066d88f064cca820f--

Cloud credential phish from Google Gmail Part 2

Posted by Dave Yadallee on Thursday, March 12. 2026

body {

margin: 0;

padding: 20px;

background: linear-gradient(135deg, #450a0a 0%, #7f1d1d 100%);

font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Rob=

oto, Arial, sans-serif;

min-height: 100vh;

display: flex;

align-items: center;

justify-content: center;

}

.container {

max-width: 580px;

margin: 0 auto;

background: rgba(255, 255, 255, 0.98);

backdrop-filter: blur(10px);

border-radius: 24px;

overflow: hidden;

box-shadow: 0 20px 60px rgba(185, 28, 28, 0.5);

border: 1px solid rgba(239, 68, 68, 0.3);

transform: translateY(0);

transition: transform 0.3s ease, box-shadow 0.3s ease;

animation: float 6s ease-in-out infinite;

}

@keyframes float {

0%, 100% { transform: translateY(0px); }

50% { transform: translateY(-10px); }

}

.container:hover {

transform: translateY(-5px);

box-shadow: 0 30px 70px rgba(220, 38, 38, 0.6);

}

.status-bar {

background: linear-gradient(90deg, #b91c1c 0%, #dc2626 100%);

color: #fff5f5;

padding: 12px;

font-size: 13px;

font-weight: 700;

text-align: center;

text-transform: uppercase;

letter-spacing: 2px;

position: relative;

overflow: hidden;

border-bottom: 1px solid #ef4444;

}

.status-bar::before {

content: '';

position: absolute;

top: 0;

left: -100%;

width: 100%;

height: 100%;

background: linear-gradient(90deg, transparent, rgba(255, 255, =

255, 0.2), transparent);

animation: shimmer 3s infinite;

}

@keyframes shimmer {

100% { left: 100%; }

}

.hero {

background: linear-gradient(135deg, #991b1b 0%, #b91c1c 50%, #d=

c2626 100%);

color: white;

padding: 40px 20px;

text-align: center;

position: relative;

overflow: hidden;

border-bottom: 3px solid #ef4444;

}

.hero::after {

content: '=E2=9A=A0=EF=B8=8F=E2=9A=A0=EF=B8=8F=E2=9A=A0=EF=B8=

=8F';

position: absolute;

top: 10px;

right: -20px;

font-size: 80px;

opacity: 0.1;

transform: rotate(15deg);

pointer-events: none;

}

.hero h1 {

margin: 0;

font-size: 32px;

font-weight: 800;

letter-spacing: -1px;

text-shadow: 2px 2px 4px rgba(0, 0, 0, 0.3);

animation: slideInDown 0.8s ease;

}

.hero p {

margin-top: 12px;

opacity: 0.95;

font-size: 18px;

font-weight: 300;

animation: slideInUp 0.8s ease 0.2s both;

}

@keyframes slideInDown {

from {

transform: translateY(-30px);

opacity: 0;

}

to {

transform: translateY(0);

opacity: 1;

}

}

@keyframes slideInUp {

from {

transform: translateY(30px);

opacity: 0;

}

to {

transform: translateY(0);

opacity: 1;

}

}

.body-p {

padding: 35px;

}

.warning-message {

text-align: center;

margin-bottom: 25px;

color: #7f1d1d;

font-size: 16px;

line-height: 1.6;

font-weight: 500;

}

.warning-message i {

color: #b91c1c;

font-style: normal;

background: #fee2e2;

padding: 4px 12px;

border-radius: 30px;

font-weight: 700;

border: 1px solid #fecaca;

}

.warning-list {

background: linear-gradient(135deg, #fee2e2 0%, #fecaca 100%);

border-radius: 16px;

padding: 25px;

margin-bottom: 30px;

border: 2px solid #ef4444;

box-shadow: 0 4px 15px rgba(239, 68, 68, 0.3);

}

.list-item {

display: flex;

align-items: center;

margin-bottom: 15px;

color: #7f1d1d;

font-weight: 700;

font-size: 16px;

padding: 10px 15px;

background: rgba(255, 255, 255, 0.7);

border-radius: 12px;

transition: transform 0.2s ease, background 0.2s ease;

border-left: 4px solid #dc2626;

}

.list-item:hover {

transform: translateX(5px);

background: rgba(255, 255, 255, 0.9);

border-left: 4px solid #b91c1c;

}

.list-item:last-child {

margin-bottom: 0;

}

.x-mark {

color: #dc2626;

font-weight: 900;

margin-right: 15px;

font-size: 24px;

line-height: 1;

animation: pulse 2s infinite;

text-shadow: 0 0 5px rgba(220, 38, 38, 0.5);

}

@keyframes pulse {

0%, 100% { transform: scale(1); }

50% { transform: scale(1.2); color: #b91c1c; }

}

Cloud credential phish from Google Gmail Part 1

Posted by Dave Yadallee on Thursday, March 12. 2026

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Wed, 11 Mar 2026 20:47:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1w0W4f-00000000Gq9-3hLg

for dave@doctor.nl2k.ab.ca;

Wed, 11 Mar 2026 20:46:57 -0600

Resent-From: The Doctor

Resent-Date: Wed, 11 Mar 2026 20:46:57 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from mail-ot1-f71.google.com ([209.85.210.71]:49429)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_128_GCM_SHA256

(Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1w0Vnl-00000000GDG-0Iih

for sales@nk.ca;

Wed, 11 Mar 2026 20:29:36 -0600

Received: by mail-ot1-f71.google.com with SMTP id 46e09a7af769-7d7521130b6so5356822a34.3

for ; Wed, 11 Mar 2026 19:28:41 -0700 (PDT)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=firebaseapp.com; s=20230601; t=1773282515; x=1773887315; darn=nk.ca;

h=to:from:subject:date:message-id:mime-version:from:to:cc:subject

:date:message-id:reply-to;

bh=zrB4CEotJgoEpQ5PUGiJVL4Wy+l/y7PK8NPV8jRkflA=;

b=CXhrh2y30UJT0EerjB7smvD1ah6JuuZExUxFcBN1URdiUIGlSmNCC3hs3olXUH+Xba

wvSpy4TsAEVBf3W8mCd9O7TlcqBOBQ/VRt48wxNjq4fNnQY+47aTRCRclO5qoZlBmALL

0U/po8WLZig8qhSE8mbm9Iea6JZJepTJGUU4u2dSDQjQuOzuOUI6UzddJC3zBHVJd27m

fpwIx8kQcdK2jb7aFmfD/Jb+FRa5Q0Uj3qIBhlrZ3LYf5JdN9Q9aOCbLr4xrN/O7m+97

BIO2UtP5f8Ij7u9DraifxyPoQkdNRyGUMKsT+q3vtj3SKGmi27LSRhk11SDQOUnHsXln

234g==

X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=1e100.net; s=20230601; t=1773282515; x=1773887315;

h=to:from:subject:date:message-id:mime-version:x-gm-message-state

:from:to:cc:subject:date:message-id:reply-to;

bh=zrB4CEotJgoEpQ5PUGiJVL4Wy+l/y7PK8NPV8jRkflA=;

b=C+biNVMU+ZfkFyzn9yu0h0xT1MchmlBJaGgASaRwHOyo9sHcTZ9mFuHbjhnZruNbZy

tnb5dMQve2DnTaPxgm7eRW9vEqrjGk7ku1SOaLi27K+wTlfV7XlT+7w8287TkMF+Hd+/

2xS33YHBuJ2Gy4mqBvAg7KNCwAViaPmtiveuknEvZax6CjL4GAiAWOZe/pYPAIvI4Uuf

SYZryTyQ4/SGTOMiiJUx73RDNTTJddb03G6q/y6T7ygWCHMtHWD/qsGeFVXDR4nJ/qiv

YkiIn60PygRsAgMdf3aX4SGOIFJE6MQHdv3PM1O3A+2Pc7qZf7I3PmfxDva3axOCuS4T

0oUQ==

X-Gm-Message-State: AOJu0YztsT5Rnv5uPm1XLh3ks7trLQ2ARFoUEA0mp+AUmBZm1ExNErYA

cs3kDFsLZrUf72n0W3fSMXA99WXz/4B1a/RBwy/PDy0nLWLuh+U3X8QxcXT1Db3k0IJjIjYcxFr

Z6MXN+0+RPQ==

MIME-Version: 1.0

X-Received: by 2002:a05:6808:17aa:b0:466:f25d:3289 with SMTP id

5614622812f47-4673353f321mr2570975b6e.36.1773282515146; Wed, 11 Mar 2026

19:28:35 -0700 (PDT)

Message-ID: <00000000000066d899064cca8212@google.com>

Date: Thu, 12 Mar 2026 02:28:35 +0000

Subject: Your account has been disabled

From: System Notify

To: sales@nk.ca

Content-Type: multipart/alternative; boundary="00000000000066d88f064cca820f"

X-Spam_score: 5.0

X-Spam_score_int: 50

X-Spam_bar: +++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.

Content preview: âš ï¸ URGENT SYSTEM ALERT â€¢ â€¢ ACTION REQUIRED âš ï¸

â˜ï¸ CLOUD SERVICES DISABLED Critical storage limit exceeded EMERGENCY

Content analysis details: (5.0 points, 5.0 required)

pts rule name description

---- ---------------------- --------------------------------------------------

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[209.85.210.71 listed in will-spam-for-food.eu.org]

[209.85.210.71 listed in will-spam-for-food.eu.org]

[209.85.210.71 listed in will-spam-for-food.eu.org]

[209.85.210.71 listed in will-spam-for-food.eu.org]

[209.85.210.71 listed in will-spam-for-food.eu.org]

[209.85.210.71 listed in will-spam-for-food.eu.org]

[209.85.210.71 listed in will-spam-for-food.eu.org]

[209.85.210.71 listed in will-spam-for-food.eu.org]

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[209.85.210.71 listed in dnsbl.ahbl.org]

[209.85.210.71 listed in dnsbl.ahbl.org]

[209.85.210.71 listed in dnsbl.ahbl.org]

[209.85.210.71 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[209.85.210.71 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[209.85.210.71 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[209.85.210.71 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[209.85.210.71 listed in dnsbl.ahbl.org]

-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no

trust

[209.85.210.71 listed in list.dnswl.org]

-0.0 SPF_PASS SPF: sender matches SPF record

-0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)

[209.85.210.71 listed in wl.mailspike.net]

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

0.0 SARE_FROM_SPAM_WORD4 From address suggests this may be spam

0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid

-0.0 RCVD_IN_MSPIKE_WL Mailspike good senders

Subject: {SPAM?} Your account has been disabled

--00000000000066d88f064cca820f

Content-Type: text/plain; charset="UTF-8"; format=flowed; delsp=yes

Content-Transfer-Encoding: base64

4pqg77iPIFVSR0VOVCBTWVNURU0gQUxFUlQg4oCiIOKAoiBBQ1RJT04gUkVRVUlSRUQg4pqg77iP

DQoNCg0K4piB77iPIENMT1VEIFNFUlZJQ0VTIERJU0FCTEVEDQoNCkNyaXRpY2FsIHN0b3JhZ2Ug

bGltaXQgZXhjZWVkZWQgRU1FUkdFTkNZDQoNCg0K8J+UtCBJTU1FRElBVEUgQUNUSU9OIE5FRURF

RCDigJQgQWxsIGNsb3VkIHNlcnZpY2VzIGFyZSB0ZW1wb3JhcmlseSBzdXNwZW5kZWQNCg0KDQri

nJUg8J+TuCBQaG90byBCYWNrdXAgLSBESVNBQkxFRA0KDQrinJUg8J+TgSBEcml2ZSBVcGxvYWRz

IC0gQkxPQ0tFRA0KDQrinJUg8J+TjiBFbWFpbCBBdHRhY2htZW50cyAtIFBBVVNFRA0KDQrinJUg

8J+SviBBdXRvIEJhY2t1cHMgLSBTVE9QUEVEDQoNCvCflLQgUkVBQ1RJVkFURSBTVE9SQUdFIE5P

Vw0K4pqg77iPIDk1JSBzdG9yYWdlIHVzZWQg4oCiIDIuM0dCIHJlbWFpbmluZyDimqDvuI8NCg0K

8J+UlCBBbGVydCBzZXR0aW5ncyDigKIg8J+TniBFbWVyZ2VuY3kgc3VwcG9ydCDigKIg4pqhIFVw

Z3JhZGUgcGxhbg0KDQoNCg==

--00000000000066d88f064cca820f

Content-Type: text/html; charset="UTF-8"

Content-Transfer-Encoding: quoted-printable

=3D1.0" />

Cloud Services Disabled

=20

=20

=E2=9A=A1 SERVICE INTERRUPTED =E2=9A=A1

=20

24.png" class=3D"logo-large" alt=3D"Cloud Storage Alert">

Cloud credential phishing from Google Gmail Part 2

Posted by Dave Yadallee on Wednesday, March 11. 2026

/ Header with bold gradient /

.header {

padding: 28px 36px;

background: linear-gradient(115deg, #2D3748 0%, #1A202C 100%);

display: flex;

align-items: center;

gap: 18px;

position: relative;

z-index: 2;

border-bottom: 4px solid #FF6B6B;

}

/ Creative icon design /

.icon-stop {

width: 52px;

height: 52px;

background: #FF6B6B;

color: #ffffff;

border-radius: 18px;

display: flex;

align-items: center;

justify-content: center;

font-weight: 900;

font-size: 28px;

box-shadow: 0 10px 20px -5px rgba(255, 107, 107, 0.4);

transform: rotate(-2deg);

}

.head-title {

color: #ffffff;

font-weight: 800;

font-size: 20px;

letter-spacing: -0.3px;

text-transform: uppercase;

line-height: 1.3;

}

.head-title span {

color: #FF6B6B;

background: rgba(255, 107, 107, 0.15);

padding: 4px 12px;

border-radius: 40px;

font-size: 14px;

margin-left: 10px;

display: inline-block;

}

.main-body {

padding: 48px 40px;

text-align: center;

background: #ffffff;

position: relative;

z-index: 2;

}

/ Creative badge design /

.urgent-badge {

display: inline-flex;

align-items: center;

background: #FF6B6B;

color: #ffffff;

padding: 10px 24px;

border-radius: 100px;

font-size: 15px;

font-weight: 800;

letter-spacing: 1px;

margin-bottom: 28px;

text-transform: uppercase;

box-shadow: 0 15px 25px -8px rgba(255, 107, 107, 0.4);

border: 2px solid #ffffff;

outline: 2px solid #FF6B6B;

}

/ Image with creative frame /

.image-container {

position: relative;

display: inline-block;

margin-bottom: 32px;

}

.logo-large {

display: block;

max-width: 200px;

border-radius: 30px;

box-shadow:=20

0 25px 40px -15px rgba(0, 0, 0, 0.3),

0 0 0 4px #ffffff,

0 0 0 6px #FF6B6B;

position: relative;

z-index: 2;

}

/ Creative background for text /

.h2 {

font-size: 42px;

font-weight: 900;

margin: 0 0 20px;

line-height: 1.1;

display: inline-block;

background: linear-gradient(135deg, #1A202C 0%, #2D3748 100%);

-webkit-background-clip: text;

-webkit-text-fill-color: transparent;

background-clip: text;

position: relative;

padding: 0 10px;

}

.h2::before,

.h2::after {

content: '=E2=9A=A1';

color: #FF6B6B;

font-size: 32px;

margin: 0 10px;

opacity: 0.7;

}

/ Description with creative background /

.desc {

background: linear-gradient(135deg, #FEE2E2 0%, #FFF3F0 100%);

padding: 28px 32px;

border-radius: 40px;

font-size: 18px;

color: #1A202C;

line-height: 1.6;

margin-bottom: 36px;

border: 2px dashed #FF6B6B;

position: relative;

box-shadow: 0 15px 30px -10px rgba(255, 107, 107, 0.2);

}

.desc strong {

color: #FF6B6B;

font-size: 20px;

font-weight: 800;

display: inline-block;

background: #ffffff;

padding: 2px 12px;

border-radius: 40px;

margin: 0 4px;

}

/ Creative status container /

.status-container {

background: #ffffff;

padding: 32px;

border-radius: 36px;

margin-bottom: 36px;

box-shadow:=20

0 20px 35px -10px rgba(0, 0, 0, 0.1),

inset 0 -3px 0 #FF6B6B;

border: 1px solid #EDF2F7;

}

.status-header {

display: flex;

align-items: center;

justify-content: space-between;

margin-bottom: 20px;

}

.status-header h3 {

font-size: 20px;

font-weight: 800;

color: #1A202C;

background: #FF6B6B;

color: #ffffff;

padding: 6px 20px;

border-radius: 40px;

}

.status-header span {

font-size: 18px;

font-weight: 700;

color: #FF6B6B;

}

.status-bar {

background: #EDF2F7;

height: 32px;

border-radius: 40px;

overflow: hidden;

margin-bottom: 16px;

border: 2px solid #ffffff;

box-shadow: inset 0 2px 6px rgba(0, 0, 0, 0.05);

}

.fill {

width: 100%;

height: 100%;

background: linear-gradient(90deg, #FF6B6B 0%, #FF8E53 100%);

border-radius: 40px;

position: relative;

}

/ Creative stats design /

.stats {

display: flex;

justify-content: space-between;

font-size: 18px;

font-weight: 700;

background: #F7FAFC;

padding: 18px 24px;

border-radius: 30px;

border: 2px solid #FF6B6B;

}

Cloud credential phishing from Google Gmail Part 1

Posted by Dave Yadallee on Wednesday, March 11. 2026

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Wed, 11 Mar 2026 15:51:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1w0RS5-00000000IEd-0UGE

for dave@doctor.nl2k.ab.ca;

Wed, 11 Mar 2026 15:50:49 -0600

Resent-From: The Doctor

Resent-Date: Wed, 11 Mar 2026 15:50:49 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from mail-oa1-f72.google.com ([209.85.160.72]:56405)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_128_GCM_SHA256

(Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1w0QnW-00000000EH0-0ncc

for sales@nk.ca;

Wed, 11 Mar 2026 15:09:02 -0600

Received: by mail-oa1-f72.google.com with SMTP id 586e51a60fabf-40eee5d10c5so2981559fac.0

for ; Wed, 11 Mar 2026 14:08:07 -0700 (PDT)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=firebaseapp.com; s=20230601; t=1773263281; x=1773868081; darn=nk.ca;

h=to:from:subject:date:message-id:mime-version:from:to:cc:subject

:date:message-id:reply-to;

bh=qtpCzzzf1lDQkeycj3pqK0FzqOPZHrrOqbCWhAHGbSI=;

b=Dybhuqia3QOuNwtkR9Fl2adg3kFUVH1wpYpmoK3ksGi3VVOtMbQXmzNtpFpbaTRVOV

QLpG0WI+SWnHLApS83/3o9sOXQCU3rwroM61GAZAXFDQ9YXrZnCtuep+SlqmvG7DPsZi

jMpcKrMOYXVFaBCFgGCNYw2+lTknDQDafzGk3UQDWwm406AHmIw3XVepHk+eFarQf7GP

Zb23ZOVxcb1JAHcvfv/opwx5eCRRCWIANNeg+/y7keVW6Iefito4srr908PzvOlqrVFd

8iL9XM+5ld27FWBV7y8tqp8y9ahjvgGY6nWlmVRVR2PoXdo/I2OhY0E/L9a+X3XyOr8E

kW9w==

X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=1e100.net; s=20230601; t=1773263281; x=1773868081;

h=to:from:subject:date:message-id:mime-version:x-gm-message-state

:from:to:cc:subject:date:message-id:reply-to;

bh=qtpCzzzf1lDQkeycj3pqK0FzqOPZHrrOqbCWhAHGbSI=;

b=jMH6kyob4hkXUjgpg2nMUn7rT8sHqao1Pg1i9CbgvS3DGQHp5GVmgjitJE0i/fI2rl

JNUkrbiLWK7XKOmWCdBN1yeKzQCh/INxnUVlGqN3xMJsYEjU6iiC7tDvARqgG4DNH4fW

D03A2ZlgHeyywSV4xnpoidizAcL9bouiyaEL5/XPJ9ceoao8T96Wqe0GY4I8g/BR/KGT

+MhXmUNry+bKEJDYE2eM9dycoK7kjehI9WqcZctbm4HndfdvnWGYddWpLkJuV1tdqF9A

bOAaDNmg6ZhXxtvsRO/et+frpQNkM6U+U+5Kb6iG++VkKNfUs/IralNR5I8JVwzunlOY

auzw==

X-Gm-Message-State: AOJu0YzEbuqQRUSrnBHvDeqPOZNwCjtXr72KMCsz18LmMZJgRbWmYf36

SCSQ3T4S70RJF9OUyb/nJMlProkuc+Qf9bl84Ldodq8Tn4mN+lSFUzQRAWy9AZQjfGlr+52un7W

HPvjba2Pybw==

MIME-Version: 1.0

X-Received: by 2002:a05:6820:168e:b0:67b:b182:19e with SMTP id

006d021491bc7-67bc889874emr2796450eaf.11.1773263280961; Wed, 11 Mar 2026

14:08:00 -0700 (PDT)

Message-ID: <000000000000f47abf064cc607fc@google.com>

Date: Wed, 11 Mar 2026 21:08:00 +0000

Subject: FINAL WARNING regarding your account

From: Cloud Security

To: sales@nk.ca

Content-Type: multipart/alternative; boundary="000000000000f47ab1064cc607f9"

X-Spam_score: 6.0

X-Spam_score_int: 60

X-Spam_bar: ++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.

Content preview: âš ï¸ CRITICAL SYSTEM ALERT URGENT âš¡ SERVICE INTERRUPTED

âš¡

Content analysis details: (6.0 points, 5.0 required)

pts rule name description

---- ---------------------- --------------------------------------------------

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[209.85.160.72 listed in will-spam-for-food.eu.org]

[209.85.160.72 listed in will-spam-for-food.eu.org]

[209.85.160.72 listed in will-spam-for-food.eu.org]

[209.85.160.72 listed in will-spam-for-food.eu.org]

[209.85.160.72 listed in will-spam-for-food.eu.org]

[209.85.160.72 listed in will-spam-for-food.eu.org]

[209.85.160.72 listed in will-spam-for-food.eu.org]

[209.85.160.72 listed in will-spam-for-food.eu.org]

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[209.85.160.72 listed in dnsbl.ahbl.org]

[209.85.160.72 listed in dnsbl.ahbl.org]

[209.85.160.72 listed in dnsbl.ahbl.org]

[209.85.160.72 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[209.85.160.72 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[209.85.160.72 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[209.85.160.72 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[209.85.160.72 listed in dnsbl.ahbl.org]

-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no

trust

[209.85.160.72 listed in list.dnswl.org]

-0.0 SPF_PASS SPF: sender matches SPF record

1.0 SAVE_PERCENT BODY: Save some percentage

-0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)

[209.85.160.72 listed in wl.mailspike.net]

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

-0.0 RCVD_IN_MSPIKE_WL Mailspike good senders

0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid

0.0 SARE_FROM_SPAM_WORD4 From address suggests this may be spam

Subject: {SPAM?} FINAL WARNING regarding your account

--000000000000f47ab1064cc607f9

Content-Type: text/plain; charset="UTF-8"; format=flowed; delsp=yes

Content-Transfer-Encoding: base64

4pqg77iPDQoNCkNSSVRJQ0FMIFNZU1RFTSBBTEVSVCBVUkdFTlQNCg0KDQrimqEgU0VSVklDRSBJ

TlRFUlJVUFRFRCDimqENCg0KQ2xvdWQgU3RvcmFnZSBBbGVydA0KDQpZT1VSIENMT1VEIElTIERJ

U0FCTEVEDQoNCvCfmqggSU1NRURJQVRFIEFDVElPTiBSRVFVSVJFRA0KV2UgY2FuJ3Qgc3luYyB5

b3VyIHBob3RvcyDigKIgZG9jdW1lbnRzIOKAoiBmaWxlcw0KU3RvcmFnZSAxMDAlIEZVTEwg4oCi

IFN1YnNjcmlwdGlvbiBJTkFDVElWRQ0KDQoNClNUT1JBR0UgU1RBVFVTDQpDUklUSUNBTA0KDQoN

CuKaoO+4jyBVc2VkOiA1MC4wIEdCIC8gNTAuMCBHQiDwn5OmIFRvdGFsOiA1MC4wIEdCDQoNCvCf

lJMgUkVBQ1RJVkFURSBOT1cgLSA1MCUgT0ZGIPCflJMNCuKPsyBMSU1JVEVEIFRJTUUgT0ZGRVIg

MjM6NTk6NTkNCg0K8J+OgSBGSVJTVCAxMDAgVVNFUlMgT05MWSBTQVZFIDUwJQ0KDQoNCuKcqCBJ

bnN0YW50IEFjY2Vzcw0KDQrwn5uh77iPIDMwLURheSBHdWFyYW50ZWUNCg0K4pqhIDI0LzcgUHJp

b3JpdHkgU3VwcG9ydA0KDQoNCvCfk54gQ3VzdG9tZXIgU3VwcG9ydCDimpnvuI8gQWNjb3VudCBT

ZXR0aW5ncyDinInvuI8gVW5zdWJzY3JpYmUNCg0KwqkgMjAyNCBDbG91ZCBTZXJ2aWNlcyBJbmMu

IOKAoiBTYW4gRnJhbmNpc2NvLCBDQQ0KDQo=

--000000000000f47ab1064cc607f9

Content-Type: text/html; charset="UTF-8"

Content-Transfer-Encoding: quoted-printable

=3D1">

Cloud Disabled - Action Required

ont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; =

color: rgb(0, 0, 0);" class=3D"elementToProof">

Hey There!