Cofense Logo - Email Security Solutions

Xneelo Users Targeted in a Multi-stage Phishing Attack 

Share Now


Found in Environments Protected by: Mimecast 

Author: Olwen Brangan  

Cofense Phishing Defense Center 

The Cofense Phishing Defense Center discovered a multi-stage phishing campaign targeting customers from Xneelo, a South African web hosting provider who supports over 500,000 customers. Xneelo provides customers with two options of control panels to manage accounts: the Xneelo control panel and the older KonsoleH control panel. In this four-stage attack, threat actors attempted to obtain login details for the Xneelo control panel and Webmail credentials through a fake KonsoleH login page, as well as credit card information and SMS two-factor authentication (2FA) codes.  

Stage 1 – Xneelo Credentials 

Initially, the user is presented with an email as shown in Figure 1. Aspects of the email appear genuine: the spoofed email contains the Xneelo logo and Xneelo’s address and phone number. However, there are indicators at this stage which raise suspicion about the validity of this email. Of note is the generic greeting “Hello”, a tactic often used by threat actors, but not particularly unusual by itself.  

Another red flag is the sense of urgency portrayed in the email. The user is strongly encouraged to click on the ‘Pay Now’ button. Failure to do so could result in the termination of services and deletion of hard drive content, leading to a full loss of data as they do not keep backups. This message is enforced using language such as “Please settle your account to avoid suspension of your service”, “deactivate” and “immediate” in bold. Note the payment due date is prior to the date of issue, implying an overdue payment, further enticing the email recipient to act quickly, although the requested amount due is R0.00.  

Figure 1 – Email Body

In Figure 1, the “Pay Now” button redirects the user to hXXps://postingbank[.]wpengine[.]com/sudd/ where the fake Xneelo login page is located (Figure 2). 

 Figure 2 – Fake Xneelo login page

This login page presents a message about signing up, however the ‘Sign Up’ button is not available. Logging onto Xneelo’s real website ( shows a similar page with the actual ‘Sign up’ button beside the ‘Log in’ button. Omission of buttons or other details are red flags this email and page are suspicious. Spelling errors such as “Pyament” instead of Payment in Figure 3 are also red flags. 

Stage 2: Credit Card Data 

Once the user enters their Xneelo login credentials, a page requesting credit card information is presented (Figures 3 and 4). 

Figure 3 Credit Card Information 

Figure 4 User Agreement 

To appear genuine, a consent list is included containing information from the real Xneelo website: the debit order date is the first working day of each month, the reference used on customers bank statements is MultiD and Xneelo does charge a fee of R50.00 for failed debit orders.  

Stage 3: SMS

Having provided the malicious actors with login credentials and credit card information, users then are asked for an SMS code to verify their identity and click the ‘Activate my Domain’ button shown in Figure 5.

Phishing for 2FA codes is common. Threat actors use the stolen credentials to interact with the real website and prompt it to send such SMS codes to users. Once users input the code into to the phishing website, threat actors can use it to successfully log in as the users.  

Figure 5 – SMS 

Stage 4: Webmail Credentials 

The fourth and final stage of this phishing campaign occurs when the user is directed to a webpage which spoofs the real KonsoleH webmail page (Figure 6). 

Figure 6 KonsoleH Webmail Login

Once the user enters an email address and password, and clicks the ‘Webmail Login’ button, the malicious actors will obtain the users credentials. Access to webmail allows malicious actors to do a variety of tasks including importing or exporting email contacts, access emails that are on the mail server, set up an auto responder using the manage mailbox option, access emails from any computer with an internet connection and create new accounts.  

Indicators of Compromise: 

Indicators of Compromise IP


We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.

This site is registered on as a development site.