Date: 04/28/2026
Severity: High
Summary
We identified phishing emails that falsely claim the recipient's mailbox storage limit has been exceeded. The messages, often sent from firebaseapp-based noreply addresses, use urgent language such as “Cloud storage is full” and “Permanent data loss warning” and contain shortened links. Those links pass the user through multiple redirects to fake “Cloud” storage pages that mimic real cloud dashboards. The pages imitate OS elements (e.g., “Activate Windows”) and display full-screen fake system pop-ups. Following the prompts leads to sites selling VPN or antivirus tools.
Indicators of Compromise (IOC) List
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 : | domainname like "homewattflow.za.com/iZuveeStmcREyyjOXnQDluZX19skW-dfGYXhfu43u87Meqs" or url like "homewattflow.za.com/iZuveeStmcREyyjOXnQDluZX19skW-dfGYXhfu43u87Meqs" or siteurl like "homewattflow.za.com/iZuveeStmcREyyjOXnQDluZX19skW-dfGYXhfu43u87Meqs" or domainname like "homewattflow.za.com/oRng9xl0MaKWkEiNNavL_4D4WsZf5hVXRMU_e1NY4CYM597F" or url like "homewattflow.za.com/oRng9xl0MaKWkEiNNavL_4D4WsZf5hVXRMU_e1NY4CYM597F" or siteurl like "homewattflow.za.com/oRng9xl0MaKWkEiNNavL_4D4WsZf5hVXRMU_e1NY4CYM597F" or domainname like "homewattflow.za.com/bfzRSkXoQwL2cexujOb8hyhMTey4Zp3sDa8xXRTIxTgynEIF" or url like "homewattflow.za.com/bfzRSkXoQwL2cexujOb8hyhMTey4Zp3sDa8xXRTIxTgynEIF" or siteurl like "homewattflow.za.com/bfzRSkXoQwL2cexujOb8hyhMTey4Zp3sDa8xXRTIxTgynEIF" or domainname like "homewattflow.za.com/X2g1yMZ7mxBE2h2gtMA3IoRAmYIcfDqM9Rz4fkiCdTJU9Ac" or url like "homewattflow.za.com/X2g1yMZ7mxBE2h2gtMA3IoRAmYIcfDqM9Rz4fkiCdTJU9Ac" or siteurl like "homewattflow.za.com/X2g1yMZ7mxBE2h2gtMA3IoRAmYIcfDqM9Rz4fkiCdTJU9Ac" or domainname like "www.homewattflow.za.com/jghoujrvNz4D5WdL4Be3qWQPYNxYqry8q3ghFj1YbHtxlOBg" or url like "www.homewattflow.za.com/jghoujrvNz4D5WdL4Be3qWQPYNxYqry8q3ghFj1YbHtxlOBg" or siteurl like "www.homewattflow.za.com/jghoujrvNz4D5WdL4Be3qWQPYNxYqry8q3ghFj1YbHtxlOBg" or domainname like "redirect-system-e5318.web.app/#/SFUrdUdVangyY1AvcSthK2tCZ1hWWmt0eE42Y3p0ZTVVUWZMUXR1QXB1NWZvdWlVTVpUdnN3ZUk4TTU4YmY1RUllSXpBNk43WUNqQ01SbUMxaER3bHc9PQ__" or url like "redirect-system-e5318.web.app/#/SFUrdUdVangyY1AvcSthK2tCZ1hWWmt0eE42Y3p0ZTVVUWZMUXR1QXB1NWZvdWlVTVpUdnN3ZUk4TTU4YmY1RUllSXpBNk43WUNqQ01SbUMxaER3bHc9PQ__" or siteurl like "redirect-system-e5318.web.app/#/SFUrdUdVangyY1AvcSthK2tCZ1hWWmt0eE42Y3p0ZTVVUWZMUXR1QXB1NWZvdWlVTVpUdnN3ZUk4TTU4YmY1RUllSXpBNk43WUNqQ01SbUMxaER3bHc9PQ__" or domainname like "is.gd/BlfHHN" or url like "is.gd/BlfHHN" or siteurl like "is.gd/BlfHHN" or domainname like "is.gd/Tsre2w" or url like "is.gd/Tsre2w" or 
siteurl like "is.gd/Tsre2w" or domainname like "is.gd/kBP9Am" or url like "is.gd/kBP9Am" or siteurl like "is.gd/kBP9Am" or domainname like "is.gd/B4PSbB" or url like "is.gd/B4PSbB" or siteurl like "is.gd/B4PSbB" or domainname like "is.gd/qCiiXyg" or url like "is.gd/qCiiXyg" or siteurl like "is.gd/qCiiXyg" or domainname like "rebrand.ly/a0ylnkd" or url like "rebrand.ly/a0ylnkd" or siteurl like "rebrand.ly/a0ylnkd" or domainname like "createnewai.com/4XXR4FF/27KQBZNB/?source_id=othe&sub1=C01&sub2=S1&sub3=3-8" or url like "createnewai.com/4XXR4FF/27KQBZNB/?source_id=othe&sub1=C01&sub2=S1&sub3=3-8" or siteurl like "createnewai.com/4XXR4FF/27KQBZNB/?source_id=othe&sub1=C01&sub2=S1&sub3=3-8" or domainname like "recentworkcode.com/4SQRKGX/27FR89RQ/?sub1=sidiabdelaali" or url like "recentworkcode.com/4SQRKGX/27FR89RQ/?sub1=sidiabdelaali" or siteurl like "recentworkcode.com/4SQRKGX/27FR89RQ/?sub1=sidiabdelaali" or domainname like "recentworkcode.com/4SQRKGX/27FR89RQ/?sub1=ouzzine1" or url like "recentworkcode.com/4SQRKGX/27FR89RQ/?sub1=ouzzine1" or siteurl like "recentworkcode.com/4SQRKGX/27FR89RQ/?sub1=ouzzine1" or domainname like "artificialoiltechno.com/5WHF7BW/27FR89RQ/?sub1=br5" or url like "artificialoiltechno.com/5WHF7BW/27FR89RQ/?sub1=br5" or siteurl like "artificialoiltechno.com/5WHF7BW/27FR89RQ/?sub1=br5" or domainname like "artificialoiltechno.com/5WHF7BW/27KQBZNB/?sub1=br77" or url like "artificialoiltechno.com/5WHF7BW/27KQBZNB/?sub1=br77" or siteurl like "artificialoiltechno.com/5WHF7BW/27KQBZNB/?sub1=br77" or domainname like "artificialoiltechno.com/5WHF7BW/27KQBZNB/?sub1=krm41" or url like "artificialoiltechno.com/5WHF7BW/27KQBZNB/?sub1=krm41" or siteurl like "artificialoiltechno.com/5WHF7BW/27KQBZNB/?sub1=krm41" |
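The query above compares complete indicator strings (host, path, query string and, in one case, a `#` fragment) against `domainname`, `url` and `siteurl`. A field that holds only a hostname cannot equal a host-plus-path string, a fragment is never sent to the server and so never reaches proxy logs, and the listed affiliate URLs share a path while `sub1` varies. The following added example (not Gurucul's or Unit 42's code) normalizes indicators and grades each logged URL accordingly; the indicators, log URLs, `SHARED_HOSTS` and all function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed indicators on reserved example domains, shaped like the advisory's entries.
INDICATORS = [
    "landing.example.com/AbCdEf123",           # dedicated host + token path
    "redirector.example.net/#/UGF5bG9hZA__",   # payload only in the URL fragment
    "sho.rt.example/Xy12Zq",                   # link on a shared shortener
    "offer.example.org/4AAA/27BBB/?sub1=c01",  # affiliate path + per-sender sub1
]
# Assumption: hosts shared with unrelated users, where a host-only hit is noise.
SHARED_HOSTS = {"sho.rt.example"}

def normalize(raw):
    """Split a URL or scheme-less indicator into (host, path, query)."""
    parts = urlsplit(raw if "://" in raw else "//" + raw)
    host = (parts.hostname or "").removeprefix("www.")  # hostname is lower-cased
    # The fragment is dropped: browsers never send it, so logs cannot contain it.
    return host, parts.path.rstrip("/"), parts.query

def build_index(indicators):
    index = {}
    for raw in indicators:
        host, path, query = normalize(raw)
        index.setdefault(host, []).append((path, query))
    return index

def classify(logged_url, index):
    """Return 'exact', 'path', 'host' or None for one logged URL."""
    host, path, query = normalize(logged_url)
    entries = index.get(host)
    if entries is None:
        return None
    best = None if host in SHARED_HOSTS else "host"
    for ind_path, ind_query in entries:
        if ind_path and ind_path == path:
            if ind_query == query:
                return "exact"
            best = "path"  # same campaign path, different tracking value
    return best

# Constructed proxy-log URLs.
SAMPLE_LOG = [
    "HTTPS://WWW.Landing.Example.com/AbCdEf123",
    "https://offer.example.org/4AAA/27BBB/?sub1=other9",
    "https://redirector.example.net/",
    "https://sho.rt.example/SomethingElse",
]

def triage(urls=SAMPLE_LOG):
    index = build_index(INDICATORS)
    return [(u, classify(u, index)) for u in urls]
```

A `host` verdict is a lead for review rather than a confirmed hit, and shared hosts only ever produce `exact` or `path` verdicts.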
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-04-28-Fake-Cloud-Storage-Full-Emails.txt