Confirm that this is spam, "Messages quarantined since 2/13/2020"

[GoWilkes]

I'm getting an email every night at around 4am that LOOKS like it's from cPanel, but I'm not entirely convinced so I'm hoping you guys can confirm. The email subject that it references IS one that would have been sent (but not from [email protected], and not at 3am), but the link isn't to my domain so it feels phishy.

The subject is "Messages quarantined since 2/13/2020 for [email protected]", where the date is always the previous date and the email is for my domain.

The reply email is [email protected]. I Googled this and found nothing.

This is the body, converted to plain text just in case there's something malicious in there:

[email protected]

example.com has prevented the delivery of a new message to
 [email protected] because it contains heavy attachments. To immediately release it use the "Release and Deliver" button below. 

Sent:  Tuesday ,February 13, 2020  at 03:24 am
To:  [email protected]
Subject: Past Due Invoices

Release and Deliver

Why was my message held for review?
Your email provider uses an email filtering service to stop certain types of email from being sent from your account. The content of the email you received scored high enough for the email systems to hold it in your quarantine for review.

This is an automated message
Please do not reply to this email.

Copyright © 2020. All rights reserved.

Clicking the "Release and Deliver" link takes me to:

https://firebasestorage.googleapis.com/v0/b/documail-f385f.appspot.com/o/webmail_net_login.html?alt=media&token=foo#[email protected]

And there's nothing related to this in WHM's Mail Queue.

TIA!

 

[quietFinn]

The sender wants you to press the button Release and Deliver, I wouldn't do it.
It is spam, no doubt.

 

[GoWilkes]

My thought, too, but it was just odd that the subject was the same as one sent by our billing department

 

[GoWilkes]

I'm positive that it's spam, though... it finally hit me to look at the source of the final link and see where the login form directed:

cyfyfkj.michalcova.beget.tech/data.php

On the form that's an HTTP link, not HTTPS. I removed it here to prevent it from becoming a link.

It's weird that it goes through googleapis.com, though.

 

[cPanelLauren]

Really, anyone can implement a google api - as long as they have a google account - in case you wanted to know what firebasestorage was you can find it here: Cloud Storage | Firebase

 

[bizzy]

It is spam or probably much worse. I moved from cPanel many years ago but still received an identical message to [email protected] [a domain of mine). It originated in Aruba. Very clever though. Ironically if I had still used cPanel I might have been tempted instead of instantly realising it didn't compute..

I pass my email through GMail which imho is the best spam cleaning service around - surprised they didn't catch it. Mine was received at 06:23 UTC this morning.