Review Your Recent Activity Scam
Cybersecurity researchers have flagged a widespread phishing campaign known as the 'Review Your Recent Activity' scam. These messages falsely claim there were suspicious sign-ins to the recipient's webmail and push users to 'secure' their accounts by clicking a button that leads to a fake sign-in page. These emails are malicious spam and are not associated with cPanel, webmail providers, or any legitimate company, organization, or service. Treat them as hostile attempts to steal credentials and deliver malware.
The Email Bait
Typical messages (subject lines vary; one common example begins 'We have detected recent login activity on your Webmail account please confirm') present a fabricated activity summary, usually claiming three recent logins from different regions (commonly Africa, Europe, and North America). The message urges the recipient to review or secure their account immediately. To create urgency, it warns that access will be restricted or uses dramatic language intended to make you act without thinking. The promised 'Secure Account' button is the trap: it redirects to a credential-harvesting page disguised to look like a legitimate email sign-in form.
How The Scam Proceeds
If you type your email address and password into the phishing page, attackers capture those credentials and can:
- Take over the inbox and read or delete messages.
- Send phishing or scam messages to your contacts (often posing as you).
- Use password reset flows to take control of linked services (social networks, stores, banking, cloud storage, etc.).
- Commit fraud, request money from your contacts, or distribute malware and malicious links.
- Sell logins and personal data on underground markets.
How To Spot Phishing Emails
- Unexpected 'security alert' about recent logins that you didn't request.
- Urgent language and threats of disconnection or account suspension.
- A prominent button or link labeled 'Secure Account' / 'Review Activity' that points to an unfamiliar URL.
- Poorly written text or subtle inconsistencies in logos, sender addresses, or formatting (though some campaigns look very polished).
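The indicators above can also be checked mechanically at a mail gateway or in a triage script. The following Python code is an added example, not part of the original article: it flags a message that combines a login alert, urgent wording, and a 'Secure Account' / 'Review Activity' link whose host is not on an allowlist. The allowlisted host `webmail.example.com`, the regular expressions, and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts where your organisation's real webmail login lives.
TRUSTED_HOSTS = {"webmail.example.com"}
LURE_LABEL = re.compile(r"secure account|review (your )?(recent )?activity", re.I)
ALERT = re.compile(r"recent log-?in activity|suspicious sign-?ins?", re.I)
URGENCY = re.compile(r"immediately|restricted|suspen|disconnect", re.I)

class LinkCollector(HTMLParser):
    """Collect (visible label, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

def score_message(raw):
    """Return the indicators from the list above that the raw message matches."""
    msg = message_from_string(raw)
    part = next((p for p in msg.walk() if p.get_content_type() == "text/html"), None)
    html = part.get_payload(decode=True).decode("utf-8", "replace") if part else ""
    collector = LinkCollector()
    collector.feed(html)
    text = msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", html)
    checks = (("unsolicited-login-alert", ALERT), ("urgency", URGENCY))
    hits = [name for name, rx in checks if rx.search(text)]
    for label, href in collector.links:
        host = (urlparse(href).hostname or "").lower()
        # The button text is the lure; the destination host is what gives it away.
        if LURE_LABEL.search(label) and host not in TRUSTED_HOSTS:
            hits.append("lure-button:" + host)
    return hits

# Constructed sample message modelled on the wording described in the article.
SAMPLE = ("Subject: We have detected recent login activity on your Webmail account please confirm\n"
          "Content-Type: text/html; charset=utf-8\n\n"
          "<p>Logins from Africa, Europe, North America. Access will be restricted.</p>\n"
          '<a href="https://login.untrusted.example.org/webmail">Secure Account</a>\n')
```

A message that trips all three indicators is a strong quarantine candidate; any single hit on its own is better treated as a signal for review, since genuine security notices can also mention recent logins.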
The Risks Of Spam Email
These spam runs may also include attachments or links that deliver malware. Common malicious attachment types seen in campaigns like this include: archives (ZIP, RAR), executables (.exe, .run), Office documents (Word, Excel), PDFs, OneNote files, and JavaScript. Some file types require extra user actions — for example, Office docs may ask you to enable macros, and OneNote files may rely on embedded links — but once those actions are taken, the malware installation chain can start.
Conclusion
The 'Review Your Recent Activity' campaign is a clear example of attackers weaponizing fear and urgency to harvest credentials and spread malware. Remember: legitimate providers will rarely demand immediate verification through unsolicited email links, and genuine security alerts can be verified by signing directly into your account via the provider's official site or contacting support. Vigilance, unique passwords, and 2FA are your best defenses. If you've already been compromised, act quickly — change passwords, enable 2FA, scan your systems, and notify affected providers.