Client’s should look out for phishing emails appearing to originate from RoundCube Webmail. The emails claim that your email services or delivery of emails has been suspended or blocked and require you to sign in or click a link in order to fix the suspension or block.
Phishing emails are designed to steal login usernames and passwords for your account and should be deleted.

What To Look Out For

Example 1 – “You have some pending messages”
This example states that you have some undelivered emails due to an ‘authentication error’, and requires you to click on a link to ‘release’ the messages:

suspicious "roundcube" phishing emails
  1. The email is from an unrelated sender, generally trying to impersonate a “post master” or similar kind of email address, to give a feeling of authenticity. Do be aware that this will sometimes appear to have come from one of your own email addresses, however in reality this is not the case, with the sender having “spoofed” the sending email address.
  2. The title and body of the email generally states that your emails have not been delivered for one reason or another. Keep an eye out for bad spelling or grammar, as these are dead giveaways that the email is not legitimate.
  3. A link will usually be provided under the guise of “click here to release messages”, etc.
    We can see by hovering our mouse over the link that the link instead is pointing somewhere totally different.
    suspicious "roundcube" phishing emails
    In this case, the link points to a Firebase Cloud Storage location, where you would be directed to a .html file that would impersonate or pretend to be a login page.


Do NOT click any links in these kinds of emails. If you have clicked any links like this, Conetix recommends scanning your computer/device with an antivirus solution and changing any passwords you may have entered on the pages you visited.

Example 2 – “Your Account Has Been Compromised”
In this example, the email deviates from the last in a few ways by pretending to be the ‘good guy’ by advising you that your email account has already been compromised, and has had it’s email send & receive functionality disabled.

suspicious "roundcube" phishing emails
  1. In this example, the sender actually appears to have come from your own domain (which we have blurred out due to privacy), however as mentioned previously this is simply the sender “spoofing” or pretending to have sent from your email domain.
  2. This email also makes use of ‘personalizing’ the email to you by using your name in the email. This is generally done by taking the first name from the email address itself – eg. “john.doe@email”, where they would take the “John” and use that.
    Again, this is just a tactic to make you believe the email might be legitimate.
  3. Once again, you are shown a button to “Protect and Secure” your account. Again in this case, the link appears to be directing to a different domain/website altogether.

    suspicious "roundcube" phishing emails

    As you can see from the above image of the link, the linked website is totally foreign from your own website/domain.


If you are ever uncertain on whether an email you have received is legitimate or not, please get in touch with the Conetix support team.


Do not click on any links in suspicious email, and do not reply to the email.

Was this article helpful?

Related Articles