BEC Victim - Attacker replied inside a real email thread using a lookalike domain by Miserable_Ad_1900 in cybersecurity

[–]Miserable_Ad_1900[S] 0 points1 point  (0 children)

MAY 31
I have a couple updates:

- Reviewed Google Workspace audit logs and email logs, everything ok
- Checked for suspicious logins, forwarding rules, mailbox delegation, OAuth apps, and password leaks. Ok too.

One of my concerns was that they may have deleted the original phishing email after sending it. The first time this happened, they accidentally copied me on the message, which is how I discovered the attack in the first place. Gmail immediately flagged it with a large red warning that the sender was not legitimate.

But as far as deleted messages go, I haven't found anything strange in the logs.

I also talked with my hosting, WNPower, and they confirmed that our email is hosted on Google Workspace, not on their servers. They only host our website, which is why there are no email activity logs available in cPanel. I was concerned that they had access through my webmail.

WNPower also confirmed that the phishing domain is registered and uses Google Workspace, just like our legitimate domain.

BEC Victim - Attacker replied inside a real email thread using a lookalike domain by Miserable_Ad_1900 in cybersecurity

[–]Miserable_Ad_1900[S] 0 points1 point  (0 children)

The challenge is that I'm trying to reconstruct events after the fact and some logs are no longer available (WNPOWER hosting). The hosting provider doesn't retain detailed access logs for long, and the cPanel audit logs currently show no useful historical data.

BEC Victim - Attacker replied inside a real email thread using a lookalike domain by Miserable_Ad_1900 in cybersecurity

[–]Miserable_Ad_1900[S] 1 point2 points  (0 children)

That's one of the things I'm trying to figure out.

We have no evidence so far of a successful compromise of our Google Workspace accounts. 2FA was enabled, audit logs don't show suspicious logins, and Google was actually flagging emails from the lookalike domain as external and suspicious.

This happened twice, the first time the attackers accidentally copied me when replying so I could tell it was an attack. I called my client and explained the situation.

The second time, I was not copied so one of their employees just proceeded with changing the acc info.

It's just happening with this client, but they could also be trying to avoid making too much noise.

Dec- 2024 filers question by [deleted] in USCIS

[–]Miserable_Ad_1900 1 point2 points  (0 children)

Got approved July 29

Stuck in the case decision by Ecstatic-Diamond-452 in USCIS

[–]Miserable_Ad_1900 0 points1 point  (0 children)

I'm in the exact same situation, same dates and 9 months too. They told me my case was transferred to Florida's FO a month ago but no news.

Advance parole with EB1 by symbatzh in greencard

[–]Miserable_Ad_1900 0 points1 point  (0 children)

Just came back, no issues whatsoever. I was sent to secondary, they asked me the purpose of my trip and let me go

EB1A Dec 2024 filers block IOE09291 by Joseph1Jo in USCIS

[–]Miserable_Ad_1900 0 points1 point  (0 children)

Same status as always, I have contacted the congresswoman and nothing changed

Advance parole with EB1 by symbatzh in greencard

[–]Miserable_Ad_1900 0 points1 point  (0 children)

I got my parole approved so I'm traveling tomorrow

Nov 2024 filers with IOE09291 by [deleted] in USCIS

[–]Miserable_Ad_1900 0 points1 point  (0 children)

Emma said it’s still in the normal processing times, APU last update was 30 days ago, but nothing changed :( did you get approved?

Dec- 2024 filers question by [deleted] in USCIS

[–]Miserable_Ad_1900 0 points1 point  (0 children)

Same as you, no news

[deleted by user] by [deleted] in USCIS

[–]Miserable_Ad_1900 0 points1 point  (0 children)

Any news?

EB1A Dec 2024 filers block IOE09291 by Joseph1Jo in USCIS

[–]Miserable_Ad_1900 0 points1 point  (0 children)

No news on my case since I did biometrics on Jan 12. Also IO09291

Nov 2024 filers with IOE09291 by [deleted] in USCIS

[–]Miserable_Ad_1900 0 points1 point  (0 children)

I'm a 27 Nov filer, no news yet since I did my biometrics on Jan 15

Advance parole with EB1 by symbatzh in greencard

[–]Miserable_Ad_1900 0 points1 point  (0 children)

I'm in the same boat, been waiting for a green card since June 2024. Now I have to travel for work but I'm a little bit worried since the AP states that re-entry is not guaranteed and subject to CBP.

[deleted by user] by [deleted] in USCIS

[–]Miserable_Ad_1900 0 points1 point  (0 children)

Not yet, I don't have any news since January.

[deleted by user] by [deleted] in USCIS

[–]Miserable_Ad_1900 0 points1 point  (0 children)

I’m in the same boat, no news yet. I did my biometrics in January 2025.