
Qantas-Themed Phishing Scam Bypasses Email Defenses to Harvest Credit Cards and PII

A meticulously crafted phishing campaign impersonating Qantas Airways has successfully slipped past multiple secure email gateways (SEGs), including Microsoft ATP, Proofpoint, and Mimecast, to target Australian employees with credential and credit card theft. The campaign, first observed in early February 2025, mimicked Qantas-branded marketing emails and lured victims to credential phishing pages masquerading as legitimate reward programs.


Security researchers at Cofense Intelligence warn that the attackers’ tactics represent a troubling escalation in phishing sophistication, particularly in their ability to convincingly spoof corporate branding, manipulate email trust signals, and evade industry-standard detection tools.


“This campaign wasn’t just a phishing blast—it was a coordinated, multi-stage social engineering effort built for believability,” said a threat intelligence analyst familiar with the operation. “It highlights how even high-assurance email defenses can be sidestepped with enough attention to design, detail, and deception.”

How the Qantas Spoof Worked


The phishing emails closely mirrored legitimate Qantas promotional communications, down to the color palette, typography, and the use of functional headers like “List-Unsubscribe” — a technique often exploited to mimic marketing norms and reassure recipients of authenticity. However, while Qantas unsubscribe links normally resolve to qantas.com, the spoofed versions redirected to suspicious URLs such as subscriptions.pstmrk.it, a tactic that may have been used to track recipients or validate active email accounts.


Each email carried links with randomized but Qantas-referencing domains that funneled users to phishing sites using a shared “auth/auhs1” endpoint. These credential collection portals were deployed with short lifespans — sometimes disappearing within 24 hours — likely to evade blacklist-based defenses and threat-sharing networks.
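The mismatches described above (an unsubscribe link that does not resolve to qantas.com, link hosts that reference Qantas without belonging to it, and the shared "auth/auhs1" path) can be checked mechanically when a reported message is triaged. The following Python is an added example, not code from Cofense or from the campaign analysis; the sample messages, the `.example` hosts, the token values and the function names are constructed for illustration, and the allow-list assumes qantas.com is the only legitimate domain.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

BRAND = "qantas"
BRAND_DOMAIN = "qantas.com"   # legitimate domain per the article (assumed allow-list)
SHARED_PATH = "auth/auhs1"    # endpoint the article reports on the phishing sites
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def on_brand_domain(host):
    host = host.lower().rstrip(".")
    return host == BRAND_DOMAIN or host.endswith("." + BRAND_DOMAIN)

def triage(raw):
    """Return (indicator, url) findings for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    if BRAND not in (msg.get("From", "") + msg.get("Subject", "")).lower():
        return []  # message does not claim the brand, nothing to compare
    findings = []
    # Indicator 1: brand-claiming mail whose unsubscribe URL leaves the brand domain
    for url in URL_RE.findall(msg.get("List-Unsubscribe", "")):
        if not on_brand_domain(urlparse(url).hostname or ""):
            findings.append(("unsubscribe-off-brand", url))
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        parts = urlparse(url)
        host = parts.hostname or ""
        # Indicator 2: host mentions the brand but is not the brand's domain
        if BRAND in host.lower() and not on_brand_domain(host):
            findings.append(("lookalike-host", url))
        # Indicator 3: the path shared across the campaign's phishing sites
        if SHARED_PATH in parts.path.lower():
            findings.append(("shared-phish-path", url))
    return findings

# Constructed samples, not real campaign messages; *.example hosts are placeholders.
PHISH = """From: Qantas Rewards <offers@mailer.example>
Subject: Claim your anniversary reward
List-Unsubscribe: <https://subscriptions.pstmrk.it/unsubscribe/constructed-token>

Redeem now: https://qantas-rewards-7f3k.example/auth/auhs1
"""
LEGIT = """From: Qantas <news@e.qantas.com>
Subject: Your monthly Qantas update
List-Unsubscribe: <https://e.qantas.com/unsubscribe/constructed-token>

See offers: https://www.qantas.com/offers
"""
```

Because the phishing hosts were short-lived, these structural checks are more durable than matching the hosts themselves.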


Inside the Multi-Step Phishing Funnel


Upon landing on the spoofed site, victims were ushered through a step-by-step process designed to feel routine: entering names, emails, phone numbers, and even their shipping address. The campaign included a birthday field as a faux security measure, which attackers can weaponize for password resets or future spear-phishing.


But the heart of the scam lay in step six, where victims were prompted to input credit card details, the true payload for attackers. Following this, a fake multi-factor authentication prompt was triggered, potentially to stall suspicion and delay reporting.


Targeting and Timing


While the spoofed emails reached users globally, most targets were Australian employees, as evidenced by the use of Australian Dollar (AUD) rewards and references tailored to Qantas’ domestic audience. The attackers even referenced Qantas’ anniversary — albeit inaccurately, stating it was celebrating its 103rd year in 2025 instead of the actual milestone reached in 2023.


“We’re seeing phishing evolve from crude one-offs into campaigns that mimic not just the brand but the behavior of real marketing teams,” said a security operations leader at an Australian enterprise affected by the campaign. “The only giveaway here was a missed anniversary — and that’s not something every employee would notice.”

Security Industry Response


The fact that such a well-packaged campaign circumvented multiple SEGs is raising questions about overreliance on signature- and reputation-based email filtering.


“Brand spoofing at this level is a call to arms for layered security,” said the researcher. “Organizations must combine robust email filtering with user education, domain monitoring, and anomaly detection to stay ahead.”


The Qantas-themed campaign has reportedly tapered off since mid-March, but researchers warn that the infrastructure and tactics could easily be repurposed for future spoofing efforts — perhaps targeting other airlines or reward-based schemes.


As phishing grows more bespoke, enterprises and individuals alike will need to rethink what a “suspicious email” looks like — because soon, it may look perfect.
