TL-2026-0129 MEDIUM 2026-02-22 Campaign Report

Japanese-Language Phishing Campaign — ANA, DHL, myTOKYOGAS Brand Impersonation via Foxmail Fingerprint

Threadlinqs Intelligence
Tags: phishing, foxmail, cn-domain, brand-impersonation, ana, dhl, mytokyogas, credential-harvesting, japan, china

Threat ID: TL-2026-0129 | Severity: MEDIUM | Status: ACTIVE

Actor: Unknown Chinese-Speaking Phishing Group | Nation: China | Motivation: FINANCIAL

MITRE Techniques: 21 | Detections: 9 | IOCs: 13 network, 6 behavioral


Japan is seeing a phishing wave unlike anything in the last decade. Brand impersonation campaigns are hitting financial services, e-commerce, and government portals simultaneously.

On February 21, 2026, Brad Duncan at the SANS Internet Storm Center documented a coordinated campaign targeting Japanese-speaking users — ANA (All Nippon Airways), DHL Express, and myTOKYOGAS, all spoofed by the same operator. Three brands. One fingerprint. Every wave originates from Hong Kong-based infrastructure on AS150436 (Byteplus/ByteDance cloud), burns through randomly generated .cn domains, and stamps every message with the same X-Mailer header: Foxmail 6, 13, 102, 15 [cn]. That Foxmail tag — a legacy Tencent email client locked to Chinese locale — ties the entire operation to a single Chinese-speaking operator.

Below: infrastructure correlations, brand impersonation breakdown, full IOC inventory, and production detection queries for email gateway, proxy, and identity systems.

SANS Internet Storm Center analysis of coordinated Japanese-language phishing emails — documenting .cn domains, Foxmail X-Mailer headers, and credential harvesting patterns.

Executive Summary

Campaign Infrastructure

The Foxmail Fingerprint

The most significant attribution indicator is the X-Mailer header consistent across every documented sample: Foxmail 6, 13, 102, 15 [cn]. Foxmail is a freeware email client developed by Tencent Holdings with dominant market share in China. Version 6.x is a legacy release — the current version is 7.2.25 (September 2022). The [cn] locale tag confirms a Chinese-language installation.

Same toolkit. Same operator. The fingerprint locks three facts in place: one group runs all brand impersonation waves; the operation originates from a Chinese-language environment; and the legacy version suggests either an older automated sending rig or deliberate version pinning for compatibility with bulk-sending scripts. When we ran this indicator against our detection library, it matched cleanly — no false positives against legitimate Foxmail traffic.

Sending Infrastructure

All three documented emails originate from Hong Kong on AS150436, operated by Byteplus Pte. Ltd. — a subsidiary of ByteDance (TikTok's parent company). The sending IPs geolocate to the Yau Tsim Mong District:

| IP Address    | Brand      | Sending Domain | Timestamp              |
|---------------|------------|----------------|------------------------|
| 150.5.129.136 | ANA        | ncqjw.cn       | 2026-02-19 21:52 +0800 |
| 101.47.78.193 | DHL        | obpwnrl.cn     | 2026-02-20 12:29 +0800 |
| 150.5.130.42  | myTOKYOGAS | cwqfvzp.cn     | 2026-02-20 23:50 +0800 |

The sending domains follow a pattern of short, random-character .cn registrations — burned infrastructure, designed to be rotated as spam filters catch up. Cheap domains, disposable by design.

Credential Harvesting Pages

Phishing pages are hosted on separate .cn domains with randomized English-sounding subdomain prefixes:

| Brand      | Phishing URL                                           | Path Pattern               |
|------------|--------------------------------------------------------|----------------------------|
| ANA        | branchiish.aayjlc.cn/amcmembr_Loginam/                 | AMC member login clone     |
| DHL        | decideosity.ykdyrkye.cn/portal_login_exp/getQuoteTab/  | Shipping portal clone      |
| myTOKYOGAS | impactish.rexqm.cn/mtgalogin/                          | Utility portal login clone |

The subdomains use pseudo-English compound words (branchiish, decideosity, impactish) — likely algorithmic generation or a non-native English speaker constructing plausible-sounding hostnames. Either way, the lure pages behind these domains are convincing clones. The operator put more effort into the page design than the domain naming.

Brand Impersonation Analysis

ANA (All Nippon Airways)

Japan's largest airline by revenue. The credential-harvesting page clones ANA's Mileage Club (AMC) member login portal. The lure likely involves account verification, mileage expiration, or booking confirmation. Stolen credentials enable mileage redemption fraud — loyalty points converted to flights or merchandise for resale. Mileage accounts are currency in the Japanese underground.

DHL Express

Global logistics company with extensive Japan operations. DHL phishing typically uses delivery notification lures — package tracking, customs clearance, or delivery scheduling. The URL path portal_login_exp/getQuoteTab/ suggests a shipping portal impersonation targeting business users who regularly interact with DHL for import/export.

myTOKYOGAS

Tokyo Gas utility service portal used by millions of Tokyo residents. The phishing lure likely involves billing notifications, account verification, or payment method updates. The mtgalogin/ path directly references the myTOKYOGAS login abbreviation. Stolen credentials provide access to personal information and payment card data stored in utility accounts.

Campaign Characteristics

Phishing, Japanese-style. The campaign uses bulk distribution without language filtering — a classic spray campaign — reaching non-Japanese speakers across the globe. Brad Duncan at SANS received multiple lures despite not being Japanese. Purchased or scraped email lists, high-volume distribution, disposable domains. The operator accepts the burn rate as a cost of doing business.

All emails carry +0800 in the Date header (UTC+8, China/Hong Kong), and every .cn sending domain fails SPF. The campaign has run for roughly a year based on the SANS researcher's observation of receiving emails "for at least the past year or so."

The Regional Angle

What distinguishes this campaign from standard phishing is the Japan-specific brand selection. ANA is Japan's largest airline — mileage fraud is a proven monetization path in the Japanese underground. myTOKYOGAS serves millions in the Tokyo metro area, and utility portal credentials give direct access to stored payment cards. DHL handles a massive share of Japan's import/export logistics, making business users high-value targets.

The operator clearly knows the Japanese market. The lure language is native-quality, the brand selection maps to services with high credential value in Japan, and the timing (three waves in 48 hours) suggests a coordinated push rather than opportunistic spraying. Our platform tracks over 112 active threats, and this regional targeting precision is uncommon for commodity phishing — it sits closer to targeted social engineering than bulk credential harvesting.

SANS ISC phishing evidence — fake ANA (All Nippon Airways) Mileage Club notification lure with mileage expiration extension service bait in Japanese.

Detection

Threadlinqs Intelligence provides 9 production-ready detection rules for this threat, covering email gateway fingerprinting, phishing infrastructure access, and post-compromise credential abuse.

Splunk SPL

This SPL query hunts for the Foxmail campaign fingerprint — emails with the legacy X-Mailer header, SPF failure, and .cn sending domains:

```spl
index=email (sourcetype=smtp OR sourcetype=mail)
| search X_Mailer="Foxmail 6*" X_Mailer="*[cn]*"
| search SPF_Result="FAIL" OR SPF_Result="SOFTFAIL"
| regex sender_domain="^[a-z]{4,10}\.cn$"
| eval campaign="TL-2026-0129 Foxmail CN Phishing"
| lookup geoip src_ip AS sender_ip OUTPUT asn, country
| eval asn_match=if(asn="AS150436" OR country="HK", "yes", "no")
| bin _time span=1h
| stats count by _time, sender_ip, sender_domain, asn, asn_match, X_Mailer, recipient, campaign
| table _time, sender_ip, sender_domain, asn, asn_match, recipient, campaign, count
```
This query correlates the three strongest campaign indicators: Foxmail [cn] X-Mailer, SPF failure, and random-character .cn domains. The ASN lookup adds a fourth signal for AS150436 (Byteplus) matches; it assumes a configured lookup named geoip that returns asn and country fields, since Splunk's built-in iplocation command supplies geography but not ASN. The field names (X_Mailer, SPF_Result, sender_domain, sender_ip) depend on how the mail gateway's logs are parsed and may need to be mapped to your own sourcetype.

Microsoft KQL

This KQL query implements multi-signal scoring to identify campaign emails even as the operator rotates infrastructure:
```kql
let campaign_ips = dynamic(["150.5.129.136", "101.47.78.193", "150.5.130.42"]);
let campaign_domains = dynamic(["ncqjw.cn", "obpwnrl.cn", "cwqfvzp.cn",
    "aayjlc.cn", "ykdyrkye.cn", "rexqm.cn"]);
EmailEvents
| where Timestamp > ago(30d)
// X_Mailer is not a built-in EmailEvents column; this assumes the X-Mailer header
// is surfaced by a custom enrichment. Drop this signal if it is unavailable.
| extend FoxmailMatch = iff(X_Mailer startswith "Foxmail 6" and X_Mailer endswith "[cn]", 30, 0)
| extend IPMatch = iff(SenderIPv4 in (campaign_ips), 25, 0)
| extend DomainMatch = iff(SenderMailFromDomain in (campaign_domains), 20, 0)
| extend CNDomain = iff(SenderMailFromDomain matches regex @"^[a-z]{4,10}\.cn$", 15, 0)
// AuthenticationDetails is a JSON string such as {"SPF":"fail",...}; parse it
// rather than term-matching "spf=fail", which never appears in that format.
| extend SPFFail = iff(tostring(parse_json(AuthenticationDetails).SPF) in~ ("fail", "softfail"), 10, 0)
| extend TotalScore = FoxmailMatch + IPMatch + DomainMatch + CNDomain + SPFFail
| where TotalScore >= 45
| project Timestamp, SenderFromAddress, SenderIPv4, SenderMailFromDomain,
    Subject, TotalScore, RecipientEmailAddress
| sort by TotalScore desc
```
The scoring model weights Foxmail fingerprint (30 points), known campaign IPs (25), known domains (20), random .cn pattern (15), and SPF failure (10). A threshold of 45 requires at least two strong signals, catching infrastructure rotation while maintaining precision.
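The same multi-signal model, implemented in Python over raw RFC 5322 headers so it can be applied to .eml files or a mail archive outside a SIEM. This is an added example and not code from the Threadlinqs report or the SANS diary; it assumes the receiving MTA stamps a Received-SPF header that includes client-ip, and the two sample messages below are constructed, with only the indicator values (IPs, domains, X-Mailer string, weights and threshold) taken from the report.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicator values come from the report; everything else is the added example.
CAMPAIGN_IPS = {"150.5.129.136", "101.47.78.193", "150.5.130.42"}
CAMPAIGN_DOMAINS = {"ncqjw.cn", "obpwnrl.cn", "cwqfvzp.cn",
                    "aayjlc.cn", "ykdyrkye.cn", "rexqm.cn"}
RANDOM_CN = re.compile(r"^[a-z]{4,10}\.cn$")  # short random-character .cn label
THRESHOLD = 45  # same cut-off as the KQL model: at least two strong signals

def score_message(raw):
    """Score one RFC 5322 message string; returns (total, per-signal points)."""
    msg = message_from_string(raw)
    xmailer = msg.get("X-Mailer", "")
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Received-SPF is stamped by the receiving MTA (assumed to include client-ip),
    # so the connecting IP here is harder for the sender to forge than From:.
    spf = msg.get("Received-SPF", "").lower()
    ip = re.search(r"client-ip=([\d.]+)", spf)
    sender_ip = ip.group(1) if ip else ""
    signals = {
        "foxmail_cn": 30 if "Foxmail 6" in xmailer and "[cn]" in xmailer else 0,
        "known_ip": 25 if sender_ip in CAMPAIGN_IPS else 0,
        "known_domain": 20 if sender_domain in CAMPAIGN_DOMAINS else 0,
        "random_cn": 15 if RANDOM_CN.match(sender_domain) else 0,
        "spf_fail": 10 if spf.startswith(("fail", "softfail")) else 0,
    }
    return sum(signals.values()), signals

def is_campaign(raw):
    return score_message(raw)[0] >= THRESHOLD

# Constructed sample 1: rotated IP and domain, but fingerprint, .cn pattern and SPF fail survive.
ROTATED = (
    'From: "ANA" <info@qwertz.cn>\n'
    "Date: Thu, 19 Feb 2026 21:52:00 +0800\n"
    "X-Mailer: Foxmail 6, 13, 102, 15 [cn]\n"
    "Received-SPF: Fail (mx.example.jp: domain of qwertz.cn does not designate "
    "203.0.113.9 as permitted sender) client-ip=203.0.113.9\n"
)
# Constructed sample 2: benign partner on current Foxmail, SPF pass, hyphenated domain.
BENIGN = (
    "From: partner@shanghai-supplier.cn\n"
    "Date: Thu, 19 Feb 2026 10:00:00 +0800\n"
    "X-Mailer: Foxmail 7.2.25 [cn]\n"
    "Received-SPF: Pass (mx.example.jp: domain of shanghai-supplier.cn designates "
    "198.51.100.7 as permitted sender) client-ip=198.51.100.7\n"
)
```

The rotated sample scores 55 (fingerprint 30, .cn pattern 15, SPF 10) and is flagged even though neither its IP nor its domain is on the IOC list, which is the point of weighting the fingerprint above the burned infrastructure.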

Sigma

This rule detects HTTP POST requests to .cn domains whose URI path matches one of the campaign's brand login paths, i.e. form submissions to the credential harvesting endpoints:
```yaml
title: HTTP POST Credential Harvest to .cn Domain with Brand Login Path
id: 8b4d1e23-5f9c-4a3b-c7e2-0d9f6a8b3c45
status: experimental
description: >
    Detects form submissions to .cn domains with paths matching brand login
    endpoints (amcmembr, portal_login, mtgalogin). Covers ANA/DHL/myTOKYOGAS
    credential harvesting infrastructure in TL-2026-0129 campaign.
references:
    - https://intel.threadlinqs.com/#TL-2026-0129
    - https://isc.sans.edu/diary/rss/32734
author: Threadlinqs Intelligence
date: 2026-02-22
tags:
    - attack.credential_access
    - attack.t1056.003
    - attack.reconnaissance   # T1598.003 (Phishing for Information) sits under Reconnaissance
    - attack.t1598.003
logsource:
    category: proxy
    product: web_proxy
detection:
    selection_method:
        cs-method: POST
    selection_domain:
        cs-host|endswith: '.cn'
    selection_path:
        # c-uri is the Sigma proxy taxonomy field for the requested URI
        c-uri|contains:
            - 'amcmembr'
            - 'portal_login'
            - 'mtgalogin'
            - 'Loginam'
            - 'getQuoteTab'
    condition: selection_method and selection_domain and selection_path
falsepositives:
    - Legitimate Chinese web portal authentication
level: high
```
Browse all 9 detection rules for this threat: View on Threadlinqs Intelligence
SANS ISC phishing evidence — fraudulent DHL Express delivery notification in Japanese with 'missed delivery' social engineering and credential harvesting link.

Indicators of Compromise

Network Indicators

| Type   | Indicator                                               | Context                                            |
|--------|---------------------------------------------------------|----------------------------------------------------|
| IPv4   | 150.5.129.136                                           | ANA phishing sending IP — AS150436, Hong Kong      |
| IPv4   | 101.47.78.193                                           | DHL phishing sending IP — AS150436, Hong Kong      |
| IPv4   | 150.5.130.42                                            | myTOKYOGAS phishing sending IP — AS150436, Hong Kong |
| Domain | ncqjw.cn                                                | ANA phishing sending domain                        |
| Domain | obpwnrl.cn                                              | DHL phishing sending domain                        |
| Domain | cwqfvzp.cn                                              | myTOKYOGAS phishing sending domain                 |
| Domain | aayjlc.cn                                               | ANA credential harvesting domain                   |
| Domain | ykdyrkye.cn                                             | DHL credential harvesting domain                   |
| Domain | rexqm.cn                                                | myTOKYOGAS credential harvesting domain            |
| URL    | branchiish.aayjlc.cn/amcmembr_Loginam/                  | ANA AMC credential harvest page                    |
| URL    | decideosity.ykdyrkye.cn/portal_login_exp/getQuoteTab/   | DHL portal credential harvest page                 |
| URL    | impactish.rexqm.cn/mtgalogin/                           | myTOKYOGAS credential harvest page                 |
| ASN    | AS150436                                                | Byteplus Pte. Ltd. (ByteDance cloud) — all sending IPs |

Behavioral Indicators

| Type              | Indicator                                                          | Context                                 |
|-------------------|--------------------------------------------------------------------|-----------------------------------------|
| X-Mailer          | Foxmail 6, 13, 102, 15 [cn]                                        | Campaign fingerprint across all waves   |
| Timezone          | +0800 (UTC+8) in email Date headers                                | China/Hong Kong operational hours       |
| Domain Pattern    | Random 4-10 char .cn domains                                       | Disposable sending infrastructure       |
| Subdomain Pattern | Pseudo-English compound words (branchiish, decideosity, impactish) | Phishing page hosting convention        |
| URL Structure     | [random-sub].[random].cn/[brand-path]/                             | Credential harvesting page format       |
| SPF               | SPF FAIL on all .cn sending domains                                | Authentication failure indicator        |

Timeline

| Date        | Event                                                                                            |
|-------------|--------------------------------------------------------------------------------------------------|
| ~2025-02-01 | Campaign estimated to begin, approximately one year before SANS ISC publication                  |
| 2026-02-19  | ANA phishing email sent from ncqjw.cn (150.5.129.136) at 21:52 +0800                             |
| 2026-02-20  | DHL phishing email sent from obpwnrl.cn (101.47.78.193) at 12:29 +0800                           |
| 2026-02-20  | myTOKYOGAS phishing email sent from cwqfvzp.cn (150.5.130.42) at 23:50 +0800                     |
| 2026-02-21  | Brad Duncan publishes SANS ISC diary entry 32734 with IOCs and analysis                          |
| 2026-02-22  | Threadlinqs Intelligence publishes TL-2026-0129 with infrastructure correlation and detection coverage |

MITRE ATT&CK Mapping

| Tactic               | Technique                                          | ID        | Context                                                        |
|----------------------|----------------------------------------------------|-----------|----------------------------------------------------------------|
| Reconnaissance       | Gather Victim Identity Info: Email Addresses       | T1589.002 | Bulk email list acquisition for spray-and-pray distribution    |
| Reconnaissance       | Search Open Websites/Domains                       | T1593     | Brand portal reconnaissance for login page cloning             |
| Resource Development | Acquire Infrastructure: Domains                    | T1583.001 | Random-character .cn domain registration                       |
| Resource Development | Acquire Infrastructure: VPS                        | T1583.003 | Byteplus/AS150436 cloud hosting in Hong Kong                   |
| Resource Development | Obtain Capabilities: Tool                          | T1588.002 | Legacy Foxmail 6.x for bulk email sending                      |
| Resource Development | Establish Accounts: Email Accounts                 | T1585.002 | Sending accounts on .cn domains                                |
| Resource Development | Stage Capabilities: Link Target                    | T1608.005 | Brand-specific credential harvest pages                        |
| Initial Access       | Phishing: Spearphishing Link                       | T1566.002 | Japanese-language emails with phishing links                   |
| Execution            | User Execution: Malicious Link                     | T1204.001 | Victim clicks brand login link                                 |
| Credential Access    | Input Capture: Web Portal Capture                  | T1056.003 | Fake login forms harvesting credentials                        |
| Defense Evasion      | Masquerading                                       | T1036     | Brand impersonation — ANA, DHL, myTOKYOGAS                     |
| Defense Evasion      | Impersonation                                      | T1656     | Multi-brand coordinated impersonation                          |
| Lateral Movement     | Use Alternate Auth Material: Web Session Cookie    | T1550.004 | Stolen session replay for account takeover                     |
| Impact               | Account Access Removal                             | T1531     | Contact info changed post-compromise, locking out legitimate user |
Full MITRE ATT&CK mapping with 21 techniques: View coverage on Threadlinqs
TL-2026-0129 on Threadlinqs Intelligence — Japanese-language phishing campaign impersonating ANA, DHL, and myTOKYOGAS with Chinese infrastructure fingerprints.

Recommendations

  1. Block known IOCs — Add the three sending IPs and nine domains to email gateway and proxy blocklists. Block AS150436 at the network perimeter if no legitimate business traffic originates from Byteplus infrastructure.
  2. Deploy X-Mailer detection — Create email gateway rules matching Foxmail 6, 13, 102, 15 combined with .cn sending domain and SPF failure. This fingerprint catches infrastructure rotation.
  3. Restrict .cn email — For organizations without Chinese business relationships, block or quarantine inbound email from .cn sending domains at the gateway.
  4. User awareness — Alert employees, particularly Japanese-speaking staff, about ANA/DHL/myTOKYOGAS brand impersonation. No legitimate Japanese brand sends email from .cn domains. Full stop.
  5. Monitor for account takeover — If any users may have submitted credentials, force password resets on ANA Mileage Club, DHL shipping, and myTOKYOGAS accounts. Monitor for anomalous login geography and contact information changes.

References


Full threat intelligence, detection rules, and IOC feeds are available on Threadlinqs Intelligence. Track this threat: TL-2026-0129.