Cybersecurity analysts have uncovered a phishing campaign that uses fake “cloud storage payment” emails to send victims through a chain of deceptive redirects — ultimately landing them at the controversial Freecash site. The scam doesn’t directly harvest login credentials, but instead appears designed to generate revenue for threat operators through affiliate marketing schemes.

The campaign starts with an email styled to look like a legitimate notification from a cloud storage provider. In the sample observed by researchers, the subject line claims a user’s “Cloud Account has been locked” and warns that photos and videos will be removed because of a supposed payment failure. The body of the message urges the recipient to “Update Payment Details” via a link.

Although the message mimics real account renewal notices, it is a phishing lure. The link included in the email points to a Google Cloud Storage (GCS) URL — a legitimate hosting service — which helps build false trust. Threat actors often abuse GCS and similar services to host phishing pages because they are seen as trustworthy by users and spam filters alike.

After the initial click, the victim’s browser is redirected through several malicious domains, including one that has been seen in prior phishing campaigns. These include feed.headquartoonjpn[.]com and hx5.submitloading[.]com, which are blocked by security tools for their role in phishing and malware activity.

The final destination in the redirect chain is freecash[.]com. Freecash is known in some circles for advertising “get paid to scroll” or similar rewards, but its affiliate model means visitors may be pushed into various offers or sign-ups that financially benefit the scam operators rather than the users themselves.

Unlike many phishing attacks, this threat does not immediately request passwords or other sensitive login information. Instead, by funneling traffic to affiliate offers, the perpetrators profit when victims engage with those external promotions — such as VPN subscriptions or unrelated services — often with little connection to the original cloud-storage claim.

How to Stay Safe

Security experts warn users to treat unsolicited emails like this with suspicion:

• Never click links in unexpected emails that request updates to payment or account details.
• Verify directly with the official service by opening your cloud storage account using a browser or app you trust.
• Use up-to-date anti-malware and phishing detection software that can block harmful redirects before they load.
• Be especially wary of messages with urgent language about lost data or blocked accounts — these are common tactics used to trick users into acting without thinking.

This campaign highlights how cybercriminals adapt common fears — like losing precious files — into sophisticated phishing traps, not always to steal credentials directly, but often to generate affiliate income through misleading routes.