I recently came across a phishing emails with a link leading to a subdomain of citi.com, owned by Citibank. Further investigation shows that this particular subdomain is used by Citibank for marketing emails.
![](https://freshphish.info/wp-content/uploads/2023/05/citibank01.jpg)
You can see the link, rewritten by an email security system, links to l.info16.citi.com, shown in brackets at the end of the link.
Here is the page I was redirected to from the landing page on Citibank to a subdomain of windows.net.
![](https://freshphish.info/wp-content/uploads/2023/05/citibank02.png)
I notified Citibank of the phish landing page on their servers and it appears they and Microsoft have taken it down from their respective pages.
–Matt