You almost have to admire the gall it takes to use a fake email supposedly warning you about suspicious activity on your account, to trick you into clicking a link that then downloads malware giving someone access to your account. Almost.
I've just recently seen several examples of this email showing up in my inbox:
The first clue was that this supposedly came from the email address firstname.lastname@example.org, which doesn't make sense if it were officially a cPanel email. (Though the "from" name and email are easily spoofed, so can't be trusted at face value anyway.)
Hovering over the links for "This wasn't me", "This was me", and "Why am I getting this email?" (being very careful not click them!) allows the browser to show the address you would be sent to if that link is clicked. Chrome shows this in the lower left corner of the browser. These were the links used here:
Links used in automated emails can be normally long and difficult to read with the human eye... but one giveaway here was that the "this wasn't me" and the "this was me" link were identical. That doesn't make a lot of sense, given what the links are supposed to indicate.
As always, the best rule of thumb for any email like this, is to assume that it COULD be spam or phishing. If you are concerned that a notification is legitimate, always log in directly to your account and look for notifications there, or contact support associated with that account. Only click a link or button in an email if it's a message you were expecting and have good reason to trust.