Credential Phishing Attack Poses as a Secure Message Shared by the IRS

In this attack, the email posed as a ShareFile secure message supposedly being sent from the Internal Revenue Service (IRS). The message stated that in order to view the encrypted message, the recipient needed to click on a “View Your Message” button and sign in using their email credentials. The email was sent from a freely-available Gmail account and the sender’s display name was set to “IRS Notification,” making it appear to be a legitimate tax-related message. To hide all of the targets of the attack, the attacker BCC’d all of the recipients instead of including them in a normal To field.

Had the recipient clicked on the link in the email, they would have been directed to a phishing page posing as a ShareFile login portal. The phishing page directed a visitor to “login with your domain provider” and displayed the logos for a number of various webmail providers.

The URL found in the email is one that has not been previously detected as malicious, allowing it to bypass traditional tools that rely on known bad indicators. The email was sent from a Gmail account, a free webmail service available to anyone. As a result, there is no bad domain reputation for traditional security providers to discover, and the email passes all authentication checks for SPF, DKIM, and DMARC.  

A behavioral system is required to stop attacks that use never-before-seen URLs. By understanding the intent of the link, alongside other signals acquired through content analysis, a cloud email security platform understands when an email may be malicious. All of the recipients receiving the email were BCC’d, a common pattern when attackers send similar attacks to many recipients.

The theme of this email–the sharing of tax documents at the beginning of tax season–may result in a higher success rate since it will likely be of greater interest to targeted employees. Because the phishing link was hidden behind a button, an employee that received the email may click on the link without recognizing it is malicious. If an employee entered credentials into the phishing page, attackers would have full access to their email account, which they can then use to look for sensitive information or as a launch point for other attacks on the employee’s coworkers, customers, or vendors.