Email Posing as Request for Tax Help Pivots from Response-based to Link-based Attack to Deliver Malware

This attack started with a text-based email from a sender that was requesting assistance filing their tax return. The sender wrote that the accounting firm they previously used to assist with their taxes shut down, so they needed to find a new tax service to help. The email included some flattery for the recipient, stating that after researching the recipient’s company online, they were certain that the recipient would “provide incredible value to our tax and accounting needs.” The sender ended the email by letting the recipient know they could provide their W-2 and 1099-R forms, as well as their tax return from the previous year. The email account listed as the sending address was hosted on a domain registered by the attacker. The message also included a reply-to address that was hosted on another maliciously-registered domain that was created to mimic the sending domain, but included one extra letter.

Had the recipient responded to the initial email, the attacker would have responded with a follow-up message containing a link they indicated would have directed the recipient to their previous year’s tax return and other tax forms. In reality, the link led to a site that downloaded a ZIP file containing a malicious PDF file.

Because the initial email in this attack was text-based, without any other indicators of compromise, there is little for a secure email gateway to use to determine malicious intent. The domains hosting the sending email address and reply-to address were both valid and had not been previously flagged as being used for malicious purposes. Because the domains were registered by the attacker and didn’t spoof a legitimate domain, countermeasures like DMARC would not have been effective.

Content analysis can detect the presence of potentially suspicious requests, indicating when an email should undergo additional scrutiny. The email address that appears as the origin of the message was different from the reply-to address, which is a common tactic in response-based phishing attacks where the attacker wants the message to appear to come from a different account than the one they intend to use to communicate with the recipient.

Because requests like these are expected by some recipients working in the accounting sector, it would be difficult for them to ignore the potential for developing a new customer, making them more susceptible to falling victim. If the target clicked on the link in the second email, malware would be downloaded to their computer. If the malware was executed, an attacker could perform a variety of nefarious actions, including escalating it into a ransomware attack.