IRS email impersonations are widespread across all industries. These attacks vary in scale and victim, targeting both individuals and companies as a whole. This particular attack follows the growing trend of utilising social engineering strategies for malicious engagement, allowing attackers to easily bypass email security solutions that focus on a link or attachment-based threat vectors.
Summary of attack
- Platform: Office 365
- Mailboxes:5K-50K
- Bypassed Email Security: Office 365
- Victims: Employees
- Payload: Link
- Technique: Impersonation
What was the attack?
The attacker impersonates the IRS by crafting an automated email informing the applicant that they have been approved for the $1400 stimulus payment. The email contains a link hidden embedded within the text that reads “Claim your refund now”. By clicking on the link, the recipient is led to the attacker’s carefully crafted landing page. Here the recipient is prompted to fill out the form which attackers can then retrieve to commit fraud.
This impersonation is especially convincing as the attacker’s landing page is identical to the IRS website including the popup alert that states “THIS U.S. GOVERNMENT SYSTEM IS FOR AUTHORIZED USE ONLY”, a statement that also appears on the legitimate IRS website.
The attacker also attempts to conceal the URL as to not alert the recipient that the URL leads to a form hosted on an amazon domain. This was to obscure the landing page in an attempt to forge legitimacy.
Why did this attack bypass existing email security?
Phishing attempts that utilise social engineering are much lower in volume, target specific persons, and can be hosted on domains
This attack likely bypassed email gateways because the existing gateways only take threat examples from ongoing and current attacks that are in high volume. Phishing attempts that utilise social engineering are much lower in volume, target specific persons, and can be hosted on domains that can be quickly taken down.
Abnormal was able to detect this attack through analysing 42804+ signals. This message received an attack score of 85 for several reasons. The first was the suspicious link embedded within the text of the email that led to the phishing page. Another signal was the unusual sender that has never been seen before sending to this particular organisation.
In addition to this, the language of the email was analysed, and found suspicious financial vocabulary indicating a possible attempt to steal money from the recipient.