Download PDF version Contact company
Related Links

IRS email impersonations are widespread across all industries. These attacks vary in scale and victim, targeting both individuals and companies as a whole. This particular attack follows the growing trend of utilising social engineering strategies for malicious engagement, allowing attackers to easily bypass email security solutions that focus on a link or attachment-based threat vectors.

Summary of attack

  • Platform: Office 365
  • Mailboxes:5K-50K
  • Bypassed Email Security: Office 365
  • Victims: Employees
  • Payload: Link
  • Technique: Impersonation

What was the attack?

The attacker impersonates the IRS by crafting an automated email informing the applicant that they have been approved for the $1400 stimulus payment. The email contains a link hidden embedded within the text that reads “Claim your refund now”. By clicking on the link, the recipient is led to the attacker’s carefully crafted landing page. Here the recipient is prompted to fill out the form which attackers can then retrieve to commit fraud. 

This impersonation is especially convincing as the attacker’s landing page is identical to the IRS website including the popup alert that states “THIS U.S. GOVERNMENT SYSTEM IS FOR AUTHORIZED USE ONLY”, a statement that also appears on the legitimate IRS website.

The attacker also attempts to conceal the URL as to not alert the recipient that the URL leads to a form hosted on an amazon domain. This was to obscure the landing page in an attempt to forge legitimacy.

Why did this attack bypass existing email security?

Phishing attempts that utilise social engineering are much lower in volume, target specific persons, and can be hosted on domains

This attack likely bypassed email gateways because the existing gateways only take threat examples from ongoing and current attacks that are in high volume. Phishing attempts that utilise social engineering are much lower in volume, target specific persons, and can be hosted on domains that can be quickly taken down.  

Abnormal was able to detect this attack through analysing 42804+ signals. This message received an attack score of 85 for several reasons. The first was the suspicious link embedded within the text of the email that led to the phishing page.  Another signal was the unusual sender that has never been seen before sending to this particular organisation.

In addition to this, the language of the email was analysed, and found suspicious financial vocabulary indicating a possible attempt to steal money from the recipient.

Download PDF version Download PDF version

Related videos

Upgraded feature for Xesar - Now with smartphone as well!

Upgraded feature for Xesar - Now with smartphone as well!
Enhancing government security with proactive threat detection from Wavestore

Enhancing government security with proactive threat detection from Wavestore
Join the biggest hour for Earth

Join the biggest hour for Earth

In case you missed it

What are the new security applications in colleges and universities?
What are the new security applications in colleges and universities?

College campuses are meant to be places of learning, growth, and community. Fostering such an environment requires the deployment of policies and technologies that ensure safety an...

Real-time security analytics by Winston-Salem Police Department with Verkada
Real-time security analytics by Winston-Salem Police Department with Verkada

The Winston-Salem Police Department (WSPD), internationally accredited by the Commission on Accreditation for Law Enforcement Agencies (CALEA), is dedicated to proactive, data-driv...

Oil sector cybersecurity - overcoming challenges with Honeywell's csHAZOP
Oil sector cybersecurity - overcoming challenges with Honeywell's csHAZOP

A major European oil and gas company that acquires, explores, produces and supplies chemical and petroleum products had a cybersecurity challenge. Company leadership wanted a b...

Featured white papers
Security practices for hotels

Security practices for hotels

Download
Access control system planning phase 2

Access control system planning phase 2

Download
Honeywell GARD USB threat report 2024

Honeywell GARD USB threat report 2024

Download
SIA Identity and Biometrics Symposium

SIA Identity and Biometrics Symposium

Download
Facial recognition

Facial recognition

Download
Quick poll
Which feature is most important in a video surveillance system?
More case studies
Code Handle® door locks key-free door security saves everyone’s time at Augusta 29 Barcelona office

Code Handle® door locks key-free door security saves everyone’s time at Augusta 29 Barcelona office
HID Global Civil Registry Solution advances Antigua and Barbuda’s transformation to a digital society

HID Global Civil Registry Solution advances Antigua and Barbuda’s transformation to a digital society
Vimpex’s Hydrosense Water Leak Detection System protects Dublin Airport’s new Visual Control Tower

Vimpex’s Hydrosense Water Leak Detection System protects Dublin Airport’s new Visual Control Tower
Featured products
HID Signo™ Biometric Reader 25B - Multi-technology, mobile ready, fingerprint reader

HID Signo™ Biometric Reader 25B - Multi-technology, mobile ready, fingerprint reader
Anviz 8MP AI-Powered Mini Dome Network Camera with 360° Clarity

Anviz 8MP AI-Powered Mini Dome Network Camera with 360° Clarity
Verkada Monitored Alarm System

Verkada Monitored Alarm System