Tax-themed Email Campaigns Target 2019 Filers

Every year, Proofpoint observes a seasonal uptick in tax-related malware and phishing campaigns leading up to annual tax filing deadlines. In 2017, these campaigns focused on phishing and increasingly sophisticated social engineering, as well as banking Trojans and ransomware. In 2018, we observed sophisticated email campaigns that featured urgent tax-themed lures and convincing spoofs of IRS branding. Epitomizing one of the major trends of 2018, these campaigns distributed a variety of RATs including Orcus RAT, Remcos RAT, and NetWire. With tax season again upon us, we have seen a similar bump in tax-related campaigns both in the US and internationally. Malware payloads generally reflected the mix in the broader landscape, with a focus on RATs, downloaders, and banking Trojans, while common phishing emails remained pervasive.

Malware Campaigns

NetWire is a multiplatform RAT typically delivered via spammed email attachments that contain Microsoft Office files with embedded executables, including .jar files. Many NetWire campaigns primarily target verticals like financial services, businesses, and educational institutions. Recent NetWire campaigns in September and October of 2018, and later in early February 2019, targeted users in Australia, Canada, and the United States and employed tax-related lures with social engineering invoking a sense of urgency or creating an air of legitimacy with subject lines that included:

  • Notice of Outstanding Income Tax Demand…
  • IRS Update for 1099 Employees
  • 2018 EF Tax Incentive Billing
  • Your IRAS 2018 Tax Report

Campaign: “Australian Tax Office” lure dropping NetWire

On October 2, 2018, Proofpoint observed a campaign distributing thousands of messages with attached Microsoft Word documents. The documents contained macros that, when executed, installed NetWire malware (Figure 1). These documents also exploited CVE-2017-11882 (Equation Editor) on vulnerable devices.

Actors purported to be from the “Australian Taxation Office,” the legitimate Australian government tax agency. However, the emails were actually sent from an AOL account with a spoofed display name.
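The mismatch described above, a tax-authority display name on a free-mail sender address, can be checked mechanically at the mail gateway or during triage. The following is an added example, not code from Proofpoint or the original post; the brand-to-domain allowlist, the free-mail list, and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string, policy

# Assumed allowlist (not from the original post): tax-authority names as they
# appear in display names, mapped to domains the defender accepts for them.
BRANDS = {
    "australian taxation office": {"ato.gov.au"},
    "internal revenue service": {"irs.gov"},
    "inland revenue authority of singapore": {"iras.gov.sg"},
}
FREE_MAIL = {"aol.com", "gmail.com", "outlook.com", "yahoo.com"}

# Constructed sample messages; addresses are invented for illustration.
SAMPLES = {
    "lure": 'From: "Australian Taxation Office" <refund.notice@aol.com>\n'
            "Subject: Notice of Outstanding Income Tax Demand\n\nbody\n",
    "encoded": "From: =?utf-8?q?Australian_Taxation_Office?= <a@mail.example>\n"
               "Subject: Tax notice\n\nbody\n",
    "genuine": 'From: "Australian Taxation Office" <noreply@mail.ato.gov.au>\n'
               "Subject: Your statement\n\nbody\n",
}


def check_display_name(raw_message):
    """Return (verdict, brand, sender_domain) for one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    header = msg["From"]
    if header is None or not header.addresses:
        return ("no-from", None, "")
    sender = header.addresses[0]
    # policy.default decodes RFC 2047 encoded-words in the display name
    name = " ".join((sender.display_name or "").lower().split())
    domain = sender.domain.lower()
    for brand, allowed in BRANDS.items():
        if brand in name:
            # Accept the brand's own domain and its subdomains only
            if any(domain == d or domain.endswith("." + d) for d in allowed):
                return ("ok", brand, domain)
            kind = "spoof-freemail" if domain in FREE_MAIL else "spoof-mismatch"
            return (kind, brand, domain)
    return ("no-brand", None, domain)


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_display_name(raw))
```

An "ok" verdict only means the display name and address domain agree; SPF, DKIM, and DMARC results still have to be evaluated separately.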

Figure 1: Lure document attached to fake Australian Tax Office emails with embedded macros that, when enabled, install NetWire RAT

Campaign: Canada Post lure dropping NetWire

Threat actors spoofing Canada Post and New Zealand Inland Revenue Department email addresses sent a campaign involving tens of thousands of messages using tax-related lures between September 26 and 28, 2018. The emails contained attached Microsoft Word documents with macros that, if enabled, downloaded NetWire.

Additional NetWire campaigns

We also observed several other campaigns that utilized tax-themed lures and convincing branding and graphical elements to deceive email recipients (Figure 2).

Figure 2: Malicious document attachment with fake error dialog that instructs the user to “Enable Editing” to view the document, which will instead download and install the NetWire RAT

Figure 3 shows another NetWire lure that purports to be from the Indian government demanding payment for outstanding taxes. In this case, victims follow a link with a URL shortener to download NetWire.

Figure 3: A campaign in early February 2019 used socially engineered tax-themed lures and spoofed email addresses to convince recipients to click on malicious URLs, which download Microsoft Office documents that contain the NetWire RAT

Fake Professor campaign

Figures 4 and 5 show an example email and faked document, respectively, used to install an instance of Remcos RAT on victim machines. Between January 10 and 11, 2019, Proofpoint researchers observed emails purporting to be from a fictitious professor sent to accounting and business services organizations. The documents included a retouched fake W2 and other supporting fake documents designed to convince the recipient that the sender was an actual individual submitting tax return information for preparation. When opened and the content enabled, macros in the attached Microsoft Word documents download and install Remcos RAT.

Figure 4: Email with specific references to legitimate tax forms like the “W2”, “1098”, and “1099R”. This email used a personalized subject line, spoofed sender address, and fake tax-related documents
Figure 5: Spoofed tax form used to convince recipients that the actor is a legitimate tax preparer

Additional malware campaigns

Tax-themed email lures are not limited to the United States. Figure 6, for example, shows an email targeting Singapore residents with messages purporting to be from the local taxation authority. When recipients open the attached Microsoft Word document and enable content, malicious macros download and install the Ave Maria RAT.

Figure 6: Email with spoofed “Inland Revenue Authority of Singapore” sender address and tax-themed subject line

Tax-themed lures are also used to distribute banking Trojans such as The Trick. In particular, in the example from Figure 7 the threat actors target US victims with IRS form names despite foreign top-level domains. Other campaigns observed by Proofpoint researchers leverage stolen branding and seemingly legitimate privacy language to convince victims to open an attached spreadsheet with malicious macros that install The Trick when they are enabled.

Figure 7: An email from a campaign in early February 2019 that features a tax-themed subject line and contains URLs that download malicious Microsoft Word documents with macros that, once enabled, install “The Trick” banking Trojan

Tax-Related Phishing Campaigns

This year, we also observed a significant increase in tax-related phishing campaigns, in which actors sent thousands of emails with HTML attachments or URLs that linked victims to spoofed login pages and online forms with stolen branding from the IRS and other local tax authorities. To ensure that the phishing attempts remained undetected, actors often redirected victims to the official tax authority websites after stealing their credentials. As a result, many victims were likely unaware that they had just disclosed their tax information to phishers.

These campaigns impersonated legitimate tax authorities from around the world. Actors created convincing imitations of the websites of several official tax authorities: the US Internal Revenue Service, Canada Revenue Agency, and the New Zealand Inland Revenue Department, among others. Examples appear in Figures 8-15.

Domestic Phishing

Figure 8: A fake login page with stolen IRS branding that is used for credential phishing

Figure 9: IRS-themed credential phishing page with stolen branding, featuring a socially engineered message at the top of the form to incite a sense of urgency

Figure 10: Another IRS-themed phishing page using stolen branding designed to steal a range of personal information

International Tax Phishing

Figure 11: Fake HMRC web form used for credential phishing (UK)

Figure 12: Fake Canada Revenue Agency page used for credential phishing (Canada)

Figure 13: Fake “myGOV” login portal used for credential phishing to steal tax information. This portal login is indistinguishable from its genuine counterpart (Australia)

Figure 14: Fake “Ministry of Public Action and Accounts” login page used for credential phishing (France)

Figure 15: Fake Inland Revenue tax refund phishing page (New Zealand)


As in years past, Proofpoint researchers observed the expected seasonal increase in tax-themed campaigns. 2019 saw a continuation of a trend towards high numbers of RATs first observed in 2018. Regardless of the payload, however, actors utilized social engineering techniques in subject lines, spoofed email addresses, and “decoy” links that led to the websites of legitimate government tax offices, many of which were outside of the U.S. In fact, the campaigns we tracked spanned a range of geographies, demonstrating the effectiveness of tax themes as nearly universal lures. As tax day approaches, filers should stay vigilant, and be wary of increasingly convincing lures, stolen branding, and more.








Indicators of Compromise (IOCs)



IOC Type


Australian Tax Office | 2 October 2018

build(2).doc for October 2-3, 2018 NetWire campaign

NetWire | Canada Post | 26-28 September 2018

Build.doc for September 26-30 NetWire campaign

NetWire | Canada Post | 26-28 September 2018

Build.doc for September 26-28 NetWire campaign

NetWire | Canada Post | 26-28 September 2018

build (1).doc for “NetWire” campaign

Ave Maria | "Your IRAS 2018 Tax Report!!!" | 26-27 February 2019

Sg2018taxreport.doc.docm for the February 26-27 “Ave Maria” campaign

March Tax Phishing Campaign

Credential phishing login page for March tax phishing campaign