With tax season around the corner, we’re seeing an expected uptick in tax-related malicious emails. This particular email delivered malware masquerading as a tax document and was sent from a domain registered in Nigeria.

This particular email was missed by Mimecast, but stopped by Avanan.

The attackers tried to obfuscate their approach by changing the Reply-To address to eservices@firs.gov, but the actual From address represents Nigeria's equivalent of the IRS.


Here's what the entire email looks like:

Avanan’s scan was able to determine with high confidence that the .html attachment was Trojan malware. This Trojan attachment was able to get past this client’s SEG with ease.

If the victim were to click the attachment, they would be presented with an innocent-looking login page:


Once the information is filled out, the victim is redirected to this malicious page: 


This is why Mimecast was not able to flag this email as malicious. Avanan is able to protect users from threats like these because we take the extra step to analyze all links that are in an attachment.
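The two signals described in this brief, a Reply-To domain that differs from the From domain and links carried inside an .html attachment, can be surfaced with a short triage script. This is an added example, not Avanan's code; the sample message, its addresses and URLs, and the names `triage`, `domain` and `LinkCollector` are constructed for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample, not the email from this brief; all addresses and URLs are placeholders.
SAMPLE_EML = """\
From: Tax Office <notice@sender.example>
Reply-To: eservices@other.example
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See the attached tax document.
--b1
Content-Type: text/html; name="tax_document.html"
Content-Disposition: attachment; filename="tax_document.html"

<form action="https://collector.example/post.php" method="post"><input type="password" name="pw"></form>
<a href="https://landing.example/next">Continue</a>
--b1--
"""

class LinkCollector(HTMLParser):  # gathers URLs and notes password inputs
    def __init__(self):
        super().__init__()
        self.urls, self.has_password = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.urls += [a[k] for k in ("href", "src", "action")
                      if (a.get(k) or "").lower().startswith(("http://", "https://"))]
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True

def domain(value):  # domain part of an address header, "" if the header is absent
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def triage(raw):
    msg = message_from_string(raw, policy=policy.default)
    frm, rto = domain(msg["From"]), domain(msg["Reply-To"])
    report = {"reply_to_mismatch": bool(rto) and rto != frm, "attachments": []}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/html" or name.endswith((".html", ".htm")):
            c = LinkCollector()
            c.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            report["attachments"].append(
                {"name": name, "urls": c.urls, "credential_form": c.has_password})
    return report
```

The URLs returned for each attachment are the ones to hand to a reputation or sandbox check, the same way links in the message body would be.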

PSA: The IRS will never email or call you first. They will only initiate correspondence via snail mail.
