This post was authored by Earl Carter and Craig Williams.

With the April 15th US tax deadline only about 2 months away, a new wave of tax related phishing is underway. In this latest spear-phishing campaign, attackers are attempting to gain access to your system so that they can steal your banking and other online credentials. An interesting twist to this latest campaign is that they seem to be specifically targeting high level security professionals and CTOs in technical companies.

On Tuesday, Talos noticed the beginning of a phishing campaign in our telemetry data. The subject of the emails all revolve around payment confirmation or Federal taxes. Some of the common subjects include:

Payment Confirmation
Federal tax payment received
Federal TAX payment
Payment Service

These initial emails seemed to come from an email address that was related to the government, such as [email protected] or [email protected]. The attachment was a Word doc named receipt_4676373.doc, which included a malicious VBA script that automatically executed if you opened the attachment. The body claims that your confirmation number is 4676373 and is similar to the following:

By Wednesday, the campaign had changed the emails slightly. Now the source addresses are more widely varied. A few of the source addresses include, but are no longer limited to addresses with gov in them:

Federal Payment <[email protected]>
Confrim Federal Tax Payment <[email protected]>
Confrim Federal Tax Payment <[email protected]>
Federal TAX Payment <[email protected]>

The attachment changed to receipt_3458934.doc. The body of the message was also updated.  The claim number was changed to match 3458934 in the attachment name. Furthermore, the body now includes a line indicating a refund amount similar to "