Watch out — those IRS tax forms could actually just be malware

In one campaign, the attackers would impersonate the IRS and share a fake W-9 tax form via email. The fax form is actually the Emotet malware, capable of stealing sensitive data from the infected endpoints and using it to further distribute itself. Emotet can also serve as a dropper, allowing the threat actors to distribute different types of malware, ransomware included. 

Word and OneNote files

In this campaign, the attackers would send a malware-laden Word document, inflated to 500MB+ in order to avoid triggering the antivirus programs. However, given that Microsoft blocked macros from internet-downloaded Office files, chances are this campaign won’t be that successful. 

The second campaign is different in the fact that instead of Word files, these attackers are distributing OneNote files with malicious add-ons. 

These are yet to be fully blocked when downloaded from the internet, so the success rate will probably be somewhat higher. In this campaign, the attackers would share a NoteBook (a OneNote file) that’s “protected” (seems to be blurred out) and requiring the user to click “Unlock” or “View” or a similar call to action. However, what they would really be doing is triggering the add-on, which would download the Emotet malware.

The second major difference is that these files wouldn’t come from the fake IRS but rather fake partners, clients, or businesses the victims otherwise engage with. 

Usually, tax forms are distributed as a .PDF file, and not as a .DOCX file, which is probably the best way to spot a cyberattack. Furthermore, OneNote is not exactly the most popular productivity tool out there, so getting a NoteBook file should be a red flag right from the start.

• Here are the best ID theft protection tools today

Via: BleepingComputer