Blox Tales #16: IRS COVID Relief Phishing

Abhishek Iyer
Written by Abhishek Iyer
Threat Research /
Blox Tales #16: IRS COVID Relief Phishing

Each Blox Tale will take a look at a targeted email attack, outline why it made its way into an inbox, and provide guidance for organizations looking to stop such attacks. In this blog, we’ll focus on a credential phishing email that claimed to contain an important document about COVID relief funds from the Internal Revenue Service (IRS). Clicking the link in the email led readers to a SharePoint form that asked for email credentials, social security numbers, driver license numbers, and tax numbers.

A summary of the attack flow is given below:


Fig: Summary of the IRS COVID relief phishing attack

The Attack

A few days ago, we saw a credential phishing attempt to hit multiple customer inboxes. This email claimed to contain an important document about IRS COVID relief funds and included a link to view the document. Clicking the link led victims to a SharePoint form that they were told to complete before accessing the document. This form asked for email credentials along with other personal information such as social security numbers, driver license numbers, and tax numbers.

A screenshot of the email is given below:


Fig: Phishing email disguised as information about IRS COVID relief funds

Why The Attack Got Through

This email got past existing Office 365 email security controls because it didn’t follow the tenets of more traditional phishing attacks.

1. Socially engineered email

The email language and context included multiple emotional triggers to induce the required response from victims. The email subject was ‘IRS Covid Relief Fund Update’ and the sender name was ‘IRS Covid Relief Funds’, both very specific and related to topics that elicit quick actions from victims. Invoking the IRS is also an ‘authority’ trigger that will prompt quicker action from some.


Fig: Phishing email header including sender name and subject

The email language includes urgency triggers by talking about ‘important’ updates, and ends with a simple but effective request: asking victims to click the link if they want to view the document. The email also includes a boilerplate confidentiality footer to make it seem more legitimate.

A closer look reveals some grammatical irregularities in the email, as well as a non-capitalized ‘Irs’ in the email sender name, both of which can be red flags to anyone who stops and reads the email closely. The attackers bank on victims not reading the email closely and following through with the intended action instead.

2. Phishing page hosted on compromised SharePoint account

When victims clicked the link in the email, they were led to a SharePoint form that asked for email credentials along with a host of other personal information. Closer inspection revealed that the SharePoint account belonged to an employee of the Reproductive Medicine Associates of Connecticut (RMACT). Adversaries likely compromised the employee’s account and exploited their SharePoint account for the IRS COVID relief phishing attack.


Fig: The phishing page hosted on a compromised user’s SharePoint account

Since the phishing link pointed to a legitimate SharePoint page, it got past any email security filters designed to block known bad domains. The familiar Microsoft branding on the page might also put victims’ minds at ease as they subconsciously buy into the legitimacy of the email. It’s worth noting the irony-laden footer asking people not to share passwords or give away personal information.

There are clear ‘eye test’ red flags on this page as well. Discerning readers will stop short of sharing the wealth of personal information asked in this SharePoint form. However, given the context of the communication - IRS sharing COVID relief fund details - victims might rationalize the extent of personal information asked in the form.


Fig: Success message at the end of the phishing flow (but no COVID relief fund document in sight)

Guidance and Recommendations

Here are some points of guidance for individuals or organizations looking to protect themselves against targeted email attacks:

1. Be wary of PII/PCI sharing requests out of context

The phishing page for this attack asked for personal information that the IRS would never ask over email. Even when the email looks real, be wary of entering your SSN, tax number, and similar details over email. Perform a second factor of authentication by calling or texting the email sender to confirm the requests are legitimate.

2. Subject sensitive emails to rigorous eye tests

Whenever possible, engage with emails related to money and data in a rational manner. Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email.

3. 2FA is necessary but not sufficient

Adversaries compromised an RMACT employee’s SharePoint account for this attack. Adopting two-factor authentication (2FA) would have prevented the compromise, or at least minimized its impact. However, 2FA would not have been enough to stop the phishing email from fulfilling its objective since the context (IRS document about COVID relief funds) doesn’t require 2FA to seem legitimate.

4. Augment native email security with complementary threat detection

To augment existing email security capabilities (e.g. Exchange Online Protection for Office 365 or the Advanced Protection Program for G Suite), organizations should invest in technologies that take a materially different approach to threat detection. Rather than searching through static lists and blocking known bad domains, these technologies should learn from custom organizational data and be able to stop socially engineered threats that contain zero-day payloads (or lack payloads altogether).

How Armorblox Detected The Attack

Armorblox was able to detect the email attack based on the following insights:

1. Language, intent, and tone

Armorblox language models have been trained on tons of data and further customized to suit every customer environment. These models analyzed the email header and body to detect urgency, financial topics, and an unusual request made in the email (which are all common traits in business email compromise attacks).

2. Low communication history

Armorblox detected that the sender email in question had a low communication history with the target’s email account. While not a violation in itself, this insight is critical when compared with other unusual signals and can catch highly targeted attacks.

3. Low domain frequency

Armorblox ML models have three tiers - a global model, an organization-specific model, and a mailbox-specific model. While the mailbox-specific model was able to detect low communication history between the sender and the receiver, the organization-specific model also detected that the attacker’s domain had not communicated with the target company as a whole.

4. Suspicious phishing URL

Armorblox detected the presence of a suspicious URL in the email, based on factors including but not limited to threat intel sources, suspicious redirections, language used associated with the link, and so on.

Based on the insights above, along with many other detection signals, Armorblox flagged the email as a credential phishing threat. The email was automatically deleted based on predetermined remediation actions for the credential phishing detection category.

If you found this attack overview interesting, you might also like to read our earlier Blox Tale focusing on an Amazon credential phishing attempt.

Stay tuned for more Blox Tales! If you’re interested to learn how Armorblox augments native Office 365 email security, download our whitepaper below.

Get Whitepaper

Read This Next