Fake request for tax preparation
Unknown sender requesting assistance with tax preparation. This is associated with known threat actor activity, TA576.
Sublime rule (View on GitHub)
# Sublime Security detection rule: YAML metadata plus an MQL expression in
# `source`. It targets the TA576 "tax preparation" lure: a short, text-only,
# first-contact email asking for help with a tax return. Every `and` clause
# below must hold for the rule to fire; the sender-profile clauses at the end
# are what keep it from matching legitimate new clients who write the same way.
name: "Fake request for tax preparation"
description: "Unknown sender requesting assistance with tax preparation. This is associated with known threat actor activity, TA576."
type: "rule"
severity: "high"
source: |
  // Inbound mail only, with a short current-thread body (under 1250 chars)
  // that the ML topic classifier tags as financial communication.
  type.inbound
  and length(body.current_thread.text) < 1250
  and any(beta.ml_topic(body.current_thread.text).topics,
          .name == "Financial Communications"
  )
  // Link constraint: the message has no links, or every link it has is one of
  //   - a link with no display text whose display URL equals the sender's
  //     root domain (what a warning-banner extraction typically produces),
  //   - an aka.ms link, or
  //   - a link whose display domain was registered fewer than 30 days ago.
  // The count of links passing the filter must equal the total link count.
  // NOTE(review): the third branch admits freshly registered domains rather
  // than rejecting them — presumably so an actor's new lure domain does not
  // disqualify the message, but confirm that is the intent, and note that
  // network.whois() is a lookup per link. Also note .display_url.url is
  // compared against a bare root domain, so it only matches when the display
  // URL text is exactly the domain — verify that is the banner format expected.
  and (
    length(body.links) == 0
    or length(filter(body.links,
                     (
                       .display_text is null
                       and .display_url.url == sender.email.domain.root_domain
                     )
                     or .href_url.domain.domain == "aka.ms"
                     or network.whois(.display_url.domain).days_old < 30
             )
    ) == length(body.links)
  )
  // The initial lure carries no attachment.
  and length(attachments) == 0
  // Subject either mentions tax or is very short (a bare greeting or name).
  and (strings.ilike(subject.subject, "*tax*") or length(subject.subject) < 15)
  and strings.icontains(body.current_thread.text, "tax")
  // Tax-filing vocabulary.
  // NOTE(review): strings.like is case-sensitive, unlike the ilike/icontains
  // calls used everywhere else in this rule, so "Return", "Filing" or "cpa"
  // will not satisfy the first list — confirm whether that is deliberate
  // before widening it, since widening changes what the rule fires on.
  and (
    strings.like(body.current_thread.text,
                 "*return*",
                 "*record*",
                 "*CPA*",
                 "*filing*",
                 "*extension*"
    )
    or strings.ilike(body.current_thread.text,
                     "*tax preparer*",
                     "*tax*processing*"
    )
  )
  // Either the body contains the "engage my services" phrasing seen in the
  // lure ...
  and (
    strings.ilike(body.current_thread.text,
                  "*necessary documents*",
                  "*required documents*",
                  "*paperwork*",
                  "*in search of*",
                  "*tax service*",
                  "*professional help*",
                  "*prepare*tax return*",
                  "*service*tax return*",
                  "*seeking*tax preparer*",
                  "*assist*processing*tax*",
                  "*schedule*call*",
                  "*zoom meeting*",
                  "*discuss*fees*",
                  "*W2*",
                  "*CPA*"


    )
    // ... or it shows header-level signs of a templated lure: the sender's
    // display name is repeated in the body, together with any two of
    //   - every Reply-To address on a different root domain than the sender,
    //   - a Return-Path that differs from the From address,
    //   - a Return-Path on amazonses.com.
    or (
      strings.icontains(body.current_thread.text, sender.display_name)
      and 2 of (
        (
          length(headers.reply_to) > 0
          and all(headers.reply_to,
                  .email.domain.root_domain != sender.email.domain.root_domain
          )
        ),
        (
          headers.return_path.email is not null
          and headers.return_path.email != sender.email.email
        ),
        headers.return_path.domain.root_domain in ("amazonses.com")
      )
    )
  )
  // Sender-profile gate: the sender is new or an outlier and the message is
  // unsolicited, or the sender has prior malicious/spam history with nothing
  // benign on record.
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  // Global exclusion: any benign history from this sender suppresses the rule.
  // (This makes the same check inside the second branch above redundant; it is
  // left in place so the rule's logic is unchanged.)
  and not profile.by_sender().any_messages_benign

# NOTE(review): "Malware/Ransomware" is listed although the expression above
# only matches text-only mail with no attachment — presumably this reflects
# the campaign's follow-on payload rather than what this rule detects; confirm.
attack_types:
  - "BEC/Fraud"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "e36b85b3-ffc6-5d73-b865-7dbdf9b4b1a0"