Fake request for tax preparation

Unknown sender requesting assistance with tax preparation. This is associated with known threat actor activity, TA576.

Sublime rule

# Sublime Security detection rule. The `source` block is an MQL predicate made of
# `and`-joined clauses; every clause must hold for a message to match.
name: "Fake request for tax preparation"
description: "Unknown sender requesting assistance with tax preparation. This is associated with known threat actor activity, TA576."
type: "rule"
severity: "high"
source: |
  // only inbound mail is evaluated
  type.inbound
  // short message body: presumably to keep the rule on brief, single-request lures
  // rather than long legitimate threads — confirm the threshold against tuning data
  and length(body.current_thread.text) < 1250
  // the ML topic classifier must tag the current thread text as financial
  and any(beta.ml_topic(body.current_thread.text).topics,
          .name == "Financial Communications"
  )
  // link gate: either the message has no links, or every link falls into one of
  // three buckets that do not argue against the lure:
  //   (a) a link with no display text whose display URL equals the sender's
  //       root domain (typical of a warning-banner extraction),
  //   (b) a link to aka.ms,
  //   (c) a link whose displayed domain was registered fewer than 30 days ago
  //       (a newly registered domain, i.e. itself a suspicious indicator).
  // The filter count must equal the total link count, so one link outside these
  // buckets fails the rule.
  and (
    length(body.links) == 0
    or length(filter(body.links,
                     (
                       .display_text is null
                       // NOTE(review): this compares the whole display URL string to a
                       // bare root domain, so only a banner that renders just the
                       // domain will match — confirm this is the intended shape
                       and .display_url.url == sender.email.domain.root_domain
                     )
                     or .href_url.domain.domain == "aka.ms"
                     // NOTE(review): a whois lookup per link; links without a
                     // display_url presumably do not satisfy this branch — verify
                     or network.whois(.display_url.domain).days_old < 30
              )
    ) == length(body.links)
  )
  // no attachments: the lure is a text request, not a file
  and length(attachments) == 0
  // subject mentions tax (case-insensitive) or is very short
  and (strings.ilike(subject.subject, "*tax*") or length(subject.subject) < 15)
  // body must mention tax at all
  and strings.icontains(body.current_thread.text, "tax")
  // tax-preparation vocabulary: strings.like is a case-sensitive glob match,
  // strings.ilike is the case-insensitive form
  and (
    strings.like(body.current_thread.text,
                 "*return*",
                 "*record*",
                 "*CPA*",
                 "*filing*",
                 "*extension*"
    )
    or strings.ilike(body.current_thread.text,
                     "*tax preparer*",
                     "*tax*processing*"
    )
  )
  // request-for-service phrasing, OR a signature-style lure with header anomalies
  and (
    strings.ilike(body.current_thread.text,
                  "*necessary documents*",
                  "*required documents*",
                  "*paperwork*",
                  "*in search of*",
                  "*tax service*",
                  "*professional help*",
                  "*prepare*tax return*",
                  "*service*tax return*",
                  "*seeking*tax preparer*",
                  "*assist*processing*tax*",
                  "*schedule*call*",
                  "*zoom meeting*",
                  "*discuss*fees*",
                  "*W2*",
                  "*CPA*"
    )
    // suspicious patterns: the sender's display name appears in the body text
    // together with at least two of the three header anomalies below
    or (
      strings.icontains(body.current_thread.text, sender.display_name)
      and 2 of (
        // every Reply-To address is on a different root domain than the From address
        (
          length(headers.reply_to) > 0
          and all(headers.reply_to,
                  .email.domain.root_domain != sender.email.domain.root_domain
          )
        ),
        // Return-Path is present and differs from the From address
        (
          headers.return_path.email is not null
          and headers.return_path.email != sender.email.email
        ),
        // Return-Path root domain is Amazon SES (a shared sending service)
        headers.return_path.domain.root_domain in ("amazonses.com")
      )
    )
  )
  // sender reputation: unsolicited mail from a new/outlier sender, or a sender
  // with prior malicious/spam messages and no benign history
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      // redundant with the global exclusion on the last line, kept for readability
      and not profile.by_sender().any_messages_benign
    )
  )
  // global exclusion: any benign history from this sender suppresses the rule
  and not profile.by_sender().any_messages_benign
attack_types:
  - "BEC/Fraud"
  # NOTE(review): attachments and arbitrary links are excluded above; this tag
  # presumably refers to a follow-on stage of the campaign — confirm
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "e36b85b3-ffc6-5d73-b865-7dbdf9b4b1a0"