Akankasha Dewan, 13 February 2019 17:15:27 AEDT

Cybercriminals deliver multiple malicious emails from compromised Optus accounts

Don’t be too quick to believe everything you read in an email, especially if it’s been sent by someone you weren’t expecting to hear from.

Multiple inboxes are being hit by malicious emails, all purporting to be from Optus and using the domain ‘optusnet.com.au’. MailGuard detected the first of these email scams last Friday, 8th Feb 2019, although it has been verified that the emails started hitting inboxes before that date. This email scam is currently ongoing.

These emails appear in multiple variations, ranging from remittance advice to car insurance document scams. MailGuard understands they originate from a large number of compromised email addresses using the same domain.  

The format of these emails is similar, with most appearing in plain-text form. They advise the recipient that a document is available for them and include a link to access it. In most cases, the links lead unsuspecting recipients to a malicious file download.

Below are the descriptions and screenshots of some of the more recent emails that have been hitting inboxes:

Friday, 08/02/2019:

Example 1: Remittance advice scam

[Screenshot: Friday remittance email]

This email appears as a generic remittance advice email. The message body asks the recipient to "please find attached a remittance advice requiring your review". No attachment is provided; instead, there is a link to a Google Docs hosted Word document containing macros.

Example 2: Insurance email scam

The second example is for an "Insurance Certificate of Currency":

[Screenshot: Friday insurance email]

In this variation, the message body advises the recipient that, as requested, they can find attached a "Certificate of Currency" for car insurance. Once again, there is no attachment; instead, there is a link to a Google Docs hosted Word document containing macros.

Monday, 11/02/2019:

[Screenshot: Monday accident documents email]

MailGuard understands that on this day, victims of this email scam received several variants with different subjects. However, they were all scams related to Insurance Cover documents. The example here has a very short body, stating "Please get assigned accident Documents as requested", along with a reference number. The included link in this case was to a .zip file containing a malicious JavaScript file.

Tuesday, 12/02/2019:

[Screenshot: Tuesday purchase scam email]

Cybercriminals responsible for this email scam sent out another simple email with a link to a malicious file download on Tuesday. This time, the link was an FTP link to a .zip file containing a malicious JavaScript file. The body of the email thanks the recipient for their recent “Online purchase”, with a link to "download a PDF copy" of their invoice. The .zip file is password protected, with the password provided within the body of the email. This tactic works both as an attempt to legitimise the file and to prevent automatic scanning of the contents of the .zip archive.


Wednesday, 13/02/2019:

[Screenshot: Wednesday invoice email]

Another very simple email, with a subject of "Tax Invoice". The body includes a link to "detach or download your invoice", which points to a .zip file containing JavaScript, hosted on Google Docs.
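The examples above share a few machine-checkable traits: a body that talks about an attachment when none is present, links to .zip or FTP downloads, and an archive password given in the message text. The following triage sketch is an added example, not MailGuard's detection logic; the trait names, sample messages, sender address and URLs are constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

URL_RE = re.compile(r"(?:https?|ftp)://[^\s<>\"']+", re.I)
ATTACH_RE = re.compile(r"\b(attached|attachment)\b", re.I)
PASSWORD_RE = re.compile(r"\bpassword\b", re.I)

def campaign_traits(raw_email):
    """Return the traits described in the write-up that this message shows."""
    msg = message_from_string(raw_email)
    texts, attachments = [], 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():                 # a real attachment is present
            attachments += 1
        elif part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            texts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    body = "\n".join(texts)
    urls = [u.rstrip(".,)") for u in URL_RE.findall(body)]
    traits = set()
    # "Please find attached ..." but the only payload is a link.
    if ATTACH_RE.search(body) and attachments == 0 and urls:
        traits.add("claims-attachment-but-links-out")
    for url in urls:
        parsed = urlparse(url)
        if parsed.scheme.lower() == "ftp":
            traits.add("ftp-link")
        if parsed.path.lower().endswith(".zip"):
            traits.add("zip-download-link")
    # A password in the body next to an archive link: contents cannot be auto-scanned.
    if PASSWORD_RE.search(body) and "zip-download-link" in traits:
        traits.add("archive-password-in-body")
    return traits

# Constructed sample messages modelled on the Friday and Tuesday variants.
REMITTANCE = """\
From: constructed-sender@optusnet.com.au
Subject: Remittance Advice

Please find attached a remittance advice requiring your review.
https://docs.example.test/document/d/PLACEHOLDER/view
"""
PURCHASE = """\
Subject: Online purchase

Thank you for your recent Online purchase. Download a PDF copy:
ftp://files.example.test/invoice.zip
Archive password: constructed-1234
"""
```

Any single trait is weak evidence on its own; the value is in routing messages that show several of them for closer inspection.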

This email scam is a good reminder of how innocent-looking, plain emails can, in fact, be malicious, despite where they purport to be from. As simple as they may seem, these attacks are happening all too regularly, and with devastating effect. Unsuspecting employees who click on any of the links above or download any content can inflict significant financial and reputational damage on an organisation.

MailGuard urges all cyber users to be vigilant when accessing their emails, and look out for tell-tale signs of malicious emails:

Tell-tale signs of email scams

  • Do not address recipients directly (e.g. “Dear customer”)
  • Bad grammar or misuse of punctuation and poor-quality or distorted graphics
  • An instruction to click a link to perform an action (hover over them to see where you’re really being directed)
  • Obscure sending addresses (for example, Hotmail, Gmail or Yahoo addresses should set alarm bells ringing)

Don't get scammed

If your company’s email accounts aren’t protected, emails like the one above are almost certainly being received by your staff.  Cybercriminals know people can be tricked; that’s why they send out millions of scam messages and put so much effort into making them look convincing.

People are not machines; we're all capable of making bad judgement calls. Without email filtering protecting your business, it’s just a matter of time before someone in your organisation has a momentary lapse of judgement and clicks on the wrong thing.


For a few dollars per staff member per month, add MailGuard's cloud-based email and web filtering solution to your business security. You’ll significantly reduce the risk of new variants of malicious email from entering your network. Talk to an expert at MailGuard today about your company's cybersecurity needs: expert@mailguard.com.au

Keep up to date on the latest email scams by subscribing to MailGuard’s weekly update, or follow us on Twitter @MailGuard.
