Email titled “Refund Notice” uses malicious password-protected attachment to infect systems

Posted by Akankasha Dewan on 27 May 2020 17:12:49 AEST

MailGuard has intercepted a fraudulent email that uses a malicious attachment disguised as an invoice to infect systems.

Titled “Refund Notice”, the email is in plain-text, and contains no body except a “document password”. The email’s “From” field doesn’t contain a display name. Instead, only an email address is included. We discovered that the email actually originates from a large number of compromised email addresses. An attachment is included in the email, in the form of a .XLS file. Here is what the email looks like:


Scam 2705_Social

Unsuspecting recipients who open the attachment are informed that “this invoice is encrypted with DocuSign”. Several instructions are provided for them to follow if they wish to include the invoice in its entirety, including one that directs them to “enable content’ as macros have been "disabled", as per the below:

attach_2020-05-27_10-51 (002)

Enabling macros potentially leads to the activation of a malicious malware that can infect files and systems.

We strongly advise all recipients to delete these emails immediately without opening any attachments. Please share this alert with your social media network to help us spread the word around this email scam.

This attack is a good reminder of how easy it is for criminals to operate these sort of scams. A simple plain-text, short email of this kind could be based on inexpensive malware, bought through a dark web portal, and run from a phone.

The fraudulent email contains several typical elements that attempt to trick recipients into falling for the scam, including the fact that the .XLS attachment is password-protected. This is a classic technique used by the fraudsters behind the scam to convey legitimacy and a false sense of security.

Despite this, the email in itself contains several tell-tale signs that commonly belong to fraudulent emails and should help eagle-eyed recipients point to its illegitimacy. These include the lack of a personalised address, display name.


As a precaution, MailGuard urges you not to open attachments within emails that:

  • Are not addressed to you by name.
  • Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
  • Are from businesses that you were not expecting to hear from.
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from. 

Don't get scammed

If your company’s email accounts aren’t protected, emails like the one above are almost certainly being received by your staff. Cybercriminals know people can be tricked; that’s why they send out millions of scam messages and put so much effort into making them look convincing.

People are not machines; we're all capable of making bad judgement calls. Without email filtering protecting your business, it’s just a matter of time before someone in your organisation has a momentary lapse of judgement and clicks on the wrong thing.

One email is all that it takes

All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.

Talk to a solution consultant at MailGuard today about securing your company's network.

Why not stay up-to-date with MailGuard's latest blog posts by subscribing to free updates? Subscribe to weekly updates by clicking on the button below.

Keep Informed with Weekly Updates



Topics: email scams fraud fastbreak

Back to Blog


Something Powerful

Tell The Reader More

The headline and subheader tells us what you're offering, and the form header closes the deal. Over here you can explain why your offer is so great it's worth filling out a form for.


  • Bullets are great
  • For spelling out benefits and
  • Turning visitors into leads.

Recent Posts

Posts by Topic

see all