Akankasha Dewan, 18 July 2019 14:37:10 AEST

Plain-text email contains multi-staged phishing invoice scam

Invoices can be very costly indeed – and not always in the traditional sense. A recent phishing invoice email scam detected by MailGuard is designed to trick victims into revealing their confidential data.

First intercepted on 16th July 2019 around midday (AEST), the email appears to have been sent by a single compromised sender. The plain-text email is short, and notifies the recipient of an invoice in the form of a PDF attachment. A signature is included in the email, along with the supposed sender’s details such as their email address and contact numbers. Here is a screenshot of the email:


Unsuspecting recipients who open the PDF attachment are led to a page featuring fake OneDrive graphics and a link, simulating a protected file, as per the below:


Clicking the ‘view document’ button directs the user to a phishing URL, which then redirects to a second URL hosting the actual phishing web page.

Here, the user is requested to sign in using Office 365 or Outlook or any other email address:


Once the credentials are inserted, the user is finally redirected to the real OneDrive web page.

The email in itself is not very well-designed compared to some of the more sophisticated scams we see here at MailGuard. The email is in a plain text format and doesn’t directly address the recipient by name; a red flag to anyone conscious of email security concerns. The graphics used in the later stages of the scam, however, are designed using high quality graphical elements. This is all done to boost the credibility of the phishing pages, and convince recipients that they are actually from Microsoft Office 365.

The interesting thing about this attack is that it demonstrates how easy it is for criminals to operate this sort of scam. A simple email of this kind could be based on inexpensive malware, bought through a dark web portal, and run from a phone.

MailGuard urges all cyber users to be vigilant when accessing their emails and look out for tell-tale signs of malicious emails.

Whilst MailGuard is stopping this email scam from reaching Australian businesses, we encourage all users to be extra vigilant against this kind of email and whatever happens, do not open or click them.

Phishing continues to be one of the most prevalent forms of cyber-crime. The vast majority of online scams - more than 90% - are perpetrated using email, so it’s wise to always be skeptical of messages from unfamiliar senders asking you to log into your accounts.

What to look out for

As a precaution, avoid clicking links in emails that:

  • Are not addressed to you by name, have poor English or omit personal details that a legitimate sender would include (e.g. a tracking ID).
  • Are from businesses you’re not expecting to hear from.
  • Ask you to download any files, especially with an .exe file extension.
  • Take you to a landing page or website that does not have the legitimate URL of the company the email is purporting to be sent from.
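As an added example that is not part of the MailGuard post, the Python below applies that checklist to a constructed sample message built to resemble the scam described above (the sender, recipient and link hostnames are assumed placeholders): it flags a missing personal greeting, a plain-text-only body, attachments (singling out .exe), and links whose host is not the sender's own domain.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real capture) mirroring the scam above: plain-text
# body, no greeting by name, a PDF attachment, link host unrelated to the sender.
SAMPLE_EML = """\
From: Accounts <accounts@supplier.example>
To: jane@victim.example
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hi,
Please find the attached invoice. View online: http://docs.phish-host.example/view
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"

%PDF-1.4 stub, not a real document
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def triage(raw, recipient_name):
    """Return the checklist red flags that apply to one raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    sender_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    flags, text, has_html = [], "", False
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            name = (part.get_filename() or "").lower()
            flags.append("attachment:" + name)
            if name.endswith(".exe"):  # the checklist singles out executables
                flags.append("executable-attachment:" + name)
        elif part.get_content_type() == "text/plain":
            text += part.get_content()
        elif part.get_content_type() == "text/html":
            has_html = True
    if recipient_name.lower() not in text.lower():
        flags.append("not-addressed-by-name")
    if not has_html:
        flags.append("plain-text-only")
    for url in URL_RE.findall(text):  # links must stay on the sender's domain
        host = (urlparse(url).hostname or "").lower()
        if host != sender_domain and not host.endswith("." + sender_domain):
            flags.append("link-domain-mismatch:" + host)
    return flags
```

Any flag is a reason to stop and verify the invoice with the supplier out of band rather than through the links in the message.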

One email

Cybercriminals use email scams to infiltrate organisations with malware and attack them from the inside. 
All criminals need to break into your business is a cleverly worded message. If they can trick one person in your company into clicking on a malicious link they can gain access to your data.

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive email security.
Talk to an expert at MailGuard today about making your company's network secure: click here.

