A new zero-day email scam imitating Xero branding has been detected by MailGuard.
This email is supposed to look like a Xero invoice notification. The text advises the recipient that their credit card will be debited, and offers a link to view their bill.
The link in the message actually leads to an MS Word document, hosted on a compromised website, that contains malware in its macro code.
To try to evade scam filters, the criminals behind this attack have used hundreds of link variants that point to documents hosted in different locations.
As you can see in the screenshot at the top of the page, this message purports to come from a sender called "Xero Billing Notifications" and the scammers have used the sender address ‘firstname.lastname@example.org’ to try to lend authenticity to their bogus message. But of course, this is not really a Xero domain; ‘xeroform.org’ was actually just created yesterday through a domain registrar in China.
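The two sender signals described above (a display name that claims the brand while the domain is a lookalike, and a domain registered only days earlier) can be checked mechanically. The sketch below is an added example, not MailGuard's detection logic; the allow-list, the age threshold, the sample local parts and all dates are constructed assumptions, and the registration date is passed in rather than looked up so the code runs offline.

```python
from datetime import date
from email.utils import parseaddr

# Assumption: domains the brand legitimately sends from (hypothetical allow-list).
BRAND_DOMAINS = {"xero": {"xero.com"}}
MAX_NEW_DOMAIN_AGE_DAYS = 30  # assumed threshold for "newly registered"


def sender_domain(from_header):
    """Return (display_name, lower-cased sender domain) from a From header."""
    name, addr = parseaddr(from_header)
    return name, addr.rpartition("@")[2].lower()


def is_allowed(domain, allowed):
    """True if domain equals an allowed domain or is a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def score_sender(from_header, domain_created, today):
    """Return a list of findings for one message; an empty list means no flags.

    domain_created is the registration date the caller obtained from
    WHOIS/RDAP, or None if unknown.
    """
    findings = []
    name, domain = sender_domain(from_header)
    for brand, allowed in BRAND_DOMAINS.items():
        if is_allowed(domain, allowed):
            continue
        if brand in name.lower():
            findings.append(f"display name claims '{brand}' but domain is {domain}")
        if brand in domain:
            findings.append(f"domain {domain} embeds '{brand}' (lookalike)")
    if domain_created is not None:
        age = (today - domain_created).days
        if 0 <= age <= MAX_NEW_DOMAIN_AGE_DAYS:
            findings.append(f"domain registered {age} day(s) ago")
    return findings


# Constructed samples: local parts and dates are invented for illustration.
TODAY = date(2020, 1, 15)
SCAM = "Xero Billing Notifications <billing@xeroform.org>"
LEGIT = "Xero <no-reply@post.xero.com>"

if __name__ == "__main__":
    for hdr, created in [(SCAM, date(2020, 1, 14)), (LEGIT, date(2006, 1, 1))]:
        print(hdr, "->", score_sender(hdr, created, TODAY) or "no flags")
```

The suffix match in `is_allowed` requires a leading dot, so a sender domain that merely starts with the real domain name is still flagged.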
At the time that MailGuard intercepted this attack, no other security vendors were detecting this scam email.
Please keep an eye out for this scam, and if you see a message like this in your inbox, delete it immediately.
If your company is using an online platform like Xero, then you already know the benefits of cloud-based technology. Doing business online opens up opportunities for collaboration on an unprecedented level, but with that opportunity comes significant risk. Cybercriminals utilise sophisticated AI technology to monitor business and social networks and they exploit the data they collect to infiltrate organisations. All criminals need to break into your business is a cleverly worded email; if they can trick one person in your company into clicking on a malicious link they can gain access to your data.
For a few dollars per staff member per month, you can protect your business with MailGuard's predictive email security.