Xero branding imitated in breaking email scam

Posted by Emmanuel Marshall on 19 February 2018 12:42:06 AEDT

A new zero-day email scam imitating Xero branding has been detected by MailGuard.

This email is supposed to look like a Xero invoice notification. The text advises the recipient that their credit card will be debited, and offers a link to view their bill.

The link in the message actually goes to an MS Word document, hosted on a compromised website, that contains malware in its macro code.

To try to outwit scam filters, the criminals behind this attack have used hundreds of link variants that point to documents hosted in different locations.

As you can see in the screenshot at the top of the page, this message purports to come from a sender called "Xero Billing Notifications" and the scammers have used the sender address ‘subscription.notifications@xeroform.org’ to try to lend authenticity to their bogus message. But of course, this is not really a Xero domain; ‘xeroform.org’ was actually just created yesterday through a domain registrar in China.
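A mail filter can test for this mismatch between the display name and the sending domain. The sketch below is an added example, not MailGuard's detection logic; the allowlist of legitimate Xero sending domains and both sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the brand legitimately sends from. Confirm against the
# vendor's own documentation before using a list like this in a filter.
BRAND_DOMAINS = {"xero": {"xero.com"}}


def is_allowed(domain, allowed):
    """True if domain equals an allowed domain or is a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def check_sender(raw_message):
    """Return findings for brand impersonation in the From header."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if is_allowed(domain, allowed):
            continue  # genuine sending domain, nothing to report
        if brand in display.lower():
            findings.append(f"display name uses '{brand}' but domain is {domain}")
        if brand in domain:
            findings.append(f"lookalike domain embeds '{brand}': {domain}")
    return findings


# Constructed sample headers; the From line uses the sender reported above.
SCAM = (
    'From: "Xero Billing Notifications" '
    "<subscription.notifications@xeroform.org>\n"
    "Subject: Your invoice\n\nbody\n"
)
# Constructed sample of a message from an allowed subdomain.
GENUINE = 'From: "Xero" <billing@post.xero.com>\nSubject: Invoice\n\nbody\n'

if __name__ == "__main__":
    for name, raw in (("scam", SCAM), ("genuine", GENUINE)):
        print(name, check_sender(raw) or "no findings")
```

The suffix match requires a leading dot, so a domain such as `xero.com.example.org` or `notxero.com` is still reported rather than treated as genuine.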

At the time that MailGuard intercepted this attack, no other security vendors were detecting this scam email.

Please keep an eye out for this scam, and if you see a message like this in your inbox, delete it immediately.


One Email

If your company is using an online platform like Xero, then you already know the benefits of cloud-based technology. Doing business online opens up opportunities for collaboration on an unprecedented level, but with that opportunity comes significant risk. Cybercriminals utilise sophisticated AI technology to monitor business and social networks and they exploit the data they collect to infiltrate organisations. All criminals need to break into your business is a cleverly worded email; if they can trick one person in your company into clicking on a malicious link they can gain access to your data.

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive email security.
Talk to an expert at MailGuard today about making your company's network secure: click here.


Topics: Macro Malware xero email scam xero invoice cybercrime Xero scam emails brandjacking Threat Update
