Second Criminal-Intent Email Purporting to be Xero This Month

Posted by Emmanuel Marshall on 27 December 2017 13:13:30 AEDT

Cybercriminals don’t take vacations; MailGuard intercepted a large-scale email scam this morning, pretending to contain a Xero branded invoice.

The criminals behind this scam are leveraging the trust users place in the Xero brand to try and get people to open a malware file attachment. Xero is a popular cloud-based accounting software and this is the second time this month that it has been impersonated by scammers. 

Scams of this type hinge on the brand recognition and reputation of the company they are impersonating. Because Xero is widely used, there are a large number of potential recipients of this email who might click on the attachment without checking its legitimacy.

Your Xero Invoice INV-5145324 - Mozilla Thunderbird_029.png

You can see from the screenshot above that although the sender display name on the email is ‘Xero Billing Notifications’ the actual sender address behind it is subscription[dot]notifications[at]xerohost[dot]net, which is not an authentic Xero domain.

In fact, this domain - xerohost[dot]net - was only registered yesterday on a Chinese domain registry.

Harmful Macros

The attachment on this email is a word document, which seems like a harmless format to most people. Unfortunately, it’s possible to conceal malicious code in .doc macros.

Macros are small software fragments that are embedded in .doc files. Macros are designed to automate tasks in documents, but because they can work in the background without a user’s knowledge they make useful malware vehicles for cybercrime.

Scammers can hide a trojan or a dropper in macro code, which will download and activate other malicious software. The code in the macro itself may not be particularly harmful, but the malware it covertly installs could be a virus, spyware or ransomware.

Microsoft has disabled dangerous macros by default in newer editions of their Office software. There’s no legitimate reason for a company to be sending you an invoice document with macros in it, so they’re a red flag for scams. 

Self Defence

To avoid being tricked by one of these scams, you should immediately delete any emails that look suspicious or ask you to open or download files that you weren’t expecting.

The rule of thumb is that any attachment to an email has the potential to be harmful. If the message originates from an unknown source, there’s no way of knowing what sort of damaging malware it might be carrying.

This fake Xero email was prevented from reaching the inboxes of MailGuard clients, but there are thousands of these messages going out today, so please keep an eye out for them and share this warning with your network.

Protect Your Business

If your company is using a solution like Xero or Office 365 then you already know the benefits of cloud-based technology. Doing business online opens up opportunities for collaboration on an unprecedented level, but with that opportunity comes significant risk. 

Cybercriminals utilise sophisticated AI technology to monitor business and social networks and they exploit the data they collect to infiltrate organisations. All criminals need to break into your business is a cleverly worded email; if they can trick one person in your company into clicking on a malicious link they can gain access to your data.

For a few dollars per staff member per month, you can protect your business with MailGuard's cloud-based email and web filtering security. Talk to an expert at MailGuard today about making your company more secure: click here.

Stay up-to-date with new posts on the MailGuard Blog by subscribing to free updates. Click on the button below:

Keep Informed with Weekly Updates



Topics: Macro Malware cybercrime email scams Threat Update

Back to Blog


Something Powerful

Tell The Reader More

The headline and subheader tells us what you're offering, and the form header closes the deal. Over here you can explain why your offer is so great it's worth filling out a form for.


  • Bullets are great
  • For spelling out benefits and
  • Turning visitors into leads.

Recent Posts

Posts by Topic

see all