High Severity

Fake request for tax preparation

Labels

BEC/Fraud

Malware/Ransomware

Social engineering

Content analysis

Natural Language Understanding

Sender analysis

Description

Unknown sender requesting assistance with tax preparation. This is associated with known threat actor activity, TA576.

References

No references.

Sublime Security

Created Mar 27th, 2024 • Last updated Jul 16th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and length(body.current_thread.text) < 1250
and any(beta.ml_topic(body.current_thread.text).topics,
        .name == "Financial Communications"
)
// there are no links, all the links are to aka.ms, or an extraction from a warning banner that match the senders domain
and (
  length(body.links) == 0
  or length(filter(body.links,
                   (
                     .display_text is null
                     and .display_url.url == sender.email.domain.root_domain
                   )
                   or .href_url.domain.domain == "aka.ms"
                   or network.whois(.display_url.domain).days_old < 30
            )
  ) == length(body.links)
)
and length(attachments) == 0
and (strings.ilike(subject.subject, "*tax*") or length(subject.subject) < 15)
and strings.icontains(body.current_thread.text, "tax")
and (
  strings.like(body.current_thread.text,
               "*return*",
               "*record*",
               "*CPA*",
               "*filing*",
               "*extension*"
  )
  or strings.ilike(body.current_thread.text,
                   "*tax preparer*",
                   "*tax*processing*"
  )
)
and (
  strings.ilike(body.current_thread.text,
                "*necessary documents*",
                "*required documents*",
                "*paperwork*",
                "*in search of*",
                "*tax service*",
                "*professional help*",
                "*prepare*tax return*",
                "*service*tax return*",
                "*seeking*tax preparer*",
                "*assist*processing*tax*",
                "*schedule*call*",
                "*zoom meeting*",
                "*discuss*fees*",
                "*W2*",
                "*CPA*"
                
                
  )
  // suspicious patterns
  or (
    strings.icontains(body.current_thread.text, sender.display_name)
    and 2 of (
      (
        length(headers.reply_to) > 0
        and all(headers.reply_to,
                .email.domain.root_domain != sender.email.domain.root_domain
        )
      ),
      (
        headers.return_path.email is not null
        and headers.return_path.email != sender.email.email
      ),
      headers.return_path.domain.root_domain in ("amazonses.com")
    )
  )
)
and (
  (
    profile.by_sender().prevalence in ("new", "outlier")
    and not profile.by_sender().solicited
  )
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
and not profile.by_sender().any_messages_benign

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.