
URL: https://www.proofpoint.com/us/blog/threat-insight/security-brief-tis-season-tax-hax
Submission: On January 31 via api from TR — Scanned from DE


SECURITY BRIEF: ‘TIS THE SEASON FOR TAX HAX 


January 30, 2024 Tommy Madjar and Selena Larson


WHAT HAPPENED 

Proofpoint researchers recently identified the return of TA576, a cybercriminal
threat actor that uses tax-themed lures specifically targeting accounting and
finance organizations. This actor is typically only active the first few months
of the year during U.S. tax season, generally targeting organizations in North
America with low-volume email campaigns. In all campaigns, the actor will email
requests for tax preparation assistance and will attempt to deliver remote
access trojans (RATs). 

In the first two observed campaigns in January 2024, the actor used a
compromised account to send benign emails purporting to request tax assistance.
While the sender account was compromised, the emails featured a reply-to address
with a recently registered domain that is likely owned by the threat actor. The
threat actor provided a backstory and asked for pricing and availability. If the
target replied, the threat actor responded with a malicious Google Firebase
(web.app) URL.  



Tax-themed lure used by TA576.  

If the URL was clicked, it redirected to the download of a zipped shortcut (LNK)
file. If this shortcut was executed, it ran encoded PowerShell via the
SyncAppvPublishingServer.vbs LOLBAS inject. The PowerShell command launched
Mshta to run the HTML application (HTA) payload from a provided URL. Living Off
The Land Binaries, Scripts and Libraries (LOLBAS) techniques are becoming
increasingly popular among cybercriminal threats. 



Example shortcut target.  

The code in the shortcut target takes a sequence of numerical values, subtracts
a number from each (in this case 593), converts each result to a character using
the [char] type cast, and concatenates the characters into a string stored in the
variable $k. Interestingly, the number subtracted differs from shortcut to shortcut.
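
The decoding step described above, as an added triage example (not code from the Proofpoint post or from the actor's shortcut): it pulls the integer run out of a shortcut's arguments and, because the subtracted number changes per shortcut, recovers it by testing every offset that yields printable ASCII against expected substrings. The sample arguments, the crib list and all function names are assumptions constructed for illustration.

```python
import re

# Substrings the decoded stage is expected to contain, based on the article's
# description (Mshta fetching an HTA from a URL). Assumption: tune per case.
CRIBS = ("http", "://", "mshta")

# Constructed sample, NOT taken from a real TA576 shortcut: a placeholder
# command encoded with offset 593. The surrounding layout is illustrative only.
SAMPLE_PLAINTEXT = "mshta https://example.invalid/constructed-sample"
SAMPLE_LNK_ARGS = (
    "$k=''; ("
    + ",".join(str(ord(c) + 593) for c in SAMPLE_PLAINTEXT)
    + ") | [char]($_ - 593)"
)


def extract_values(command_line):
    """Return the longest comma-separated run of integers in the text."""
    runs = re.findall(r"\d+(?:\s*,\s*\d+)+", command_line)
    if not runs:
        raise ValueError("no comma-separated integer run found")
    longest = max(runs, key=lambda r: r.count(","))
    return [int(n) for n in longest.split(",")]


def candidate_offsets(values, lo=32, hi=126):
    """Offsets k for which every (value - k) lands in printable ASCII."""
    start = max(max(values) - hi, 0)
    stop = min(values) - lo
    return range(start, stop + 1)  # empty when the values span too wide a range


def decode(values, offset):
    """Apply the subtraction and character conversion the article describes."""
    return "".join(chr(v - offset) for v in values)


def recover(command_line):
    """Return (offset, decoded_text, crib_hits) for the best-scoring offset.

    Candidates are ranked first by how many cribs appear in the decoded text,
    then by how many characters look like ordinary command or URL text.
    """
    values = extract_values(command_line)
    best = None
    for k in candidate_offsets(values):
        text = decode(values, k)
        hits = sum(crib in text.lower() for crib in CRIBS)
        plain = sum(ch.isalnum() or ch in " :/.-" for ch in text)
        if best is None or (hits, plain) > best[0]:
            best = ((hits, plain), k, text)
    if best is None:
        raise ValueError("values cannot all map to printable ASCII")
    return best[1], best[2], best[0][0]


if __name__ == "__main__":
    offset, text, hits = recover(SAMPLE_LNK_ARGS)
    print(f"offset={offset} crib_hits={hits} decoded={text!r}")
```

A result with zero crib hits should be treated as unconfirmed and every candidate offset reviewed by hand.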

The HTA payload ran a PowerShell command to AES decrypt and decompress another
command that downloaded an executable to the %appdata% folder and ran it. This
technique is similar to one previously documented by SANS ISC. The executable in
the TA576 campaign used the "Heaven's Gate" evasion technique to run Parallax
RAT.  

Attack chain summary: Benign Message > Target Reply > Actor Reply with web.app
URL > Redirect > ZIP > LNK > SyncAppvPublishingServer.vbs LOLBAS > PowerShell >
MSHTA runs HTA from URL > Encrypted PowerShell > Obfuscated PowerShell >
Download and Run EXE 

TA576’s 2024 campaigns are notable as this is the first time Proofpoint observed
the actor delivering Parallax RAT. Additionally, the actor’s attack chain using
LOLBAS techniques and multiple PowerShell scripts is distinctly different from
previously observed campaigns that used URLs to zipped JavaScript payloads or
macro-enabled Microsoft Word documents.  


ATTRIBUTION 

TA576 is a cybercriminal threat actor. Proofpoint has tracked TA576 since 2018
through spam email creation techniques, malware usage, malware delivery
techniques and other characteristics. This actor uses tax lures containing
similar characteristics and themes during the U.S. tax season to deliver and
install RATs. TA576’s follow-on objectives are unknown. While the most
frequently observed sectors targeted include accounting and financial entities,
Proofpoint has also observed targeting of related industries such as legal.  


WHY IT MATTERS 

TA576's annual tax-themed campaigns serve as a recurring reminder that
cybercrime threat actors will capitalize on seasonal events. They are also an
early indicator that other threat actors are likely to incorporate this theme
into their campaigns as tax season progresses. In fact, Proofpoint has observed
at least one other threat actor – TA558 – and other unattributed threat clusters
adopt tax themes this month, and researchers are expecting to see more through
April 2024.  

Additionally, TA576’s unique attack chain demonstrates behaviors that are
increasingly used by cybercrime threat actors, including “living off the land”
techniques using existing scripts and services on a host to conduct malicious
activities and chaining multiple PowerShell scripts together before the final
payload execution. This is part of the trend featuring more creativity and
attack chain experimentation among cybercrime threat actors.  


EXAMPLE EMERGING THREATS SIGNATURES 

2044450 – ET MALWARE Parallax CnC Response Activity M18 

2044449 – ET MALWARE Parallax CnC Activity M18 (set) 

2047156 – ET MALWARE [ANY.RUN] Parallax RAT Check-In 


INDICATORS OF COMPROMISE 

Indicator | Description | First Observed

bvillegas@mountain-alliance[.]com | TA576 Reply-to Email Address | 23 January 2024

hxxps://redirectit1[.]web[.]app/ | URL in Emails | 23 January 2024

hxxps://uploadfile2024[.]web[.]app/2023-FILES-MY1040-w2[.]zip | Redirect Target Example | 23 January 2024

hxxps://2023-w2[.]web[.]app/2023-w2[.]zip | Redirect Target Example | 23 January 2024

hxxps://g3w2host[.]web[.]app/G3w2 | HTA Payload | 23 January 2024

hxxps://sacmuo[.]web[.]app/ | URL in Emails | 24 January 2024

hxxps://files-accl[.]zohopublic[.]eu/public/workdrive-public/download/dcyo813923950520542f6bba4f49d89fddf2d?x-cli-msg=%7B%22isFileOwner%22%3Afalse%2C%22version%22%3A%221[.]0%22%7D | Redirect Target Example | 24 January 2024

hxxps://charitytechw[.]com/Knitste12 | HTA Payload | 24 January 2024

hxxps://charitytechw[.]com/sew1[.]exe | PowerShell Payload Parallax RAT EXE | 24 January 2024

193[.]142[.]146[.]101:20190 | Parallax RAT C2 | 24 January 2024

f6c901d8959b26428c5fbb9b0c4a18be2057bb4d22e85bfe2442c0a8744a9ff6 | Parallax RAT SHA256 | 24 January 2024
