According to cybersecurity vendor Proofpoint, the email phishing campaigns — discovered between October 16 and November 12 — impersonate the German Federal Ministry of Finance and the Italian Ministry of Taxation using malicious Microsoft Word attachments which, when opened, download and install the Maze ransomware payload onto the target’s system.
In addition to luring unsuspecting victims with notifications of tax refunds and law enforcement procedures to avoid tax penalties, the threat actor was found to leverage lookalike domains, verbiage, and stolen branding in the emails to increase the likelihood of social engineering the recipients. Other phishing emails attempted to deliver malware by spoofing a German internet service provider, 1&1 Internet AG, and the United States Postal Service (USPS) to distribute the IcedID banking Trojan.
Proofpoint researchers stated the operations heavily targeted recipients employed in business and IT services, manufacturing, and healthcare verticals. The campaigns’ consistent use of overlapping techniques — such as the use of .icu domains and identical email addresses for the DNS records of the domains used — has led the researchers to attribute the work to a single actor.
“Although these campaigns are small in volume, currently, they are significant for their abuse of trusted brands, including government agencies, and for their relatively rapid expansion across multiple geographies,” Proofpoint’s Threat Intelligence Lead Christopher Dawson said.
Asked if the phishing attacks could be the work of APT19, APT32, or Cobalt Group, Dawson said the tactics, techniques, and procedures (TTPs) employed by the group had no overlap with those of existing actors.
The fact that attackers are able to take advantage of effective tax-themed lures to carry out financially motivated operations underscores the highly targeted nature and evolving sophistication of these campaigns.
“The increasing sophistication of these lures mirrors improved social engineering and a focus on effectiveness over quantity appearing in many campaigns globally across the email threat landscape,” the researchers concluded.