Emotet is in the news again according to the latest information from email security firm Cofense.  Emotet is notorious for spreading via phishing campaigns and this latest phishing campaign sees them impersonating the IRS.

By all outward appearances, the emails look legitimate. The Emotet gang knows that with so many people feeling harried during tax season, potential victims are much less likely to look closely at incoming emails that claim to have tax documents since they’re expecting tax documents anyway.

While the particulars vary from one email to the next, the general gist of emails associated with this campaign goes as follows. “Hi, we’re the IRS, and we’re contacting your business with some completed tax forms,” or, in some variants, “We’re contacting you with some tax forms you need to fill out and send back to us.”

Again, given the timing of tax season, this is not at all out of the ordinary. A surprising percentage of email recipients are opening the included attachments.

Simply opening the emails won’t doom you, but if you enter the password required to unlock the file attached to the email, you will doom yourself. Emotet will be installed in the background along with whatever additional malicious payload the hackers want to inflict on you.

In addition to that the malware will rifle through your address book, absconding with the email addresses belonging to your contacts. It does this so it can use those addresses in future reply-chain attacks, thus extending the longevity of the campaign.

There’s no good defense against this kind of attack except for vigilance.  The standard email defenses apply here.  Never open an attachment from someone you don’t know.  In cases where the recipient seems to be a government agency, call to verify that they have, sent you something that needs your attention, and examine the email closely.

Be careful out there.