{
	"id": "8aea586e-d8bd-43d4-86c7-b91428c16b1b",
	"created_at": "2026-04-06T00:06:26.209516Z",
	"updated_at": "2026-04-10T03:21:57.546069Z",
	"deleted_at": null,
	"sha1_hash": "9ef876e655c670f280df227af8ea5ec2c825e45b",
	"title": "Beware of Email Scams Related to Current Events | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2791885,
	"plain_text": "Beware of Email Scams Related to Current Events | FortiGuard Labs\r\nPublished: 2022-03-23 · Archived: 2026-04-02 12:39:12 UTC\r\nMalicious email and phishing scams are usually topical and follow a pattern of current events, and they typically\r\nare crafted around calendar and/or trending issues as attackers realize that victims are interested in all things\r\nrelevant to the moment. Threat actors are aware that not all recipients will bite, but some will, hence the origin of\r\nthe term “phishing.”\r\nThreat actors often put in the least amount of work possible for a maximum return, sending out phishing emails to\r\nthousands of targets. Even if less than one percent of victims respond, the return on investment is still significant\r\ndue to the gain of personally identifiable information (PII) and/or establishing a foothold within an organization\r\nusing stolen credentials, malware, or other means.\r\nThis blog highlights some examples we’ve encountered that may help users better spot suspicious emails. Recent\r\nexamples observed by FortiGuard Labs include emails related to tax season and the Ukrainian conflict, which\r\nreflect the timeliness of current and newsworthy events at the time of writing.\r\nAffected Platforms: Windows\r\nImpacted Users: Windows users\r\nImpact: Compromised machines are under the control of the threat actor. Stolen personally identifiable\r\ninformation (PII), credential theft, monetary loss, etc.\r\nSeverity Level: Medium\r\nTax Season Phishing Scams\r\nTax season comes around annually, like other seasonal events or holidays. Targeting calendar-based events enables\r\nthreat actors to prepare ahead of time and have a new selection of targets on rotation.\r\nThe following set of examples highlights two IRS/tax-themed scams. The first is a malicious email pretending to\r\noriginate from the U.S. Internal Revenue Service (IRS) containing a maliciously crafted Microsoft Excel file to\r\ndeliver malware (Emotet). 
The second is a phishing scam that asks a recipient to send personally identifiable\r\ninformation (PII) via written correspondence to a phone number.\r\nIRS-themed email delivering Emotet\r\nThis attack starts with an IRS impersonation email that contains a ZIP attachment called “W-9 form.zip”. The\r\nemail is sent to the target, and a password is provided within the body of the email for convenient extraction. The\r\nzipped attachment contains a file, “W-9 form.XLM.” A file with the XLM extension is simply an Excel file that contains\r\nExcel 4.0 macros:\r\nhttps://www.fortinet.com/blog/threat-research/bad-actors-capitalize-current-events-email-scams\r\nPage 1 of 13\n\nFigure 1. Fake IRS email with malicious attachment\r\nFor those not familiar with Form W-9 (Request for Taxpayer Identification Number and Certification), it is used\r\nby U.S. individuals to provide a correct taxpayer identification number (TIN) to payers (or brokers) who are\r\nrequired to file information returns with the IRS. Red flags that this is a phishing scam include the non-capitalization of “assistant” and the incorrect usage of “Treasure” instead of “Treasury” in the signature body. It\r\nshould also be noted that the IRS does not communicate with U.S. taxpayers via email and instead uses the\r\ntraditional postal service for all communications.\r\nAnalysis\r\nUpon observation, and in a similar fashion to our recent Emotet blog, the XLM file asks the user to enable macros\r\nupon opening the file.\r\nThe XLM file contains the following obfuscated Excel 4.0 macro:\r\nFigure 2. Screenshot of Excel 4.0 macro\r\nThe document contains five hidden sheets: \"Vfrbuk1\", \"Sheet\", \"Lefasbor1\", \"EFALGV\", “Je1” and “Je2”. Sheet\r\nEFALGV contains the main code, which uses the other sheets to compile commands. 
It does this without user\r\ninteraction, running in the background to download a copy of Emotet from multiple remote locations:\r\nFigure 3. Hidden Sheets\r\nAnother variation observed was sent to a State Attorney General’s office in the United States. The “From” address\r\nis clearly seen in the email. It was sent from an automotive tire shop located in Japan, which is most likely\r\ncompromised and serves as an open mail relay:\r\nFigure 4. Variation of the same scam\r\nMicrosoft Takes Action\r\nMicrosoft announced in January 2022 that Excel 4.0 macros are disabled by default starting in Excel (Build\r\n16.0.14427.10000). The move came as no surprise because the feature is continuously abused by threat actors.\r\nOther welcome news from Microsoft is the restricted usage of macros in Access, Excel, PowerPoint, Visio, and\r\nWord by default starting in April 2022 via the disablement of VBA macros (also abused by Emotet). Based on the\r\nexamples shown above, we can see this did not deter the attacker one bit from abusing Excel 4.0 macros.\r\nAlso, administrators are able to control the usage of Excel 4.0 macros via group policy settings, as well as cloud\r\nand ADMX policies. This feature was introduced in July 2021. For more details, please visit Microsoft’s tech\r\ncommunity page - “Restrict usage of Excel 4.0 (XLM) macros with new macro settings control”.\r\nIt’s important to note that these potential victims were not targeted. Emotet utilizes what is colloquially known in\r\nthe industry as a “spray and pray” tactic to spread via malicious email campaigns. Emotet is known to have\r\ndelivered other malware variants in the past, with the most disruptive being ransomware. 
Some ransomware as a\r\nservice (RaaS) groups have specific policies to not deploy ransomware to government sectors, the defense industry,\r\nand other critical infrastructure (hospitals, etc.). However, actual attacks are often carried out by RaaS affiliates\r\nwho may or may not abide by the policy set by RaaS groups.\r\nRequest to Fill and Send a W-8 Form via a Fax Number\r\nA different scam recently observed is an email with the subject line of: “NEW YEAR-NON-RESIDENT ALIEN\r\nTAX EXEMPTION UPDATE.” This example contains an attachment, titled “W8-ENFORM.PDF.” While not\r\nmalicious, this PDF file is essentially a photocopy of the IRS W-8 form. It is simply the W8 form from the IRS\r\nwith an appended number added by the bad actors at the end of the document.\r\nRed flags within the body of the email are the improper usage of grammar, typos, and punctuation:\r\nFigure 5. W-8 themed tax scam\r\nThis scam uses social engineering verbiage to target nonresident aliens of the United States based on “official”\r\nrecords discovery. However, in a weird miscue, the email contains a contradictory statement:\r\n“if you are a USA citizen and resident, this W8BEN-FORM is not meant for you…”\r\nThe email continues with instructions to reply back and to state on the attached form that the recipient is, indeed, a\r\nU.S. citizen/resident. After this step is completed, the bad actor provides a different form to complete.\r\nFigure 6. W-8 Form\r\nFigure 7. 
W8 Form with added phone number to document\r\nOnce this form is filled out, all PII included on this form appears to be sent to a phone number with the 806 area\r\ncode, which belongs to the state of Texas. As of the time of writing this number has an active fax service, which most likely\r\nis internet-based and can receive the content and distribute it as an attachment to the malicious actor anywhere in the\r\nworld. It is possible, if there are a lot of respondents, that they could be using OCR (optical character recognition)\r\ntechnology to store victim data in a database for later use.\r\nIt is important to again note that the IRS does not handle any official correspondence via email. Official W-9\r\nforms are available on the IRS Web page. Official W8 forms can be found here.\r\nRefugee War Scams\r\nSpam commonly uses techniques such as referencing current events (sports, tax season), using money as an incentive to click,\r\nplaying on our natural greed (tax refunds, free money), and using the threat of running out of time to get us to take\r\nimmediate action.\r\nIn the example below, all three techniques are employed, albeit in a more unusual way – with an impassioned plea\r\nto give money to others with the subject line “URGENT RESPONSE REQUIRED! (UKRAINE).”\r\nWhile the email does not contain a malicious attachment or link, the scammer is asking for a response. This is\r\nlikely to be followed by a further message asking for more information. Perhaps the threat actor may engage in dialog with\r\nthe victim and will ask the victim to send payment via wire transfer, third-party payment processors (such as\r\nVenmo, Zelle, etc.), or via cryptocurrency. The sender uses a gmail.com email address, likely to\r\nevade spam filters.\r\nFigure 8. 
Email Screenshot\r\nBitcoin Variation\r\nThe screenshot below highlights a brazenly opportunistic scam with the subject line “URGENT DONATION\r\nRESPONSE FOR WAR REFUGEE CAMP IN UKRAINE.” It purports to originate from a trusted organization,\r\nthe United Nations. Red flags are the forged email address of the UN High Commissioner “info@seca[.]cam” in\r\nthe “From” line, as well as some grammatical and punctuation errors. Another red flag is that the seca[.]cam\r\ndomain was only registered a few weeks ago, on February 23, 2022.\r\nFigure 9. Refugee scam soliciting for Bitcoin\r\nChecking the Bitcoin wallet address, we can see that this is an active wallet that had its first transaction on\r\nSeptember 29th, 2021. Since the first discovery of the campaign on the 7th of March, several transactions have\r\nbeen made to this wallet. Its current value at time of writing is $46.82 USD, with total transactions valued at\r\n$712.79 USD. Assuming that this wallet was used for malicious purposes, it appears that various campaigns have\r\nnetted the threat actor a modest profit. However, it can also be safely surmised that this might not be the scammer’s\r\nonly wallet. As with the IRS, it is also important to mention that the U.N. will never send unsolicited emails for\r\ndonations. For further details, please reference the U.N. Fraud Alert page.\r\nFigure 10. Bitcoin wallet details\r\nConclusion\r\nEmotet and the War in Ukraine\r\nWith the current tragic situation in Ukraine unfolding, internal chatter within ransomware groups has surfaced.\r\nSome ransomware groups side with Russia and other groups side with the West. 
A well-known RaaS group (which\r\nused Emotet)—that we will not publicize for obvious reasons—has made a very strong statement that any attacks\r\ndirected towards Russia will be met with a retaliatory act towards the West.\r\nAs the situation is fluid, and with potentially compromised government sectors likely being infected or targeted\r\nwith ransomware at this very moment either for monetary or political reasons, this threat is not out of the question.\r\nThe point is that important sectors such as government agencies are no longer exempt from attacks, especially\r\nfrom Emotet threat actors, regardless of bias or opinion.\r\nPhishing scams aren’t going anywhere. They are a part of the threat landscape and will likely always be a\r\ncomponent of an attacker’s arsenal. This is because the return on investment for an attacker is very high. A crafted\r\nemail containing specific language designed to trick users into opening an attachment, following a link,\r\nresponding with confidential or sensitive information, etc. will always work on a percentage of targets. This is\r\nbecause of the one major weakness security software cannot address: the human element.\r\nTraining programs constantly remind and teach users how to spot malicious email/phishing/spearphishing scams\r\nfor a good reason. Out of thousands of recipients, it only takes a few to respond to make it all worthwhile to an\r\nattacker. And when the right person falls prey it can unleash a trove of information to the attacker that can be\r\nexploited for various purposes. Although such scams are well known and publicized, they are still pervasive for\r\none simple fact—they work and will continue to work for the foreseeable future.\r\nThings to Consider:\r\n1. Think twice when enabling macros (they are disabled by default for good reason), especially in tax form\r\nXLM files.\r\n2. 
The IRS will never send correspondence via email (including attachments) without first obtaining your\r\nconsent. IGNORE all unsolicited emails purporting to be from the IRS as they are not real.\r\n3. The IRS has a dedicated webpage to report scams along with an FAQ page - Report Phishing | Internal\r\nRevenue Service (irs.gov) (Note: Scams mentioned in this blog have been sent to the IRS before\r\npublication)\r\n4. The UN will also never send unsolicited emails for donations. According to the UN website, “The United\r\nNations strongly recommends that the recipients of solicitations, such as those described above exercise\r\nextreme caution in respect of such solicitations.” Please see the U.N. Fraud Alert page for further details.\r\nIGNORE all unsolicited emails purporting to be from the UN as they are not real. (Note: Scams mentioned\r\nin this blog have been sent to the UN before publication)\r\n5. Unsolicited emails asking for donations of any kind via email (especially via cryptocurrency) are a red flag\r\nregardless of cause.\r\n6. Responding to any email (even if it doesn’t contain a link or malicious attachment) from an untrusted\r\nsender will validate your email address to threat actors, either adding you to spam lists or subjecting you to\r\nfuture attacks and scams.\r\nRemember:\r\nThreat actors are playing the numbers game. 
If they spam out 1,000 emails at a very minimal cost, and 10 people\r\nbite, giving them valuable data, then the effort spent was well worth the return on investment.\r\nFortinet Coverage\r\nFortinet customers are protected from this campaign by FortiGuard Web Filtering, AntiVirus, FortiMail,\r\nFortiClient, FortiEDR, and CDR (content disarm and reconstruction) services, as follows:\r\nThe malicious macro inside the Excel sample (Emotet) can be disarmed by the FortiGuard CDR (content disarm\r\nand reconstruction) service.\r\nFortiEDR detects both the Excel file and Emotet-related files as malicious based on behavior.\r\nAll relevant URIs to campaigns mentioned in the blog are blocked by the FortiGuard Web Filtering service.\r\nThe malicious Excel sample and associated downloaded files are detected as\r\n“XML/Dloader.802!tr”, “W32/Emotet.C!tr”, “W32/Emotet.CV!tr”, and “W32/Emotet.1150!tr” and are blocked by the\r\nFortiGuard AntiVirus service.\r\nThe IRS phishing email targeting nonresident aliens is detected as:\r\nIRS PDF/Fraud.10F1!phish\r\nUkraine Related Scams\r\nURGENT RESPONSE REQUIRED! 
(UKRAINE) campaign\r\necres231[.]servconfig[.]com\r\nis classified as a spam server and is blocked by our Web Filtering client.\r\nURGENT DONATION RESPONSE FOR WAR REFUGEE CAMP IN UKRAINE campaign\r\nseca[.]cam\r\nis classified as a spam sender and is blocked by the Web Filtering client.\r\nFortinet has multiple solutions designed to help train users to understand and detect phishing threats:\r\nThe FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness\r\nand vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted\r\nphishing attacks.\r\nIn addition to these protections, we suggest that organizations also have their end users go through our FREE NSE\r\ntraining: NSE 1 – Information Security Awareness. It includes a module on Internet threats that is designed to help\r\nend users learn how to identify and protect themselves from various types of phishing attacks.\r\nIndicators of Compromise\r\nURLs (Emotet)\r\nSample SHA-256 involved in the attack: 
(Emotet)\r\nMany thanks to Fred Gutierrez and Geri Revay for their contributions to this blog.\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard\r\nSecurity Subscriptions and Services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/bad-actors-capitalize-current-events-email-scams",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/bad-actors-capitalize-current-events-email-scams"
	],
	"report_names": [
		"bad-actors-capitalize-current-events-email-scams"
	],
	"threat_actors": [],
	"ts_created_at": 1775433986,
	"ts_updated_at": 1775791317,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9ef876e655c670f280df227af8ea5ec2c825e45b.pdf",
		"text": "https://archive.orkl.eu/9ef876e655c670f280df227af8ea5ec2c825e45b.txt",
		"img": "https://archive.orkl.eu/9ef876e655c670f280df227af8ea5ec2c825e45b.jpg"
	}
}