A large email scam centered on a fake Xero invoice was detected by the firm Mailguard, the second such campaign using the popular cloud-based accounting software this month.
The target receives an email with a Word document attached that is labeled as an invoice that contains malicious macros. The fake invoice is well crafted and contains the target's name along with an email address that appears to be from Xero, but is actually domain recently registered in China.
Once opened the document does not try to illicit any type of payment from the victim, but contains a note informing the person that money will be deducted from their account in accordance with their supposed contract with Xero. Xero is a commonly used software platform so the cybercriminals social engineering plan is banking on either the target having used the software at some point, or is at least familiar enough with it to become curious enough to open the attachment.
Mailguard did not say what type of malware is being dropped by the macro, but did say that a macro can be used to install anything from a trojan to ransomware.