This latest email follows a similar scam email, containing the same fake Xero invoice, that circulated previously.
MailGuard says the criminals behind the scam are leveraging the trust users place in the Xero brand to try to get people to open a malware file attachment.
“Xero is a popular cloud-based accounting software and this is the second time this month that it has been impersonated by scammers,” the security firm says.
As MailGuard points out, you can see from the screenshot that although the sender display name on the email is "Xero Billing Notifications", the actual sender address behind it is subscription[dot]notifications[at]xerohost[dot]net, which is not an authentic Xero domain.
In fact, MailGuard says this domain — xerohost[dot]net — was only registered on a Chinese domain registry the day before it discovered the scam.
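The mismatch described above, between a branded display name and an unrelated sender domain, can be checked automatically on a mail gateway or during triage. The following is an added example, not MailGuard's or Xero's code; the `BRAND_DOMAINS` allowlist, the function names and the sample headers other than the address quoted above are assumptions made for illustration.

```python
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# Assumption: brand keyword -> domains that brand really sends from.
# Populate from the vendor's own published sender list; xero.com is illustrative.
BRAND_DOMAINS = {"xero": {"xero.com"}}

# Constructed sample From headers; the first uses the defanged address quoted in the article.
SAMPLES = [
    '"Xero Billing Notifications" <subscription[dot]notifications[at]xerohost[dot]net>',
    'Xero <billing@post.xero.com>',
    'Alice <alice@example.org>',
]


def refang(text):
    """Turn a defanged indicator (user[at]host[dot]tld) back into a parseable address."""
    return text.replace("[at]", "@").replace("[dot]", ".")


def split_from(from_header):
    """Return (decoded display name, lower-cased sender domain) from a From header."""
    name, addr = parseaddr(refang(from_header))
    name = str(make_header(decode_header(name)))  # handles RFC 2047 encoded names
    return name, addr.rpartition("@")[2].lower()


def on_brand_domain(domain, allowed):
    """True if domain is an allowed domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def check_from(from_header):
    """Return reason codes for a From header; an empty list means nothing was flagged."""
    name, domain = split_from(from_header)
    reasons = []
    for brand, allowed in BRAND_DOMAINS.items():
        if on_brand_domain(domain, allowed):
            continue
        # Whole-word match so an unrelated name such as "Xerox" is not flagged.
        if re.search(rf"\b{re.escape(brand)}\b", name.lower()):
            reasons.append("display_name_brand_mismatch")
        # Substring match is deliberate (xerohost); treat it as a triage signal only.
        if brand in domain:
            reasons.append("lookalike_domain")
    return reasons


if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_from(header) or "ok")
```

The From header is only what the recipient sees, so this check complements SPF, DKIM and DMARC evaluation rather than replacing it.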
Here are other observations about this latest scam from MailGuard:
The attachment on this email is a Word document, which seems like a harmless format to most people. Unfortunately, it’s possible to conceal malicious code in .doc macros.
Macros are small software fragments that are embedded in .doc files. Macros are designed to automate tasks in documents, but because they can work in the background without a user’s knowledge, they make useful malware vehicles for cyber crime.
Scammers can hide a trojan or a dropper in macro code, which will download and activate other malicious software. The code in the macro itself may not be particularly harmful, but the malware it covertly installs could be a virus, spyware or ransomware.
Microsoft has disabled dangerous macros by default in newer editions of Office. There’s no legitimate reason for a company to be sending you an invoice document with macros in it, so they’re a red flag for scams.
To avoid being tricked by one of these scams, you should immediately delete any emails that look suspicious or ask you to open or download files that you weren’t expecting.
The rule of thumb is that any attachment to an email has the potential to be harmful. If the message originates from an unknown source, there’s no way of knowing what sort of damaging malware it might be carrying.
This fake Xero email was prevented from reaching the inboxes of MailGuard clients, but there are thousands of these messages going out today, so please keep an eye out for them and share this warning with your network.