They are claiming to come from several government agencies.
These include the Italian Revenue Agency, the German Federal Ministry of Finance, and the United States Postal Service.
This is all part of a malicious campaign designed to infect targeted recipients with a variety of malware.
The bulletin Proofpoint released on matter reads, in part, as follows:
“Between October 16 and November 12, 2019, Proofpoint researchers observed the actor sending malicious email messages to organizations in Germany, Italy, and the United States, targeting no particular vertical but with recipients that were heavily weighted towards business and IT services, manufacturing, and healthcare.
These spoofs are notable for using convincing stolen branding and lookalike domains of European taxation agencies and other public-facing entities such as Internet service providers. Most recently, the actor has attacked US organizations spoofing the United States Postal Service. The increasing sophistication of these lures mirrors improved social engineering and a focus on effectiveness over quantity appearing in many campaigns globally across the email threat landscape.”
In the US, emails claiming to be from the post office come with an attached Word Document called “USPS_Delivery.doc.” If a recipient clicks on the document to open it, they’ll receive a message that the file has been encrypted for additional security and in order to view it, they’ll be required to “enable content.”
Naturally, clicking on the “enable content” button does nothing of the sort. Instead, it installs whatever malware the senders have associated with the email in question.
The identity of the threat actor is not known at this time, but this is a serious issue that you should immediately alert all employees about in order to minimize the risk to your company.