W-2 Tax Form Lure Pairs a Populated PDF with a Payroll Portal Link

TL;DR: An attacker sent a minimal email with the subject 'W-2' from a free Yahoo address to an employee at a regional bank. The message contained a link to my-estub[.]com (a Paperless Pay payroll portal) and an attached PDF populated with real W-2 data including a Social Security number, employer name, and wage figures. The PDF had interactive AcroForm fields and a recent modification timestamp matching the delivery date. A Votiro content-disarm gateway in the relay path broke DKIM/SPF alignment, reducing available authentication evidence.

Severity: High
Tags: Tax-Form-Phishing, Credential-Harvesting
MITRE ATT&CK: T1566.001, T1566.002

Tax form phishing is effective because it exploits a process employees already expect. Every organization distributes W-2s. Every employee needs them. When a W-2 arrives in an inbox, the default response is to open it. This case took that exploitation further by attaching a PDF that actually contained real tax form data, complete with a Social Security number, wages, and an employer name.

The email arrived at a regional bank from a free Yahoo address. The subject line was simply "W-2." The body was minimal: no greeting, no employer signature, no explanatory context. Just a link to my-estub[.]com, a payroll portal operated by Paperless Pay Corporation, and a PDF attachment styled as a W-2 tax form.

Original Yahoo authentication (SPF, DKIM, DMARC) passed at the point of origin. However, the message was routed through a Votiro content-disarm relay (votiro-relay1.prod.votiro[.]com, IP 44.206.213[.]130, PTR ec2-44-206-213-130.compute-1.amazonaws[.]com), which sanitized the attachment but broke DKIM and SPF alignment in the process. Downstream authentication checks showed SPF neutral and DKIM failure, which is expected behavior when a content-disarm gateway modifies the message in transit. The DMARC policy for yahoo[.]com is p=quarantine, and multiple mailboxes quarantined the message.

The Populated W-2 PDF

The attached PDF (137,864 bytes, MD5 c3069d381efe2c50035c838e6a61c110) was not a blank form or a simple lure. Text extraction revealed a fully populated W-2 with real-looking data: an employer name, an employee name matching the sender's display name, a partially visible Social Security number, and wage figures. This is significant because most tax-form phishing uses blank or obviously templated documents. A populated form with plausible data creates immediate credibility.

The PDF contained AcroForm fields and annotations, indicating interactive form elements. Static analysis found no embedded JavaScript, no /SubmitForm actions, and no /URI entries. However, compressed XObject streams and form fields were present whose internal names were not fully enumerable by automated extraction. The absence of obvious exploit mechanisms does not eliminate the risk that interactive fields could be designed to prompt users to fill and submit data through an external channel.

A metadata anomaly adds context. The document's creation date references 2014, but the modification timestamp matched the delivery date, indicating the PDF was generated or reprocessed immediately before sending. This pattern is consistent with a phishing kit that populates a template with real data and exports a fresh PDF per campaign.

The link to my-estub[.]com/Employee/iTaxFormsHandler.ashx points to a legitimate payroll portal (Paperless Pay Corporation, domain registered in 2010). Automated link scanning returned a "clean" verdict. But the combination of an unsolicited email from a free Yahoo address linking to a third-party payroll portal is a classic credential-harvesting vector. If the landing page prompts for login credentials, recipients who trust the W-2 context may enter their employer payroll credentials without verification.


MITRE ATT&CK Mapping

  • Phishing: Spearphishing Attachment (T1566.001): The email delivers a populated W-2 PDF designed to establish trust and potentially collect sensitive data through interactive form fields.
  • Phishing: Spearphishing Link (T1566.002): The embedded link directs recipients to a third-party payroll portal that could harvest credentials.

How Adaptive AI Detects Tax Form Lures

Authentication breaks caused by content-disarm relays create a challenging detection scenario. The original sender's authentication passed, but downstream evidence is degraded. A traditional SEG sees the failed DKIM and may either reject the message (causing false positives for legitimate CDR-processed mail) or accept it (missing the phishing).

Themis, the IRONSCALES Adaptive AI, evaluates the full context: free-webmail sender, first-time contact, tax-themed subject, minimal body content, and an attachment with interactive fields. These behavioral signals persist regardless of authentication state. The relay-aware analysis distinguishes between legitimate CDR processing and actual authentication failures.
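To make the relay-aware reasoning above concrete, here is an added example (written for this post, not IRONSCALES' Themis or any of its code) that parses a constructed header set modelled on the case: it treats a DKIM failure behind a known CDR hop as an expected break rather than spoofing evidence, and scores the behavioral signals separately. The relay list, free-webmail list, and all hostnames except the Votiro relay named in the post are assumptions.

```python
import re
from email import message_from_string

# CDR relays whose rewriting is expected to break DKIM/SPF alignment. Only the Votiro
# hostname comes from the post; a real deployment maintains this list itself.
CDR_RELAYS = {"votiro-relay1.prod.votiro.com"}
FREE_WEBMAIL = {"yahoo.com", "gmail.com", "hotmail.com"}
TAX_TERMS = ("w-2", "w2", "1099", "tax form")

# Constructed headers modelled on the post, not the actual message; placeholder hosts.
VIA_CDR = """\
Received: from votiro-relay1.prod.votiro.com ([44.206.213.130]) by mx.bank.example
Received: from outbound.webmail.example by votiro-relay1.prod.votiro.com
Authentication-Results: mx.bank.example; spf=neutral; dkim=fail header.d=yahoo.com
From: Jane Doe <janedoe@yahoo.com>
Subject: W-2

https://payroll-portal.example/forms
"""

def auth_results(msg) -> dict:
    """Pull method=result pairs out of Authentication-Results."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))

def last_hop(msg) -> str:
    """Host that handed the message to our MX (the topmost Received header)."""
    m = re.match(r"from\s+(\S+)", (msg.get_all("Received") or [""])[0])
    return m.group(1) if m else ""

def assess(raw: str) -> dict:
    """Score behavioural signals independently of the (possibly relay-damaged)
    authentication state; a DKIM failure behind a known CDR hop is labelled as
    expected, which is neither spoofing evidence nor evidence of legitimacy."""
    msg = message_from_string(raw)
    auth, hop = auth_results(msg), last_hop(msg)
    sender_domain = msg.get("From", "").rsplit("@", 1)[-1].rstrip(">").lower()
    subject, body = msg.get("Subject", "").lower(), msg.get_payload() or ""
    signals = []
    if sender_domain in FREE_WEBMAIL:
        signals.append("free-webmail-sender")
    if any(term in subject for term in TAX_TERMS):
        signals.append("tax-themed-subject")
    if len(body.split()) < 20 and "http" in body:
        signals.append("minimal-body-with-link")
    return {
        "auth": auth,
        "last_hop": hop,
        "auth_break_expected": hop in CDR_RELAYS and auth.get("dkim") == "fail",
        "signals": signals,
        "verdict": "quarantine" if len(signals) >= 2 else "deliver",
    }
```

Replacing the Votiro hostname in the sample with an unknown host turns the same DKIM failure into a genuine authentication break, while the behavioral verdict stays the same.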

The IRONSCALES community-driven threat intelligence network surfaces these campaigns early. When multiple banks or organizations report similar W-2 lures from Yahoo addresses, the pattern becomes actionable intelligence for all protected environments. Research shows that 67.5 phishing emails per 100 mailboxes per month bypass traditional secure email gateways, and tax-season lures represent a recurring seasonal spike.

Hardening Recommendations

  1. Block or quarantine tax form emails from free webmail addresses. Legitimate W-2 distribution does not originate from Yahoo, Gmail, or Hotmail accounts.
  2. Train employees to verify payroll documents through internal channels. W-2s should be retrieved directly from the employer's HR system or known payroll provider, never through emailed links.
  3. Inspect PDF metadata timestamps. A document with a creation date years before delivery but a modification date matching the send date indicates automated generation.
  4. Account for CDR relay effects in authentication policies. Votiro and similar gateways legitimately break DKIM/SPF. Build detection rules that do not rely solely on post-relay authentication results.
  5. Monitor for interactive PDF form fields. AcroForm elements in tax documents delivered via email should trigger enhanced scrutiny, even when static analysis finds no obvious exploits.
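Recommendations 3 and 5, together with the static checks described under "The Populated W-2 PDF", can be scripted. The following is an added example (not tooling from the post or from IRONSCALES) that runs over a constructed minimal PDF carrying one AcroForm field and the 2014-creation, delivery-day-modification timestamp pattern; the dates and field name are invented for the sample.

```python
import re
from datetime import date, datetime

# Constructed sample, not the post's attachment: one AcroForm text field plus
# a 2014 creation date and a modification date on the (constructed) delivery day.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /AcroForm << /Fields [5 0 R] >> >> endobj
4 0 obj << /CreationDate (D:20140115093000Z) /ModDate (D:20260210141522Z) >> endobj
5 0 obj << /Type /Annot /Subtype /Widget /FT /Tx /T (EmployeeSSN) >> endobj
trailer << /Root 1 0 R /Info 4 0 R >>
%%EOF
"""

def parse_pdf_date(raw: bytes):
    """Parse a PDF date string such as D:20140115093000Z (time zone ignored)."""
    m = re.match(rb"D:(\d{4})(\d{2})(\d{2})(\d{2})?(\d{2})?(\d{2})?", raw)
    return datetime(*[int(g) if g else 0 for g in m.groups()]) if m else None

def triage_pdf(data: bytes, delivered_on: str) -> dict:
    """Collect the post's signals: AcroForm fields, active-content keys and the
    old-creation/fresh-modification pattern. Regexes see only raw bytes, so objects
    inside FlateDecode streams are invisible: a 'clean' result is a weak signal."""
    info = {
        "has_acroform": b"/AcroForm" in data,
        "field_names": [t.decode("latin-1") for t in re.findall(rb"/T\s*\(([^)]*)\)", data)],
        "has_javascript": bool(re.search(rb"/(JavaScript|JS)\b", data)),
        "has_submitform": b"/SubmitForm" in data,
        "has_uri": bool(re.search(rb"/URI\b", data)),
    }
    for key in ("CreationDate", "ModDate"):
        m = re.search(rb"/" + key.encode() + rb"\s*\((D:[^)]*)\)", data)
        info[key] = parse_pdf_date(m.group(1)) if m else None
    created, modified = info["CreationDate"], info["ModDate"]
    # Years-old template exported on the day it was sent: per-campaign generation.
    info["fresh_export_of_old_template"] = bool(
        created and modified
        and modified.date() == date.fromisoformat(delivered_on)
        and (modified - created).days > 365
    )
    return info

def risk_flags(info: dict) -> list:
    """Reduce the triage dict to the flags a mail-flow rule would act on."""
    active = info["has_javascript"] or info["has_submitform"] or info["has_uri"]
    checks = [("interactive-form-fields", info["has_acroform"]),
              ("active-content", active),
              ("old-template-fresh-export", info["fresh_export_of_old_template"])]
    return [name for name, hit in checks if hit]
```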

Indicators of Compromise

Indicator                         | Type   | Context
yahoo[.]com                       | Domain | Sender domain, free Yahoo account
my-estub[.]com                    | Domain | Payroll portal link destination (Paperless Pay)
c3069d381efe2c50035c838e6a61c110  | MD5    | Hash of populated W-2 PDF attachment
44.206.213[.]130                  | IP     | Votiro relay IP (AWS EC2)
votiro-relay1.prod.votiro[.]com   | Domain | Content-disarm relay hostname

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
