What to look out for today
1) “Tax/authority” emails targeting finance teams. A campaign is using convincing emails that impersonate a tax authority and pushes a fake “utility”/software download to install a remote access trojan (RAT). While the example reported targets India, the theme is common and travels well: finance teams, accountants and payroll are routinely targeted with urgent “filing”, “refund”, “penalty” and “verification” lures.
2) Business website/server compromise risk. A maximum-severity Adobe ColdFusion flaw is reported as being actively exploited. If you (or a supplier) run ColdFusion for internal apps, customer portals or old web systems, this is the type of issue that can quickly become a foothold for data theft and ransomware.
Why this matters to smaller businesses
- Finance access is high value: one successful click can lead to mailbox access, invoice fraud, payroll diversion, or wider network access.
- Old web apps are often “quiet critical”: ColdFusion often sits behind legacy line-of-business systems. If it’s compromised, attackers may get databases, customer data, or an easy path to encrypting servers.
- Supplier ripple effects: even if you don’t use ColdFusion, your web agency, hosting provider, or SaaS vendor might—leading to outage, data exposure, or knock-on phishing using stolen contact lists.
Warning signs
- Emails to finance/payroll that demand urgency: “final notice”, “penalty”, “account will be suspended”, “refund held”, “KYC required”.
- Requests to download and run a “tax tool”, “installer”, “validation utility”, or “secure viewer” from an email link.
- Unexpected “secure portal” links that ask for Microsoft 365/Google sign-in when you weren’t expecting it.
- Website/admin portal behaving oddly: sudden slowness, unexplained logins, new admin accounts, or changes you didn’t author.
- Unplanned server restarts, scheduled tasks you don’t recognise, or security tools being disabled (often spotted by your IT provider/MSP first).
How attackers may exploit the situation
- Spear-phishing into a remote access trojan (RAT): once installed, attackers can steal saved passwords, read emails, and move laterally to accounting systems and shared drives.
- Account takeover: compromised finance mailboxes are used to change supplier bank details or insert themselves into live invoice threads.
- Server/app compromise leading to disruption: exploited internet-facing systems are a common first step to data theft and ransomware.
What to do today
- Brief finance/payroll in 5 minutes: no one should install software from an email to “complete a filing” or “validate” anything. If in doubt, forward to IT and verify via a known good phone number.
- Harden payment-change processes: require call-back verification (using a number from your supplier master data, not the email) for any bank detail changes.
- Check your exposure: ask IT/your web agency whether you run ColdFusion anywhere (including old internal apps and hosted systems) and whether it’s internet-facing.
- Make sure logging/alerting is on: confirm you have alerts for suspicious mailbox rules/forwarding and admin account creation.
Ask your IT provider
- Do we run Adobe ColdFusion on any servers (on-prem or hosted)? If yes, is it internet-facing and who owns patching responsibility?
- Are we monitoring for new mailbox forwarding rules, suspicious inbox rules, and unusual sign-ins for finance users?
- What is our current ability to contain a compromised user quickly (disable account, revoke sessions, isolate device) within 30 minutes?
- Do we have an agreed process for urgent verification of supplier payment change requests and payroll updates?
Patch watch - only one short paragraph, and only if relevant
Adobe ColdFusion is reported as being actively exploited (CVE-2026-48282). This is worth prioritising if you run ColdFusion directly or via a third-party web/app supplier—ask for confirmation of patch status and whether additional monitoring has been applied to ColdFusion servers.
| Today’s focus | Who should care most | Impact if hit |
|---|---|---|
| Tax/authority-themed finance phishing | Finance, payroll, ops, anyone approving payments | Invoice fraud, payroll diversion, account takeover |
| ColdFusion exploitation (supplier/legacy app risk) | IT/MSP, web agencies, orgs with older internal apps | Data theft, outage, ransomware entry point |
One action today
Send a same-day note to finance/payroll: do not install any “tax/verification utility” from email links, and verify any payment or bank-detail change by calling a known good number.
Related Actions On Cyber resource
Actions On Cyber checklist: Payment change & invoice fraud call-back controls (finance process quick-check)
Sources
- Suspected China-Nexus Hackers Use Fake Indian Tax Filing Utility to Deploy DcRAT (The Hacker News)
- Max severity Adobe ColdFusion flaw now exploited in attacks (BleepingComputer)
This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.