An unusual malware dubbed “Voldemort” is using phishing emails and Google Sheets to evade security systems and steal confidential data, Proofpoint security analysts warned on August 29.
In a comprehensive report, the California-based cybersecurity company stated that the malware surfaced on August 5 with a few hundred phishing emails daily but later surged to nearly 6,000 in a single day at its peak. So far, Voldemort has already reached over 70 target companies with over 20,000 emails.
Currently, around 18 different verticals have been attacked, with nearly a quarter of the targeted organizations being insurance companies. Aerospace, transportation, and university entities make up the rest of the top half of the targets and are also at high risk.
The phishing emails notify victims about changes to their tax filings and contain links that supposedly lead to documents with the updated tax information. The messages impersonate tax authorities in the USA, UK, France, Germany, and other countries and are written in the corresponding languages.
Proofpoint stated that the emails are sent to the intended victims based on their country of residence rather than the country in which the organization operates or the language that can be determined from the email address.
“For example, certain targets in a multi-national European organization received emails impersonating the [Internal Revenue Service] because their publicly available information linked them to the US. In some cases, it appears that the threat actor mixed up the country of residence for some victims when the target had the same (but uncommon) name as a more well-known person with a more public presence,” the company wrote in its report.
Clicking the email link directs the recipient to download a file that looks like a harmless PDF. Once running, the malware bypasses security systems by using Google Sheets as its command-and-control server: the traffic goes to Google’s legitimate API, authenticated with access credentials embedded in the malware, so it is not flagged as suspicious.
While the malware campaign’s ultimate objective remains unclear, Proofpoint believes that the nature of the capabilities and activity of Voldemort point to espionage. However, it is still a versatile threat to vulnerable systems, capable of deleting files, temporarily disabling itself, and becoming a backdoor for additional malware.
Proofpoint advises organizations to restrict access to external file-sharing services to trusted servers to protect against malicious activity. Connections to TryCloudflare should also be blocked if they are not actively needed, and suspicious PowerShell execution should be monitored.
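As an added illustration of the last two recommendations (not code from Proofpoint or from the report), the following script runs two simple checks over constructed log lines: it flags proxy connections to TryCloudflare quick-tunnel hostnames (`*.trycloudflare.com`), and it flags PowerShell launches that use hidden-window or encoded-command flags, decoding the base64 UTF-16LE payload for the analyst. The key=value log format and the sample entries are assumptions for the example.

```python
import base64
import re

# Constructed sample logs (not from Proofpoint's report), one event per line in key=value form.
PROXY_LOG = """\
ts=2024-08-29T10:01:02Z src=10.0.1.25 host=docs.google.com dst_port=443
ts=2024-08-29T10:01:05Z src=10.0.1.25 host=example-words-1234.trycloudflare.com dst_port=443
ts=2024-08-29T10:02:11Z src=10.0.1.40 host=sheets.googleapis.com dst_port=443
"""
PROCESS_LOG = r"""ts=2024-08-29T10:01:06Z computer=WS01 image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c dir"
ts=2024-08-29T10:01:07Z computer=WS01 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -w hidden -nop -enc QQBCAEMA"
ts=2024-08-29T10:05:00Z computer=WS02 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -File C:\scripts\inventory.ps1"
"""

TUNNEL_SUFFIXES = (".trycloudflare.com",)  # Cloudflare quick-tunnel hostnames
# Flags that hide or obscure a PowerShell launch; they have legitimate uses, so alert and then triage.
SUSPICIOUS_PS = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand|nop|noprofile|w(?:indowstyle)?\s+hidden|(?:ep|executionpolicy)\s+bypass)\b")
ENCODED_ARG = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

def parse_kv(line):
    """Parse one 'key=value' log line; values may be double-quoted."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def flag_tunnel_hosts(proxy_log):
    """Return (src, host) pairs for connections to quick-tunnel domains (block or alert on these)."""
    hits = []
    for line in proxy_log.splitlines():
        ev = parse_kv(line)
        host = ev.get("host", "").lower()
        if host.endswith(TUNNEL_SUFFIXES):
            hits.append((ev.get("src"), host))
    return hits

def flag_powershell(process_log):
    """Return (computer, cmdline, decoded_command) for PowerShell launches with evasion-style flags."""
    hits = []
    for line in process_log.splitlines():
        ev = parse_kv(line)
        cmd = ev.get("cmdline", "")
        if not ev.get("image", "").lower().endswith("powershell.exe") or not SUSPICIOUS_PS.search(cmd):
            continue
        decoded = None
        m = ENCODED_ARG.search(cmd)
        if m:
            try:  # -EncodedCommand carries base64 of UTF-16LE script text
                decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                decoded = "<undecodable>"
        hits.append((ev.get("computer"), cmd, decoded))
    return hits
```

On the sample data only the second proxy line and the hidden-window PowerShell launch are reported; the plain `-File` script run is not.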