Services Australia Impersonation Drives Year-Round Credential Theft Operation
17 October 2025
By Ankit Gupta, Hiwot Mendahun and the Mimecast Threat Research Team
- MCTO3001 - Threat operation with Services Australia and Centrelink impersonation campaigns across multiple sectors
- Infrastructure abuse of legitimate email services (SendGrid, Mailgun, Office 365) with Australian Gov display name
- Campaign objective: Credential harvesting and data theft through government authority impersonation
Campaign Overview
The Mimecast Threat Research team continues to track MCTO3001, a sustained credential harvesting operation that has specifically targeted Australian organizations since 2023. MCTO3001 operates year-round with evolving lure themes, exploiting the authority and trust associated with government communications. The threat actors behind MCTO3001 employ a consistent tactical approach, predominantly sending from compromised email accounts and through legitimate bulk email services including SendGrid, Mailgun, and Office 365 infrastructure.
A defining characteristic of MCTO3001 is the systematic pairing of government-themed display names (containing ".gov.au" or otherwise referencing an Australian government agency) with non-government sending infrastructure. The "To:" header is consistently forged or absent altogether, a form of header manipulation designed to evade detection while maintaining the appearance of official government correspondence. The operation strategically impersonates Services Australia, leveraging detailed knowledge of Australian benefit systems including superannuation, Medicare, JobSeeker payments, and Family Tax Benefit.
Latest Campaign Analysis
The latest MCTO3001 phishing campaign targets Australian users, particularly those with Centrelink accounts. The primary lure used in this campaign is an email that claims a "detected sign-in" or suspicious login attempt has occurred on the recipient’s Centrelink account.
The email, crafted to closely mimic official Centrelink or myGov communications, urges the recipient to verify their account by clicking a provided link. This social engineering tactic leverages urgency and fear, prompting users to act quickly and without due caution.
Once the victim clicks the link, they are directed to a fake myGov login page designed to harvest their credentials.
A key technical feature of this campaign is the abuse of Portmap.io, a legitimate reverse tunnelling service. Portmap.io allows users to expose local servers to the internet by creating public-facing URLs that forward traffic to a machine behind NAT or firewalls.
Threat actors like MCTO3001 abuse this service to rapidly deploy phishing sites without registering new domains or purchasing hosting. Each phishing instance can use a unique subdomain and port (e.g., hxxps://michdev-44475[.]portmap[.]io:44475/wett/tat/), making it difficult for defenders to block or blacklist the infrastructure one URL at a time. The use of Portmap.io also complicates attribution, as the true origin of the phishing server is hidden behind the service's infrastructure, and the tunnels allow attackers to quickly rotate or dismantle their infrastructure to evade detection and takedown efforts. Organizations with no business need for the service can block the parent domain at the web proxy or mail gateway, which is far more durable than chasing individual tunnel subdomains.
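The two traits described above (a government display name on a non-.gov.au sender with a missing or forged "To:" header, and lure links hosted on Portmap.io or similar throwaway hosting) translate directly into mail-gateway detection logic. The following is an added example written for this page, not Mimecast's detection rule, using only the Python standard library. The sample messages are constructed for illustration, the Delivered-To comparison used to decide that a "To:" header is forged is an assumption about how the receiving gateway records the envelope recipient, and the Portmap.io URL is the pattern quoted above.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Display-name tokens the campaign uses to claim Australian government authority.
GOV_NAME_RE = re.compile(r"gov\.au|services\s*australia|centrelink|mygov|australian\s+tax", re.I)
# Tunnel / throwaway hosting providers named in the campaign; extend as new hosting is observed.
TUNNEL_HOST_RE = re.compile(r"(?:^|\.)(portmap\.io|replit\.app)$", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def _body_text(msg) -> str:
    """Concatenate all decoded text/* parts so URLs can be extracted from any layout."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def analyse_message(raw: str) -> dict:
    """Check one raw RFC 5322 message for the MCTO3001 traits and return the findings."""
    msg = message_from_string(raw)
    findings = []

    # 1. Government-themed display name on a sender address outside .gov.au.
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    if GOV_NAME_RE.search(display_name or "") and not from_domain.endswith(".gov.au"):
        findings.append(f"gov display name {display_name!r} sent from non-gov domain {from_domain!r}")

    # 2. "To:" header absent/empty, or forged: it omits the mailbox the message was actually
    #    delivered to. Delivered-To as the envelope-recipient record is an assumption.
    to_addrs = [a.lower() for _, a in getaddresses(msg.get_all("To", [])) if "@" in a]
    delivered_to = parseaddr(msg.get("Delivered-To", ""))[1].lower()
    if not to_addrs:
        findings.append("To: header absent or contains no mailbox")
    elif delivered_to and delivered_to not in to_addrs:
        findings.append(f"To: header {to_addrs} omits the delivered recipient {delivered_to!r}")

    # 3. Links to reverse-tunnel / free hosting, or to a non-standard port (typical of tunnels).
    urls = [u.rstrip(".,;)") for u in URL_RE.findall(_body_text(msg))]
    tunnel_hosts = []
    for url in urls:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        try:
            port = parsed.port
        except ValueError:  # malformed port string
            port = None
        if TUNNEL_HOST_RE.search(host):
            tunnel_hosts.append(host)
            findings.append(f"link to tunnel/free hosting provider: {url}")
        elif port not in (None, 80, 443):
            findings.append(f"link on non-standard port {port}: {url}")

    return {"suspicious": bool(findings), "findings": findings, "urls": urls, "tunnel_hosts": tunnel_hosts}


# Constructed sample (not a captured message): gov display name, relay domain, no To:, tunnel URL.
MALICIOUS_SAMPLE = """\
Delivered-To: staff.member@example.edu.au
From: "Services Australia - myGov" <alerts@mail-relay.example.net>
Subject: myGov: Pending Payment Alert
Content-Type: text/plain; charset="utf-8"

A sign-in was detected on your Centrelink account.
Verify your account now: https://michdev-44475.portmap.io:44475/wett/tat/
"""

# Constructed benign sample for comparison: internal sender, proper To:, internal link.
BENIGN_SAMPLE = """\
Delivered-To: staff.member@example.edu.au
From: "Payroll Team" <payroll@example.edu.au>
To: staff.member@example.edu.au
Subject: Payslip available
Content-Type: text/plain; charset="utf-8"

Your payslip is available at https://intranet.example.edu.au/payslips
"""

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = analyse_message(sample)
        print(label, "->", "SUSPICIOUS" if result["suspicious"] else "clean")
        for finding in result["findings"]:
            print("   ", finding)
```

Each trait is reported separately rather than collapsed into one score, so a hunting query can pivot on whichever one the gateway logs expose (for example, only the display-name check when body URLs are not retained).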
Mimecast Protection
Mimecast has implemented detection capabilities specifically targeting MCTO3001's Australian government impersonation patterns, including analysis of Services Australia communication styles and benefit suspension terminology.
Targets
Broad targeting across multiple Australian industries and sectors
IOCs
Malicious URLs:
- hxxps://myatoclaimc[.]replit[.]app/
- hxxps://gqr[.]sh/Tbdf
- hxxps://theuniversaldynamic[.]com/shared/
- hxxps://primeraeventsmanagementcompany[.]com/ads
- hxxps://myatoclaima[.]replit[.]app/
- hxxps://nwenwi[.]replit[.]app
- hxxps://digitalpath[.]co[.]in/ads
- hxxps://myaunamend[.]replit[.]app
- hxxps://aunewclmmmm[.]replit[.]app
- hxxps://tirini[.]net/pqoieer/
- hxxps://luyret[.]replit[.]app
- hxxps://auclaimnow[.]replit[.]app
- hxxps://aunewmyclmm[.]replit[.]app
Common Subject Line Patterns:
- You have a notice regarding 2024-2025 lodgment
- Important Update Available in myGov
- Australian Taxation Team
- New 2025 Centralink update
- Your eft refund is ready
- New Inbox Message
- Refund Notice Update!!!
- New Message
- myGov: Pending Payment Alert
- A New Notice in your myGov
- New Payment Message
- New 2025 Message
- We've sent a tax information notice
- New 2025 income Assessment
- Access Your Updated Statement via myGov
Recommendations
Proactive Threat Hunting:
- Search email receipt logs and URL logs for technical indicators associated with these campaigns
Security Awareness:
- Educate users on Services Australia and Centrelink impersonation tactics, in particular "detected sign-in" and account suspension lures.
- Conduct phishing simulations incorporating Services Australia urgent account suspension scenarios, specifically targeting education sector employees.
- Emphasize that legitimate Services Australia correspondence is delivered through the secure myGov Inbox, and that users should navigate to my.gov.au directly rather than follow links in email.