“Action Required” Notifications Deliver Malware

Official “Action Required” notifications alert users of pending tasks, account verifications, system issues, device security updates, expired payment methods, or other concerns that require immediate attention. However, cyber threat actors use these notifications as a common social engineering tactic to lure potential victims into clicking links, capture login credentials, steal personal or financial information, and distribute malware. These deceptive alerts use alarming language and impersonate trusted organizations or major banks to create a sense of urgency and panic.

The NJCCIC observed multiple “Action Required” campaigns sent to New Jersey State employees. Common lures include required account updates, expired or suspended cloud service subscriptions, Ledger wallet verifications, near-capacity or full mailbox storage, blocked emails due to storage portal errors, and unusual activity on payment cards. Although phishing is the primary goal, several campaigns intend to deliver malware.

In one campaign, cyber threat actors lure targets with a password expiration notice. The message appears to come from “Mail Delivery System” and carries an “EXTERNAL” email warning tag, indicating the sending domain originates outside the organization. Cyber threat actors create urgency by claiming the target’s password will expire today and recommend keeping the existing password by clicking the link. If clicked, the target is directed to a fake login portal designed to steal account credentials and deliver malware. Once the page loads, malicious scripts may silently download malicious payloads, such as infostealers or remote access trojans (RATs), to infect devices, grant persistent backdoor access, steal data, and install ransomware.
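The lure traits above (a "system" display name sent from an outside domain, the EXTERNAL tag, expire-today urgency, and an offer to keep the existing password via a link) can be turned into a mail-gateway triage check. The following is an added example, not NJCCIC's own tooling; the sample message, the addresses, the URL and the INTERNAL_DOMAINS set are constructed placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample reproducing the lure traits described above; the addresses
# and URL are made-up placeholders, not indicators from the bulletin.
SAMPLE_EMAIL = """\
From: "Mail Delivery System" <notice@mail-notify.example.net>
To: employee@agency.example.gov
Subject: [EXTERNAL] Action Required: your password expires today
Content-Type: text/plain

Your password will expire today. To keep your existing password, click:
https://portal-login.example.net/keep
"""

INTERNAL_DOMAINS = {"agency.example.gov"}  # assumption: the org's own mail domains
SYSTEM_NAMES = re.compile(r"mail delivery system|mail administrator|it help ?desk", re.I)
URGENCY = re.compile(r"action required|expires? today|immediately|suspended", re.I)
KEEP_PASSWORD = re.compile(r"keep (your |the )?(current |existing )?password", re.I)
URL = re.compile(r"https?://\S+")

def is_internal(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)

def score_message(raw: str) -> dict:
    """Return the lure indicators found in one RFC 5322 message and a simple score."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    reasons = []
    # A mail-system display name sent from a domain the organization does not own.
    if SYSTEM_NAMES.search(display) and not is_internal(addr.rpartition("@")[2]):
        reasons.append("system_name_from_external_domain")
    if "[EXTERNAL]" in subject.upper():
        reasons.append("external_tag")
    if URGENCY.search(subject) or URGENCY.search(body):
        reasons.append("urgency_language")
    # Genuine expiry notices never offer to keep the old password via a link.
    if KEEP_PASSWORD.search(body):
        reasons.append("keep_password_lure")
    if any(not is_internal(urlparse(u).hostname or "") for u in URL.findall(body)):
        reasons.append("link_to_external_host")
    return {"score": len(reasons), "reasons": reasons}
```

A score of three or more on an inbound message is a reasonable threshold for quarantine-and-review; a genuine internal reminder with an internal link scores zero here.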

Recommendations

  • Exercise caution even with communications that appear to come from known senders or legitimate services or platforms.
  • Confirm requests from senders using contact information obtained from verified, official sources before taking action, such as clicking links or opening attachments.
  • Navigate directly to legitimate websites and verify before submitting account credentials, providing personal or financial information, or downloading files.
  • Enable multi-factor authentication (MFA) and keep systems and browsers up to date.
  • If victimized, disconnect from the internet and run anti-virus/anti-malware scans.
  • If sensitive information was entered, change passwords for compromised accounts, monitor for unauthorized activity, and review the Identity Theft and Compromised PII NJCCIC Informational Report for additional recommendations and resources.

Report malicious cyber activity to the NJCCIC and the FBI’s IC3.

Published in the NJCCIC Weekly Bulletin June 4, 2026