Italian Revenue Agency Phishing: Cloned SPID Portal Uses Pre-filled Emails to Target Public Sector

CERT-AGID has detected and mitigated a sophisticated phishing campaign targeting the Italian Revenue Agency–Collection (Agenzia delle Entrate–Riscossione). The attack utilizes a fraudulent SPID login page featuring the AgID logo and pre-filled victim email addresses. Specifically targeting Public Administrations and private enterprises, the campaign employs personalized links to reduce cognitive friction, leading users directly to the password entry field without requiring manual identification.
The Cloning Mechanism: How the Trap Operates
The phishing page precisely replicates the SPID authentication interface of the Italian Revenue Agency. Documentation from CERT-AGID reveals that the fraudulent screen displays the logo of AgID (Agency for Digital Italy), a detail designed to bolster the site's perceived legitimacy. This visual reproduction constitutes a calculated form of brandjacking: abusing the visual identity of a government entity to normalize the malicious operation in the eyes of the victim.
The most significant technical detail is the personalization of the malicious links. The victim's email address is pre-filled on the phishing page through parameters embedded in the received URL. This configuration fundamentally alters the user interaction flow: the user is not required to enter their identifier, only their password. By reducing the number of fields to be completed, the attackers lower the victim's guard and accelerate the completion of the action, minimizing the window for anomaly detection.
This campaign stands out from standard tax-related phishing due to its refined preparation and explicit targeting. Rather than indiscriminate distribution via opaque contact lists, this operation is directed preferentially toward public entities. This specificity suggests a preliminary reconnaissance phase by the attackers to isolate institutional and corporate targets.
Targeting Public Administrations: Why the Public Sector is at Risk
"What distinguishes this campaign from previous ones is its specific focus on Public Administrations, in addition to private companies." — CERT-AGID
Public Administrations represent high-value targets for credential theft due to their structural significance. Access to institutional email, protocol systems, and internal databases allows for substantial lateral movement once initial credentials are compromised. Furthermore, the wide range of digital services accessible through a single set of SPID credentials drastically amplifies the potential impact of a single identity theft.
CERT-AGID has not specified how the institutional email addresses used for pre-filling were collected. It remains unknown whether these addresses originated from previous breaches or systematic scraping techniques. This gap is significant as it affects the assessment of the threat actor's capabilities: the availability of verified, active addresses indicates non-trivial reconnaissance skills. The campaign's effectiveness relies heavily on the accuracy of the data pre-inserted into the login form.
The concentration on the public sector raises critical questions regarding the protection of institutional accounts. While no formal attribution to specific groups has been made, the operation demonstrates a clear intent to infiltrate regulated and protected perimeters. The absence of public attribution prevents placing this operation within a broader threat landscape but confirms the persistent vulnerability of the human factor in high-activity digital administrative contexts.
The Efficacy of Pre-filled Email Parameters
"The fraudulent web page presents users with a fake login screen for the Revenue Agency's reserved area that simulates the real SPID login form, complete with the AgID logo." — CERT-AGID
Link personalization transforms a generic attack into an apparently legitimate experience. A user receiving the communication finds a URL that already displays their email address in the corresponding field. As CERT-AGID documents: "the victim's email address is already pre-filled thanks to link personalization." This element leverages familiarity (the system 'knows' who I am) and reduces cognitive load (one less field to fill). The result is a shortcut in the decision-making process leading to password submission.
In high-volume work environments, this optimization of the malicious interface can bypass the attention-based defenses of even experienced users. Pre-filling acts as an anchor of authenticity that neutralizes the warning signs usually associated with unexpected authentication requests, making the attack appear fluid and consistent with normal operations.
Technically, link personalization requires the email address to be encoded as a GET parameter before the message is distributed. This architecture implies that each recipient receives a potentially unique URL, complicating pattern-based detection by static filtering systems. Automating this process allows the attack to scale while maintaining a high level of personalization for each designated victim.
Mitigation and Strategic Recommendations
Entities subscribed to the CERT-AGID feed have already received the campaign's Indicators of Compromise. For administrations and companies managing SPID access, the following actions are prioritized:
Verify integration with the CERT-AGID IoC feed. Utilizing these indicators allows for the implementation of preventive blocks on proxies and email gateways. IoC-based protection remains the fastest line of defense to break the infection chain.
Train staff to recognize pre-filled login screens. An authentication page that presents an email address without prior manual entry should be treated as an anomaly. This shift in perspective is critical: pre-filling is not evidence of legitimacy, but a potential signal of a manipulated link.
Enforce Multi-Factor Authentication (MFA). The theft of a password alone must not grant access to the service. Verification of MFA configurations on institutional services is essential to neutralize the effectiveness of credentials stolen through phishing.
Realign alert response procedures. Administrations must ensure that internal reporting channels are prepared to handle suspected compromises. Prompt credential resets are the only way to limit damage once a password has been entered on a malicious site.
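The following script is an added example, not CERT-AGID's code or tooling, and it ties together two points from the sections above: collapsing per-recipient personalized links to a single pattern (so that static filters can block and cluster them despite every URL being unique) and matching proxy or mail-gateway URLs against an IoC feed, with a triage step that escalates to a credential reset when a form submission reached an indicator. Every domain, IoC entry, IP address, email address and log line is a constructed placeholder, and the five-field log layout is an assumption rather than any specific proxy's format; real indicators come from the CERT-AGID feed.

```python
"""Triage URL logs for the pre-filled SPID phishing pattern and IoC hits.

Added example, not CERT-AGID's code. IoC entries, domains and log lines are
constructed placeholders; the log format is assumed, not a real product's.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Constructed IoC feed: blocked domains (subdomains included) and one full-URL
# indicator for a kit hosted under a path on an otherwise shared host.
IOC_DOMAINS = {"spid-login-verify.example", "accesso-riscossione.example"}
IOC_URLS = {"https://cdn-static.example/spid/accesso"}


def prefilled_identities(url):
    """Email addresses carried as query or fragment parameters (the pre-fill vector)."""
    parts = urlsplit(url)
    pairs = (parse_qsl(parts.query, keep_blank_values=True)
             + parse_qsl(parts.fragment, keep_blank_values=True))
    return [v for _, v in pairs if EMAIL_RE.match(v.strip())]


def canonicalize(url):
    """Drop email-valued parameters and the fragment so that per-recipient URLs
    collapse to one pattern a static filter can block or cluster on."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if not EMAIL_RE.match(v.strip())]
    return urlunsplit((parts.scheme.lower(), (parts.hostname or "").lower(),
                       parts.path, urlencode(kept), ""))


def ioc_match(url):
    """Return 'ioc-domain', 'ioc-url' or None for a URL checked against the feed."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
        return "ioc-domain"
    norm = f"{parts.scheme.lower()}://{host}{parts.path}"
    if any(norm == u or norm.startswith(u.rstrip("/") + "/") for u in IOC_URLS):
        return "ioc-url"
    return None


def parse_line(line):
    """Assumed log layout: '<timestamp> <client_ip> <method> <url> <status>'."""
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method.upper(),
            "url": url, "status": int(status)}


def scan(lines):
    """Flag lines that hit the IoC feed, plus lines whose URL carries a pre-filled
    identity (a lower-confidence signal for hosts not yet in the feed)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        kind = ioc_match(rec["url"])
        ids = prefilled_identities(rec["url"])
        if kind is None and not ids:
            continue
        hits.append({**rec, "match": kind or "prefilled-identity",
                     "pattern": canonicalize(rec["url"]), "identities": ids})
    return hits


def triage(hits):
    """Per client: a POST to an IoC means the form was submitted, so the account
    whose address was pre-filled from that client needs a credential reset."""
    actions = {}
    for h in hits:
        entry = actions.setdefault(h["client"], {"action": "alert", "accounts": set()})
        entry["accounts"].update(h["identities"])
        if h["method"] == "POST" and h["match"] in ("ioc-domain", "ioc-url"):
            entry["action"] = "reset-credentials"
    return {c: {"action": e["action"], "accounts": sorted(e["accounts"])}
            for c, e in actions.items()}


SAMPLE_LOG = [  # constructed lines; timestamps, IPs, hosts and addresses are placeholders
    "2025-03-10T09:14:03Z 10.20.4.17 GET https://spid-login-verify.example/accesso?id=7f3a&email=mario.rossi@comune.example 200",
    "2025-03-10T09:14:29Z 10.20.4.17 POST https://spid-login-verify.example/accesso?id=7f3a 302",
    "2025-03-10T09:15:30Z 10.20.4.22 GET https://portal.example/area-riservata?lang=it 200",
    "2025-03-10T09:16:02Z 10.20.4.31 GET https://cdn-static.example/spid/accesso/index.html?u=anna.bianchi%40regione.example 200",
    "2025-03-10T09:16:40Z 10.20.4.31 GET https://cdn-static.example/other/page 200",
    "2025-03-10T09:17:11Z 10.20.4.40 GET https://newsletter.example/unsubscribe?email=ufficio.protocollo@ente.example 200",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h["client"], h["method"], h["match"], h["pattern"], h["identities"])
    print(triage(found))
```

The canonical pattern is what belongs in a proxy or gateway block rule: the GET and the later POST from the same client share it even though only the GET carried the recipient's address. A URL that merely contains an email address is deliberately kept at "alert" level, since unsubscribe and similar links legitimately carry one; only a submission to an indicator drives the reset, which is the step the response-procedure item above calls for.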
Detection Limits and Unresolved Questions
The operational brief from CERT-AGID does not provide precise timelines for the start of the campaign or the volume of emails distributed. This lack of data makes it difficult to estimate the real impact across the national territory. The number of entities actually contacted and the success rate of the attack remain undisclosed. Any actual compromise of systems or sensitive data has not been confirmed, leaving the damage assessment open.
CERT-AGID has notified the relevant Agency and requested the deactivation of the hosting site, but the current status of the domain is not specified. The site may have already been taken down or could still be active on takedown-resistant infrastructure. The lack of data regarding the source of the pre-filled email addresses remains a critical point in determining if the actor is exploiting previously exposed databases of public employees.
Why This Tactical Model Persists
The combination of brandjacking, pre-filled partial credentials, and public sector targeting constitutes a successful economic model for attackers. The investment in preparing these personalized pages suggests a favorable cost-benefit ratio, likely based on the high value of credentials that grant access to critical institutional services.
Functional dependence on centralized digital services via SPID increases the attack surface. A single compromised credential can open multiple gateways. Email pre-filling exploits this centrality by presenting an interface that mirrors the daily experience of millions of users. Future resilience will depend on the ability to decouple aesthetic familiarity from technical security.
In conclusion, the campaign documented shows that phishing is evolving toward interface engineering that increases its lethality. For administrations, the challenge is no longer just filtering obviously suspicious communications, but building defenses against authentication experiences that are nearly indistinguishable from legitimate ones. Resilience increasingly depends on rigorous technical procedures and a security culture that does not mistake the convenience of pre-filling for the reliability of the source.
Frequently Asked Questions
Was AgID compromised in this campaign?
No. The AgID logo was abused on the phishing page to increase perceived credibility. There is no evidence of a breach or compromise of AgID's actual systems.
How does the link pre-fill my institutional email?
Your email address is included as a parameter within the malicious URL. When the victim clicks the link, a script on the fraudulent page reads the parameter and automatically populates the login field.
Was any data stolen as a result of this attack?
CERT-AGID has not confirmed any actual account compromises. The technical characteristics of the threat have been documented, and mitigation procedures have been initiated to prevent further credential theft.