Beware of Kimsuky Hacking! [National Tax Service] April Filing and Payment Deadline Change Notice Has Arrived - Check Now (2025.4.15)

2025-05-08 Sakai

https://wezard4u.tistory.com/429480

Kimsuky activity used a phishing email impersonating South Korea's National Tax Service with an April filing and payment deadline notice as the lure. The message came through Mail.ru infrastructure and sent recipients to a spoofed Naver login flow on e-info.completeinfo.kro.kr, where the victim's Naver ID was prefilled and only the password was requested. The source highlights email authentication and header details, including ARC, SPF, DKIM, DMARC, and the Russian Mail.ru sending IP, to explain why the notice was suspicious. The campaign is framed as credential harvesting against Naver accounts rather than malware execution.

Indicators of Compromise

