Instead, the user downloads a malware package which records security certificates from the browser and uploads them to a server in Singapore.
The US government has issued a warning about the attack, pointing out that all court subpoenas are delivered by hand, and that users should therefore consider any subpoena delivered by email to be suspicious.
"The emails in question appear to be sent from a similar address that is not owned and operated by the federal courts," government officials said. "Law enforcement authorities have been notified."
The attacks use a method known as 'spear phishing' designed to steal information from specific high-value targets.
The attacker targets chief executives, for example, delivering personalised emails which evade spam filters and can appear authentic.
"An interesting component of this scam is that it properly identified each chief executive and sent it to his email address directly," wrote Sans researcher John Bambenek. "It is very highly targeted."