If you looked at the headers of any such emails, you'll find it was sent from an address other than the HMRC (they used 'fake From:')
Most good AntiVirus programs should be able to detect "faked" email header information and raise a warning. But, with the increase in people using web browsers to view emails these days, the payload often stays on the server until the viewer actually downloads it.
And even after downloading it, the current malware being used in the HMRC scams is updated multiple times per day and pretty much all the AV solutions out there are useless (even if they do update their virus definitions multiple times per day).
One such virus last year went through over 5000 variations. (That's over 13 variances of the same virus in a single day. There is no anti-virus that can protect you against that in real time these days... Only learned behaviour from us as users will protect us).
It's part of a known phishing/malware attack and the payloads (the zip files) usually contain various variants of malware.
Organisations should never ever ever send you attachments. They should direct you to go to their website, log in and download.
The only time you should ever ever ever ever trust getting an attachment these days is if you have specifically been speaking with someone (you know or know of) and they say "I am going to email you an attachment, it will come from this address and I'll send it to that address" etc.
Any email that comes out of the blue with an attachment is decidedly dodgy...
If ever in doubt, before opening any files, use a site such as http:virustotal.com and upload the suspect file to that site.
This site will scan the file using multiple AV/AS vendors and give you a better confidence than a scan from a single program...
If it is a new virus, you will also help have it analysed quicker..