Microsoft has issued an urgent alert about widespread tax-themed phishing campaigns that are actively exploiting the tax season to deliver malware and steal user credentials. These sophisticated attacks make use of PDF attachments, QR codes, URL shorteners, and phishing-as-a-service (PhaaS) platforms to bypass traditional defenses and trick unsuspecting users.
How These Tax-Scam Phishing Emails Work
According to Microsoft, these phishing campaigns leverage malicious PDFs and QR codes to redirect users to fake login pages—typically mimicking Microsoft 365 or DocuSign—to harvest credentials or deploy malware.
Attackers are using URL shorteners like Rebrandly, QR codes, and even legitimate file-hosting services to obfuscate their payloads and stay under the radar of email security tools.
One key platform used in these campaigns is RaccoonO365, a PhaaS offering first uncovered in December 2024. It’s been instrumental in facilitating credential theft and malware delivery via fake Microsoft login pages.
Malware Used in These Campaigns
These phishing campaigns are delivering a variety of malicious payloads, including:
- Remcos RAT – A remote access trojan used for surveillance and control
- Latrodectus – A sophisticated loader malware used for further payload delivery
- GuLoader – Downloader used to install additional malware
- AHKBot – A botnet tool capable of stealing data and screenshots
- BruteRatel C4 (BRc4) – An advanced post-exploitation red-teaming framework
Campaign Timeline and Notable Incidents
February 6, 2025
Microsoft observed a wave of phishing emails targeting U.S. users with tax-related lures. The campaign attempted to deploy Latrodectus and BRc4 and has been attributed to Storm-0249, a well-known initial access broker linked to malware like BazaLoader, IcedID, and Emotet.
February 12–28, 2025
Another campaign targeted over 2,300 U.S.-based organizations, focusing on the IT, engineering, and consulting sectors. These emails had empty message bodies but included PDF attachments with QR codes linked to the RaccoonO365 platform.
Technical Details: Infection Chains
- PDF to QR to Malware: PDFs with embedded QR codes redirect users to phishing sites that mimic Microsoft 365 portals. Once credentials are entered, attackers gain access to sensitive accounts.
- .LNK Files and PowerShell Scripts: Users are tricked into opening ZIP files with malicious shortcut files (.lnk) that execute PowerShell commands to download GuLoader, which then drops Remcos RAT.
- Excel Macros and AHKBot: Malicious Excel files prompt users to enable macros, triggering the download of AutoHotKey scripts used to steal screenshots and exfiltrate them to attacker-controlled servers.
⚠️ Evolving Tactics and Emerging Threats
These campaigns are just part of a broader trend of multi-vector phishing attacks that include:
- Fake Windows 11 Pro installers spreading Latrodectus via BruteRatel
- Malicious SVG files used to evade spam filters and redirect users
- Hijacked MailChimp accounts used for mass phishing distribution
- Browser-in-the-Browser (BitB) attacks targeting Counter-Strike 2 players
- Fake security alerts on spoofed Microsoft and Apple support pages
- Trojanized software downloads delivering Gh0st RAT
- Bank-themed phishing campaigns like Masslogger targeting Romanian firms
Microsoft's Security Recommendations
To protect against these tax-season phishing attacks, Microsoft recommends the following steps:
✅ Enable phishing-resistant multi-factor authentication (MFA)
✅ Use secure browsers with malicious URL blocking
✅ Turn on network protection to block access to harmful domains
✅ Train users to recognize phishing emails, especially those with urgent tax-related messages or QR codes
✅ Monitor for redirection tricks using URL shorteners and open redirects
✅ Inspect QR codes before scanning and educate staff about modern phishing methods
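As an added illustration of the "monitor for redirection tricks" recommendation and the infection-chain patterns described above (example code written for this post, not Microsoft's own tooling), here is a Python triage heuristic that tags e-mail metadata with the indicators the alert names: tax lures, empty bodies carrying PDFs, ZIPs holding .lnk files, macro-capable Office attachments, shortener hosts and open-redirect parameters. The Message shape, the indicator lists (rebrand.ly is assumed to be Rebrandly's shortener domain; the rest are placeholders) and the tag names are assumptions; the inputs are constructed.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse, parse_qs

# Assumed indicator lists: rebrand.ly is Rebrandly's default shortener domain;
# the others are placeholders a team would replace with its own intel feed.
SHORTENER_DOMAINS = {"rebrand.ly", "bit.ly", "tinyurl.com"}
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "return", "target"}
TAX_LURES = ("tax", "irs", "w-2", "1040", "refund")
MACRO_EXTS = (".xlsm", ".xls", ".docm")

@dataclass
class Message:
    # Constructed stand-in for the fields a mail gateway already extracts.
    subject: str
    body: str
    # filename -> names inside it (non-empty only for archives)
    attachments: dict = field(default_factory=dict)
    urls: list = field(default_factory=list)

def url_findings(url: str) -> list:
    """Flag shortener hosts and open-redirect style query parameters."""
    out = []
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host in SHORTENER_DOMAINS:
        out.append(f"shortener:{host}")
    for name, values in parse_qs(p.query).items():
        # A redirect-style parameter whose value is itself an absolute URL
        if name.lower() in REDIRECT_PARAMS and any(v.startswith(("http://", "https://")) for v in values):
            out.append(f"open-redirect-param:{name}")
    return out

def triage(msg: Message) -> list:
    """Return indicator tags; several together justify holding the message for review."""
    tags = []
    subj = msg.subject.lower()
    if any(k in subj for k in TAX_LURES):
        tags.append("tax-lure-subject")
    has_pdf = any(n.lower().endswith(".pdf") for n in msg.attachments)
    if has_pdf and not msg.body.strip():
        tags.append("empty-body-pdf")  # QR-code-in-PDF campaign pattern
    for name, members in msg.attachments.items():
        low = name.lower()
        if low.endswith(".zip") and any(m.lower().endswith(".lnk") for m in members):
            tags.append("zip-with-lnk")  # .lnk -> PowerShell -> GuLoader chain
        if low.endswith(MACRO_EXTS):
            tags.append("macro-capable-office")  # Excel macro -> AHKBot chain
    for u in msg.urls:
        tags.extend(url_findings(u))
    return tags
```

A hit on a single tag is common in benign mail; the value is in combinations such as a tax-lure subject plus an empty body plus a PDF, which is exactly the February 12–28 pattern.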
Final Thoughts
As phishing attacks grow increasingly deceptive, especially during high-risk times like tax season, it's crucial for both individuals and organizations to remain vigilant. With advanced tools like PhaaS platforms and stealthy malware loaders, cybercriminals are ramping up their efforts to steal credentials and compromise systems.
Stay updated, stay alert—and always double-check before you click.