Microsoft is warning of a number of phishing campaigns which might be leveraging tax-related themes to deploy malware and steal credentials.
“These campaigns notably use redirection strategies resembling URL shorteners and QR codes contained in malicious attachments and abuse respectable providers like file-hosting providers and enterprise profile pages to keep away from detection,” Microsoft stated in a report shared with The Hacker Information.
A notable facet of those campaigns is that they result in phishing pages which might be delivered by way of a phishing-as-a-service (PhaaS) platform codenamed RaccoonO365, an e-crime platform that first got here to mild in early December 2024.
Additionally delivered are distant entry trojans (RATs) like Remcos RAT, in addition to different malware and post-exploitation frameworks resembling Latrodectus, AHKBot, GuLoader, and BruteRatel C4 (BRc4).
One such marketing campaign noticed by the tech big on February 6, 2025, is estimated to have despatched lots of of emails focusing on the US forward of the tax submitting season that tried to ship BRc4 and Latrodectus. The exercise has been attributed to Storm-0249, an preliminary entry dealer beforehand recognized for distributing BazaLoader, IcedID, Bumblebee, and Emotet.
The assaults contain using PDF attachments containing a hyperlink that redirects customers to a URL shortened by way of Rebrandly, in the end main them to a pretend Docusign web page with an choice to view or obtain the doc.
“When customers clicked the Obtain button on the touchdown web page, the end result trusted whether or not their system and IP deal with have been allowed to entry the following stage primarily based on filtering guidelines arrange by the menace actor,” Microsoft stated.
If entry is allowed, the person is shipped a JavaScript file that subsequently downloads a Microsoft Software program Installer (MSI) for BRc4, which serves as a conduit for deploying Latrodectus. If the sufferer will not be deemed a beneficial sufficient goal, they’re despatched a benign PDF doc from royalegroupnyc[.]com.
Microsoft stated it additionally detected a second marketing campaign between February 12 and 28, 2025, the place tax-themed phishing emails have been despatched to greater than 2,300 organizations within the U.S., notably geared toward engineering, IT, and consulting sectors.
The emails, on this case, had no content material within the message physique, however featured a PDF attachment containing a QR code that pointed to a hyperlink related to the RaccoonO365 PhaaS that mimics Microsoft 365 login pages to trick customers into coming into their credentials.
In an indication that these campaigns are available numerous types, tax-themed phishing emails have additionally been flagged as propagating different malware households like AHKBot and GuLoader.
AHKBot an infection chains have been discovered to direct customers to websites internet hosting a malicious Microsoft Excel file that, upon opening and enabling macros, downloads and runs a MSI file with the intention to launch an AutoHotKey script, which then downloads a Screenshotter module to seize screenshots from the compromised host and exfiltrate them to a distant server.
The GuLoader marketing campaign goals to deceive customers into clicking on a URL current inside a PDF e-mail attachment, ensuing within the obtain of a ZIP file.
“The ZIP file contained numerous .lnk recordsdata set as much as mimic tax paperwork. If launched by the person, the .lnk file makes use of PowerShell to obtain a PDF and a .bat file,” Microsoft stated. “The .bat file in flip downloaded the GuLoader executable, which then put in Remcos.”
The event comes weeks after Microsoft warned of one other Storm-0249 marketing campaign that redirected customers to pretend web sites promoting Home windows 11 Professional to ship an up to date model of Latrodectus loader malware by way of the BruteRatel red-teaming software.
“The menace actor doubtless used Fb to drive visitors to the pretend Home windows 11 Professional obtain pages, as we noticed Fb referrer URLs in a number of instances,” Microsoft stated in a collection of posts on X.
“Latrodectus 1.9, the malware’s newest evolution first noticed in February 2025, reintroduced the scheduled activity for persistence and added command 23, enabling the execution of Home windows instructions by way of ‘cmd.exe /c .'”
The disclosure additionally follows a surge in campaigns that use QR codes in phishing paperwork to disguise malicious URLs as a part of widespread assaults geared toward Europe and the U.S., leading to credential theft.
“Evaluation of the URLs extracted from the QR codes in these campaigns reveals that attackers usually keep away from together with URLs that immediately level to the phishing area,” Palo Alto Networks Unit 42 stated in a report. “As an alternative, they typically use URL redirection mechanisms or exploit open redirects on respectable web sites.”
These findings additionally come within the wake of a number of phishing and social engineering campaigns which have been flagged in latest weeks –
- Use of the browser-in-the-browser (BitB) method to serve seemingly sensible browser pop-ups that trick gamers of Counter-Strike 2 into coming into their Steam credentials with the doubtless purpose of reselling entry to those accounts for revenue
- Use of knowledge stealer malware to hijack MailChimp accounts, allowing menace actors to ship e-mail messages in bulk
- Use of SVG recordsdata to bypass spam filters and redirect customers to pretend Microsoft login pages
- Use of trusted collaboration providers like Adobe, DocuSign, Dropbox, Canva, and Zoho to sidestep safe e-mail gateways (SEGs) and steal credentials
- Use of emails spoofing music streaming providers like Spotify and Apple Music with the purpose of harvesting credentials and cost data
- Use of pretend safety warnings associated to suspicious exercise on Home windows and Apple Mac gadgets on bogus web sites to deceive customers into offering their system credentials
- Use of pretend web sites distributing trojanized Home windows installers for DeepSeek, i4Tools, and Youdao Dictionary Desktop Version that drop Gh0st RAT
- Use of billing-themed phishing emails focusing on Spanish corporations to distribute an data stealer named DarkCloud
- Use of phishing emails impersonating a Romanian financial institution to deploy an data stealer referred to as Masslogger focusing on organizations situated in Romania
To mitigate the dangers posed by these assaults, it is important that organizations undertake phishing-resistant authentication strategies for customers, use browsers that may block malicious web sites, and allow community safety to stop functions or customers from accessing malicious domains.
