Microsoft is warning of several phishing campaigns that are leveraging tax-related themes to deploy malware and steal credentials.
“These campaigns notably use redirection methods such as URL shorteners and QR codes contained in malicious attachments and abuse legitimate services like file-hosting services and business profile pages to avoid detection,” Microsoft said in a report shared with The Hacker News.
A notable aspect of these campaigns is that they lead to phishing pages that are delivered via a phishing-as-a-service (PhaaS) platform codenamed RaccoonO365, an e-crime platform that first came to light in early December 2024.
Also delivered are remote access trojans (RATs) like Remcos RAT, as well as other malware and post-exploitation frameworks such as Latrodectus, AHKBot, GuLoader, and BruteRatel C4 (BRc4).
One such campaign spotted by the tech giant on February 6, 2025, is estimated to have sent hundreds of emails targeting the United States ahead of the tax filing season that attempted to deliver BRc4 and Latrodectus. The activity has been attributed to Storm-0249, an initial access broker previously known for distributing BazaLoader, IcedID, Bumblebee, and Emotet.
The attacks involve the use of PDF attachments containing a link that redirects users to a URL shortened via Rebrandly, ultimately leading them to a fake Docusign page with an option to view or download the document.
“When users clicked the Download button on the landing page, the outcome depended on whether their system and IP address were allowed to access the next stage based on filtering rules set up by the threat actor,” Microsoft said.
If access is allowed, the user is sent a JavaScript file that subsequently downloads a Microsoft Software Installer (MSI) for BRc4, which serves as a conduit for deploying Latrodectus. If the victim is not deemed a valuable enough target, they are sent a benign PDF document from royalegroupnyc[.]com.
Microsoft said it also detected a second campaign between February 12 and 28, 2025, where tax-themed phishing emails were sent to more than 2,300 organizations in the U.S., particularly aimed at engineering, IT, and consulting sectors.
The emails, in this case, had no content in the message body, but featured a PDF attachment containing a QR code that pointed to a link associated with the RaccoonO365 PhaaS that mimics Microsoft 365 login pages to trick users into entering their credentials.
In a sign that these campaigns come in various forms, tax-themed phishing emails have also been flagged as propagating other malware families like AHKBot and GuLoader.
AHKBot infection chains have been found to direct users to sites hosting a malicious Microsoft Excel file that, upon opening and enabling macros, downloads and runs a MSI file in order to launch an AutoHotKey script, which then downloads a Screenshotter module to capture screenshots from the compromised host and exfiltrate them to a remote server.
The GuLoader campaign aims to deceive users into clicking on a URL present within a PDF email attachment, resulting in the download of a ZIP file.
“The ZIP file contained various .lnk files set up to mimic tax documents. If launched by the user, the .lnk file uses PowerShell to download a PDF and a .bat file,” Microsoft said. “The .bat file in turn downloaded the GuLoader executable, which then installed Remcos.”
The development comes weeks after Microsoft warned of another Storm-0249 campaign that redirected users to fake websites advertising Windows 11 Pro to deliver an updated version of Latrodectus loader malware via the BruteRatel red-teaming tool.
“The threat actor likely used Facebook to drive traffic to the fake Windows 11 Pro download pages, as we observed Facebook referrer URLs in multiple cases,” Microsoft said in a series of posts on X.
“Latrodectus 1.9, the malware’s latest evolution first observed in February 2025, reintroduced the scheduled task for persistence and added command 23, enabling the execution of Windows commands via ‘cmd.exe /c .'”
The disclosure also follows a surge in campaigns that use QR codes in phishing documents to disguise malicious URLs as part of widespread attacks aimed at Europe and the U.S., resulting in credential theft.
“Analysis of the URLs extracted from the QR codes in these campaigns reveals that attackers typically avoid including URLs that directly point to the phishing domain,” Palo Alto Networks Unit 42 said in a report. “Instead, they often use URL redirection mechanisms or exploit open redirects on legitimate websites.”
These findings also come in the wake of several phishing and social engineering campaigns that have been flagged in recent weeks –
- Use of the browser-in-the-browser (BitB) technique to serve seemingly realistic browser pop-ups that trick players of Counter-Strike 2 into entering their Steam credentials with the likely goal of reselling access to these accounts for profit
- Use of information stealer malware to hijack MailChimp accounts, permitting threat actors to send email messages in bulk
- Use of SVG files to bypass spam filters and redirect users to fake Microsoft login pages
- Use of trusted collaboration services like Adobe, DocuSign, Dropbox, Canva, and Zoho to sidestep secure email gateways (SEGs) and steal credentials
- Use of emails spoofing music streaming services like Spotify and Apple Music with the goal of harvesting credentials and payment information
- Use of fake security warnings related to suspicious activity on Windows and Apple Mac devices on bogus websites to deceive users into providing their system credentials
- Use of fake websites distributing trojanized Windows installers for DeepSeek, i4Tools, and Youdao Dictionary Desktop Edition that drop Gh0st RAT
- Use of billing-themed phishing emails targeting Spanish companies to distribute an information stealer named DarkCloud
- Use of phishing emails impersonating a Romanian bank to deploy an information stealer called Masslogger targeting organizations located in Romania
To mitigate the risks posed by these attacks, it’s essential that organizations adopt phishing-resistant authentication methods for users, use browsers that can block malicious websites, and enable network protection to prevent applications or users from accessing malicious domains.
