
Tax Phishing Campaigns are Stealing Credentials

Microsoft has recently issued a warning about an increase in phishing campaigns that are exploiting tax-related themes to distribute malware and steal sensitive information. These campaigns are utilizing various tactics such as URL shorteners, QR codes, and malicious attachments to bypass detection by security systems. By leveraging phishing-as-a-service (PhaaS) platforms like RaccoonO365, attackers are distributing remote access trojans like Remcos RAT, as well as other post-exploitation malware such as Latrodectus, AHKBot, and GuLoader.

One specific phishing campaign that was identified in February 2025 targeted hundreds of individuals in the United States. The attackers sent out tax-themed phishing emails, many of which contained PDF attachments with links redirecting recipients to fake Docusign pages. These fake pages were designed to deceive victims into downloading malware like BRc4 or Latrodectus through JavaScript files and MSI installers. In a clever twist, the victim’s system or IP address determined whether they were redirected to a harmless PDF or exposed to harmful malware. Subsequently, Microsoft detected a second wave of phishing emails aimed at more than 2,300 U.S. organizations, with a particular emphasis on sectors such as IT, engineering, and consulting.

In a different approach to phishing, some of these fraudulent emails included QR codes that linked to fake Microsoft 365 login screens. By tricking users into entering their credentials on these pages, the attackers were able to steal valuable login information. Additionally, some campaigns utilized AHKBot and GuLoader to introduce additional malware into the victim’s system. AHKBot infections typically started with malicious Microsoft Excel files containing macros that, when activated, would download an AutoHotKey script. This script would then capture screenshots and send them to remote servers. On the other hand, GuLoader would deliver a .bat file that installed the Remcos remote access trojan.

These phishing campaigns are part of a wider trend in cybercrime that has seen an increase in phishing and social engineering attacks targeting both Europe and the United States. Researchers have also observed a rise in campaigns utilizing QR codes to camouflage malicious URLs, often redirecting victims through open redirects on legitimate websites. To combat these threats effectively, cybersecurity experts recommend implementing phishing-resistant authentication methods and utilizing security tools that can block malicious domains and websites.
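A mail or QR-scanning filter can triage the two link tricks mentioned above, shorteners and open redirects on legitimate sites, before a user ever follows them. The sketch below is an added example, not code from Microsoft or the article; the shortener list, the `triage` function name, the reason strings and the sample URL are assumptions made for illustration.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: short illustrative list; production filters use a maintained feed.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
# Constructed sample: a double-encoded redirect parameter on a legitimate-looking site.
SAMPLE = "https://www.example.com/out?url=https%253A%252F%252Flogin.example.net%252Fo365"


def _host(url):
    """Lower-cased hostname of an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme.lower() in ("http", "https") and parts.hostname:
        return parts.hostname.lower()
    return None


def embedded_targets(url, max_decode=3):
    """Hosts of absolute URLs carried in query parameters or the fragment."""
    parts = urlsplit(url)
    values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)] + [parts.fragment]
    found = []
    for value in values:
        # Redirect targets are often percent-encoded more than once.
        for _ in range(max_decode + 1):
            host = _host(value)
            if host:
                found.append(host)
                break
            decoded = unquote(value)
            if decoded == value:
                break
            value = decoded
    return found


def triage(url):
    """Reasons a URL from an email, PDF link or decoded QR code looks risky."""
    host = _host(url)
    if host is None:
        return ["not-http-url"]
    reasons = ["shortener"] if host in SHORTENERS else []
    for target in embedded_targets(url):
        # Redirects to the same site or one of its subdomains are routine.
        if target != host and not target.endswith("." + host):
            reasons.append("redirects-offsite:" + target)
    return reasons
```

An empty result means neither pattern matched; it does not mean the link is safe, so the output is best used to route links to sandboxing or reputation checks.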

Overall, the surge in phishing campaigns that exploit tax-related themes and use sophisticated tactics such as URL shorteners, QR codes, and malicious attachments underscores the growing need for enhanced cybersecurity measures. Organizations and individuals must remain vigilant and proactive in keeping their sensitive information out of the hands of cybercriminals, and must back that awareness with robust cybersecurity defenses against phishing attacks and other cyber threats.
