CyberSecurity news
stclarke@Source
Microsoft is warning of a surge in tax-themed phishing campaigns that exploit the upcoming tax season to steal credentials and deploy malware. The campaigns leverage various social engineering tactics: attackers use IRS lures, QR codes, and other redirection techniques to trick victims into revealing sensitive information or installing malware.
The campaigns rely on malicious hyperlinks and attachments to deliver credential phishing and malware, including RaccoonO365, AHKBot, Latrodectus, BruteRatel C4 (BRc4), GuLoader, and Remcos. Redirection methods such as URL shorteners and QR codes, along with the abuse of legitimate services like file-hosting sites, are used to evade detection.
Microsoft observed campaigns employing fake tax verification forms with embedded links, PDF attachments containing QR codes, redirects hosted on compromised websites, and abused cloud services. One campaign, observed on February 6, 2025, targeted US users with IRS-themed emails containing PDF attachments. These attachments redirected victims to fake DocuSign sites, ultimately delivering BRc4 and Latrodectus malware.
References:
- The Hacker News: Microsoft Warns of Tax-Themed Email Attacks Using PDFs and QR Codes to Deliver Malware
- Source: Threat actors leverage tax season to deploy tax-themed phishing campaigns
Classification:
- HashTags: #TaxSeason #Phishing #Malware
- Company: Google
- Target: U.S. organizations
- Product: Google Chrome
- Feature: Phishing
- Malware: RaccoonO365, AHKBot, Latrodectus, BruteRatel C4 (BRc4), Remcos
- Type: Phishing
- Severity: Medium