
As U.S. Tax Day (April 15) approaches, Microsoft has identified a spike in phishing attacks exploiting tax-related themes to steal credentials and deploy malware. Cybercriminals are using deceptive tactics such as QR codes, URL shorteners, and legitimate platforms like file-hosting services to evade detection and lure victims.
These campaigns utilize phishing-as-a-service (PhaaS) platforms like RaccoonO365, and deliver malware including Remcos, GuLoader, La
Between February 12 and 28, attackers targeted over 2,300 organizations using QR-code-laced PDFs tied to RaccoonO365 phishing domains mimicking Microsoft 365 login pages. Display names like “Employee Tax Refund Report” added legitimacy to the deceptive messages.
On February 13, another campaign used IRS refund-themed emails to deliver AHKBot, which downloaded scripts and captured screenshots. This leveraged compromised Google Business redirectors and malicious Excel files with embedded macros.
In March, GuLoader and Remcos were deployed using rapport-building emails targeting CPAs. Victims were sent follow-up messages with malicious PDF attachments leading to ZIP downloads containing disguised shortcut files that executed malware via PowerShell.
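For defenders triaging the ZIP-and-shortcut delivery described above, the following Python sketch flags archive members that are Windows shortcut files, carry a decoy document extension, or reference PowerShell. It is an added example, not code from Microsoft's report; the file names and the header-only sample shortcut are constructed for illustration.

```python
import io
import struct
import zipfile

# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID (MS-SHLLINK).
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
DECOY_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")

def is_lnk(data):
    return data[:20] == LNK_MAGIC

def mentions_powershell(data):
    # Shortcut strings may be stored as ANSI or UTF-16LE; check both, case-insensitively.
    low = data.lower()
    return b"powershell" in low or "powershell".encode("utf-16-le") in low

def triage_zip(zip_bytes, max_member=1_000_000):
    """Return [(member_name, [reasons])] for shortcut files found in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > max_member:
                continue  # skip folders and oversized members (zip-bomb guard)
            data = zf.read(info)
            name = info.filename.lower()
            named_lnk, real_lnk = name.endswith(".lnk"), is_lnk(data)
            if not (named_lnk or real_lnk):
                continue
            reasons = ["shortcut file in archive"]
            if named_lnk and name[:-4].endswith(DECOY_EXTS):
                reasons.append("decoy double extension")
            if real_lnk and not named_lnk:
                reasons.append("shortcut content under another extension")
            if mentions_powershell(data):
                reasons.append("references PowerShell")
            findings.append((info.filename, reasons))
    return findings

def build_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used only for the sample below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample: header bytes plus a UTF-16LE string, not a working shortcut.
FAKE_LNK = LNK_MAGIC + b"\x00" * 56 + "PowerShell.exe".encode("utf-16-le")
SAMPLE_ZIP = build_zip({"tax_documents.pdf.lnk": FAKE_LNK, "readme.txt": b"hello"})

if __name__ == "__main__":
    for member, why in triage_zip(SAMPLE_ZIP):
        print(member, "->", "; ".join(why))
```

A hit from this check is a reason to quarantine the attachment and inspect it further, not a verdict on its own.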
To defend against such threats, Microsoft advises enforcing MFA, educating users on phishing awareness, and utilizing Defender for Office 365 with ZAP, Safe Links, and cloud-delivered protection. Defender for Endpoint’s EDR in block mode and automated investigation features also help contain threats.
Microsoft reaffirms that the IRS never initiates contact via email or social platforms, underscoring the importance of verification and vigilance during tax season.