Microsoft is warning of various phishing promotions that are embracing tax-related themes to install malware and grab credentials.
” These promotions notably use redirection methods such as URL shorteners and QR codes contained in malicious parts and abuse legitimate companies like file-hosting services and business profile pages to avoid detection”, Microsoft in a statement shared with The Hacker News.
A notable aspect of these campaigns is that they lead to phishing pages that are delivered via a phishing-as-a-service ( PhaaS ) platform codenamed , an e-crime platform that first came to light in early December 2024.
Also delivered are remote access trojans (RATs ) like Remcos RAT, as well as other malware and post-exploitation frameworks such as , AHKBot, , and ( BRc4 ).
One such plan spotted by the software giant on February 6, 2025, is estimated to have sent hundreds of emails targeting the United States ahead of the tax filing period that attempted to deliver BRc4 and Latrodectus. The exercise has been attributed to , an initial entry seller originally known for distributing BazaLoader, IcedID, Bumblebee, and Emotet.
The attacks involve the use of PDF attachments containing a link that redirects users to a URL shortened via Rebrandly, eventually leading them to a false Docusign page with an opportunity to view or download the report.
” When people clicked the Get button on the landing page, the result depended on whether their system and IP address were allowed to access the next level based on filtering rules set up by the threat actor”, Microsoft said.
If access is allowed, the user is sent a JavaScript file that subsequently downloads a Microsoft Software Installer ( MSI) for BRc4, which serves as a conduit for deploying Latrodectus. If the victim is not deemed a valuable enough target, they are sent a benign PDF document from royalegroupnyc [. ] com.
Microsoft said it also detected a second campaign between February 12 and 28, 2025, where tax-themed phishing emails were sent to more than 2, 300 organizations in the U. S., particularly aimed at engineering, IT, and consulting sectors.
The emails, in this case, had no content in the message body, but featured a PDF attachment containing a QR code that pointed to a link associated with the RaccoonO365 PhaaS that mimics Microsoft 365 login pages to trick users into entering their credentials.
In a sign that these campaigns come in various forms, tax-themed phishing emails have also been flagged as propagating other malware families like AHKBot and GuLoader.
AHKBot infection chains have been found to direct users to sites hosting a malicious Microsoft Excel file that, upon opening and enabling macros, downloads and runs a MSI file in order to launch an AutoHotKey script, which then downloads a Screenshotter module to capture screenshots from the compromised host and exfiltrate them to a remote server.
The GuLoader campaign aims to deceive users into clicking on a URL present within a PDF email attachment, resulting in the download of a ZIP file.
” The ZIP file contained various .lnk files set up to mimic tax documents. If launched by the user, the.lnk file uses PowerShell to download a PDF and a.bat file”, Microsoft said. ” The .bat file in turn downloaded the GuLoader executable, which then installed Remcos”.
The development comes weeks after Microsoft warned of another Storm-0249 campaign that redirected users to fake websites advertising Windows 11 Pro to deliver an updated version of Latrodectus loader malware via the BruteRatel red-teaming tool.
” The threat actor likely used Facebook to drive traffic to the fake Windows 11 Pro download pages, as we observed Facebook referrer URLs in multiple cases”, Microsoft in a series of posts on X.
” Latrodectus 1.9, the malware’s latest evolution first observed in February 2025, reintroduced the scheduled task for persistence and added command 23, enabling the execution of Windows commands via’ cmd. exe /c.'”
The disclosure also follows a surge in campaigns that use QR codes in phishing documents to disguise malicious URLs as part of widespread attacks aimed at Europe and the U. S., resulting in credential theft.
” Analysis of the URLs extracted from the QR codes in these campaigns reveals that attackers typically avoid including URLs that directly point to the phishing domain”, Palo Alto Networks Unit 42 in a report. ” Instead, they often use URL redirection mechanisms or exploit on legitimate websites”.
These findings also come in the wake of several phishing and social engineering campaigns that have been flagged in recent weeks-
- Use of the browser-in-the-browser ( BitB ) technique to serve seemingly realistic browser pop-ups that trick players of Counter-Strike 2 into entering their Steam credentials with the likely goal of reselling access to these accounts for profit
- Use of information stealer malware to , permitting threat actors to send email messages in bulk
- Use of to bypass spam filters and redirect users to fake Microsoft login pages
- Use of like Adobe, DocuSign, Dropbox, Canva, and Zoho to sidestep secure email gateways ( SEGs ) and steal credentials
- Use of like Spotify and Apple Music with the goal of harvesting credentials and payment information
- Use of fake security warnings related to suspicious activity on and devices on bogus websites to deceive users into providing their system credentials
- Use of distributing trojanized Windows installers for DeepSeek, i4Tools, and Youdao Dictionary Desktop Edition that drop
- Use of targeting Spanish companies to distribute an information stealer named
- Use of to deploy an information stealer called Masslogger targeting organizations located in Romania
To mitigate the risks posed by these attacks, it’s essential that organizations adopt phishing-resistant authentication methods for users, use browsers that can block malicious websites, and enable network protection to prevent applications or users from accessing malicious domains.