As the April 15 Tax Day deadline approaches, Microsoft cybersecurity experts have reported a spike in phishing campaigns targeting U.S. taxpayers. These campaigns use tax-related themes to lure victims, often relying on URL shorteners, QR codes, and malicious attachments.

How It Happens

A phishing email that appears to be from the IRS. (Source: Microsoft)

These campaigns are primarily aimed at individuals and organizations in the United States. The phishing emails often pose as official IRS communications, asking recipients to click on links or download files that may contain malware. Notable threats include the RaccoonO365 phishing-as-a-service (PhaaS) platform, remote access trojans (RATs) like Remcos, and malware variants such as Latrodectus, BruteRatel C4 (BRc4), AHKBot, and GuLoader.

Noteworthy Phishing Campaigns

On February 6, 2025, Microsoft identified a large-scale phishing campaign targeting thousands of users. The threat actors sent IRS-themed emails with PDF attachments containing malicious links. When clicked, these links redirected users to fake DocuSign pages hosting BRc4 and Latrodectus malware. If access was blocked, a harmless PDF was served instead to make the lure look legitimate. This campaign was attributed to the Storm-0249 group.

A PDF attachment pretending to be a DocuSign document

Another campaign, between February 12 and 28, 2025, targeted over 2,300 organizations, predominantly in the engineering, IT, and consulting sectors. These phishing emails contained QR codes embedded in PDF attachments, leading users to fake Microsoft 365 login pages designed to steal credentials. This campaign was attributed to the RaccoonO365 PhaaS platform.

PDF with the QR code. (Source: Microsoft)

In a separate incident on February 13, 2025, phishing emails masquerading as IRS notifications targeted U.S. users. The emails contained links to malicious Excel files. If users enabled macros, AHKBot malware was activated, potentially compromising sensitive data.

The Bottom Line

To stay safe, users are advised to remain wary of unsolicited tax-related emails and to deploy advanced phishing prevention tools. Moreover, the IRS reiterates that it does not initiate contact via email, text, or social media to request personal or financial information. Suspicious messages should be reported to authorities immediately.

Source: hxxps[://]www[.]microsoft[.]com/en-us/security/blog/2025/04/03/threat-actors-leverage-tax-season-to-deploy-tax-themed-phishing-campaigns/
