Shane

Microsoft Warns of Tax-Themed Phishing Campaigns

Don’t Let Tax Season Become Hack Season: Protect Your Business Today

As Tax Day approaches on April 15, Microsoft has issued an urgent warning about several sophisticated phishing campaigns targeting U.S. taxpayers. These campaigns are leveraging tax-related themes to deploy malware and steal credentials through increasingly deceptive methods. Let’s explore the threats, how they operate, and what you can do to protect yourself and your business.

The Warning

Microsoft has identified multiple phishing campaigns that use tax-themed emails to deliver malware and steal credentials. These attacks utilize redirection methods such as URL shorteners and QR codes contained in malicious attachments, while also abusing legitimate services like file-hosting platforms and business profile pages to avoid detection.

Every year, threat actors exploit tax season to steal personal and financial information, which can result in identity theft and monetary loss. They craft campaigns that mislead taxpayers into revealing sensitive information, making payments to fake services, or installing malicious payloads. While these are well-known techniques, they remain highly effective if users and organizations don’t employ advanced anti-phishing solutions and conduct user awareness training.

Recent Tax-Themed Phishing Campaigns

1. BruteRatel C4 and Latrodectus Campaign

On February 6, 2025, Microsoft observed a phishing campaign targeting the United States with tax-themed emails attempting to deliver BruteRatel C4 (BRc4) and Latrodectus malware. Microsoft attributes this campaign to Storm-0249, an access broker active since 2021 known for distributing various malware types.

The emails used subject lines such as:

  • “Notice: IRS Has Flagged Issues with Your Tax Filing”
  • “Unusual Activity Detected in Your IRS Filing”
  • “Important Action Required: IRS Audit”

The emails contained PDF attachments with embedded links that redirected users to shortened URLs, ultimately leading to fake DocuSign pages. If users clicked the download button, they would receive either malicious JavaScript that downloaded BRc4 malware (which then installed Latrodectus) or a benign PDF as a decoy, depending on filtering rules set by the threat actor.

2. QR Code Phishing Campaign

Between February 12 and 28, 2025, tax-themed phishing emails were sent to over 2,300 organizations, primarily in the U.S. engineering, IT, and consulting sectors. These emails had empty bodies but contained PDF attachments with QR codes that linked to a domain associated with the RaccoonO365 phishing-as-a-service platform.

The URLs included the recipient’s email address as a query parameter, making each PDF attachment unique, so a hash or signature that blocks one recipient’s attachment does not match the next one. The QR codes directed users to fake Microsoft 365 sign-in pages designed to steal credentials.

3. AHKBot Malware Campaign

On February 13, 2025, Microsoft observed a campaign using IRS-themed emails targeting U.S. users. With the subject “IRS Refund Eligibility Notification,” these emails contained hyperlinks that directed users to download malicious Excel files through what appeared to be legitimate Google Business pages.

If users opened the Excel file and enabled macros, a malicious MSI file would be downloaded and executed, installing AHKBot malware. This included a Screenshotter module designed to capture screenshots from the compromised device and exfiltrate them to a remote server.

4. GuLoader and Remcos Campaign

On March 3, 2025, Microsoft observed a tax-themed campaign targeting CPAs and accountants in the United States. This sophisticated attack began with a benign rapport-building email asking for tax filing services, followed by a second email with a malicious PDF if the recipient replied.

The PDF contained an embedded URL that, when clicked, downloaded a ZIP file from Dropbox containing malicious .lnk files disguised as tax documents. These shortcut files used PowerShell to download additional malware, ultimately installing GuLoader and Remcos, a remote access trojan that gives attackers full control over compromised systems.
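The four campaigns above share a handful of observable traits: tax- or IRS-themed subject lines, PDF attachments whose links go through URL shorteners, empty message bodies paired with a PDF (the QR-code lure), URLs that carry the recipient’s own address as a query parameter, and ZIP archives holding .lnk shortcuts. The following triage script is an added example (not code from Microsoft or CinchOps) that scores a message against those traits. The keyword list, the shortener domain list, the weights, and the sample messages are all constructed assumptions; in practice the URL list would come from your mail gateway or a PDF parser.

```python
"""Triage helper for the tax-themed phishing traits described above.

Added example, not Microsoft's or CinchOps' code. Keyword list, shortener
list, weights and sample messages are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Constructed keyword list for tax-themed subjects (assumption, extend as needed).
TAX_KEYWORDS = ("irs", "tax", "refund", "audit", "filing", "w-2", "1099")

# Constructed list of public URL shorteners (assumption, not exhaustive).
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly", "cutt.ly", "rb.gy"}

# Constructed weights; a total of 4 or more is flagged for analyst review.
REVIEW_THRESHOLD = 4


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)  # attachment file names
    urls: list[str] = field(default_factory=list)         # URLs found in body or attachments


def is_tax_themed(subject: str) -> bool:
    """True if the subject contains any tax/IRS lure keyword."""
    s = subject.lower()
    return any(k in s for k in TAX_KEYWORDS)


def is_shortener(url: str) -> bool:
    """True if the URL's host is a known public URL shortener."""
    host = (urlparse(url).hostname or "").lower()
    return host in SHORTENER_DOMAINS


def embeds_recipient(url: str, recipient: str) -> bool:
    """True if the recipient's own address appears as a query parameter value
    (the per-recipient personalisation seen in the QR-code campaign).
    parse_qs URL-decodes values, so an encoded '@' still matches."""
    target = recipient.lower()
    values = parse_qs(urlparse(url).query).values()
    return any(v.lower() == target for vals in values for v in vals)


def score(msg: Message) -> tuple[int, list[str]]:
    """Return (total score, list of matched indicators) for one message."""
    points = 0
    reasons: list[str] = []
    names = [a.lower() for a in msg.attachments]
    has_pdf = any(n.endswith(".pdf") for n in names)

    if is_tax_themed(msg.subject):
        points += 2
        reasons.append("tax-themed subject")
    if has_pdf and not msg.body.strip():
        points += 2
        reasons.append("empty body with PDF attachment (QR-code lure pattern)")
    for u in msg.urls:
        if is_shortener(u):
            points += 2
            reasons.append(f"shortened URL: {u}")
        if embeds_recipient(u, msg.recipient):
            points += 3
            reasons.append(f"URL embeds recipient address: {u}")
    if any(n.endswith((".zip", ".lnk")) for n in names):
        points += 2
        reasons.append("archive or Windows shortcut attachment")
    return points, reasons


def needs_review(msg: Message) -> bool:
    """Verdict helper: flag when the constructed threshold is reached."""
    return score(msg)[0] >= REVIEW_THRESHOLD


# Constructed sample messages modelled on the campaigns described above.
SAMPLES = [
    Message("notice@lure.example", "jane@corp.example", "IRS Tax Notification", "",
            ["form.pdf"], ["https://lure.example/v?e=jane%40corp.example"]),
    Message("irs-alert@lure.example", "bob@corp.example",
            "Notice: IRS Has Flagged Issues with Your Tax Filing",
            "Please review the attached notice.", ["notice.pdf"],
            ["https://bit.ly/constructed-example"]),
    Message("colleague@corp.example", "bob@corp.example", "Lunch on Friday?",
            "Same place as last time?", [], ["https://www.example.com/menu"]),
]

if __name__ == "__main__":
    for m in SAMPLES:
        total, why = score(m)
        flag = "REVIEW" if needs_review(m) else "ok"
        print(f"{flag:6} {total:2}  {m.subject!r}  {why}")
```

The scoring is deliberately additive rather than a single rule, so an empty-bodied PDF with a personalised link stands out even when the subject uses a keyword not in the list; tune the weights and threshold to your own mail volume.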

Protecting Your Organization

Microsoft recommends the following protective measures:

For Organizations:

  1. Educate users about protecting personal and business information, identifying phishing links, and reporting suspicious activities.
  2. Enable Zero-hour auto purge (ZAP) in Microsoft Defender for Office 365 to quarantine malicious messages.
  3. Deploy phishing-resistant authentication methods and enforce multi-factor authentication (MFA) on all accounts.
  4. Implement Entra ID Conditional Access authentication strength for critical apps.
  5. Encourage the use of browsers that support Microsoft Defender SmartScreen to block malicious websites.
  6. Enable network protection to prevent access to malicious domains.
  7. Configure Microsoft Defender for Office 365 to recheck links on click through Safe Links scanning.
  8. Enable cloud-delivered protection in your antivirus product to cover evolving attacker techniques.
  9. Run endpoint detection and response (EDR) in block mode to remediate malicious artifacts detected post-breach.

For Individuals:

  1. Be suspicious of emails claiming to be from tax authorities, especially those with urgent requests.
  2. Never click on links or download attachments from unexpected emails.
  3. Verify the sender’s email address carefully.
  4. Be wary of emails containing QR codes.
  5. Use strong, unique passwords and enable MFA wherever possible.
  6. Keep your operating system and security software updated.
  7. Remember that the IRS does not initiate contact with taxpayers by email, text messages, or social media to request personal or financial information.

How CinchOps Can Help

At CinchOps, we understand the critical importance of protecting your business from these sophisticated tax-season phishing attacks. Our comprehensive security solutions can help secure your organization through:

    1. Advanced Email Security: Our email filtering systems can detect and block tax-themed phishing attempts, including those using PDF attachments, QR codes, and shortened URLs.
    2. Employee Security Training: We provide customized training programs to help your team recognize and avoid tax-themed phishing attempts.
    3. Multi-Factor Authentication Implementation: We can deploy and manage robust MFA solutions to protect your critical accounts.
    4. Endpoint Protection: Our advanced security solutions can detect and block malware like Latrodectus, BruteRatel, and Remcos before they compromise your systems.
    5. 24/7 Security Monitoring: Our security operations center provides continuous monitoring to detect and respond to suspicious activities promptly.

Discover more about our enterprise-grade, business-protecting cybersecurity services on our Cybersecurity page.

Don’t let tax season become an opportunity for cybercriminals to target your business. Contact CinchOps today to ensure your organization remains protected against these evolving threats.
