Microsoft flags surge in tax-themed malware attacks

Microsoft is warning U.S. organizations of tax-related phishing campaigns that combine PDFs, QR codes, and malware loaders to steal credentials and deploy remote access tools.


What happened

Microsoft has identified multiple active phishing campaigns using tax-themed lures to deliver malware and steal login credentials. These campaigns rely on email attachments that contain PDFs or QR codes, often leading victims to phishing pages or malicious downloads. Some attacks use the phishing-as-a-service (PhaaS) platform known as RaccoonO365 to mimic Microsoft 365 login pages and harvest credentials.

The activity has been attributed to Storm-0249, an access broker previously linked to malware like BazaLoader and Emotet. In some cases, remote access tools such as Remcos RAT and loaders like GuLoader and Latrodectus are deployed following the phishing attempt.


Going deeper

One major campaign detected on February 6, 2025, targeted U.S. users ahead of the tax filing season with hundreds of emails delivering a fake DocuSign link. Clicking the link triggered a download chain that installed BRc4 and Latrodectus malware, but only if the victim's IP address and system passed filtering rules set by the attackers.

A separate campaign between February 12 and 28 targeted over 2,300 U.S. organizations primarily in engineering, IT, and consulting. These emails had blank bodies but included PDF attachments with QR codes that redirected to fake Microsoft login portals tied to the RaccoonO365 platform.

Variants of the campaign used different delivery methods. In one, QR codes led to ZIP files containing malicious .lnk shortcuts that mimicked tax documents. When clicked, the files launched PowerShell commands that downloaded GuLoader and installed Remcos RAT. In another version, opening Excel files with macros triggered the download of AHKBot, which could take screenshots and exfiltrate them to attacker-controlled servers.

Microsoft also noted that similar tactics were used weeks earlier to distribute fake Windows 11 Pro installers via Facebook ads. These campaigns relied on Brute Ratel C4 (BRc4) tooling and an updated Latrodectus version to establish persistence on compromised systems.


What was said

Microsoft warned that these attacks often abuse legitimate services such as DocuSign, Dropbox, and Adobe to sidestep secure email gateways. The threat actors deliberately avoid placing direct phishing URLs in attachments, opting instead to use redirection through URL shorteners or open redirect flaws on trusted sites.

Palo Alto Networks added that QR code-based attacks are rising in Europe and the U.S., making it harder to detect malicious links at first glance. Meanwhile, attackers have been diversifying their tactics across sectors, including impersonating major banks, media services, and software platforms.
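The delivery traits described above (blank message bodies carrying a PDF, ZIP attachments wrapping a .lnk shortcut, macro-enabled Office files, and links routed through URL shorteners) can be turned into a simple mail-triage heuristic. The following is an added example written for this article, not Microsoft's or Palo Alto Networks' detection logic; the message layout, the shortener list and the sample messages are constructed assumptions, and QR decoding is deliberately out of scope.

```python
import io
import zipfile
from urllib.parse import urlparse

# Constructed shortener list for this example; the report names no specific services.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
MACRO_EXTS = (".xlsm", ".xlam", ".docm")

def _zip_members(data: bytes) -> list:
    """Member names of a ZIP attachment; an unreadable archive yields none."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []

def triage(msg: dict) -> list:
    """Return the campaign traits present in msg.
    msg = {"body": str, "urls": [str], "attachments": {filename: bytes}}"""
    hits = []
    names = {n.lower(): data for n, data in msg["attachments"].items()}
    # Blank body carrying a PDF: the shape of the QR-code lure (QR decoding is out of scope).
    if not msg["body"].strip() and any(n.endswith(".pdf") for n in names):
        hits.append("blank_body_pdf")
    for n, data in names.items():
        # ZIP whose members include a .lnk shortcut posing as a tax document.
        if n.endswith(".zip") and any(m.lower().endswith(".lnk") for m in _zip_members(data)):
            hits.append("zip_with_lnk")
        # Macro-enabled Office document, the AHKBot delivery vector.
        if n.endswith(MACRO_EXTS):
            hits.append("macro_enabled_office")
    # Link whose final destination is hidden behind a shortener.
    if any(urlparse(u).hostname in SHORTENERS for u in msg["urls"]):
        hits.append("shortened_url")
    return hits

def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP so the samples below run offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample messages (not real campaign artifacts).
SAMPLES = [
    {"body": "", "urls": [], "attachments": {"Tax_Form.pdf": b"%PDF-1.4 stub"}},
    {"body": "See attached.", "urls": ["https://bit.ly/abc123"],
     "attachments": {"Tax_Documents.zip": make_zip({"Tax_Return_2024.lnk": b"\x4c\x00\x00\x00"})}},
    {"body": "Pizza at noon?", "urls": ["https://example.com/menu"], "attachments": {}},
]
```

Each returned trait is a weak signal on its own; in practice they would feed a scoring or quarantine rule alongside the gateway's existing verdicts rather than block mail outright.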


The big picture

Recent phishing campaigns show how attackers are combining automation, redirection techniques, and malware-as-a-service tools to avoid detection. QR codes and cloud-hosted payloads are being used to bypass email and endpoint filters more effectively. The timing and range of recent attacks, including those during tax season, suggest a focus on exploiting moments of heightened user activity. To respond, organizations may need to reinforce both technical controls and user awareness, along with adopting phishing-resistant authentication methods where possible.


FAQs

Why are QR codes being used more frequently in phishing attacks?

QR codes can bypass traditional email filters and allow attackers to hide malicious URLs behind visually innocuous images, making them harder to detect and block.


What is RaccoonO365, and how does it work?

RaccoonO365 is a phishing-as-a-service platform that generates convincing fake Microsoft 365 login pages to steal credentials, often used by threat actors who don’t have technical expertise.


How do malware loaders like GuLoader and Latrodectus fit into these attacks?

These loaders are used to download and execute additional payloads, such as remote access tools, once initial access is gained, allowing attackers to maintain control or exfiltrate data.


How do attackers decide which victims receive the full malware payload?

Some campaigns include filtering rules based on the victim's IP address, location, or system type to determine whether to deliver malware or a harmless decoy document.


What proactive steps can organizations take to defend against these campaigns?

Organizations should deploy phishing-resistant MFA, monitor for unusual authentication behavior, disable macro execution from unknown sources, and educate users on identifying phishing attempts, especially those using QR codes or blank message bodies.