Microsoft Threat Intelligence reports multiple sophisticated phishing campaigns that leverage the upcoming U.S. tax season to steal credentials and distribute malware, using evasion techniques such as QR codes and abusing legitimate online services.
As the April 15 U.S. Tax Day approaches, threat actors are intensifying social engineering attacks using tax-related themes. Microsoft has detailed several campaigns observed in recent months where attackers send emails impersonating tax authorities (like the IRS) or related services. These emails use lures such as flagged filing issues, unusual activity alerts, audit notices, or refund eligibility to trick recipients into clicking malicious links, opening attachments, or scanning QR codes. The campaigns often abuse legitimate services, including URL shorteners (like Rebrandly), file-hosting platforms (like Firebase and Dropbox), and Google Business pages, to host malicious content or redirect users, ultimately bypassing initial security filters.
Some of the observed campaigns include one attributed to Storm-0249 using fake IRS-themed emails with PDF attachments containing links that redirected through fake DocuSign pages to deliver BruteRatel C4 and Latrodectus malware; another targeting over 2,300 organizations with emails containing unique QR codes in PDFs, which led to RaccoonO365 phishing pages designed to steal Microsoft 365 credentials; a third campaign using Google Business page redirects to lure users into downloading malicious Excel files that installed AHKBot malware for capturing screenshots; and a fourth targeting CPAs and accountants, first building rapport before sending malicious PDFs with links to Dropbox, ultimately deploying GuLoader and the Remcos RAT via LNK files.
These campaigns pose a significant threat: they aim to steal sensitive personal and financial data for identity theft and monetary gain, as well as corporate credentials that enable broader network compromise. The use of techniques like QR codes in attachments and the abuse of trusted third-party services make these threats harder to detect for both users and basic security systems. This underscores the importance of vigilance during high-stakes periods like tax season and reinforces the official guidance that the U.S. IRS does not initiate contact via email, text, or social media to request sensitive information.
Microsoft Threat Intelligence detailed these observations, noting that while tax-season scams are common, actors continuously adapt tactics. They emphasized the effectiveness of these methods if organizations lack advanced anti-phishing solutions and user awareness training. The U.S. IRS consistently advises taxpayers that it does not use email, text messages, or social media to request personal or financial information.
Tax season predictably triggers a surge in financially motivated cyber threats, as attackers exploit the urgency and anxiety associated with taxes. The observed campaigns show how phishing tactics continue to evolve, incorporating methods like QR code phishing ('quishing') and the abuse of legitimate infrastructure alongside known malware families (loaders, RATs, PhaaS platforms). This underscores the need for multi-layered defenses, including advanced email filtering, endpoint protection, multifactor authentication (MFA), and continuous user education.
Tax-season phishing attacks are those in which cybercriminals send emails or messages pretending to be from tax authorities (like the IRS) or tax preparation services. The goal is to trick recipients into revealing personal or financial information, clicking malicious links, or installing malware.
Recent campaigns observed by Microsoft show increased use of QR codes embedded in PDF attachments, URL shortening services, fake login pages mimicking legitimate services (like DocuSign or Microsoft 365), and abuse of trusted platforms like Dropbox or Google Business pages to host or redirect to malicious content.
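To make the traits listed above concrete from a defender's side, here is an added example (not code from Microsoft or from the original article) of a small mail-triage function that scores a raw RFC 822 message for the combination of signals the report describes: a tax-themed lure with urgency wording, an "IRS" display name on a non-irs.gov sender, links through a URL shortener or file host, and a PDF attachment that the body asks the reader to scan. The indicator domain lists, the point weights, the threshold, and both sample messages are constructed assumptions for this example, not indicators published by Microsoft.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Illustrative indicator lists modelled on the services named in the report.
# Assumed for this example; a production list would be curated and kept current.
URL_SHORTENERS = {"rebrand.ly", "rebrandly.com", "bit.ly", "tinyurl.com"}
FILE_HOSTS = {"dropbox.com", "firebaseapp.com", "web.app"}
RISKY_EXTENSIONS = (".pdf", ".xls", ".xlsx", ".xlsm", ".lnk", ".zip", ".iso")
TAX_LURE = re.compile(r"\b(irs|tax|taxes|refund|audit|filing|w-2|1099)\b", re.I)
URGENCY = re.compile(r"(action required|immediate|unusual activity|flagged|suspended|final notice)", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
SUSPICIOUS_THRESHOLD = 4  # assumed cut-off for this example


def _domain(url):
    """Hostname of a URL with any leading 'www.' stripped."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _matches(host, domains):
    """True when host equals or is a subdomain of any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_message(raw):
    """Score one raw message for tax-season phishing traits.

    Returns {"score": int, "suspicious": bool, "reasons": [str, ...]}.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    score, reasons = 0, []

    subject = msg.get("Subject", "")
    display, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    # Collect body text and attachment names from every MIME leaf part.
    body, attachments = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            attachments.append(filename.lower())
        elif part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            body.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    text = subject + "\n" + "\n".join(body)

    if TAX_LURE.search(text):
        score += 1; reasons.append("tax-themed lure")
    if URGENCY.search(text):
        score += 1; reasons.append("urgency language")
    # Display name claims the IRS while the sending domain is not irs.gov.
    if re.search(r"\birs\b", display, re.I) and not sender_domain.endswith("irs.gov"):
        score += 2; reasons.append(f"IRS impersonation from {sender_domain}")
    for url in URL_RE.findall(text):
        host = _domain(url)
        if _matches(host, URL_SHORTENERS):
            score += 2; reasons.append(f"shortened link via {host}")
        elif _matches(host, FILE_HOSTS):
            score += 1; reasons.append(f"link to file host {host}")
    for name in attachments:
        if name.endswith(RISKY_EXTENSIONS):
            score += 1; reasons.append(f"risky attachment {name}")
            # Body directs the reader to scan a code inside the PDF: the quishing pattern.
            if name.endswith(".pdf") and re.search(r"\bqr\b", text, re.I):
                score += 2; reasons.append("QR code delivered inside PDF")
    return {"score": score, "suspicious": score >= SUSPICIOUS_THRESHOLD, "reasons": reasons}


# Constructed sample messages (not real campaign artefacts).
SAMPLE_PHISH = """From: "IRS Refund Center" <notices@example-mailer.test>
To: user@example.test
Subject: Action required: unusual activity on your tax filing
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your 2024 refund is flagged for review. Verify here: https://rebrand.ly/abc123
or scan the QR code in the attached PDF.

--b1
Content-Type: application/pdf; name="IRS_Notice.pdf"
Content-Disposition: attachment; filename="IRS_Notice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

SAMPLE_BENIGN = """From: "Facilities Team" <facilities@example.test>
To: user@example.test
Subject: Parking lot repainting on Friday
Content-Type: text/plain; charset="utf-8"

The north lot will be closed Friday morning while the lines are repainted.
"""


def demo():
    """Triage both constructed samples; returns (phish_result, benign_result)."""
    return triage_message(SAMPLE_PHISH), triage_message(SAMPLE_BENIGN)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The scoring is deliberately additive so that no single signal (a PDF attachment, a tax keyword) flags a message on its own; it is the stacking of impersonation, a shortened link, and a "scan the code in the attachment" instruction that crosses the threshold, which mirrors how the report's campaigns chain these elements.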
Be skeptical of unsolicited tax-related communications, especially those requesting sensitive information or urging immediate action. Never click suspicious links or scan unknown QR codes. Verify sender identities through official channels. Use strong, unique passwords and enable MFA. Keep security software updated and implement email security solutions like those provided by Paubox Email Suite. Educate users about current phishing tactics.