As Tax Day nears, threat actors are pulling out all the stops by deploying tax-themed phishing campaigns that combine age-old social engineering tricks with modern redirection techniques and sophisticated malware. In recent months, Microsoft’s threat intelligence team has observed several high-profile campaigns targeting U.S. taxpayers, accountants, and organizations in industries such as IT and consulting. These campaigns leverage urgency and fear associated with tax season to lure victims into clicking malicious attachments, visiting spoofed websites, or enabling harmful macros. Let’s dive into the technical details and examine the implications of these phishing attempts.
The Anatomy of a Tax-Themed Phishing Campaign
Phishing campaigns during tax season are nothing new, yet the tactics employed remain disturbingly effective. Microsoft’s analysis highlights several common methods threat actors are using:
- Redirection Techniques: Attackers are increasingly using URL shorteners, QR codes, and intermediary pages to obscure the final destination of their malicious links. A single email might contain a PDF attachment that masquerades as a tax document or a DocuSign file, but behind the scenes, it directs the user first to a Rebrandly URL shortener and then onto a fake landing page. This multi-stage redirection is designed to evade detection by security systems.
- Exploitation of Legitimate Services: Cybercriminals abuse services such as file-hosting platforms, business profile pages, and even Firebase to host their malicious payloads. By leveraging trusted platforms, these actors can bypass security filters and lower the suspicion levels of their targets.
- Tailored Social Engineering: The phishing emails are meticulously crafted. Display names such as “EMPLOYEE TAX REFUND REPORT” or “Client Contract Negotiation Service Agreement” lend a veneer of legitimacy. In some instances, attackers even personalize emails by embedding the recipient’s email address in query string parameters within QR codes, making each attack uniquely tailored.
- Malware Arsenal: The campaigns are not limited to stealing credentials. They serve as a delivery mechanism for various malware families:
  • BRc4 and Latrodectus: In one campaign, phishing emails designed to appear as IRS notifications and tax forms delivered a JavaScript file from Firebase. If executed, this file downloaded a Microsoft Software Installer (MSI) containing BRc4. This red-teaming toolkit then installed Latrodectus, a loader that establishes persistent access while executing further payloads.
  • AHKBot: Another campaign involved an email with an IRS refund notification that tricked users into downloading a malicious Excel file. When macros were enabled, the file downloaded an MSI containing a dual-component package. One component was an executable mimicking AutoHotKey (AutoNotify.exe), and the other was a looping AHKBot script used to capture screenshots and facilitate further remote access.
  • Remcos and GuLoader: A separate, more targeted campaign began with a benign rapport-building email aimed at CPAs. After establishing initial contact, attackers sent a follow-up email containing a PDF with embedded links. One link led to a ZIP file hosted on Dropbox, which then triggered a chain reaction involving PowerShell commands, the download of a GuLoader executable, and ultimately the installation of the Remcos remote access trojan.
Key Technical Indicators
Here are some of the technical details extracted from these campaigns:
- Redirection Chains & Fake Domains:
  • The malicious PDF attachments frequently contain embedded URLs pointing to shortened addresses (e.g., Rebrandly) that redirect users to convincing counterfeit DocuSign pages.
  • Domains such as shareddocumentso365cloudauthstorage.com are exploited by phishing-as-a-service (PhaaS) platforms like RaccoonO365 to harvest credentials directly.
- Malware-Specific Characteristics:
  • Latrodectus: This loader features dynamic command-and-control (C2) configurations and anti-analysis tricks such as minimum process count checks and network adapter verification.
  • BRc4: Originally designed for adversary simulation and penetration testing, BRc4 has been repurposed by threat actors to facilitate post-exploitation activities and stealthy C2 communications.
- Indicators of Compromise (IOCs): Specific SHA-256 hashes and file names have been associated with these campaigns, enabling organizations to correlate inbound alerts. For example, hashes corresponding to files like lrs_Verification_Form_1730.pdf and scripts such as Irs_verif_form_2025_214859.js provide actionable intelligence for threat hunting efforts in environments using Microsoft Sentinel and other SIEM solutions.
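The indicators above can be turned into a single hunting query. The KQL below is an added example written for this write-up; it is not from the Microsoft report or the original post. It assumes the standard Microsoft 365 Defender advanced-hunting tables (DeviceNetworkEvents, DeviceFileEvents, EmailAttachmentInfo, EmailUrlInfo, EmailEvents) as exposed to Microsoft Sentinel through the Defender XDR connector. The C2 address, the PhaaS domain, and the lure file-name prefixes come from the text above; the SHA-256 values are placeholders because the page does not list them, and should be replaced with the hashes published in the Microsoft report.

```kql
// Added example (not from the Microsoft report): hunt for the IOCs named in
// this write-up across endpoint and email telemetry. Hash values are
// placeholders to be replaced with the SHA-256s from the source report.
let lookback = 30d;
let c2_ips = dynamic(["181.49.105.59"]);                              // AHKBot C2 (from the write-up)
let phish_domains = dynamic(["shareddocumentso365cloudauthstorage.com"]); // RaccoonO365 harvesting domain
let ioc_sha256 = dynamic(["<SHA256_FROM_REPORT_1>", "<SHA256_FROM_REPORT_2>"]); // placeholders
// 1. Endpoint network sessions to the C2 address
let net = DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where RemoteIP in (c2_ips)
| project Timestamp, Subject = DeviceName, Indicator = RemoteIP,
          Detail = InitiatingProcessCommandLine, Source = "DeviceNetworkEvents";
// 2. Files on disk matching the lure names (note the lowercase "l" in "lrs_",
//    chosen to pass as "IRS") or the published hashes
let files = DeviceFileEvents
| where Timestamp > ago(lookback)
| where SHA256 in (ioc_sha256)
     or FileName startswith "lrs_Verification_Form_"
     or FileName startswith "Irs_verif_form_"
| project Timestamp, Subject = DeviceName, Indicator = FileName,
          Detail = FolderPath, Source = "DeviceFileEvents";
// 3. Inbound mail carrying a matching attachment
let mail_att = EmailAttachmentInfo
| where Timestamp > ago(lookback)
| where SHA256 in (ioc_sha256)
     or FileName startswith "lrs_Verification_Form_"
     or FileName startswith "Irs_verif_form_"
| project Timestamp, Subject = RecipientEmailAddress, Indicator = FileName,
          Detail = SenderFromAddress, Source = "EmailAttachmentInfo";
// 4. Mail whose links resolve to the credential-harvesting domain
let mail_url = EmailUrlInfo
| where Timestamp > ago(lookback)
| where UrlDomain in (phish_domains)
| join kind=inner (
    EmailEvents
    | project NetworkMessageId, RecipientEmailAddress, SenderFromAddress
  ) on NetworkMessageId
| project Timestamp, Subject = RecipientEmailAddress, Indicator = Url,
          Detail = SenderFromAddress, Source = "EmailUrlInfo";
// One timeline across all four sources, newest first
union net, files, mail_att, mail_url
| order by Timestamp desc
```

The four sub-queries are normalized to the same five columns so that a single union gives one timeline; the Subject column is the device name for endpoint hits and the recipient address for mail hits, which makes it straightforward to pivot from an inbound message to the host that later opened the attachment. Because the campaigns rotate the numeric suffix in the lure names, the query matches on the file-name prefix rather than an exact name, and it does not rely on the hash alone.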
Campaign Case Studies: From BruteForce to Botnets
Brute Ratel C4 and Latrodectus Deployment
On February 6, 2025, Microsoft observed a large-scale phishing campaign targeting thousands of U.S. users, with emails bearing subjects such as “Notice: IRS Has Flagged Issues with Your Tax Filing.” These messages contained PDF attachments with names like "lrs_Verification_Form_1773.pdf" and similar variations. The workflow of this attack was as follows:
- Phishing Email with Malicious PDF: The email delivers a PDF attachment that conceals a malicious DoubleClick URL.
- URL Redirection Sequence: The embedded URL directs the recipient’s browser first to a Rebrandly-shortened link, then to a counterfeit DocuSign page hosted on a spoofed domain.
- Conditional Payload Delivery: Depending on the threat actor’s filtering rules, the victim either downloads a JavaScript file from Firebase—triggering the MSI download and subsequent installation of BRc4 and Latrodectus—or receives a benign decoy PDF from a different domain.
AHKBot in IRS-Themed Campaigns
On February 13, 2025, another campaign surfaced targeting U.S. users with an email subject line reading “IRS Refund Eligibility Notification.” The sender’s address, jessicalee@eboxsystems.com, appeared legitimate at first glance. The email included a hyperlink that led to a malicious Excel document hosted via a manipulated Google Business page. Here’s a breakdown:
- Initial Hook via Excel File: The link loads an Excel file which, when opened, prompts the user to enable macros.
- Macro-Driven Malware Delivery: Once macros are enabled, a malicious MSI file is downloaded. This file contains:
  • A benign-looking executable (AutoNotify.exe), which is actually a copy of the genuine AutoHotKey runner.
  • The AHKBot Looper script (AutoNotify.ahk) that initiates an infinite loop to run additional malicious AutoHotKey scripts.
- C2 Communication: The AHKBot script communicates with a command-and-control server using the IP address 181.49.105.59, eventually downloading further modules such as a screenshot capturing tool.
GuLoader and Remcos: A Targeted Tactic for CPAs
Perhaps the most cunning of the tax-themed phishing campaigns involved a two-stage approach designed to establish rapport before delivering malware. Launched on March 3, 2025, this campaign began with a benign email asking for tax filing services—a request intended to lower the target’s guard. Once the victim responded, they received a second email with a malicious PDF attachment that contained an embedded URL. Clicking the URL resulted in the following chain of events:
- Downloadable ZIP File from Dropbox: The ZIP file housed several .lnk files disguised as tax documents.
- Execution with PowerShell: When any of these .lnk files were triggered, they executed a PowerShell script that downloaded a PDF and an accompanying batch file.
- Payload Delivery: The batch file subsequently downloaded the GuLoader executable, which then facilitated the installation of the Remcos remote access trojan.
Mitigation Strategies: Defending Against Sophisticated Phishing
Microsoft has published comprehensive mitigation guidance for these tax-themed threats. Here are several recommendations that every organization and individual should consider:
- Advanced Anti-Phishing Solutions: Deploy solutions such as Microsoft Defender for Office 365, which can scan emails for malicious attachments and URLs. Microsoft Defender for Endpoint further bolsters your defenses by monitoring endpoints for suspicious activity related to these campaigns.
- User Awareness Training: Educate users on the telltale signs of phishing emails, especially during high-risk periods like tax season. Awareness training should include guidance on the dangers of clicking on shortened URLs, scanning QR codes in unexpected emails, and enabling macros in unsolicited documents.
- Leverage Integrated Security Platforms: Microsoft Defender XDR and Microsoft Security Copilot are designed to integrate detection, investigation, and response across various endpoints. These platforms can coordinate alerts and automate incident responses using threat intelligence from Microsoft Defender Threat Intelligence and Microsoft Sentinel.
- Incident Response and Hunting Queries: Security analysts can use pre-built queries in Microsoft Sentinel to detect indicators of compromise related to these campaigns. For example, queries that monitor for suspicious network sessions, unusual file execution events, or communication with known C2 IP addresses (e.g., 181.49.105.59) can help identify inbound threats quickly.
- Verifying Source Authenticity: Remember, the United States Internal Revenue Service (IRS) does not initiate contact with taxpayers by email, text, or social media. Any unsolicited request for personal or financial information should be treated as suspicious.
Best Practices for Organizations
- Email Filtering and Threat Intelligence: Regularly update email filtering rules and integrate threat intelligence feeds that flag known malicious URLs and file hashes. Organizations should also subscribe to threat intelligence reports that outline evolving phishing techniques and emerging malware families.
- Multi-Factor Authentication (MFA): Implement MFA across your networks to add an extra layer of security in case a phishing campaign does succeed in stealing credentials.
- Sandboxing and File Analysis: Use sandbox environments to detonate and analyze attachments from unknown sources. This can prevent malware from executing in your production environment.
- Regular Security Audits: Conduct security audits and red teaming exercises to ensure that your defenses are up-to-date and can withstand the evolving tactics of threat actors.
Broader Implications for the Cybersecurity Landscape
Tax season phishing campaigns highlight a broader trend: even well-known social engineering tactics can become potent when combined with technical sophistication and dynamic C2 architectures. The transformation of tools like BRc4, initially designed for penetration testing, into instruments for widespread abuse underscores the blurred lines between legitimate testing frameworks and threat actor arsenals. This evolution raises important questions for security professionals:
- How can organizations balance the need for user-friendly, everyday tools while preventing their exploitation by criminals?
- What additional measures can be integrated into existing cybersecurity frameworks to anticipate and thwart such multi-layered attacks?
Practical Steps to Protect Your Windows Environment
For Windows users and IT professionals navigating the complex threat landscape, here are some actionable steps:
- Review Security Configurations: Double-check that your security solutions (Microsoft Defender for Office 365, Microsoft Defender for Endpoint, and Microsoft Defender XDR) are properly configured and up-to-date.
- Monitor Suspicious Activity: Set up alerts in your SIEM systems to notify you of unusual attachments, redirection chains, or outbound connections to known threat actor domains and IP addresses.
- Educate Your Team: Create awareness campaigns within your organization that detail recent phishing tactics, including the use of QR codes and file-hosting services to disguise malicious activity. Use simulated phishing tests to gauge employee responses.
- Implement Zero Trust Architectures: Assuming that any email or attachment may be malicious, adopt a zero-trust framework to limit lateral movement within your network. This approach helps reduce the risk of widespread compromise in the event an attack does occur.
- Regularly Audit and Update Indicators of Compromise: Maintain an updated list of IOCs provided by trusted sources. Utilize hunt queries in Microsoft Sentinel to match against incoming traffic and file events.
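IOC lists go stale as soon as the actor rotates domains and hashes, so the monitoring step above is best paired with a behaviour-based hunt for the execution stages the three case studies share: an Office application spawning an installer or script host, a shortcut launching a PowerShell downloader, a downloaded .js run by the script host, and a renamed AutoHotkey runner. The query below is an added example for this write-up, not from the Microsoft report or the original post. It assumes the DeviceProcessEvents table of Microsoft Defender for Endpoint, including its ProcessVersionInfoOriginalFileName column, as available through Sentinel's Defender XDR connector; the Stage labels and the list of download keywords are the author's own choices.

```kql
// Added example (not from the Microsoft report): behaviour-based hunt for the
// delivery stages described in the case studies. Assumes the Defender for
// Endpoint DeviceProcessEvents schema; Stage names are this example's own.
let lookback = 7d;
let office_apps = dynamic(["excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"]);
let script_hosts = dynamic(["msiexec.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| extend Stage = case(
    // Macro-enabled workbook (AHKBot) or Office lure pulling an MSI / running a script host
    InitiatingProcessFileName in~ (office_apps) and FileName in~ (script_hosts),
        "office-spawned-installer-or-script",
    // .lnk lure opened from Explorer: PowerShell that fetches a second stage (GuLoader chain)
    InitiatingProcessFileName =~ "explorer.exe"
      and FileName in~ ("powershell.exe", "pwsh.exe")
      and ProcessCommandLine matches regex @"(?i)(DownloadFile|DownloadString|Invoke-WebRequest|WebClient|BitsTransfer|curl|wget)",
        "shortcut-launched-downloader",
    // JavaScript dropped from a hosting service (Firebase in the BRc4 case) run from a user-writable path
    FileName in~ ("wscript.exe", "cscript.exe")
      and ProcessCommandLine contains ".js"
      and ProcessCommandLine matches regex @"(?i)\\(Downloads|Temp|AppData)\\",
        "downloaded-js-execution",
    // AutoHotkey interpreter copied under another name (AutoNotify.exe in the AHKBot case)
    ProcessVersionInfoOriginalFileName has "AutoHotkey" and not(FileName has "AutoHotkey"),
        "renamed-autohotkey-runner",
    "")
| where isnotempty(Stage)
| project Timestamp, DeviceName, Stage, AccountName,
          Parent = InitiatingProcessFileName, Child = FileName,
          ProcessCommandLine, ProcessVersionInfoOriginalFileName
| order by Timestamp desc
```

Each branch of the case() expression corresponds to one step in the chains described above, so a host that produces hits in two or more stages within a short window is a much stronger signal than any single row; summarizing with `summarize Stages = make_set(Stage) by DeviceName, bin(Timestamp, 1h)` is a natural follow-up. The renamed-runner check matches on the binary's embedded original file name rather than its on-disk name, which is exactly the property the AutoNotify.exe disguise does not change.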
Conclusion: Staying Vigilant During Tax Season
The recent surge in tax-themed phishing campaigns serves as a stark reminder that cyber threats are not static. Even as users become more familiar with classic scams, threat actors continually refine their tactics—from multi-stage redirections to the exploitation of legitimate services—for maximum effectiveness. Windows users and IT departments must remain proactive by integrating robust anti-phishing solutions, conducting continuous user awareness training, and leveraging advanced threat hunting tools. By understanding the technical nuances of these campaigns and staying informed through threat intelligence platforms, organizations can better shield themselves from sophisticated scams that masquerade as routine tax communications. In today’s interconnected world, vigilance is your best defense—especially when the tax man comes knocking, digitally that is.
This in-depth analysis underscores the importance of embracing a layered security approach that not only blocks malicious emails with tools like Microsoft Defender for Office 365 and Endpoint but also incorporates real-time threat intelligence and behavior-based detection. As tax season continues, let this serve as a timely reminder to review your security posture, educate your staff, and ensure that your defenses are as sharp as the attackers’ tactics.
Stay secure, stay informed, and remember: if something looks too good (or too urgent) to be true, it probably is.
Source: Microsoft Threat actors leverage tax season to deploy tax-themed phishing campaigns | Microsoft Security Blog