Threat actors leverage tax season to deploy tax-themed phishing campaigns

As the U.S. tax filing season approaches, Microsoft has observed an increase in phishing campaigns that use tax-related lures to steal credentials and deliver malware. The campaigns rely on URL shorteners, QR codes and legitimate file-hosting services to evade detection. Reported threats include credential phishing through the RaccoonO365 phishing-as-a-service platform and malware families such as Remcos, Latrodectus and AHKBot. Affected: Microsoft products, U.S. taxpayers, financial sector, IT sector, consulting sector

Key points :

  • Microsoft observed an increase in phishing campaigns that use tax-season themes as lures.
  • Threat actors use URL shorteners, QR codes and legitimate file-hosting services to evade filtering and lead victims to credential-phishing pages or malware downloads.
  • Malware families observed include Remcos, Latrodectus and AHKBot.
  • Microsoft's recommendations emphasize user education and advanced anti-phishing solutions.
  • The IRS does not initiate contact by email, text message or social media to request personal or financial information; messages that do so are phishing.
  • Campaigns primarily targeted U.S.-based organizations and taxpayers.
  • Threat actors host lures and payloads on legitimate services so that malicious traffic blends in with benign activity.

MITRE Techniques :

  • Phishing (T1566) – Tax-themed emails carrying malicious attachments, shortened links or QR codes lured users into opening malware or visiting credential-harvesting pages.
  • User Execution: Malicious File (T1204.002) and Command and Scripting Interpreter: Visual Basic (T1059.005) / AutoHotKey & AutoIT (T1059.010) – Excel files containing malicious macros ran once the user enabled content; the macro then executed the AHKBot Looper AutoHotKey script.
  • Phishing: Spearphishing Link (T1566.002) – RaccoonO365 phishing infrastructure hosted impersonated login pages that captured the credentials users entered.
  • Remote Access Software (T1219) – Remcos, a commodity remote access trojan, gave the attackers remote control of infected systems.
  • Application Layer Protocol (T1071) – Latrodectus used command-and-control communications to receive further instructions and additional payloads.

Indicators of Compromise :

  • [Domain] shareddocumentso365cloudauthstorage[.]com
  • [IP Address] 181.49.105[.]59
  • [SHA-256] 9bffe9add38808b3f6021e6d07084a06300347dd5d4b7e159d97e949735cff1e
  • [URL] hxxps://historyofpia[.]com/Tax_Refund_Eligibility_Document.xlsm
  • [SHA-256] a31ea11c98a398f4709d52e202f3f2d1698569b7b6878572fc891b8de56e1ff7
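
The indicators above are published defanged (hxxp, [.]) and only become useful once they are refanged and matched against your own telemetry. The script below is an added example, not code from Microsoft or from the original page: it refangs the listed indicators, derives the hostname of the URL indicator as an extra domain indicator (so a proxy log that records only the destination host still triggers), and scans a few log lines for whole-token matches. The proxy, firewall and EDR log lines, their field names, user names and internal addresses are constructed for the example; only the indicator values come from this page.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# The indicators from this page, copied in their defanged form.
DEFANGED_IOCS: Dict[str, List[str]] = {
    "domain": ["shareddocumentso365cloudauthstorage[.]com"],
    "ip": ["181.49.105[.]59"],
    "url": ["hxxps://historyofpia[.]com/Tax_Refund_Eligibility_Document.xlsm"],
    "sha256": [
        "9bffe9add38808b3f6021e6d07084a06300347dd5d4b7e159d97e949735cff1e",
        "a31ea11c98a398f4709d52e202f3f2d1698569b7b6878572fc891b8de56e1ff7",
    ],
}

# Constructed sample telemetry (not real logs): two hits on the URL line, one
# domain hit, one hash hit (upper-case, to show case-insensitive matching), one
# IP hit, one benign line and one near-miss IP that must not match.
SAMPLE_LOGS = [
    "2025-04-02T14:02:58Z proxy user=jdoe url=https://historyofpia.com/Tax_Refund_Eligibility_Document.xlsm action=allow",
    "2025-04-02T14:03:11Z proxy user=jdoe dst=shareddocumentso365cloudauthstorage.com:443 action=allow",
    "2025-04-02T14:05:40Z edr host=WS-117 file=C:\\Users\\jdoe\\Downloads\\Tax_Refund_Eligibility_Document.xlsm sha256=9BFFE9ADD38808B3F6021E6D07084A06300347DD5D4B7E159D97E949735CFF1E",
    "2025-04-02T14:06:02Z fw src=10.0.4.21 dst=181.49.105.59 dport=443 action=allow",
    "2025-04-02T14:06:30Z proxy user=asmith dst=login.microsoftonline.com:443 action=allow",
    "2025-04-02T14:07:12Z fw src=10.0.4.22 dst=181.49.105.591 dport=443 action=allow",
]


def refang(value: str) -> str:
    """Reverse the usual defanging (hxxp, [.], (.), [dot], [:]) and lowercase,
    since hostnames and hex digests are case-insensitive and the log lines are
    lowercased before matching."""
    v = value.strip().lower()
    v = re.sub(r"^hxxp", "http", v)
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[dot]", "."), ("[:]", ":")):
        v = v.replace(defanged, real)
    return v


def build_indicator_set(defanged: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Refang every indicator and add the hostname of each URL indicator to the
    domain list, so logs that only record the destination host still match."""
    refanged = {kind: [refang(v) for v in values] for kind, values in defanged.items()}
    for url in refanged.get("url", []):
        host = urlparse(url).hostname
        if host and host not in refanged.setdefault("domain", []):
            refanged["domain"].append(host)
    return refanged


# Boundary assertions per indicator type: a domain may appear as a subdomain
# suffix but not inside a longer label, an IP must not be a prefix of a longer
# dotted number, and a hash must be a whole hex token. URLs match as substrings.
BOUNDARIES = {
    "domain": (r"(?<![\w-])", r"(?![\w-])"),
    "ip": (r"(?<![\d.])", r"(?!\d|\.\d)"),
    "sha256": (r"(?<![0-9a-f])", r"(?![0-9a-f])"),
    "url": ("", ""),
}


def _pattern(kind: str, value: str) -> re.Pattern:
    before, after = BOUNDARIES[kind]
    return re.compile(before + re.escape(value) + after)


def scan(lines: List[str], indicators: Dict[str, List[str]]) -> List[Tuple[int, str, str]]:
    """Return (line_number, indicator_type, indicator) for every whole-token hit."""
    compiled = [(kind, value, _pattern(kind, value))
                for kind, values in indicators.items() for value in values]
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, start=1):
        low = line.lower()
        for kind, value, pat in compiled:
            if pat.search(low):
                hits.append((n, kind, value))
    return hits


if __name__ == "__main__":
    for n, kind, value in scan(SAMPLE_LOGS, build_indicator_set(DEFANGED_IOCS)):
        print(f"line {n}: {kind} match on {value}")
```

The boundary patterns matter more than they look: a bare substring search on the IP would also flag the near-miss line, and a hash search that ignored case would miss EDR products that emit upper-case digests. Feed the function your own exported log lines in place of SAMPLE_LOGS.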


Full Story: https://www.microsoft.com/en-us/security/blog/2025/04/03/threat-actors-leverage-tax-season-to-deploy-tax-themed-phishing-campaigns/