
Cybercriminals Exploit URL Shorteners and QR Codes for Tax-Related Phishing Scams


As the United States approaches Tax Day on April 15, cybercriminals are leveraging tax-related phishing campaigns to exploit unsuspecting individuals and organizations.

Microsoft has identified several sophisticated methods employed by threat actors, including the use of URL shorteners, QR codes, and legitimate services such as file-hosting platforms and business profile pages to bypass security measures.

These tactics aim to steal credentials, deploy malware, and facilitate identity theft through social engineering techniques.

Malware Delivered via Phishing-as-a-Service Platforms

Microsoft’s investigation revealed that many of these phishing campaigns utilize the RaccoonO365 phishing-as-a-service (PhaaS) platform and deliver malware such as BruteRatel C4 (BRc4), Latrodectus, AHKBot, Remcos, and GuLoader.

For example, on February 6, 2025, a campaign attributed to Storm-0249 targeted thousands of users in the U.S. with IRS-themed emails containing malicious PDF attachments.

These PDFs redirected users through multiple links to fake DocuSign pages hosting malware payloads.

The malware Latrodectus, used in these attacks, is a loader designed for initial access and payload delivery.

It incorporates advanced anti-analysis features and dynamic command-and-control configurations to evade detection.

Similarly, BruteRatel C4 is a commercial red-teaming framework that attackers abuse for post-exploitation activity and stealthy operations.

QR Codes as Phishing Tools

Between February 12 and 28, 2025, another campaign targeted over 2,300 organizations in sectors such as engineering and IT.

These emails contained PDF attachments with QR codes linking to phishing pages hosted on RaccoonO365 domains.

Sample phishing email that claims to be from the IRS

The URLs embedded in the QR codes were tailored to each recipient’s email address, increasing the likelihood of successful credential theft.

These phishing kits mimicked Microsoft 365 login pages to deceive victims into revealing sensitive information.
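As an added defender-side example (not code from the Microsoft report or from this article), the following Python triage helper flags URLs decoded from QR codes that point at a public URL shortener or carry the recipient's own address in plain, percent-encoded or base64 form, which is the per-recipient tailoring described above. The shortener list and the sample URLs are constructed assumptions, not indicators from the campaign.

```python
import base64
from urllib.parse import unquote, urlparse

# Constructed list of public URL-shortener hosts to flag (an assumption for this example,
# not a list taken from the Microsoft report); extend it with your own telemetry.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly", "rb.gy"}


def email_tokens(email: str) -> set[str]:
    """Forms in which a recipient address is typically smuggled into a lure URL:
    plain, percent-encoded, and base64 / URL-safe base64 (padding stripped)."""
    plain = email.lower()
    raw = plain.encode()
    std = base64.b64encode(raw).decode().rstrip("=")
    urlsafe = base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return {plain, plain.replace("@", "%40"), std.lower(), urlsafe.lower()}


def analyze_qr_url(url: str, recipient: str) -> dict:
    """Score one URL decoded from a QR code against the lure traits described above."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    # Compare against both the raw and the percent-decoded URL, case-insensitively.
    haystack = url.lower() + " " + unquote(url).lower()
    findings = []
    if host in SHORTENER_HOSTS:
        findings.append("shortener_host")
    if any(token in haystack for token in email_tokens(recipient)):
        findings.append("recipient_email_embedded")
    return {"url": url, "host": host, "findings": findings, "suspicious": bool(findings)}


def triage(decoded_urls: list[str], recipient: str) -> list[dict]:
    """Return only the URLs worth an analyst's attention, for a batch of decoded QR codes."""
    return [r for u in decoded_urls if (r := analyze_qr_url(u, recipient))["suspicious"]]


if __name__ == "__main__":
    # Constructed sample: three QR payloads from one mail; none are real campaign indicators.
    recipient = "jane.doe@example.com"
    samples = [
        "https://www.irs.gov/",
        "https://bit.ly/3AbCdEf",
        "https://login-portal.invalid/auth?u=amFuZS5kb2VAZXhhbXBsZS5jb20",
    ]
    for hit in triage(samples, recipient):
        print(hit["url"], "->", ", ".join(hit["findings"]))
```

Legitimate mail (unsubscribe or account links, for instance) also embeds the recipient address, so treat the finding as a triage signal to combine with sender and domain reputation, not as a verdict on its own.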

In March 2025, cybercriminals targeted accountants and CPAs using rapport-building techniques.

Initial emails posed as benign requests for tax filing services due to alleged negligence by previous accountants.

Once recipients responded, attackers sent follow-up emails containing malicious PDFs with embedded URLs leading to malware downloads such as GuLoader and Remcos.

GuLoader employs encrypted shellcode and cloud-hosting services for payload delivery while evading security defenses through sandbox detection and API obfuscation.

Macro code to install the malicious MSI file from hxxps://acusense[.]ae/umbrella/

Remcos provides attackers with full control over compromised systems via keylogging and screen capturing functionalities.

Microsoft emphasizes the importance of proactive defense strategies against these evolving threats:

  • User Awareness: Educate individuals about recognizing phishing attempts and protecting sensitive information from unsolicited communications or suspicious links.
  • Advanced Security Measures: Implement multi-factor authentication (MFA) across all accounts, enforce phishing-resistant authentication methods, and deploy protection tools such as Microsoft Defender for Office 365 and Defender Antivirus in cloud-delivered protection mode.
  • Safe Browsing Practices: Encourage users to check URLs before clicking links in emails or search results, and rely on browser protections such as Microsoft Defender SmartScreen in Microsoft Edge.
  • Automated Threat Remediation: Enable automated investigation and response in security solutions so that alerts and breaches are acted on immediately, with less manual intervention.

By combining user education with robust security infrastructure, organizations can significantly reduce their exposure to tax-related phishing scams during this critical season.
