The Fake Taxman Rings Twice
- Javier Conejo del Cerro
- 8 Apr
- 3 min read

Another tax season, another flood of emails—but these aren’t from your accountant. They’re from cybercriminals posing as the IRS or Microsoft, and they come bearing PDFs and QR codes laced with malware.
Microsoft has issued a warning about a series of phishing campaigns designed to exploit tax-related themes, tricking victims into downloading malicious files or giving away credentials. These emails don’t rely on flashy language or fear tactics. In fact, many contain no text at all—just a single PDF attachment or a QR code. The simplicity is intentional. The aim is to fly under the radar and exploit user routine.
Once again, this isn’t about casting a wide net. It’s a surgical strike targeting users with access—users who are too busy to second-guess a file that looks like just another task.
Victims on the hook
The victims are carefully selected. The attackers are targeting professionals in engineering, consulting, and IT—roles that frequently handle sensitive internal data, client information, and backend systems. These users are accustomed to fast-paced workflows and trust in standardized formats like PDF attachments or file-sharing notifications.
Many of the targeted organizations are mid-sized firms without in-house security teams or a CISO, making them more vulnerable to well-crafted phishing attacks. The combination of privileged access and minimal oversight makes these professionals ideal entry points for threat actors.
Tailored Taxman Hit (TTH)
Once the phishing email is delivered, the attack only proceeds if the user interacts—by clicking a link inside a PDF or scanning a QR code with their phone. The threat actor’s backend infrastructure includes filters that analyze system and IP data before deciding what payload to serve.
If the system meets their criteria, the user receives a JavaScript dropper that delivers two powerful tools: BRc4, a red-teaming tool for post-exploitation activity, and Latrodectus, a stealthy loader known for its modular capabilities.
Other users may receive:
• AHKBot, delivered through Excel files requiring macro activation. It uses AutoHotkey to deploy a screenshot capture module and report back to a command-and-control server.
• GuLoader, which arrives via ZIP archives containing shortcut files (.lnk). These initiate a script chain to download and launch Remcos, a well-known remote access trojan.
All of these payloads tie back to Storm-0249, a threat actor previously linked to Emotet and Bumblebee. The infrastructure is powered by RaccoonO365, a phishing-as-a-service (PhaaS) platform designed to mimic Microsoft 365 login pages and harvest credentials at scale.
Slam the door shut on the taxman
These tax-themed attacks are quiet, adaptive, and well-engineered. The phishing kits are modular, the malware is evasive, and the entry points are crafted to exploit trust in routine digital workflows. To defend against these tactics, organizations must go beyond awareness and adopt layered technical controls:
• Deploy phishing-resistant multi-factor authentication (MFA) to reduce the impact of stolen credentials.
• Block open redirectors and public file-hosting platforms that are commonly abused for redirection and payload delivery.
• Implement email filters that scan inside attachments, including the contents of PDFs and embedded QR codes.
• Monitor endpoints with EDR (Endpoint Detection and Response) to detect post-exploitation activity and suspicious process execution.
• Apply network-layer protection to block communication with known command-and-control (C2) infrastructure.
• Disable macros by default and configure strict group policies to block script execution.
• Provide targeted security training to employees in high-risk roles, helping them identify red flags even in routine-looking messages.
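The third control above (scanning inside attachments) is where the text-less lure described earlier stands out: a tax-themed subject, no body text, and a single PDF or image. The triage routine below is an added example, not code from Microsoft or from the article; it uses only the standard library, flags that pattern, and pulls the link targets out of /URI actions in an uncompressed PDF so the URL (not just the attachment) can be checked. The sample PDF bytes and addresses are constructed for the test.

```python
import email
import re
from email import policy
from email.message import EmailMessage

TAX_RE = re.compile(r"\b(irs|tax|w-?2|1099|refund|filing)\b", re.I)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")  # /URI link action in an uncompressed PDF
# Constructed minimal PDF carrying one link action; not a real campaign sample.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Action /S /URI "
              b"/URI (https://files.example.invalid/share/notice) >> endobj\n%%EOF\n")

def pdf_links(pdf_bytes):
    """Return the target URLs of /URI link actions found in raw PDF bytes."""
    return [m.decode("latin-1", "replace") for m in URI_RE.findall(pdf_bytes)]

def triage(raw):
    """Return the reasons a raw RFC 822 message matches the text-less lure pattern."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().strip() if body else ""
    pdfs, images = [], 0
    for part in msg.iter_attachments():
        ctype = part.get_content_type()
        if ctype == "application/pdf":
            pdfs.append(part.get_payload(decode=True) or b"")
        elif ctype.startswith("image/"):
            images += 1  # an image-only mail is how a QR-code lure arrives
    reasons = []
    if TAX_RE.search(msg["subject"] or ""):
        reasons.append("tax-themed subject")
    if not text and pdfs:
        reasons.append("no body text, PDF attachment only")
    if not text and images and not pdfs:
        reasons.append("no body text, image attachment only (possible QR code)")
    for pdf in pdfs:  # links inside the PDF are the actual click target
        for link in pdf_links(pdf):
            reasons.append("PDF contains link to " + link)
    return reasons

def build_sample(subject, text, pdf_bytes=None):
    """Construct a test message (constructed addresses, not real senders)."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "notices@example.invalid", "it-admin@example.invalid"
    msg["Subject"] = subject
    if text:
        msg.set_content(text)
    if pdf_bytes is not None:
        msg.add_attachment(pdf_bytes, maintype="application", subtype="pdf", filename="notice.pdf")
    return msg.as_bytes()
```

Real PDFs usually store objects in compressed streams, so in a gateway the link extraction would run on the decompressed objects; the reasons list is meant to feed a quarantine or review queue rather than block outright.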
These attacks don’t depend on panic—they depend on routine. And the only way to stop them is to break that routine with security that sees through the silence.