Hackers abuse Tax Day lure to steal credentials and deploy malware


Thousands of scam emails are hitting inboxes in the US. Hackers are delivering malware using tax-related themes, such as the IRS flagging issues with a tax filing, detection of unusual activity in your tax filing, IRS audit, and others. Microsoft warns of at least four active malicious campaigns.

Microsoft Threat Intelligence warns of several phishing campaigns taking advantage of the approaching Tax Day in the US on April 15th.

Hackers are using all their available arsenal. Phishing emails are loaded with malicious QR codes, shortened unrecognizable URLs, and PDF attachments. Campaigns are exploiting legitimate services, such as Google Business pages or file-hosting platforms.


An accidental click spins the Wheel of Misfortune where prizes include various remote access trojans like Remcos, Latrodectus, BruteRatel C4 (BRc4), AHKBot, and GuLoader malware packages and other infostealers.

During tax season, hackers actively steal personal and financial information, which can result in identity theft and monetary loss.

“Threat actors craft campaigns that mislead taxpayers into revealing sensitive information, making payments to fake services, or installing malicious payloads,” Microsoft warns.

“Although these are well-known, longstanding techniques, they could still be highly effective if users and organizations don’t use advanced anti-phishing solutions and conduct user awareness and training.”

At least four threat actor groups deliver thousands of phishing emails and other lures. Here’s what we know about them and how to distinguish their activity.

1. Emails with IRS notices

Thousands of tax-themed phishing emails landed in inboxes in an attempt to deliver malware. This campaign is attributed to a threat actor labeled Storm-0249, an access broker active since 2021 and known for distributing various malicious packages.

The malicious emails often masquerade as coming from the IRS and contain subjects warning about flagged issues with tax filings, unusual activity, or other important actions required. They contain PDF attachments named “lrs_Verification_Form_1773.pdf” and various other numerical combinations.


The PDFs contain a malicious link, which, after a chain of redirections, brings victims to a landing site masquerading as DocuSign. If victims click the Download button, they receive a malicious JavaScript file, which leads to the installation of the Latrodectus loader, used for initial access and payload delivery.

2. Businesses targeted with QR codes within PDFs

Between February 12th and 28th, 2025, over 2,300 organizations in engineering, IT, consulting, and other sectors in the US received tax-themed phishing emails.

“The emails had an empty body but contained a PDF attachment with a QR code and subjects indicating that the documents needed to be signed by the recipient,” Microsoft said.

The QR codes led to a RaccoonO365 phishing page designed to steal credentials. RaccoonO365 is a phishing-as-a-service offering a suite of tools for cybercriminals, including phishing kits that mimic Microsoft 365 sign-in pages.

All of the PDF attachments are unique. The emails used a variety of display names, tricking recipients into believing they came from an official source. Some of the display names used in the campaign are as follows:

  • EMPLOYEE TAX REFUND REPORT
  • Project Funding Request Budget Allocation
  • Insurance Payment Schedule Invoice Processing
  • Client Contract Negotiation Service Agreement
  • Adjustment Review Employee Compensation
  • Tax Strategy Update Campaign Goals
  • Team Bonus Distribution Performance Review
  • Proposal request
  • HR|Employee Handbooks


3. Malicious Excel files “verify” eligibility for a tax refund


Hackers are also mimicking the IRS by sending Americans phishing emails, luring victims to verify their “potential eligibility for a tax refund.”

On February 13th, 2025, Microsoft observed malicious emails with the subject “IRS Refund Eligibility Notification” and the sender jessicalee@eboxsystems[.]com.

A link in an email directs users to download a malicious Excel file. When opened, it prompts users to enable macros, which then download and run a malicious MSI file.

4. Fake customers target accountants

At the beginning of March, Microsoft observed yet another malicious campaign targeting accountants. Phishers pose as prospective clients asking for tax filing services, requesting prices, and building rapport over an exchange of messages. If the recipient replies, the scammers send their fake “income documents.”

The malicious password-protected PDFs contain links that, when clicked, download ZIP archives from Dropbox containing various .lnk files mimicking tax documents. These .lnk files hide scripts to download additional executable files.

This way, attackers deliver GuLoader, a highly evasive malware downloader that leverages encrypted shellcode, process injection, and cloud-based hosting services to deliver various payloads, including RATs and infostealers.
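The four campaigns above share a small set of observable lure traits: the look-alike “lrs_Verification_Form_NNNN.pdf” attachment name, an empty body with a QR-code PDF and a “needs to be signed” subject, the “IRS Refund Eligibility Notification” subject from the eboxsystems[.]com sender, and password-protected PDFs that fetch ZIP archives full of .lnk shortcuts. The following is an added example, not code from Microsoft’s report, of how a mail-gateway or SOC triage script could score incoming messages against those traits. The `EmailRecord` fields (including the `pdf_has_qr` and `pdf_password_protected` flags) and the sample messages are constructed for illustration; in practice they would be populated by the gateway’s attachment scanner.

```python
"""Triage of tax-themed phishing indicators described in the article.

Added example (not from Microsoft's report): scores constructed email
metadata records against the lure patterns the four campaigns used.
"""
import re
from dataclasses import dataclass, field

# Indicators taken from the article. The sender domain is quoted there in
# defanged form (eboxsystems[.]com) and is refanged here so it can be matched.
IRS_SUBJECT_TERMS = re.compile(r"\b(irs|tax|refund|audit|unusual activity)\b")
# Campaign 1 attachment name: lowercase "l" mimics "IRS", numeric suffix varies.
FAKE_IRS_FORM = re.compile(r"^lrs_verification_form_\d+\.pdf$", re.IGNORECASE)
KNOWN_BAD_SENDER_DOMAINS = {"eboxsystems.com"}
RISKY_ARCHIVE_MEMBER = re.compile(r"\.lnk$", re.IGNORECASE)


@dataclass
class EmailRecord:  # hypothetical record shape, assumed to come from a mail gateway
    sender: str
    subject: str
    body: str
    attachments: list                      # attachment file names
    archive_members: list = field(default_factory=list)  # names inside any ZIP
    pdf_has_qr: bool = False               # set by an attachment scanner
    pdf_password_protected: bool = False   # set by an attachment scanner


def triage(msg: EmailRecord) -> list:
    """Return the campaign indicators matched by one message (empty if clean)."""
    hits = []
    subject = msg.subject.lower()
    pdfs = [a for a in msg.attachments if a.lower().endswith(".pdf")]
    domain = msg.sender.rsplit("@", 1)[-1].lower()

    # Campaign 1: the look-alike IRS verification form name.
    if any(FAKE_IRS_FORM.match(a) for a in pdfs):
        hits.append("fake_irs_verification_form")

    # Campaign 2: empty body, a PDF carrying a QR code, subject asks for a signature.
    if not msg.body.strip() and pdfs and msg.pdf_has_qr and "sign" in subject:
        hits.append("qr_code_signature_lure")

    # Campaign 3: known sender domain or the refund-eligibility subject.
    if domain in KNOWN_BAD_SENDER_DOMAINS or "refund eligibility" in subject:
        hits.append("refund_eligibility_lure")

    # Campaign 4: password-protected PDF, or an archive whose members are .lnk shortcuts.
    if msg.pdf_password_protected or any(RISKY_ARCHIVE_MEMBER.search(m) for m in msg.archive_members):
        hits.append("income_document_lnk_lure")

    # Generic: IRS theme from a sender outside irs.gov (the IRS does not initiate email contact).
    if IRS_SUBJECT_TERMS.search(subject) and not domain.endswith("irs.gov"):
        hits.append("irs_theme_from_external_sender")

    return hits


# Constructed sample messages; the .test sender domains are placeholders.
SAMPLE_MESSAGES = [
    EmailRecord("notices@example-mailer.test", "IRS: Issue flagged with your tax filing",
                "Please review the attached form.", ["lrs_Verification_Form_1773.pdf"]),
    EmailRecord("docs@example-sender.test", "Document needs to be signed", "",
                ["EMPLOYEE_TAX_REFUND_REPORT.pdf"], pdf_has_qr=True),
    EmailRecord("jessicalee@eboxsystems.com", "IRS Refund Eligibility Notification",
                "Verify your eligibility", []),
    EmailRecord("client@example-prospect.test", "My income documents",
                "As discussed, see attached.", ["income_docs.pdf"],
                archive_members=["W2_2024.pdf.lnk", "1099.lnk"], pdf_password_protected=True),
    EmailRecord("payroll@example-corp.test", "Q1 team meeting", "Agenda attached", ["agenda.pdf"]),
]


def triage_all(messages=SAMPLE_MESSAGES) -> dict:
    """Map each subject line to the indicators it triggered."""
    return {m.subject: triage(m) for m in messages}


if __name__ == "__main__":
    for subject, hits in triage_all().items():
        print(f"{subject!r}: {hits or 'clean'}")
```

Each rule is deliberately narrow so the indicator names map back to one campaign; the generic “IRS theme from an external sender” rule is the broad safety net and is the one that will produce most false positives in a real mailbox, so it is better routed to user-facing banners than to automatic quarantine.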

Thousands of Americans report theft of tax returns

Microsoft's report follows a warning from the FBI about hackers stealing Americans’ tax returns. Over 1,000 complaints about identity theft in connection with tax returns have been filed with the FBI’s Internet Crime Complaint Center (IC3) within the past year. This represents a 26% increase from the previous year.


To mitigate tax-themed phishing threats, Microsoft recommends educating users about phishing tactics, enabling strong security features like multi-factor authentication (MFA), utilizing advanced threat protection tools such as Zero-hour auto purge (ZAP), network protection, cloud-delivered protection, and endpoint detection and response (EDR) in block mode.


Deploying phishing-resistant authentication methods and enforcing strict MFA policies is also recommended.

The US Internal Revenue Service (IRS) does not initiate contact with taxpayers by email, text messages, or social media to request personal or financial information.

This includes requests for PIN numbers, passwords, or similar access information for credit cards, banks, or other financial accounts.