Americans are under attack — that’s the warning from Microsoft this week, with multiple ongoing campaigns “to steal credentials and deploy malware.” Fortunately, unlike the tidal wave of unstoppable AI attacks that are about to be unleashed on users, Microsoft provides clear advice on what you must do — and what you must not.
The warning comes as U.S. Tax Day on April 15 fast approaches, now just nine days away. The attacks use malicious attachments containing QR codes and shortened URLs that redirect to “phishing pages delivered via the RaccoonO365 phishing-as-a-service (PhaaS) platform, remote access trojans (RATs) like Remcos, and other malware like Latrodectus, BruteRatel C4 (BRc4), AHKBot, and GuLoader.”
That’s quite the list, and while we’re all now primed to watch for emails designed to catch us out, these campaigns still prove remarkably effective. We are especially vulnerable on small-screen devices — our phones, which mask many of the telltale signs we might spot on a PC and which make it all too easy to tap an attachment.
In that same vein, while we might be guarded with a Microsoft Office attachment, for some reason PDFs seem to slip the net. Perhaps we assume they’re safer given their basic, flat profile. And to an extent that’s right. But the URLs or QR codes they include are anything but, and PDFs are fast becoming a favorite attack methodology.
Microsoft provides the following examples of PDFs you need to avoid — and that means deleting emails as soon as they arrive in your inbox:
- lrs_Verification_Form_1773.pdf
- lrs_Verification_Form_2182.pdf
- lrs_Verification_Form_222.pdf
Not very imaginative — but then that’s the general idea. Emails will turn up with banal headings as well, just the sort of admin headache you’ll be expecting at this time of year:
- Notice: IRS Has Flagged Issues with Your Tax Filing
- Unusual Activity Detected in Your IRS Filing
- Important Action Required: IRS Audit
- EMPLOYEE TAX REFUND REPORT
- Project Funding Request Budget Allocation
- Insurance Payment Schedule Invoice Processing
- Client Contract Negotiation Service Agreement
- Adjustment Review Employee Compensation
- Tax Strategy Update Campaign Goals
- Team Bonus Distribution Performance Review
- proposal request
- HR|Employee Handbooks
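Note the attachment names: “lrs” reads as “IRS” on a phone screen. As an added example (not from Microsoft’s report or this article), the Python below scores constructed sample messages against the subject themes and look-alike form names listed above; the message field names and the score threshold are assumptions.

```python
import re

# Constructed sample messages modelled on the subjects and attachment names
# listed above; the "subject"/"attachments" field names are an assumption.
SAMPLE_MESSAGES = [
    {"subject": "Notice: IRS Has Flagged Issues with Your Tax Filing",
     "attachments": ["lrs_Verification_Form_1773.pdf"]},
    {"subject": "Team Bonus Distribution Performance Review",
     "attachments": ["bonus_review.pdf"]},
    {"subject": "Lunch on Friday?", "attachments": []},
]

# "lrs" in the listed filenames passes for "IRS" on a small screen, so the
# patterns accept the characters commonly swapped in for a leading "i".
IRS = r"[il1|]rs"
TAX_SUBJECT = re.compile(rf"\b({IRS}|tax|refund|audit|filing)\b", re.I)
IRS_FORM = re.compile(rf"^{IRS}_verification_form_\d+\.pdf$", re.I)


def score_message(msg):
    """Return (score, reasons) for one message; a higher score is riskier."""
    reasons = []
    if TAX_SUBJECT.search(msg["subject"]):
        reasons.append("tax-themed subject")
    for name in msg["attachments"]:
        if name.lower().endswith(".pdf"):
            reasons.append("pdf attachment")
            if IRS_FORM.match(name):
                reasons.append("irs look-alike form name")
    return len(reasons), reasons


def triage(messages, threshold=2):
    """Return (subject, reasons) for messages whose score reaches the threshold."""
    flagged = []
    for msg in messages:
        score, reasons = score_message(msg)
        if score >= threshold:
            flagged.append((msg["subject"], reasons))
    return flagged


if __name__ == "__main__":
    for subject, reasons in triage(SAMPLE_MESSAGES):
        print(f"REVIEW: {subject!r}: {', '.join(reasons)}")
```

A tax-themed subject alone is not flagged at the default threshold, since plenty of legitimate mail carries one this month; the look-alike form name is what lifts the first message to review.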
It is becoming ever easier for attackers to craft a campaign and then use a phishing-as-a-service platform. RaccoonO365 was discovered last year and is designed “to steal Microsoft 365 credentials and bypass multi-factor authentication.” As so often these days, this is just one of the self-serve threats marketed through private Telegram channels. These rental platforms build in sophisticated defenses to avoid detection and bypass filters and security nets, usually leveraging legitimate cloud services.
Such defenses include profiling victims before an attack is mounted, and can even provide an escape path to a benign alternative to prevent the threat being flagged. The concept of operations across the campaigns in Microsoft’s report is broadly the same: tax-themed emails carry PDFs primed with URLs or QR codes, which then lead to a download or install. But an attack can be much simpler — and can stop once a user has given away their credentials. The trick, though, is stealing two-factor authentication codes.
This is yet another reason to delete your Microsoft password and move to passkeys instead — just as the Windows-maker is warning a billion users they should do.
Beyond changing to passkeys, do not open PDFs you’re not expecting and where you cannot verify the source. Be especially wary of any tax-themed email or message this month. It’s a scammer’s paradise out there with all this focused activity. Per Microsoft, “these threat actors craft campaigns that mislead taxpayers into revealing sensitive information, making payments to fake services, or installing malicious payloads.”