Every year, as April 15 creeps closer, so does something more sinister than filing stress. Cybercriminals sharpen their tools, polish their lures, and unleash waves of phishing attacks timed to exploit tax season anxiety. But this year, what Microsoft’s threat intel teams are seeing isn’t just more of the same—it’s a revealing case study of how attackers are evolving and why threat intelligence needs to keep up (Tech Radar, 2025). Between February 12 and 28, 2025, over 2,300 organizations in sectors like engineering, IT, and consulting were targeted with tax-themed phishing emails.
At first glance, these phishing campaigns look familiar: messages dressed in IRS branding, emails about "delayed tax refunds" or "unclaimed payments," attachments that beg to be opened. But under the hood, these attacks are operating with a new level of sophistication—leveraging phishing-as-a-service (PhaaS) platforms like RaccoonO365, deploying payloads like Remcos RATs and BruteRatel C4, and using stealth delivery methods to dodge traditional detection.
On February 6, 2025, a significant phishing campaign targeted thousands of U.S. taxpayers (Microsoft, 2025). Attackers, attributed to the group Storm-0249—an access broker active since 2021 known for distributing malware like BazaLoader, IcedID, Bumblebee, and Emotet—sent emails with subjects such as:
Most of these emails included PDF attachments named similarly to official IRS forms (e.g., lrs_Verification_Form_1773.pdf). Opening the attachment led users through a series of redirects, ultimately landing on a counterfeit DocuSign page. Clicking the "Download" button initiated the download of a JavaScript file from Firebase, which then installed the BruteRatel C4 (BRc4) red-teaming tool and the Latrodectus malware.
In early March 2025, cybercriminals focused on CPAs and accountants. Initial emails posed as potential clients seeking tax filing services. Upon engagement, follow-up emails included malicious PDFs leading to the download of ZIP files containing .lnk files disguised as tax documents. Executing these files initiated a chain that installed GuLoader and Remcos malware, granting attackers remote control over the compromised systems.
This is where threat intelligence comes in, because these campaigns show how attackers increasingly blur the line between consumer trust and malicious activity. QR codes embedded in fake tax forms, and shortened URLs routed through legitimate file-hosting or business-profile services, look benign on the surface. Underneath, they redirect users to credential-harvesting pages, remote-access malware, and loaders like GuLoader or Latrodectus that act as doorways to deeper compromise.
This is why modern threat intelligence must shift from static signature-based detection to dynamic context-aware analysis. It’s no longer just about knowing what payload is being used—it’s about understanding the infrastructure, behavior patterns, and evolving attacker playbooks behind the scenes. What domains are being rotated? What cloud services are being co-opted for delivery? What is the velocity and geography of the campaign spread?
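The lure traits described in the campaigns above (IRS-themed subjects, an attachment name that swaps a lowercase L for the I in "IRS", archives wrapping shortcut files, shortened or cloud-hosted download links) can be turned into context-aware triage rules. The script below is an added example, not Microsoft's detection content or anything from the campaigns' reporting; the keyword list, the shortener and file-hosting domains, and the sample emails are constructed assumptions to be tuned for a real environment.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Assumed, illustrative lists (not Microsoft's detection content); tune per environment.
TAX_LURE_PATTERN = re.compile(
    r"\b(?:tax refund|delayed refund|unclaimed payment|irs|tax filing|w-2|form 1040)\b",
    re.IGNORECASE,
)
SCRIPT_EXTENSIONS = (".lnk", ".js", ".jse", ".vbs", ".hta")
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z", ".iso")
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}          # example shortening services
HOSTED_DOWNLOAD_HOSTS = {"firebasestorage.googleapis.com"}  # example cloud file-hosting host

# Characters commonly substituted for the "I" in "IRS" (e.g. "lrs_Verification_Form_1773.pdf").
HOMOGLYPHS = str.maketrans({"l": "i", "1": "i", "|": "i"})


@dataclass
class Email:
    subject: str
    sender: str
    attachments: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)


def normalise(name: str) -> str:
    """Lower-case a filename and fold I-lookalike characters to 'i'."""
    return name.lower().translate(HOMOGLYPHS)


def host_of(url: str) -> str:
    """Return the lower-cased host part of an http(s) URL, or '' if none."""
    m = re.match(r"https?://([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def triage(email: Email) -> List[str]:
    """Collect human-readable findings for one message; empty list means nothing matched."""
    findings: List[str] = []
    if TAX_LURE_PATTERN.search(email.subject):
        findings.append("tax-themed subject")
    for att in email.attachments:
        low = att.lower()
        # Flag names that only read as "irs..." after homoglyph folding.
        if normalise(low).startswith("irs") and not low.startswith("irs"):
            findings.append(f"IRS lookalike attachment name: {att}")
        if low.endswith(SCRIPT_EXTENSIONS):
            findings.append(f"script/shortcut attachment: {att}")
        elif low.endswith(ARCHIVE_EXTENSIONS):
            findings.append(f"archive attachment to inspect: {att}")
    for url in email.urls:
        host = host_of(url)
        if host in URL_SHORTENERS:
            findings.append(f"shortened URL: {host}")
        if host in HOSTED_DOWNLOAD_HOSTS and url.lower().endswith(SCRIPT_EXTENSIONS):
            findings.append(f"script download from file-hosting service: {host}")
    return findings


def verdict(email: Email) -> str:
    """Escalate when two or more independent lure traits co-occur."""
    n = len(triage(email))
    return "review" if n >= 2 else "watch" if n == 1 else "ok"


# Constructed sample messages (not real mail); the attachment name in the first is the one cited above.
SAMPLES = [
    Email("Delayed tax refund notice", "notices@refund-portal.example",
          ["lrs_Verification_Form_1773.pdf"], ["https://bit.ly/abc123"]),
    Email("Request for tax filing services", "newclient@example.net",
          ["tax_documents_2024.zip"], []),
    Email("Q2 planning meeting", "colleague@example.org",
          ["agenda.docx"], ["https://intranet.example.org/agenda"]),
]

if __name__ == "__main__":
    for e in SAMPLES:
        print(f"{verdict(e):6}  {e.subject!r}")
        for f in triage(e):
            print("        -", f)
```

Each finding is an independent signal, so the verdict deliberately rewards co-occurrence (a tax-themed subject alone is common in legitimate mail; the same subject plus a homoglyph filename plus a shortened link is not). Swapping the static lists for feeds of rotated domains and co-opted cloud hosts is what moves this from a one-off script to the dynamic analysis the text calls for.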
Tax-themed phishing is just the seasonal tip of a much deeper iceberg. These attacks illustrate how threat actors adapt classic social engineering to modern digital terrain—and why organizations need more than endpoint protection. They need telemetry. Correlation. Behavioral insights. Real-time context.
Because for every user tricked into clicking a "tax refund" link, an attacker is watching the playbook work—again.