On a single day in February, roughly 29,000 email inboxes across the United States were carpet-bombed with phishing messages disguised as IRS correspondence. The campaign didn’t just steal credentials. It deployed remote access trojans, built persistent backdoors, and funneled stolen data to attacker-controlled infrastructure — all while disguising its payload delivery behind trusted platforms like Adobe and Dropbox.
Microsoft’s threat intelligence team flagged the campaign on March 13, 2025, warning that the operation was notable for its scale, speed, and sophistication. According to The Hacker News, the attack targeted a broad cross-section of American organizations, timing its execution to coincide with the peak of U.S. tax filing season — a period when employees are primed to open messages that reference the Internal Revenue Service.
This wasn’t a spray-and-pray operation run by amateurs. The threat actors behind it used a layered delivery chain, multiple redirection techniques, and PDF attachments rigged with shortened URLs that bounced victims through a series of intermediary sites before landing them on a malicious page. The final payload: a cocktail of information-stealing malware and remote access tools capable of giving attackers full control of compromised machines.
Anatomy of the Attack: PDFs, QR Codes, and Trusted Platforms Weaponized
The phishing emails themselves were crafted to look like standard IRS notifications. Subject lines referenced tax refunds, outstanding balances, or document requests — the kind of language that triggers urgency. Attached to each message was a PDF file. Not inherently malicious on its own. But embedded inside were shortened URLs and, in some variants, QR codes that directed recipients to phishing landing pages.
Here’s where the attackers got clever. The URLs didn’t point directly to attacker-owned domains. Instead, they routed through legitimate services — Rebrandly URL shorteners, Google-hosted pages, and file-sharing platforms including Dropbox. By abusing trusted infrastructure, the attackers effectively bypassed many email security gateways that rely on domain reputation to filter threats. A Dropbox link looks clean. A Google redirect looks clean. The actual malicious endpoint, buried several hops deep, doesn’t get scrutinized until it’s too late.
Microsoft identified that the landing pages served different payloads depending on the victim. Some were hit with credential harvesting forms designed to capture Microsoft 365 login details. Others received downloads containing BRc4 — short for Brute Ratel C4, a commercial red-teaming tool that’s been increasingly co-opted by criminal actors. Still others were infected with Latrodectus, a malware loader first documented in late 2023 that functions as a gateway for deploying additional payloads including ransomware.
And some victims got AHKBot, a remote access trojan built on AutoHotKey scripting that can capture screenshots, log keystrokes, and exfiltrate data.
The diversity of payloads matters. It signals that the operators either ran multiple simultaneous campaigns under one umbrella or deliberately varied their tooling to complicate detection and response. Either way, it’s a sign of operational maturity.
Microsoft attributed the campaign to a threat actor it tracks as Storm-0249, a financially motivated group previously linked to BazaLoader and IcedID distribution. Storm-0249 has a track record of exploiting seasonal events — tax deadlines, holiday shopping periods, benefits enrollment windows — to maximize click-through rates on phishing lures.
The February campaign wasn’t Storm-0249’s first use of Latrodectus. The group has been steadily integrating the loader into its operations since mid-2024, suggesting a longer-term shift in tooling preferences. Latrodectus itself is notable because it appears to be a successor to IcedID’s loader component, sharing code similarities and infrastructure patterns with the older malware family. Security researchers at Proofpoint and Team Cymru documented these connections in a detailed analysis published in 2024.
Why Tax Season Phishing Keeps Working — and Why This Campaign Was Different
Tax-themed phishing is nothing new. Every year between January and April, security firms report spikes in IRS-impersonation campaigns. The IRS itself maintains a running list of scam alerts on its website. But the sheer volume of this particular operation — 29,000 mailboxes targeted in a matter of hours — sets it apart from the usual seasonal noise.
So does the technical execution. Most tax-season phishing relies on simple credential theft: fake login pages, W-2 harvesting forms, or social engineering calls. This campaign went further by deploying post-exploitation frameworks and persistent access tools. The attackers weren’t just after passwords. They wanted footholds inside corporate networks.
That distinction matters enormously for defenders. A stolen credential can be reset. A remote access trojan sitting undetected on an endpoint is a different problem entirely. It means data exfiltration, lateral movement, potential ransomware deployment, and a remediation effort that can stretch across weeks.
The abuse of legitimate cloud services as delivery infrastructure also represents an escalating challenge for email security vendors. Traditional reputation-based filtering struggles when the malicious content is hosted on domains belonging to Microsoft, Google, or Dropbox. These platforms are almost universally allowlisted. Attackers know this, and they’ve been exploiting it with increasing frequency.
A March 2025 report from Cofense, an email security firm, found that abuse of legitimate file-sharing and collaboration platforms in phishing campaigns increased 53% year-over-year. Dropbox, SharePoint, and OneDrive were the most commonly abused services. The pattern is clear: attackers go where the trust is.
Microsoft’s own advisory recommended that organizations enable Safe Links and Safe Attachments policies in Microsoft Defender for Office 365, turn on zero-hour auto purge to retroactively remove malicious messages after delivery, and implement phishing-resistant multi-factor authentication across all accounts. Standard advice. But the emphasis on phishing-resistant MFA — meaning hardware security keys or certificate-based authentication, not SMS codes — reflects a growing acknowledgment that traditional MFA can be bypassed by adversary-in-the-middle phishing kits.
The timing of Microsoft’s disclosure also coincided with a broader push by the Cybersecurity and Infrastructure Security Agency (CISA) to raise awareness about tax-season threats. CISA published an updated advisory in early March urging both individuals and organizations to treat any unsolicited IRS-related email with extreme suspicion. The IRS does not initiate contact via email. Period. That fact alone should be a kill switch for these campaigns, yet the click rates suggest otherwise.
Human behavior remains the weakest link. Security awareness training helps, but it has limits. When an employee is rushing to meet a tax deadline and receives what looks like an official IRS document, the instinct to click is powerful. The attackers behind this campaign understood that instinct and engineered every element of their operation to exploit it — from the subject lines to the PDF formatting to the use of QR codes, which shift the interaction from a desktop (where security tools are stronger) to a mobile device (where they’re often weaker).
The Bigger Picture: Phishing-as-a-Service and the Industrialization of Email Attacks
Campaigns like this one don’t exist in isolation. They reflect the broader industrialization of phishing operations. Tools like Brute Ratel C4, originally developed for legitimate penetration testing, are now widely available in underground markets. Malware loaders like Latrodectus are sold or rented as services. Phishing kits with built-in evasion techniques can be purchased for a few hundred dollars.
The barrier to entry keeps dropping.
Storm-0249 is one of dozens of financially motivated threat groups operating at this scale. Microsoft tracks more than 30 such groups actively conducting phishing and malware distribution campaigns. And the infrastructure they use — compromised WordPress sites, bulletproof hosting providers, legitimate cloud services — is cheap, disposable, and endlessly recyclable.
For security teams inside organizations that were targeted, the immediate priority is forensic triage. Identifying which users interacted with the phishing emails, whether any payloads were executed, and whether attacker persistence mechanisms were established on any endpoints. Microsoft provided specific indicators of compromise in its advisory, including file hashes, command-and-control domains, and behavioral signatures associated with BRc4, Latrodectus, and AHKBot.
But the longer-term challenge is architectural. Organizations that still rely primarily on perimeter-based email filtering are fighting a losing battle against campaigns that abuse trusted cloud infrastructure. Layered defenses — endpoint detection and response, network traffic analysis, behavioral analytics, and yes, genuinely phishing-resistant authentication — are no longer optional. They’re table stakes.
Tax season will end in April. The phishing won’t.


WebProNews is an iEntry Publication