As the annual tax season draws to a close in the USA, accountants are working hastily to collect the necessary tax documents from their clients in order to finalize and file their tax returns.
The heightened activity during this time of the year makes it a prime opportunity for malicious actors to target tax preparers, as we recently highlighted.
Against this backdrop, Microsoft has identified a new phishing scam that specifically targets tax professionals, with the intention of installing the Remcos remote access trojan (RAT).
This attack is designed to allow the attackers to gain initial access to corporate networks and is primarily directed toward accounting firms and tax preparers. Microsoft has cautioned these professionals to remain vigilant and take appropriate measures to protect their systems and data.
A new report from Microsoft, highlighted by BleepingComputer, states: “With U.S. Tax Day approaching, Microsoft has observed phishing attacks targeting accounting and tax return preparation firms to deliver the Remcos remote access trojan (RAT) and compromise target networks beginning in February of this year.”
The phishing campaign starts with fraudulent emails posing as clients requesting tax professionals to provide necessary documents for their tax returns.
These emails contain links that use click-tracking services, making it difficult for security software to detect them.
The links lead to a file hosting site that downloads a ZIP archive, which contains multiple files that appear to be PDFs for various tax forms but are, in reality, Windows shortcuts.
When a recipient double-clicks one of these shortcuts, PowerShell runs and downloads a heavily obfuscated VBS file from a remote host; the file is saved and executed in C:\Windows\Tasks.
Simultaneously, the VBS script downloads a decoy PDF file, which is opened in Microsoft Edge to avoid raising suspicion.
Microsoft has warned that these VBS files download and execute GuLoader malware, which, in turn, installs the Remcos remote access trojan, enabling the threat actors to spread throughout the network, steal sensitive data, and deploy additional malware on the compromised devices.
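The disguise at the start of this chain, shortcuts presented as tax-form PDFs inside a ZIP archive, can be checked for before a user ever opens the download. The following Python check is an added example, not code from Microsoft's report; the function names, reason strings and sample file names are assumptions constructed for illustration.

```python
import io
import zipfile

# Shell Link (.lnk) header: HeaderSize 0x4C followed by the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")


def find_shortcuts(zip_bytes):
    """Return [(entry_name, reason)] for ZIP entries that are Windows shortcuts."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            try:
                with archive.open(info) as entry:
                    head = entry.read(len(LNK_MAGIC))
            except RuntimeError:  # encrypted entry, content cannot be checked
                head = b""
            named_lnk = name.endswith(".lnk")
            if named_lnk and name[:-4].endswith(DOC_EXTENSIONS):
                # Explorer hides ".lnk", so "W-2.pdf.lnk" displays as "W-2.pdf".
                findings.append((info.filename, "document name with .lnk extension"))
            elif named_lnk:
                findings.append((info.filename, "shortcut inside archive"))
            elif head == LNK_MAGIC:
                findings.append((info.filename, "shortcut content under another extension"))
    return findings


def build_sample_zip():
    """Constructed sample archive: header-only fake shortcuts, no real payload."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("2022_W-2.pdf.lnk", fake_lnk)
        archive.writestr("Form_1099.pdf", fake_lnk)
        archive.writestr("notes.txt", b"constructed benign text")
        archive.writestr("real.pdf", b"%PDF-1.7 constructed")
    return buf.getvalue()


if __name__ == "__main__":
    for entry_name, reason in find_shortcuts(build_sample_zip()):
        print(f"{entry_name}: {reason}")
```

Entries in password-protected archives cannot be read, so only the file-name checks apply to them.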
As Tax Day approaches, California Attorney General Rob Bonta has issued a consumer alert to caution Californians about the various tax fraud scams that tend to occur more frequently during tax season.