Security News > 2023 > April > Microsoft: Phishing attack targets accountants as Tax Day approaches

Microsoft is warning of a phishing campaign targeting accounting firms and tax preparers with remote access malware allowing initial access to corporate networks.
With the USA reaching the end of its annual tax season, accountants are scrambling to gather clients' tax documents to complete and file their tax returns.
"With U.S. Tax Day approaching, Microsoft has observed phishing attacks targeting accounting and tax return preparation firms to deliver the Remcos remote access trojan and compromise target networks beginning in February of this year," Microsoft warns in a new report.
These phishing emails contain links that utilize click-tracking services to evade detection by security software, and ultimately lead to a file hosting site that downloads a ZIP archive.
At the same time, the VBS script will download a decoy PDF file and open it in Microsoft Edge to avoid arousing suspicion by the targeted person.
As the initial loaders for the malware in this campaign are malicious files impersonating PDF files, we always recommend that users enable the display of file extensions in Windows so they can identify suspicious files.
News URL
Related news
- Microsoft: Hackers steal emails in device code phishing attacks (source)
- Microsoft Uncovers Sandworm Subgroup's Global Cyber Attacks Spanning 15+ Countries (source)
- Microsoft: Russian-Linked Hackers Using 'Device Code Phishing' to Hijack Accounts (source)
- Darktrace: 96% of Phishing Attacks in 2024 Exploited Trusted Domains Including SharePoint & Zoom Docs (source)
- Phishing attack hides JavaScript using invisible Unicode trick (source)
- Microsoft fixes Power Pages zero-day bug exploited in attacks (source)
- Botnet targets Basic Auth in Microsoft 365 password spray attacks (source)
- FatalRAT Phishing Attacks Target APAC Industries Using Chinese Cloud Services (source)
- Hackers Exploit AWS Misconfigurations to Launch Phishing Attacks via SES and WorkMail (source)
- New ClickFix attack deploys Havoc C2 via Microsoft Sharepoint (source)