Microsoft warns accountants of new phishing campaign amid tax period


Microsoft is sounding the alarm over a new phishing campaign targeting accounting firms, tax preparers, financial services providers, and similar organizations in the United States. The campaign is currently at its zenith, given that the annual tax season in the country is reaching its end.

That means that financial service providers and similar firms are rushing to meet the deadline and file annual tax returns for their clients. As a result, they might be reckless and/or overworked, making them an ideal target for hackers.

The phishing campaign, Microsoft says, can have different goals. Some threat actors might use these emails to distribute infostealing malware, as financial service providers often hold plenty of sensitive client data which can be used in extortion attacks.

Delivering Remcos

Alternatively, they can always sell the data on the dark web for other threat actors to make use of. In other scenarios, they can use this access to deliver stage-two malware, run ransomware campaigns, and carry out similar attacks.

Microsoft observed some threat actors using phishing techniques to deliver Remcos, a known remote access trojan.

"With U.S. Tax Day approaching, Microsoft has observed phishing attacks targeting accounting and tax return preparation firms to deliver the Remcos remote access trojan."

The emails are nothing extraordinary: the attackers claim to be a client of the victim, sharing the documents needed to file a tax return. They share the documents via a link to a file-sharing service provider, thus bypassing any email security tools the victims might have installed on their endpoints.

If the victim ends up downloading the files, they’ll find a couple of bogus PDF files and Windows shortcut files that, if run, ultimately deliver Remcos. 
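A triage check for the download described above, as an added example that is not from Microsoft or the original article. It assumes the download arrives as a ZIP archive, which the article does not state; the function names, reason labels and sample file names are constructed for illustration.

```python
import io
import zipfile

# Shell Link (.lnk) header per MS-SHLLINK: HeaderSize 0x4C, then the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
PDF_MAGIC = b"%PDF-"
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")

def triage_archive(zip_bytes):
    """Return sorted (entry name, reason) findings for a ZIP held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            # Content decides, not the name: a shortcut renamed to .pdf is caught too.
            if head == LNK_MAGIC or lower.endswith(".lnk"):
                findings.append((info.filename, "windows-shortcut"))
            # Explorer hides the .lnk extension, so "x.pdf.lnk" displays as "x.pdf".
            if lower.endswith(".lnk") and lower[:-4].endswith(DOC_EXTS):
                findings.append((info.filename, "document-name-on-shortcut"))
            if lower.endswith(".pdf") and not head.startswith(PDF_MAGIC):
                findings.append((info.filename, "pdf-name-without-pdf-header"))
    return sorted(findings)

def build_sample():
    """Constructed sample archive; names and contents are made up for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("client/2022_return_notes.pdf", b"%PDF-1.7\n% constructed decoy\n")
        zf.writestr("client/W2_form.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("client/1099_scan.pdf", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in triage_archive(build_sample()):
        print(f"{reason:30} {name}")
```

A clean result only means no shortcut was found in the archive; the PDFs themselves still need normal scanning.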

The best way to protect against phishing is to be vigilant when receiving any attachments or links in emails, especially when they’re not expected. Also, having an antivirus solution, a firewall, and multi-factor authentication will help.

Via: BleepingComputer

Sead Fadilpašić
