RaccoonO365: Tax-Season Phishing Wave Steals Credentials and Delivers Malware

Phishing campaigns timed to coincide with the U.S. tax season have intensified, with Microsoft reporting large-scale waves of malicious emails leveraging tax-related themes to steal data and deploy malware.

What sets these campaigns apart is the attackers’ use of evasion techniques designed to slip past mail filters and security controls. Tactics include embedding QR codes, using URL shorteners, hosting payloads on legitimate file-sharing services, and abusing legitimate business profiles — all intended to reduce suspicion from antivirus solutions and email gateways.

Both corporate and individual users have become targets, lured to counterfeit login pages hosted on the RaccoonO365 phishing platform. This infrastructure is employed to harvest Microsoft 365 credentials and deliver malware strains such as the Remcos remote access trojan, the GuLoader downloader, AHKBot, Latrodectus, and the Brute Ratel C4 post-exploitation framework, often used in penetration testing.

One notable campaign detected on February 6, 2025, focused on U.S.-based users and was disseminated via PDFs containing links to fake DocuSign pages. Upon clicking, the victim’s system and IP address were checked; if the target was deemed “promising,” a JavaScript payload triggered the download of a malicious MSI installer containing BRc4, followed by the deployment of Latrodectus. If the target was considered non-viable, a harmless file was served instead, minimizing the risk of the malicious payload being exposed to analysts.

A second, more expansive operation observed between February 12 and 28 targeted over 2,300 organizations across IT, engineering, and consulting sectors. These phishing attempts employed PDF attachments embedded with QR codes leading to RaccoonO365 phishing sites, crafted to mimic Microsoft 365 login portals and trick employees into divulging their credentials.

Phishing vectors varied. AHKBot campaigns used macro-laden Excel documents which, once macros were enabled, launched a download chain culminating in the installation of an AutoHotkey script that captured screenshots and transmitted them to a remote server. GuLoader-based attacks involved ZIP archives containing shortcut (.lnk) files disguised as tax forms; opening them triggered PowerShell scripts that downloaded and executed Remcos RAT.
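The two attachment types described above (ZIP archives carrying shortcut files with decoy document extensions, and macro-laden Excel workbooks) are both amenable to cheap structural triage before a user ever opens them. The following Python example is added here for illustration and is not code from Microsoft’s report or this article; the sample attachments are constructed in memory, the reason codes are hypothetical names of my own, and the check relies on two documented facts: a Windows shortcut begins with the MS-SHLLINK header (HeaderSize 0x4C plus the fixed LinkCLSID), and a macro-enabled OOXML workbook stores its VBA project as `xl/vbaProject.bin` inside the ZIP container.

```python
import io
import zipfile

# Windows Shell Link header (MS-SHLLINK): HeaderSize 0x0000004C followed by
# LinkCLSID {00021401-0000-0000-C000-000000000046}, stored little-endian.
# Matching on the header catches shortcuts even when the .lnk extension
# has been stripped or renamed.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")

# Extensions commonly used as a decoy in double-extension names
# such as "2024_tax_form.pdf.lnk".
DECOY_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")

# VBA project locations inside OOXML containers (Excel, Word, PowerPoint).
VBA_PROJECT_PATHS = ("xl/vbaproject.bin", "word/vbaproject.bin", "ppt/vbaproject.bin")


def triage_attachment(name: str, data: bytes) -> list[tuple[str, str]]:
    """Return (reason, member) findings for one attachment.

    Reason codes (hypothetical, chosen for this example):
      shortcut_double_extension - .lnk/shortcut whose name ends in a decoy document extension
      shortcut                  - any other Windows shortcut inside the archive
      office_macros             - OOXML document carrying a VBA project
      not_inspected             - attachment is not a ZIP-based container
    """
    findings: list[tuple[str, str]] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("not_inspected", name)]

    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            with archive.open(info) as member:
                head = member.read(len(LNK_MAGIC))

            if lower in VBA_PROJECT_PATHS:
                findings.append(("office_macros", info.filename))
                continue

            if lower.endswith(".lnk") or head.startswith(LNK_MAGIC):
                stem = lower[:-4] if lower.endswith(".lnk") else lower
                reason = "shortcut_double_extension" if stem.endswith(DECOY_EXTENSIONS) else "shortcut"
                findings.append((reason, info.filename))
    return findings


def _build_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content} (used only to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed sample attachments; none of these are real malware.
SAMPLES: dict[str, bytes] = {
    # ZIP with a shortcut disguised as a PDF tax form (the GuLoader-style lure)
    "tax_forms.zip": _build_zip({"2024_tax_form.pdf.lnk": LNK_MAGIC + b"\x00" * 60}),
    # ZIP where the shortcut has no .lnk extension at all; caught by the header
    "invoice.zip": _build_zip({"readme.txt": b"hello", "document": LNK_MAGIC + b"\x00" * 60}),
    # Minimal macro-enabled workbook container
    "w2_summary.xlsm": _build_zip({
        "[Content_Types].xml": b"<Types/>",
        "xl/workbook.xml": b"<workbook/>",
        "xl/vbaProject.bin": b"\xd0\xcf\x11\xe0",
    }),
    # Benign archive
    "notes.zip": _build_zip({"notes.txt": b"nothing here"}),
    # Not a ZIP container at all
    "cover_letter.pdf": b"%PDF-1.4 ...",
}


def triage_all(samples: dict[str, bytes] = SAMPLES) -> dict[str, list[tuple[str, str]]]:
    """Run triage over every sample and return findings keyed by attachment name."""
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for attachment, findings in triage_all().items():
        status = "FLAG" if any(r != "not_inspected" for r, _ in findings) else "ok  "
        print(f"{status} {attachment}: {findings}")
```

In a gateway this would sit in front of the user: anything returning `shortcut_double_extension` or `office_macros` is quarantined for review, while `not_inspected` items (PDFs, legacy OLE `.xls` files) are handed to a separate parser rather than silently passed.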

Increasingly, threat actors are deploying tools designed to evade security filters and bypass defenses — including SVG files that slip past anti-spam systems, browser-in-the-browser (BitB) fake windows that mimic login prompts, and abuse of legitimate platforms like Adobe, Dropbox, Zoho, and DocuSign to mask malicious activity.

Particular scrutiny has been directed at the activities of threat actor group Storm-0249. Their recent campaigns featured redirects to counterfeit Windows 11 Pro download pages via Facebook ads, ultimately delivering Latrodectus. The malware’s latest iteration, observed in February, incorporates new command sets and persistence mechanisms using scheduled tasks.

Amidst the growing sophistication of phishing operations, an increasing number of attacks masquerade under the guise of trusted brands — including fake emails from Spotify, Apple Music, banking institutions, and system update services. The objective remains unchanged: to harvest credentials, implant spyware, and monetize the stolen data.

To mitigate these threats, Microsoft recommends deploying phishing-resistant authentication methods, using browsers with built-in malicious site blocking, and enabling network-level protections to prevent connections to malicious domains.
