The tech giant identifies a wave of attacks using PDFs, QR codes, and legitimate platforms to distribute malware such as Latrodectus, Remcos, and BruteRatel.
Microsoft has issued a new cybersecurity alert about phishing campaigns aimed at U.S. organizations during tax season. Several campaigns use lures that combine PDF attachments, QR codes, and legitimate-looking third-party services such as DocuSign or Dropbox to deliver malware.
These attacks are designed to steal credentials, install backdoors, and quietly gain a foothold in corporate networks. Microsoft's analysts attribute part of the activity to Storm-0249, a group known for distributing loaders and remote access trojans such as Latrodectus, Remcos RAT, and GuLoader, the BruteRatel C4 post-exploitation framework, and newer AutoHotKey-based malware such as AHKBot.
Phishing-as-a-Service and Evasive Techniques
The campaigns rely on PhaaS (Phishing-as-a-Service) platforms such as RaccoonO365, which generate fake pages mimicking the Microsoft 365 login screen in order to capture corporate credentials. One case Microsoft documented, dated February 6, 2025, describes an infection chain that starts with a PDF file redirecting the user to a shortened URL. From there, a fake DocuSign page is presented which, depending on the visitor's operating system and IP address, serves a JavaScript file that installs BRc4 (BruteRatel C4); BRc4 is then used to deploy Latrodectus.
In another campaign observed between February 12 and February 28, more than 2,300 emails with empty bodies were sent carrying PDF attachments that embedded malicious QR codes. The codes resolved to credential-phishing pages impersonating Microsoft 365. The most affected sectors were consulting, IT, and engineering.
Multi-Layer Infection: From ZIP Files to Excel Macros
In addition to PDFs, the threat actors use .lnk shortcut files hidden inside ZIP archives and Excel documents with malicious macros. In one example detected by Microsoft, Excel macros download and execute AutoHotKey scripts, which in turn load screen-capture and data-exfiltration modules.
Microsoft has also observed links hidden inside SVG image files and URLs laundered through redirection services such as Rebrandly. Because a filter inspecting the message sees only the intermediate redirector and never the final landing page, many traditional anti-phishing filters let these messages through.
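The attachment types described in the two paragraphs above (ZIP archives carrying shortcut files, PDFs whose link annotations point at URL shorteners, and SVG files with embedded hyperlinks or scripts) can be triaged with a few static checks before a message reaches a user. The script below is an added example written for this article, not Microsoft's detection logic; the sample attachments are constructed inline, and the host names, file names, and the redirector list are illustrative assumptions.

```python
"""Static triage of e-mail attachments for the lures described above.

Added example, not Microsoft's detection logic. Every sample attachment is
constructed inline; host names and file names are made up for illustration.
"""
from __future__ import annotations

import io
import re
import zipfile
from urllib.parse import urlparse

# Redirectors commonly abused to hide the real landing page (illustrative list;
# feed it from your own telemetry in production).
REDIRECTOR_HOSTS = {"rebrand.ly", "bit.ly", "tinyurl.com", "t.co"}

# Archive members that should never arrive in a "tax document" ZIP.
SUSPICIOUS_MEMBER_EXTENSIONS = (".lnk", ".js", ".jse", ".vbs", ".hta")

_PDF_URI = re.compile(rb"/URI\s*\(([^)]*)\)")
_PDF_ACTIVE_ACTIONS = (b"/JavaScript", b"/Launch", b"/OpenAction")
_SVG_HREF = re.compile(rb"(?:xlink:)?href\s*=\s*[\"']([^\"']+)[\"']", re.I)


def triage_zip(data: bytes) -> list[str]:
    """Flag archives that smuggle shortcut or script files."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name.lower().endswith(SUSPICIOUS_MEMBER_EXTENSIONS):
                    findings.append(f"zip: executable-type member {name}")
    except zipfile.BadZipFile:
        findings.append("zip: corrupt or not a zip archive")
    return findings


def triage_pdf(data: bytes) -> list[str]:
    """Flag PDFs with active content or link annotations via redirectors."""
    findings = []
    for action in _PDF_ACTIVE_ACTIONS:
        if action in data:
            findings.append(f"pdf: contains {action.decode()} action")
    for match in _PDF_URI.finditer(data):
        url = match.group(1).decode("latin-1", "replace")
        host = (urlparse(url).hostname or "").lower()
        if host in REDIRECTOR_HOSTS:
            findings.append(f"pdf: link via redirector {host}")
    return findings


def triage_svg(data: bytes) -> list[str]:
    """Flag SVG images that carry scripts or clickable external links."""
    findings = []
    if re.search(rb"<script\b", data, re.I):
        findings.append("svg: embedded <script>")
    for match in _SVG_HREF.finditer(data):
        url = match.group(1).decode("utf-8", "replace")
        if url.lower().startswith(("http://", "https://", "javascript:")):
            findings.append(f"svg: external link {url}")
    return findings


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Dispatch on file type (by extension, with a magic-byte fallback)."""
    lower = filename.lower()
    if lower.endswith(".zip") or data.startswith(b"PK\x03\x04"):
        return triage_zip(data)
    if lower.endswith(".pdf") or data.startswith(b"%PDF"):
        return triage_pdf(data)
    if lower.endswith(".svg") or b"<svg" in data[:512].lower():
        return triage_svg(data)
    return []


def build_samples() -> dict[str, bytes]:
    """Constructed attachments mimicking the article's lures (not real samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Fake LNK payload: only the header bytes, enough to show the check.
        zf.writestr("Tax_Documents_2025/Invoice.pdf.lnk", b"L\x00\x00\x00")
    pdf = (b"%PDF-1.4\n1 0 obj\n<< /Type /Annot /Subtype /Link "
           b"/A << /S /URI /URI (https://rebrand.ly/tax-form-x) >> >>\nendobj\n")
    svg = (b'<svg xmlns="http://www.w3.org/2000/svg" '
           b'xmlns:xlink="http://www.w3.org/1999/xlink">'
           b'<a xlink:href="https://login-m365.example/doc">'
           b'<text x="10" y="20">Open DocuSign</text></a></svg>')
    return {"docs.zip": buf.getvalue(), "IRS_notice.pdf": pdf, "invoice.svg": svg}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, triage_attachment(name, blob))
```

The checks are deliberately cheap string and archive-listing inspections, so they can run inline in a mail pipeline; they do not decode QR codes or render PDFs, which is where a full sandbox or QR-decoding stage would take over.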
Criminal Ingenuity and Exploitation of Legitimate Platforms
Attackers also lean on widely used file-sharing and e-signature services such as Adobe, DocuSign, Canva, Zoho, or Dropbox. Because the links point at reputable domains, the messages pass through secure email gateways (SEGs) that would otherwise block them.
Palo Alto Networks' analysis shows the same pattern in QR-code campaigns targeting Europe and the U.S.: rather than encoding the malicious URL directly, attackers route victims through open-redirect mechanisms on trusted sites, so the address the QR code resolves to belongs to a legitimate domain.
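An open redirect hides the destination inside a query parameter of a trusted URL, sometimes nested several layers deep through shorteners and other redirectors. The script below statically unwraps such a chain without making any network requests and classifies the link accordingly. It is an added example for this article, not code from Palo Alto Networks or Microsoft; the trusted host names, the phishing host, and the parameter list are constructed assumptions.

```python
"""Static unwrapping of open-redirect chains in phishing URLs.

Added example, not vendor code. Host names below are constructed for
illustration; the trusted set stands in for the SaaS domains an organization
allows through its mail gateway.
"""
from __future__ import annotations

from urllib.parse import parse_qs, unquote, urlparse

# Legitimate services the gateway trusts (assumed). Their redirect endpoints
# are exactly what an attacker borrows to make a link look safe.
TRUSTED_HOSTS = {"docs.example-saas.com", "www.example-collab.com"}

# Query parameter names commonly used by redirect endpoints (illustrative).
REDIRECT_PARAMS = {
    "url", "u", "redirect", "redirect_uri", "return", "returnurl",
    "next", "dest", "destination", "target", "go", "link",
}


def extract_redirect_target(url: str) -> str | None:
    """Return the URL carried in a redirect parameter, or None if there is none."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    for key, values in query.items():
        if key.lower() not in REDIRECT_PARAMS:
            continue
        for value in values:
            candidate = unquote(value)  # undo one layer of percent-encoding
            parsed = urlparse(candidate)
            # Absolute http(s) URLs and scheme-relative "//host/..." both redirect off-site.
            if parsed.scheme in ("http", "https") or candidate.startswith("//"):
                return candidate
    return None


def unwrap_redirect_chain(url: str, max_depth: int = 5) -> list[str]:
    """Follow nested redirect parameters statically; first element is the input."""
    chain = [url]
    current = url
    for _ in range(max_depth):
        nxt = extract_redirect_target(current)
        if nxt is None:
            break
        chain.append(nxt)
        current = nxt
    return chain


def host_of(url: str) -> str:
    parsed = urlparse(url if "://" in url else "https:" + url)
    return (parsed.hostname or "").lower()


def classify_url(url: str) -> str:
    """'trusted', 'open-redirect' (trusted host bouncing off-site) or 'external'."""
    first_host = host_of(url)
    if first_host not in TRUSTED_HOSTS:
        return "external"
    final_host = host_of(unwrap_redirect_chain(url)[-1])
    if final_host and final_host not in TRUSTED_HOSTS:
        return "open-redirect"
    return "trusted"


if __name__ == "__main__":
    # Constructed QR-code payload: trusted site -> trusted site -> phishing page.
    sample = ("https://docs.example-saas.com/out?next=https://www.example-collab.com/r"
              "?u=https%3A%2F%2Flogin-m365.example%2F")
    for hop in unwrap_redirect_chain(sample):
        print("  ->", hop)
    print(classify_url(sample))
```

Only the first `=` in each query pair is treated as a separator, which is why a complete nested URL survives as a single parameter value; a gateway that instead blocklists the visible host would see only `docs.example-saas.com` and allow the message through.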
Microsoft has also detected Facebook being used to redirect traffic to fake pages offering Windows 11 installers that actually deliver Latrodectus or Gh0st RAT, according to its recent investigations.
Consequences and Recommended Protective Measures
The documented attacks aim not only to steal passwords but also to maintain persistence, move laterally within corporate networks, and lay the groundwork for follow-on intrusions. Scheduled tasks for persistence, remote command execution, and credential harvesting are increasingly common in these campaigns.
Microsoft recommends phishing-resistant multi-factor authentication (MFA), filtering outbound traffic to suspicious domains, using browsers with built-in protection against malicious sites, and training users to recognize phishing attempts.
These campaigns show a cybercrime ecosystem that is becoming more professional and adapting quickly. Organizations must be prepared not only to detect known threats but also to counter increasingly creative and persistent tactics, especially those that combine social engineering with automated malware distribution.
This wave of campaigns also shows that corporate security can no longer rely on traditional filters alone. When criminal infrastructure is layered on top of legitimate platforms, defenses have to verify and monitor every link, attachment, and login rather than trusting the domain it appears to come from.