Tax Season is Upon Us, and So Are the Scammers
ID: 8b86082d-85ab-51d9-bc65-6c759471e74e
STIX ID: report--8b86082d-85ab-51d9-bc65-6c759471e74e
Feed Name: Proofpoint Blog
Proofpoint researchers report that TA576 has resumed tax-season campaigns targeting accounting and finance organizations in North America. The actor uses compromised email accounts and reply-to domains to send malicious Firebase URLs that redirect to zipped LNK shortcuts. Execution chains leverage encoded PowerShell, SyncAppvPublishingServer.vbs LOLBAS injection, and Mshta/HTA to deploy the Parallax RAT, enabling credential theft, remote access, and potential lateral movement while using living-off-the-land techniques to evade detection.
