Microsoft Warns IRS Phishing Hits 29,000 Users, Deploys RMM Malware

Tax Season Turns into Cyberattack Season: Microsoft Warns of Surge in Phishing and Malware Campaigns

By Ravie Lakshmanan | March 23, 2026

As millions of Americans gear up for the annual ritual of filing their taxes, cybercriminals are seizing the moment to unleash a wave of sophisticated phishing and malware campaigns designed to steal sensitive financial data and compromise systems. Microsoft has issued a stark warning about the rise in tax-themed cyberattacks, revealing how attackers are exploiting the urgency and trust associated with tax season to deceive individuals and organizations alike.

The New Face of Tax-Themed Cyber Threats

The campaigns, which have intensified in recent weeks, leverage the high-stakes nature of tax season to trick recipients into opening malicious attachments, scanning QR codes, or clicking on suspicious links. These phishing emails masquerade as refund notices, payroll forms, filing reminders, and even requests from tax professionals. The goal? To harvest credentials, deploy malware, and gain unauthorized access to systems.

“Many campaigns target individuals for personal and financial data theft, but others specifically target accountants and other professionals who handle sensitive documents, have access to financial data, and are accustomed to receiving tax-related emails during this period,” Microsoft’s Threat Intelligence and Microsoft Defender Security Research teams said in a report published last week.

A Closer Look at the Campaigns

Microsoft detailed several tactics being used by cybercriminals:

  1. CPA Lures and Energy365 PhaaS Kit: Attackers are using Certified Public Accountant (CPA) lures to deliver phishing pages built with the Energy365 Phishing-as-a-Service (PhaaS) kit, which is estimated to send hundreds of thousands of malicious emails daily.

  2. QR Code and W-2 Lures: Targeting over 100 organizations in manufacturing, retail, and healthcare, these campaigns pair W-2 lures with QR codes that, when scanned, lead to phishing pages mimicking Microsoft 365 sign-in pages, built with the SneakyLog (Kratos) PhaaS platform.

  3. Tax-Themed Domains: Cybercriminals are registering tax-themed domains to trick users into clicking on bogus links, leading to the distribution of ScreenConnect, a remote monitoring and management (RMM) tool.

  4. IRS Impersonation with Cryptocurrency Lure: Targeting the higher education sector, these emails impersonate the IRS, instructing recipients to download a “Cryptocurrency Tax Form 1099” from malicious domains like “irs-doc[.]com” or “gov-irs216[.]net,” ultimately delivering ScreenConnect or SimpleHelp.

  5. Accountant Targeting: Accountants and related organizations are being targeted with emails asking for help filing taxes, leading to the installation of Datto RMM, another remote monitoring and management tool.

A Massive February 10 Campaign

Microsoft also uncovered a large-scale phishing campaign on February 10, 2026, that reached over 29,000 users across 10,000 organizations. Approximately 95% of the targets were in the U.S., spanning industries such as financial services (19%), technology and software (18%), and retail and consumer goods (15%). The emails impersonated the IRS, claiming that irregular tax returns had been filed under the recipient’s Electronic Filing Identification Number (EFIN), the identifier the IRS assigns to authorized e-file providers. Recipients were instructed to download a supposedly legitimate “IRS Transcript Viewer,” which was in fact a ScreenConnect installer repackaged by the attackers.

Staying Safe: Microsoft’s Recommendations

To combat these threats, Microsoft recommends that organizations enforce two-factor authentication (2FA) for all users, implement conditional access policies, monitor and scan incoming emails and visited websites, and block access to known malicious domains such as those named above.
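One way to turn these recommendations into concrete checks on the defender side, as an added example that is not code from Microsoft’s report or from the article: the script below refangs the two domains named earlier, flags proxy requests to them or to hosts that carry an “irs” label outside irs.gov, and flags RMM agents (ScreenConnect, SimpleHelp, Datto) that were launched by a user from a browser, Explorer or a Downloads folder rather than pushed by the management platform. The process image names, the approved-RMM allowlist and every log record are constructed assumptions for illustration, not Microsoft’s detection logic; adjust them to your own telemetry.

```python
import json
import re

# Defanged domains as printed in the article, refanged below for matching.
ARTICLE_DOMAINS = ["irs-doc[.]com", "gov-irs216[.]net"]

# Assumption: the RMM product this organisation actually uses. Anything else
# is unauthorised by definition.
APPROVED_RMM = {"datto"}

# Assumption: process image names associated with the RMM tools the report
# names. This is the editor's illustrative mapping, not Microsoft's list;
# tune it to what your EDR actually records.
RMM_BINARIES = {
    "screenconnect.clientservice.exe": "screenconnect",
    "screenconnect.windowsclient.exe": "screenconnect",
    "remote access.exe": "simplehelp",
    "cagservice.exe": "datto",
    "aemagent.exe": "datto",
}

# Parents that indicate a human double-clicked something, rather than an
# installer pushed by the management platform (services.exe, msiexec.exe).
USER_LAUNCH_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe",
                       "firefox.exe", "outlook.exe"}

# Deliberately narrow heuristic: 'irs' as a whole label, as a label prefix
# followed by a separator, or followed by digits. Real irs.gov hosts are
# excluded in is_irs_lookalike().
IRS_LOOKALIKE = re.compile(r"(^|[.-])irs(?=[.-]|\d|$)")


def refang(domain: str) -> str:
    """Turn 'irs-doc[.]com' back into 'irs-doc.com'."""
    return domain.replace("[.]", ".").replace("(.)", ".").strip().lower()


BLOCKLIST = {refang(d) for d in ARTICLE_DOMAINS}


def is_irs_lookalike(host: str) -> bool:
    host = host.lower().rstrip(".")
    if host == "irs.gov" or host.endswith(".irs.gov"):
        return False
    return IRS_LOOKALIKE.search(host) is not None


def check_proxy(lines, blocklist=BLOCKLIST):
    """Return (user, host, reason) for requests to IOCs or IRS lookalikes."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        host = rec["host"].lower()
        if host in blocklist:
            hits.append((rec["user"], host, "ioc-match"))
        elif is_irs_lookalike(host):
            hits.append((rec["user"], host, "irs-lookalike"))
    return hits


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(lines):
    """Return (host, product, image, parent) for suspicious RMM launches.

    An agent is suspicious if the product is not the approved one, or if an
    approved product was started from a browser/Explorer or a Downloads
    folder: the Datto lure abuses a legitimate product, so an allowlist
    check alone is not enough.
    """
    hits = []
    for line in lines:
        rec = json.loads(line)
        image = _basename(rec["image"])
        product = RMM_BINARIES.get(image)
        if product is None:
            continue
        parent = _basename(rec["parent_image"])
        user_launched = (parent in USER_LAUNCH_PARENTS
                         or "\\downloads\\" in rec["image"].lower())
        if product not in APPROVED_RMM or user_launched:
            hits.append((rec["host"], product, image, parent))
    return hits


PROXY_LOG = [  # constructed sample records, not real traffic
    r'{"user":"jdoe","host":"irs-doc.com","url":"/Cryptocurrency_Tax_Form_1099.exe"}',
    r'{"user":"asmith","host":"www.irs.gov","url":"/individuals/get-transcript"}',
    r'{"user":"bli","host":"gov-irs216.net","url":"/transcript-viewer"}',
    r'{"user":"cwu","host":"irs-efin-review.example","url":"/efin/notice"}',
    r'{"user":"dkim","host":"login.microsoftonline.com","url":"/"}',
]

PROCESS_LOG = [  # constructed Sysmon-style records, not real telemetry
    r'{"host":"WS-0412","image":"C:\\Users\\jdoe\\Downloads\\IRS_Transcript_Viewer\\ScreenConnect.ClientService.exe","parent_image":"C:\\Windows\\explorer.exe"}',
    r'{"host":"WS-0098","image":"C:\\Program Files (x86)\\CentraStage\\CagService.exe","parent_image":"C:\\Windows\\System32\\services.exe"}',
    r'{"host":"WS-0211","image":"C:\\Users\\cwu\\Downloads\\AEMAgent.exe","parent_image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}',
    r'{"host":"WS-0211","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","parent_image":"C:\\Windows\\explorer.exe"}',
]

if __name__ == "__main__":
    for hit in check_proxy(PROXY_LOG):
        print("PROXY   ", hit)
    for hit in check_process(PROCESS_LOG):
        print("PROCESS ", hit)
```

The Datto record is the one worth noting: allowlisting the product you already run is not sufficient when the lure installs that same product, so launch context (parent process, download path) has to be part of the rule. The lookalike regex is kept narrow and should route matches to an analyst rather than block automatically; only the IOC list is suitable for outright blocking.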

The Broader Threat Landscape

The rise in tax-themed cyberattacks is part of a larger trend of increasing RMM tool abuse by threat actors. According to a recent report by Huntress, the misuse of such tools has surged by 277% year-over-year. Cybercriminals are also exploiting other tactics, such as:

  • Fake Video Conferencing Pages: Using fake Google Meet and Zoom pages to deliver remote access software like Teramind.
  • Refund Scams: Fraudulent websites impersonating brands like Avast to harvest credit card details.
  • Typosquatted Websites: Impersonating official download portals to distribute trojanized installers.
  • Microsoft Azure Monitor Alerts: Abusing legitimate alert notifications to deliver callback phishing emails.
  • Quotation-Themed Lures: Triggering infections with malware like XWorm RAT.
  • ClickFix Ploys: Delivering NetSupport RAT to gain unauthorized system access.
  • OAuth Redirect Abuse: Bypassing email spam filters to redirect users to phishing websites.
  • URL Rewriting Services: Concealing malicious URLs in phishing emails.
  • Malicious ZIP Files: Distributing Salat Stealer or MeshAgent alongside cryptocurrency miners.
  • Digital Invitation Lures: Delivering ScreenConnect via evasive .NET loaders.

Conclusion

As tax season ramps up, so does the risk of falling victim to cyberattacks. Organizations and individuals must remain vigilant, adopting robust security measures to protect against these increasingly sophisticated threats. The rise in RMM tool abuse underscores the need for continuous monitoring and auditing of environments to detect and mitigate unauthorized access.

