Microsoft Warns of IRS Phishing Campaign Targeting 29,000 Users with RMM Malware


As the U.S. tax season approaches, Microsoft has issued a warning regarding a surge in phishing campaigns designed to exploit the urgency of tax-related communications. These campaigns aim to harvest credentials and deliver malware, posing significant risks to both individuals and organizations.

Phishing Campaigns Exploiting Tax Season

The recent phishing efforts capitalize on the time-sensitive nature of tax-related emails, masquerading as refund notifications, payroll forms, and requests from tax professionals. These deceptive messages are crafted to trick recipients into opening malicious attachments, scanning QR codes, or clicking on suspicious links.

According to the Microsoft Threat Intelligence and Microsoft Defender Security Research teams, many of these campaigns target not only individuals but also accountants and professionals who handle sensitive financial documents. This demographic is particularly vulnerable during tax season, as they are accustomed to receiving legitimate tax-related communications.

Techniques and Tools Used by Attackers

The phishing campaigns use various methods to lure victims. Some campaigns direct users to fraudulent pages created through Phishing-as-a-Service (PhaaS) platforms, while others deploy legitimate remote monitoring and management (RMM) tools, such as ConnectWise ScreenConnect and Datto. The RMM route enables attackers to maintain persistent access to compromised devices.

Specific tactics observed include:

  • Certified Public Accountant (CPA) Lures: Attackers use CPA-related themes to deliver phishing pages associated with the Energy365 PhaaS kit, which is estimated to send hundreds of thousands of malicious emails daily.

  • QR Code and W2 Lures: Targeting around 100 organizations in sectors like manufacturing and healthcare, these campaigns direct users to phishing pages mimicking Microsoft 365 sign-in pages, built using the SneakyLog PhaaS platform to capture credentials and two-factor authentication (2FA) codes.

  • Tax-Themed Domains: Phishing campaigns employ domains that appear legitimate to trick users into clicking on links under the guise of accessing updated tax forms, ultimately distributing malicious software.

  • Impersonation of the IRS: Some campaigns impersonate the Internal Revenue Service, using cryptocurrency-related lures to target higher education institutions. Recipients are prompted to download a “Cryptocurrency Tax Form 1099” from malicious domains.

Scale of the Threat

On February 10, 2026, Microsoft reported a large-scale phishing campaign that impacted over 29,000 users across 10,000 organizations, with approximately 95% of the targets located in the U.S. The affected industries included financial services, technology, and retail.

The phishing emails impersonated the IRS, claiming irregular tax returns had been filed under the recipient’s Electronic Filing Identification Number (EFIN). Recipients were instructed to download a seemingly legitimate “IRS Transcript Viewer,” which redirected them to a fraudulent domain masquerading as a well-known document management platform.

Recommendations for Organizations

To mitigate the risks associated with these phishing attacks, organizations are advised to implement several security measures:

  • Enforce Two-Factor Authentication (2FA): This adds an additional layer of security for all users.

  • Implement Conditional Access Policies: These policies help restrict access based on specific conditions, reducing the risk of unauthorized access.

  • Monitor Incoming Emails and Websites: Regular scanning of emails and websites can help identify and block malicious content.

  • Prevent Access to Malicious Domains: Organizations should maintain updated lists of known malicious domains and block access to them.

Broader Context of Remote Access Malware

The recent findings coincide with a notable increase in the adoption of RMM tools by threat actors, with a reported 277% surge in abuse year-over-year. Tactics such as daisy-chaining distinct RMM tools complicate attribution and containment efforts, making it increasingly challenging for organizations to detect unauthorized usage.

As these tools are often regarded as “trusted” within corporate environments, organizations must remain vigilant in auditing their systems for any unauthorized RMM activity.
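One way to perform the audit described above, as an added example that is not code from Microsoft or from the reporting this article cites: it scans constructed process-creation events, flags any RMM tool that is not on the organization's approved list, flags RMM clients launched from user-writable paths (the "IRS Transcript Viewer" style of lure), and flags hosts where more than one distinct RMM tool appears, the daisy-chaining pattern. The event format, the substring signatures, the approved-tool policy and the sample records are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real events): one process-creation record per line.
SAMPLE_EVENTS = """\
2026-02-10T09:14:02Z host=FIN-WS01 user=jdoe image=C:/Users/jdoe/AppData/Local/Temp/IRS_Transcript_Viewer/ScreenConnect.ClientService.exe
2026-02-10T09:15:40Z host=FIN-WS01 user=jdoe image=C:/Program Files/Datto/Agent/Agent.exe
2026-02-10T09:16:03Z host=HR-WS07 user=asmith image=C:/Program Files/Datto/Agent/Agent.exe
2026-02-10T09:20:11Z host=HR-WS07 user=asmith image=C:/Windows/System32/notepad.exe
"""

# Assumed signatures: case-insensitive substrings of the image path that identify a tool.
RMM_SIGNATURES = {"ScreenConnect": ("screenconnect",), "Datto": ("datto",)}
# Assumed policy: this organization has sanctioned Datto only.
APPROVED_RMM = {"Datto"}
# Assumed heuristic: sanctioned agents are installed by IT, not run from a user profile or temp dir.
USER_WRITABLE_HINTS = ("/users/", "/appdata/", "/temp/")
EVENT_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) image=(.+)$")


def classify_rmm(image_path):
    """Return the RMM tool name matched by the image path, or None if it is not an RMM binary."""
    low = image_path.lower()
    for tool, needles in RMM_SIGNATURES.items():
        if any(n in low for n in needles):
            return tool
    return None


def audit_rmm_events(events_text):
    """Return a list of findings (dicts) for unauthorized, oddly located, or chained RMM usage."""
    findings = []
    tools_per_host = defaultdict(set)
    for line in events_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # skip malformed records rather than failing the whole audit
        ts, host, user, image = m.groups()
        tool = classify_rmm(image)
        if tool is None:
            continue
        tools_per_host[host].add(tool)
        if tool not in APPROVED_RMM:
            findings.append({"kind": "unauthorized_rmm", "host": host, "user": user, "tool": tool, "ts": ts})
        if any(h in image.lower() for h in USER_WRITABLE_HINTS):
            findings.append({"kind": "rmm_from_user_path", "host": host, "user": user, "tool": tool, "ts": ts})
    for host, tools in tools_per_host.items():
        if len(tools) > 1:  # two distinct RMM tools on one host: the daisy-chaining pattern
            findings.append({"kind": "chained_rmm", "host": host, "user": None, "tool": "+".join(sorted(tools)), "ts": None})
    return findings
```

In a real deployment the event source would be Sysmon or EDR process-creation telemetry, and the signature table should be extended to cover every RMM product seen in the environment, not only the two named in this article.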

According to publicly available thehackernews.com reporting, the misuse of legitimate tools poses a significant threat, as they can be easily overlooked by security protocols.
