Microsoft Warns IRS Phishing Campaign Hits 29,000 Users and Deploys RMM Malware

Microsoft has issued a warning about a surge in phishing attacks exploiting the U.S. tax season, with cybercriminals targeting tens of thousands of users to steal sensitive data and deploy remote access malware.

According to recent threat intelligence findings, attackers are leveraging tax-related themes to trick victims into engaging with malicious emails. These messages often appear as legitimate communications, including refund notices, payroll documents, filing reminders, and requests from tax professionals.

Tax Season Used as a Cyberattack Opportunity

The campaigns rely heavily on urgency, encouraging recipients to act quickly without verifying authenticity. Victims are prompted to open attachments, click suspicious links, or scan QR codes, all of which lead to credential theft or malware installation.

While many attacks focus on individuals, a significant number specifically target accountants and financial professionals who regularly handle sensitive financial data and are more likely to trust tax-related communications.

RMM Tools Abused for Persistent Access

One of the most concerning aspects of these attacks is the misuse of legitimate remote monitoring and management (RMM) software. Instead of deploying traditional malware, attackers install trusted tools such as:

  • ConnectWise ScreenConnect
  • Datto
  • SimpleHelp

These tools allow attackers to maintain long-term access to compromised systems while avoiding detection, as they are commonly used in enterprise IT environments.
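Because the tools listed above are legitimate and often already present in an estate, the practical defensive check is not "is an RMM agent running?" but "is this RMM product one we sanctioned, and is it running from where our deployment would have put it?" The following Python snippet is an added example (not code from Microsoft or from the article) that applies that check to constructed process-creation records. The key=value log format, the product keywords, the approved-product baseline and the expected install roots are all assumptions of the example and would be replaced by an organisation's own software inventory.

```python
import re
from typing import Optional

# Product keywords for the RMM tools named in the article. Matching on product
# names rather than exact binary names is an assumption of this example; tune
# it to the agent binaries in your own inventory.
RMM_KEYWORDS = {
    "screenconnect": "screenconnect",
    "connectwise": "screenconnect",
    "datto": "datto",
    "simplehelp": "simplehelp",
}

# Hypothetical organisational baseline: the single RMM product IT actually uses
# and the install roots where its binaries are expected to live.
APPROVED_PRODUCTS = {"screenconnect"}
APPROVED_INSTALL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

# One constructed record per line: key=value pairs, values with spaces quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample telemetry. The first record models the fake
# "IRS Transcript Viewer" lure dropping a ScreenConnect client into %TEMP%.
SAMPLE_EVENTS = r"""
ts=2026-02-10T14:02:11Z host=WS-ACCT-07 user=CORP\jdoe image="C:\Users\jdoe\AppData\Local\Temp\IRS Transcript Viewer\ScreenConnect.ClientService.exe" cmdline="ScreenConnect.ClientService.exe"
ts=2026-02-10T14:05:40Z host=WS-HR-02 user=CORP\asmith image="C:\Program Files (x86)\ScreenConnect Client (example)\ScreenConnect.ClientService.exe" cmdline="ScreenConnect.ClientService.exe"
ts=2026-02-10T14:09:03Z host=WS-FIN-11 user=CORP\bwong image="C:\Users\bwong\Downloads\simplehelp-setup.exe" cmdline="simplehelp-setup.exe /S"
ts=2026-02-10T14:11:27Z host=WS-FIN-11 user=CORP\bwong image="C:\Windows\System32\notepad.exe" cmdline="notepad.exe W2_2025.txt"
"""


def parse_event(line: str) -> dict:
    """Parse one key=value record into a dict, stripping surrounding quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def classify(event: dict) -> Optional[str]:
    """Return a finding if the record looks like RMM abuse, otherwise None.

    Two conditions are flagged: an RMM product the organisation does not use
    at all, or the approved product running from outside its install roots
    (for example a user-writable Temp or Downloads folder).
    """
    image = event.get("image", "").lower()
    cmdline = event.get("cmdline", "").lower()
    product = next(
        (p for kw, p in RMM_KEYWORDS.items() if kw in image or kw in cmdline),
        None,
    )
    if product is None:
        return None
    if product not in APPROVED_PRODUCTS:
        return f"unapproved RMM product '{product}' on {event.get('host')}"
    if not image.startswith(APPROVED_INSTALL_ROOTS):
        return (f"approved RMM '{product}' running from unexpected path "
                f"{event.get('image')}")
    return None


def scan(lines) -> list:
    """Run classify() over every non-empty record and collect the findings."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        finding = classify(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS.strip().splitlines()):
        print("ALERT:", f)
```

Run against the constructed sample, the ScreenConnect client launched from the user's Temp folder and the SimpleHelp installer in Downloads are flagged, while the ScreenConnect client under Program Files (x86) and the unrelated notepad.exe record are not. The two rules deliberately separate "wrong product" from "right product, wrong place", since the second case is what lets a trusted agent blend in with a legitimate deployment.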

Multiple Campaign Techniques Identified

Microsoft identified several distinct attack methods used across different campaigns:

  • Phishing emails impersonating Certified Public Accountants (CPAs) to steal login credentials using advanced phishing kits
  • QR code-based attacks combined with W-2-related lures targeting organizations across industries like manufacturing, healthcare, and retail
  • Fake tax-related domains designed to distribute remote access tools
  • IRS impersonation campaigns promoting fraudulent cryptocurrency tax forms to deliver malware
  • Emails requesting tax filing assistance that lead to malicious software installation

Large-Scale Attack Impacts Over 29,000 Users

A major phishing campaign observed on February 10, 2026, affected more than 29,000 users across approximately 10,000 organizations. The majority of victims were based in the United States, with key sectors including:

  • Financial services
  • Technology and software
  • Retail and consumer goods

The phishing emails falsely claimed that irregular tax filings had been made under the recipient’s Electronic Filing Identification Number (EFIN), urging them to download a fake “IRS Transcript Viewer.”

Sophisticated Delivery and Evasion Techniques

The attack chain used cloud-based email delivery services to distribute phishing messages, increasing credibility. Victims who clicked the download link were redirected to a fake website designed to mimic a trusted document platform.

To avoid detection, the phishing infrastructure used advanced filtering techniques to block automated security scanners and only deliver malicious payloads to real users. The final payload typically included a malicious version of ScreenConnect, granting attackers full remote control.

Expanding Threat Landscape Beyond IRS Phishing

This campaign is part of a broader trend where attackers are using creative tactics to deliver malware and steal data. Additional techniques observed include:

  • Fake video conferencing platforms distributing remote access software
  • Fraudulent refund websites targeting credit card information
  • Malicious software downloads disguised as popular applications
  • Abuse of legitimate cloud services to send phishing messages from trusted addresses
  • Multi-layered URL redirection to evade security detection
  • Fileless malware attacks using PowerShell and legitimate system processes

These methods demonstrate the increasing sophistication of modern cyber threats.
