Microsoft Warns of Tax-Season Phishing Surge Targeting U.S. Organizations
Microsoft has identified a wave of phishing campaigns exploiting the U.S. tax season to steal credentials and deploy malware. Threat actors are leveraging urgent, time-sensitive lures such as fake refund notices, payroll forms, and IRS impersonations to trick recipients into interacting with malicious links, QR codes, or attachments.
The attacks disproportionately target accountants, tax professionals, and industries handling sensitive financial data, including manufacturing, retail, healthcare, and higher education. Some campaigns use Phishing-as-a-Service (PhaaS) platforms like Energy365 and SneakyLog (Kratos) to harvest credentials, including two-factor authentication (2FA) codes, via spoofed Microsoft 365 login pages. Others deploy remote monitoring and management (RMM) tools such as ConnectWise ScreenConnect, Datto, and SimpleHelp to gain persistent access to compromised systems.
Key campaigns include:
- CPA-themed phishing using the Energy365 kit, sending hundreds of thousands of malicious emails daily.
- QR code and W-2 lures targeting ~100 U.S. organizations in manufacturing, retail, and healthcare, redirecting victims to fake Microsoft 365 sign-in pages.
- IRS impersonation with cryptocurrency tax form scams, distributing ScreenConnect or SimpleHelp via domains like irs-doc[.]com.
- Datto malware delivery via fake tax-filing assistance links sent to accountants.
- A large-scale February 10, 2026, attack affecting 29,000 users across 10,000 organizations, primarily in financial services, tech, and retail. Emails, sent via Amazon SES, claimed irregular tax returns under recipients’ Electronic Filing Identification Numbers (EFINs) and directed users to a fake SmartVault site (smartvault[.]im) to download a malicious ScreenConnect installer.
The campaigns highlight a 277% year-over-year surge in RMM tool abuse, with attackers daisy-chaining multiple tools to evade detection. Since RMM software is often trusted in corporate environments, unauthorized usage can go unnoticed, complicating attribution and response efforts.
Source: https://thehackernews.com/2026/03/microsoft-warns-irs-phishing-hits-29000.html
SmartVault cybersecurity rating report: https://www.rankiteo.com/company/smartvault-corporation
SimpleHelp Ltd cybersecurity rating report: https://www.rankiteo.com/company/simplehelp-ltd
ConnectWise cybersecurity rating report: https://www.rankiteo.com/company/connectwise
Amazon cybersecurity rating report: https://www.rankiteo.com/company/amazon
Datto cybersecurity rating report: https://www.rankiteo.com/company/datto-inc
"id": "SMASIMCONAMADAT1775551328",
"linkid": "smartvault-corporation, simplehelp-ltd, connectwise, amazon, datto-inc",
"type": "Cyber Attack",
"date": "2/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '29,000 users across 10,000 organizations',
                        'industry': ['Manufacturing', 'Retail', 'Healthcare', 'Higher Education', 'Financial Services', 'Technology'],
                        'location': 'U.S.',
                        'type': 'Organizations'},
                       {'industry': ['Accounting', 'Tax Professionals'],
                        'location': 'U.S.',
                        'type': 'Individuals'}],
 'attack_vector': ['Email', 'Malicious Links', 'QR Codes', 'Malicious Attachments'],
 'data_breach': {'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (PII, Financial Data, Corporate Access)',
                 'type_of_data_compromised': ['Credentials', 'Two-Factor Authentication Codes', 'Sensitive Financial Data']},
 'date_detected': '2026-02-10',
 'description': 'Microsoft has identified a wave of phishing campaigns exploiting the U.S. tax season to steal credentials and deploy malware. Threat actors are leveraging urgent, time-sensitive lures such as fake refund notices, payroll forms, and IRS impersonations to trick recipients into interacting with malicious links, QR codes, or attachments. The attacks disproportionately target accountants, tax professionals, and industries handling sensitive financial data, including manufacturing, retail, healthcare, and higher education. Some campaigns use Phishing-as-a-Service (PhaaS) platforms like Energy365 and SneakyLog (Kratos) to harvest credentials, including two-factor authentication (2FA) codes, via spoofed Microsoft 365 login pages. Others deploy remote monitoring and management (RMM) tools such as ConnectWise ScreenConnect, Datto, and SimpleHelp to gain persistent access to compromised systems.',
 'impact': {'brand_reputation_impact': 'Potential Erosion of Trust in Tax-Related Communications',
            'data_compromised': 'Credentials (including 2FA codes), Sensitive Financial Data, Corporate Access',
            'identity_theft_risk': 'High (PII and Financial Data Exposure)',
            'operational_impact': 'Unauthorized Access to Corporate Systems, Potential Data Exfiltration',
            'systems_affected': ['Microsoft 365 Accounts', 'RMM Tools (ScreenConnect, Datto, SimpleHelp)']},
 'initial_access_broker': {'backdoors_established': 'RMM Tools (ScreenConnect, Datto, SimpleHelp)',
                           'entry_point': ['Phishing Emails', 'Malicious QR Codes', 'Fake Tax Forms'],
                           'high_value_targets': ['Accountants', 'Tax Professionals', 'Financial Services']},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Tax-season phishing campaigns are highly effective due to urgency and trust in tax-related communications. Abuse of trusted RMM tools complicates detection and attribution. Organizations must enhance monitoring for unauthorized RMM usage and educate employees on phishing risks during high-risk periods.',
 'motivation': ['Financial Gain', 'Data Theft', 'Persistent Access'],
 'post_incident_analysis': {'corrective_actions': ['Enhanced monitoring for RMM tool abuse.',
                                                   'Stronger authentication mechanisms (phishing-resistant MFA).',
                                                   'Improved employee training on phishing risks.'],
                            'root_causes': ['Exploitation of tax-season urgency and trust in tax-related communications.',
                                            'Abuse of trusted RMM tools to evade detection.',
                                            'Use of Phishing-as-a-Service platforms to scale attacks.']},
 'recommendations': ['Implement multi-factor authentication (MFA) with phishing-resistant methods (e.g., FIDO2).',
                     'Monitor for unauthorized or unusual RMM tool usage.',
                     'Conduct regular phishing awareness training, especially during tax season.',
                     'Deploy email filtering and anti-phishing solutions to detect and block malicious links/attachments.',
                     'Enforce strict verification processes for tax-related communications.',
                     'Segment networks to limit lateral movement in case of a breach.'],
 'references': [{'source': 'Microsoft Threat Intelligence'}],
 'title': 'Microsoft Warns of Tax-Season Phishing Surge Targeting U.S. Organizations',
 'type': 'Phishing, Credential Harvesting, Malware Deployment',
 'vulnerability_exploited': 'Social Engineering (Tax-Season Lures), Spoofed Login Pages, Trusted RMM Tools Abuse'}