Microsoft has issued a warning about a surge in tax-themed phishing campaigns in the U.S., ahead of the 2026 tax season. Attackers are impersonating the IRS, accountants, and payroll services to steal credentials, deliver malware, and gain persistent access to corporate networks.
How the Campaign Works
The attacks leverage urgency and legitimacy in emails, using tactics such as:
- Phishing Pages via PhaaS Kits: Attackers use platforms like Energy365 and SneakyLog (Kratos) to steal Microsoft 365 credentials and two-factor authentication (2FA) codes.
- Malicious Attachments and QR Codes: Links in emails lead to malware delivery, including ScreenConnect, Datto, SimpleHelp, and other Remote Monitoring and Management (RMM) tools.
- Cryptocurrency Lures: Targeting higher education and other sectors with fake IRS “Cryptocurrency Tax Form 1099” downloads to deploy RMM malware.
- Large-Scale Targeting: A February 10, 2026 campaign affected 29,000 users across 10,000 organizations, primarily in financial services, technology, and retail. Emails directed victims to a fake SmartVault site delivering ScreenConnect.
Additional Observed Tactics
- Fake Google Meet, Zoom, Avast, and Telegram pages to install RMM or malware.
- Exploiting Microsoft Azure Monitor alert notifications to send phishing emails.
- Using multi-layer URL rewriting services so that the final phishing destination is hidden behind several redirects and evades detection by security platforms.
- Malicious ZIPs masquerading as AI tools, VPNs, or software installers to drop Salat Stealer, MeshAgent, or crypto miners.
- Delivering fileless malware, including XWorm 7.1 and Remcos RAT, through PowerShell injection via trusted Microsoft binaries.
Key Insights
- Attackers increasingly abuse legitimate RMM tools, leveraging their trusted status to maintain stealth and persistence. Huntress reports a 277% year-over-year increase in RMM abuse.
- Organizations must enforce 2FA, conditional access policies, and email monitoring, as well as audit internal systems for unauthorized RMM usage.
Recommendations
- Audit and restrict RMM tool access within corporate environments.
- Educate users on phishing signs, including IRS-themed emails and suspicious QR codes.
- Block known malicious domains and monitor traffic to untrusted sources.
- Deploy advanced email security and URL inspection tools capable of detecting chained redirections.
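The Key Insights and Recommendations above both call for auditing endpoints for unauthorized RMM usage. The following is an added example, not code from Microsoft or from the report's authors, of how a defender can run that audit over process-start telemetry: it matches image paths against the RMM products named in the advisory (ScreenConnect, Datto, SimpleHelp, MeshAgent), checks each hit against a host/product allowlist, and adds two phishing-delivery indicators (a mail client, browser or document reader as the parent process, and an install under a user-writable directory). The event line format, the host and user names, the file paths and the allowlist are all constructed assumptions for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Product names come from the advisory; the match patterns are assumptions
# (a real deployment would match on signed binary names or hashes).
RMM_SIGNATURES = {
    "ScreenConnect": re.compile(r"screenconnect", re.I),
    "Datto": re.compile(r"datto", re.I),
    "SimpleHelp": re.compile(r"simplehelp", re.I),
    "MeshAgent": re.compile(r"meshagent", re.I),
}

# Parents that mean the binary was launched from what a phishing lure reaches
# first: a mail client, browser or document reader (assumed list).
LURE_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe",
                "winword.exe", "excel.exe", "acrord32.exe"}

# Properly deployed agents live under Program Files; a user-writable location
# suggests an ad-hoc install from a download (assumed heuristic).
USER_WRITABLE = re.compile(r"\\(Downloads|AppData|Temp)\\", re.I)

# Hypothetical process-start event format:
#   "<timestamp> host=<host> user=<user> parent=<parent image> image=<full path>"
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"parent=(?P<parent>\S+) image=(?P<image>.+)$"
)

# Constructed sample telemetry; hosts, users and paths are invented.
SAMPLE_EVENTS = [
    "2026-02-10T14:03:11Z host=FIN-WS-042 user=jdoe parent=OUTLOOK.EXE "
    r"image=C:\Users\jdoe\Downloads\ScreenConnect.ClientSetup.exe",
    "2026-02-10T14:04:02Z host=FIN-WS-042 user=jdoe parent=ScreenConnect.ClientSetup.exe "
    r"image=C:\Program Files (x86)\ScreenConnect Client (1a2b3c)\ScreenConnect.ClientService.exe",
    "2026-02-10T09:15:40Z host=IT-ADMIN-01 user=svc_rmm parent=services.exe "
    r"image=C:\Program Files\Datto RMM\agent.exe",
    "2026-02-11T11:22:05Z host=HR-WS-007 user=asmith parent=chrome.exe "
    r"image=C:\Users\asmith\AppData\Local\Temp\SimpleHelp\Remote Access.exe",
    "2026-02-11T11:30:00Z host=HR-WS-007 user=asmith parent=explorer.exe "
    r"image=C:\Windows\System32\notepad.exe",
    "2026-02-12T08:00:13Z host=DEV-WS-003 user=build parent=explorer.exe "
    r"image=C:\Program Files\Mesh Agent\MeshAgent.exe",
]

# (host, product) pairs where an RMM agent is sanctioned (assumed).
DEFAULT_ALLOWLIST: Set[Tuple[str, str]] = {("IT-ADMIN-01", "Datto")}


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    product: str
    image: str
    reasons: Tuple[str, ...]


def parse_event(line: str) -> Optional[dict]:
    """Split one telemetry line into fields; None if it does not fit the format."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def identify_rmm(image: str) -> Optional[str]:
    """Return the RMM product name whose signature matches the image path."""
    for product, pattern in RMM_SIGNATURES.items():
        if pattern.search(image):
            return product
    return None


def audit_rmm_events(lines: Iterable[str],
                     allowlist: Set[Tuple[str, str]]) -> List[Finding]:
    """Flag every RMM process start that is unsanctioned or looks phishing-delivered."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # malformed line: skip rather than fail the whole audit
        product = identify_rmm(ev["image"])
        if product is None:
            continue
        reasons = []
        if (ev["host"], product) not in allowlist:
            reasons.append("not on RMM allowlist")
        if ev["parent"].lower() in LURE_PARENTS:
            reasons.append(f"launched from lure-capable parent {ev['parent']}")
        if USER_WRITABLE.search(ev["image"]):
            reasons.append("installed under a user-writable directory")
        if reasons:
            findings.append(Finding(ev["ts"], ev["host"], ev["user"],
                                    product, ev["image"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in audit_rmm_events(SAMPLE_EVENTS, DEFAULT_ALLOWLIST):
        print(f"{f.ts} {f.host} {f.user} {f.product}: {'; '.join(f.reasons)}")
```

On the sample data the sanctioned Datto agent on IT-ADMIN-01 and the unrelated notepad start produce no findings, while the ScreenConnect chain on FIN-WS-042 (Outlook parent, Downloads path) and the SimpleHelp binary on HR-WS-007 (Chrome parent, Temp path) each carry all three indicators, which is the pattern the advisory describes for the SmartVault lure. Keeping the allowlist explicit means adding a new sanctioned RMM host is a reviewed change rather than a silent one.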