Microsoft is warning of a major IRS‑themed phishing wave that hit 29,000 users in a single day, using tax‑season panic to steal credentials and deploy remote access malware.
The campaigns piggyback on the urgency of the U.S. tax season, sending emails that pretend to be refund notices, payroll forms, filing reminders, or messages from tax professionals to pressure recipients into acting quickly.
The campaigns piggyback on the urgency of the U.S. tax season, sending emails that pretend to be refund notices, payroll forms, filing reminders, or messages from tax professionals to pressure recipients into acting quickly.
According to Microsoft Threat Intelligence and Defender researchers, some lures target regular taxpayers for financial data, while others focus on accountants and professionals who routinely handle sensitive tax documents and are used to receiving legitimate tax‑related mail.Many of these messages direct users either to phishing pages built on Phishing‑as‑a‑Service platforms like the Energy365 kit or to downloads that silently install remote monitoring and management (RMM) tools.
In one large campaign unearthed on February 10, 2026, more than 29,000 users across 10,000 organizations were targeted in just a day, with about 95% of victims located in the U.S. The emails impersonated the Internal Revenue Service and claimed that irregular tax returns had been filed under the recipient’s Electronic Filing Identification Number, pushing them to urgently review those returns. Sectors hit hardest included financial services, technology and software, and retail and consumer goods, reflecting the high value of the data and access that successful compromises could deliver to attackers.
Victims were instructed to download a supposed “IRS Transcript Viewer” via a button labeled “Download IRS Transcript View 5.1,” which actually redirected to smartvault[.]im, a domain posing as legitimate document platform SmartVault. The site used Cloudflare protections so that automated scanners saw a benign front, while real users received a maliciously packaged ScreenConnect installer that gave attackers remote access to their systems. Once installed, this RMM tooling enabled data theft, credential harvesting, and further post‑exploitation such as lateral movement or deploying additional malware.
Microsoft also highlights related tax‑themed tactics: CPA‑style lures tied to the Energy365 phishing kit, bogus tax‑themed domains that push ScreenConnect, and cryptocurrency‑tax emails that impersonate the IRS and distribute ScreenConnect or SimpleHelp via malicious domains like “irs-doc[.]com” and “gov-irs216[.]net.” In some cases, attackers emailed accountants and organizations asking for help filing taxes, then funneled them to Datto RMM installers under the guise of sharing documentation. Collectively, these methods show a trend of abusing legitimate RMM platforms for stealthy, persistent access instead of relying solely on traditional malware.
To defend against these threats, Microsoft advises organizations to enforce two‑factor authentication on all accounts, implement conditional access policies, and harden email security to better scan attachments, links, and visited websites. They also recommend blocking access to known malicious domains, monitoring networks and endpoints for unauthorized RMM tools like ScreenConnect, Datto, and SimpleHelp, and educating users—especially finance and tax staff—on spotting urgent, tax‑t
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: