Full Report
Microsoft has warned of fresh campaigns that are capitalizing on the upcoming tax season in the U.S. to harvest credentials and deliver malware. The email campaigns take advantage of the urgency and time-sensitive nature of emails to send phishing messages masquerading as refund notices, payroll forms, filing reminders, and requests from tax professionals to deceive recipients into opening
Analysis Summary
# Incident Report: Tax Season Phishing and RMM Malware Campaigns
## Executive Summary
Microsoft has identified several large-scale phishing campaigns leveraging the U.S. tax season to target over 29,000 users across 10,000 organizations. Attackers are using "Phishing-as-a-Service" (PhaaS) platforms and masquerading as the IRS to harvest credentials and to deploy legitimate Remote Monitoring and Management (RMM) tools for persistent access. The primary outcomes are credential theft together with interception of two-factor authentication (2FA) codes, and full system compromise through attacker-controlled remote access.
## Incident Details
- **Discovery Date:** March 19, 2026 (Report Publication)
- **Incident Date:** February 10, 2026 (Large-scale peak) and ongoing through March 2026.
- **Affected Organization:** Multiple (10,000+ organizations)
- **Sector:** Financial Services (19%), Technology (18%), Retail (15%), Manufacturing, Healthcare, and Higher Education.
- **Geography:** Primarily United States (95% of targets)
## Timeline of Events
### Initial Access
- **Date/Time:** Campaigns intensified starting February 10, 2026.
- **Vector:** Phishing via Email and QR Codes.
- **Details:** Emails sent via Amazon Simple Email Service (SES) used lures including IRS Electronic Filing Identification Number (EFIN) irregularities, W2 forms, and "Cryptocurrency Tax Form 1099."
### Lateral Movement
- **Details:** Once the victim has run the attacker's RMM installer (ConnectWise ScreenConnect, Datto, or SimpleHelp), the attacker holds an interactive session on the endpoint and can move laterally across the network and reach sensitive financial files and document management systems.
### Data Exfiltration/Impact
- **Impact:** Harvesting of Microsoft 365 credentials, 2FA codes, and sensitive tax/financial documents. Long-term persistent access established via RMM tools allows for future data theft or ransomware deployment.
### Detection & Response
- **How it was discovered:** Detected by Microsoft Threat Intelligence and Microsoft Defender Security Research teams through anomalous email volume and malicious domain tracking.
- **Response actions taken:** Microsoft issued public warnings, updated Defender definitions, and provided indicators of compromise (IOCs) for organizational blocking.
## Attack Methodology
- **Initial Access:** Phishing (Email, QR codes, malicious links).
- **Persistence:** Installation of legitimate RMM tools (ConnectWise, Datto, SimpleHelp) to bypass traditional antivirus.
- **Privilege Escalation:** Not explicitly detailed, but implied through RMM administrative capabilities.
- **Defense Evasion:** Fronting the phishing pages with Cloudflare so that automated security scanners are challenged or blocked; use of legitimate, signed RMM software to avoid detection; sending through a trusted email provider (Amazon SES) so messages pass reputation checks.
- **Credential Access:** PhaaS kits (Energy365, SneakyLog/Kratos) that serve look-alike Microsoft 365 login pages and capture both the password and the 2FA code as the victim enters them.
- **Discovery:** Reconnaissance of financial and accounting personnel.
- **Lateral Movement:** Via RMM tool suites once the endpoint is established.
- **Collection:** Targeting of sensitive tax documents and financial records.
- **Exfiltration:** Credentials entered on "SmartVault" impersonation sites are captured by the phishing infrastructure; documents are copied directly over the attacker's RMM session.
- **Impact:** System compromise and theft of PII/financial data.
## Impact Assessment
- **Financial:** High potential for fraud and theft of cryptocurrency or tax refunds.
- **Data Breach:** Exposure of EFINs, W2s, and accounting credentials.
- **Operational:** Disruption to accounting firms and tax professionals during peak filing season.
- **Reputational:** Damage to organizations whose domains or tax identities were compromised.
## Indicators of Compromise
- **Web Indicators (defanged):**
  - irs-doc[.]com
  - gov-irs216[.]net
  - smartvault[.]im
- **File Indicators:** "IRS Transcript View 5.1" (Maliciously packaged ScreenConnect installer).
- **Behavioral Indicators:** Unexpected installation of RMM tools; redirects from Amazon SES emails to Cloudflare-protected credential harvesting sites.
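The behavioral indicator above (SES-delivered mail linking to look-alike tax or document-sharing domains) can be turned into a triage rule. The following is an added example, not code from Microsoft's report: it normalizes the defanged IoCs, then scores each message on three signals (link to a listed IoC domain, an `irs` or `smartvault` brand token outside the brand's real domain, and a domain registered within the last 30 days), treating the Amazon SES envelope sender only as a weak corroborating signal because legitimate bulk senders use SES too. The pipe-delimited log format, the sample lines, and the registration-date table standing in for an RDAP/WHOIS lookup are all constructed for this example.

```python
"""Triage of mail-gateway log lines against the tax-season phishing IoCs.

Added example, not part of Microsoft's report. The log format, the sample
lines and the registration-date lookup are constructed so the script runs
offline; swap in your gateway's export and a real RDAP/WHOIS client for use.
"""
import re
from datetime import date
from urllib.parse import urlparse

# Defanged indicators as published in the report; refang once, at load time.
IOC_DOMAINS = {d.replace("[.]", ".") for d in
               ("irs-doc[.]com", "gov-irs216[.]net", "smartvault[.]im")}

# Brands impersonated in these campaigns and the only domains allowed to carry them.
BRAND_ALLOW = {"irs": {"irs.gov"}, "smartvault": {"smartvault.com"}}

# Constructed stand-in for an RDAP/WHOIS lookup: registrable domain -> registration date.
REG_DATES = {
    "irs-doc.com": date(2026, 2, 3), "gov-irs216.net": date(2026, 2, 8),
    "smartvault.im": date(2026, 1, 30), "taxdocs-portal.com": date(2026, 3, 2),
    "smartvault.com": date(2008, 5, 1), "irs.gov": date(1995, 1, 1),
}
NEW_DOMAIN_DAYS = 30
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample log: key=value fields separated by "|" (not a real gateway format).
SAMPLE_LOG = [
    "ts=2026-02-10T14:02:11Z|hdr_from=efile@irs-doc.com|mailfrom=0100019-bounce@amazonses.com"
    "|subject=EFIN irregularity notice|body=Your EFIN is flagged. Review at https://irs-doc.com/efin/review within 48 hours.",
    "ts=2026-02-11T09:15:40Z|hdr_from=docs@smartvault.im|mailfrom=bounce@amazonses.com"
    "|subject=Your accountant shared 2025 W-2 package|body=Open https://portal.smartvault.im/share/w2 to view.",
    "ts=2026-02-11T10:01:05Z|hdr_from=noreply@smartvault.com|mailfrom=bounces@smartvault.com"
    "|subject=Document ready for signature|body=Sign in at https://my.smartvault.com/inbox to continue.",
    "ts=2026-03-12T16:44:27Z|hdr_from=payroll@taxdocs-portal.com|mailfrom=payroll@taxdocs-portal.com"
    "|subject=Payroll correction form|body=Download https://taxdocs-portal.com/forms/w2c",
]


def registrable(host: str) -> str:
    """Last two labels of a hostname. Crude: ignores multi-part public suffixes
    such as co.uk; use the public suffix list (e.g. tldextract) in production."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def brand_lookalike(host: str):
    """Return the brand name if the host carries it as a whole alphabetic token
    but is not one of the brand's legitimate domains (gov-irs216.net -> 'irs')."""
    tokens = set(re.findall(r"[a-z]+", host.lower()))
    for brand, allowed in BRAND_ALLOW.items():
        if brand in tokens and registrable(host) not in allowed:
            return brand
    return None


def triage(line: str) -> dict:
    """Score one log line; verdict is block / quarantine / allow."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    seen = date.fromisoformat(fields["ts"][:10])   # domain age is judged at receipt time
    tags, reasons = set(), []

    sender_domain = fields.get("mailfrom", "").rsplit("@", 1)[-1].lower()
    if sender_domain.endswith("amazonses.com"):
        tags.add("ses")
        reasons.append("envelope sender is Amazon SES (weak signal on its own)")

    for url in URL_RE.findall(fields.get("body", "")):
        host = (urlparse(url).hostname or "").lower()
        reg = registrable(host)
        if reg in IOC_DOMAINS:
            tags.add("ioc")
            reasons.append(f"link to published IoC domain {reg}")
        brand = brand_lookalike(host)
        if brand:
            tags.add("lookalike")
            reasons.append(f"{host} uses the '{brand}' brand outside its legitimate domain")
        registered = REG_DATES.get(reg)
        if registered is not None and (seen - registered).days <= NEW_DOMAIN_DAYS:
            tags.add("new_domain")
            reasons.append(f"{reg} registered {(seen - registered).days} days before this message")

    if tags & {"ioc", "lookalike"}:
        verdict = "block"
    elif "new_domain" in tags:
        verdict = "quarantine"     # sandbox/hold for review, as the Email Filtering recommendation suggests
    else:
        verdict = "allow"
    return {"subject": fields.get("subject", ""), "verdict": verdict,
            "tags": sorted(tags), "reasons": reasons}


if __name__ == "__main__":
    for result in map(triage, SAMPLE_LOG):
        print(f"{result['verdict']:10} {result['subject']}")
        for reason in result["reasons"]:
            print(f"           - {reason}")
```

The brand check deliberately matches whole alphabetic tokens so that `first-national.com` is not flagged for containing `irs`; the price is that `myirs.com` slips through, which is why the newly-registered-domain signal and the IoC list sit alongside it rather than replacing it.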
## Response Actions
- **Containment:** Blocking of identified malicious domains at the firewall/DNS level.
- **Eradication:** Removal of RMM agents (ConnectWise, Datto, SimpleHelp) from any endpoint where corporate IT did not deploy them, including agents pointed at a relay instance the organization does not own.
- **Recovery:** Mandatory password resets and revocation of active sessions for compromised users.
## Lessons Learned
- **Key Takeaways:** Attackers are increasingly moving away from "custom" malware in favor of legitimate RMM tools which are harder for EDR solutions to flag as inherently malicious.
- **What could have been done better:** Stricter Conditional Access policies, requiring a compliant or domain-joined device or phishing-resistant authentication strength, would have denied the sign-in even after the password and 2FA code were intercepted; a location-based policy alone is weaker, since the kit's relay can sit anywhere.
## Recommendations
- **MFA Hardening:** Transition from SMS and push-based 2FA to FIDO2 security keys or passkeys, which are bound to the legitimate origin and therefore cannot be replayed by a PhaaS kit's look-alike page.
- **Application Control:** Implement allow lists for RMM tools (AppLocker or WDAC on Windows) so that only corporate-approved management software, pointed at the corporate relay instance, can execute.
- **User Awareness:** Train employees (specifically in finance and HR) to recognize that the IRS does not initiate contact by email to request personal or financial information, including anything about EFINs or cryptocurrency forms.
- **Email Filtering:** Configure mail gateways to flag or sandbox emails containing links to newly registered domains or document-sharing impersonators.
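To make the Application Control and Eradication points concrete, here is an added example (not Microsoft's code and not part of the report) of an allow-list audit run over process-creation telemetry. It takes Sysmon-style events as dictionaries, decides whether each is an RMM agent, and flags the three things the campaign relies on: an installer renamed to a lure such as "IRS Transcript View 5.1", an agent launched from a browser or mail client rather than by management tooling, and an agent whose relay host is not the corporate instance. The event field names, the sample events, the corporate relay host `control.example-corp.com`, and the assumption that the ScreenConnect agent's relay appears as an `h=` parameter in its command line are all constructed for this example; extend `RMM_MARKERS` from a maintained catalogue such as the LOLRMM project before using it on real data.

```python
"""Allow-list audit of RMM agents over Sysmon-style process-creation events.

Added example, not part of Microsoft's report. Field names, sample events and
the corporate relay host are constructed; the h= relay parameter is assumed to
be how the ScreenConnect agent carries its instance host on the command line.
"""
import re
from pathlib import PureWindowsPath

# Product-name markers for the RMM families named in the report. Order matters:
# "screenconnect" must be tested before the vendor name "connectwise".
RMM_MARKERS = ("screenconnect", "connectwise", "datto", "simplehelp")

# Policy: approved RMM family -> relay hosts the organization actually owns (constructed).
APPROVED_RELAYS = {"screenconnect": {"control.example-corp.com"}}

# Parents that mean "a user double-clicked a download", not "IT deployed an agent".
USER_LAUNCHERS = ("chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe",
                  "explorer.exe", "7zfm.exe", "winrar.exe")
RELAY_RE = re.compile(r"[?&]h=([^&\s\"']+)")

# Constructed sample telemetry, loosely modelled on Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe",
     "OriginalFileName": "ScreenConnect.ClientService.exe", "Product": "ScreenConnect",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r'"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe" '
                    r'"?e=Access&y=Guest&h=control.example-corp.com&p=443&s=a1b2c3"'},
    {"Image": r"C:\Users\jdoe\Downloads\IRS Transcript View 5.1.exe",
     "OriginalFileName": "ScreenConnect.ClientSetup.exe", "Product": "ScreenConnect",
     "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": r'"C:\Users\jdoe\Downloads\IRS Transcript View 5.1.exe" '
                    r'"?e=Access&y=Guest&h=instance-9f8e7d.screenconnect.com&p=443&s=9f8e7d"'},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\Remote Access.exe",
     "OriginalFileName": "Remote Access.exe", "Product": "SimpleHelp",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": r'"C:\Users\jdoe\AppData\Local\Temp\Remote Access.exe"'},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "Product": "Microsoft Windows Operating System",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]


def rmm_family(event: dict):
    """Return the RMM family an event belongs to, or None for non-RMM processes."""
    haystack = " ".join((event.get("Product", ""), event.get("OriginalFileName", ""),
                         event.get("Image", ""))).lower()
    for marker in RMM_MARKERS:
        if marker in haystack:
            return marker
    return None


def evaluate(event: dict) -> list:
    """Findings for one event; an empty list means the agent is policy-compliant."""
    family = rmm_family(event)
    if family is None:
        return []
    findings = []

    image_name = PureWindowsPath(event["Image"]).name.lower()
    original = event.get("OriginalFileName", "").lower()
    if original and image_name != original:
        findings.append(f"renamed binary: on disk as {image_name!r}, compiled as {original!r}")

    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    if parent in USER_LAUNCHERS:
        findings.append(f"launched interactively by {parent}, not deployed by management tooling")

    approved = APPROVED_RELAYS.get(family)
    if approved is None:
        findings.append(f"{family} is not an approved RMM product")
    else:
        match = RELAY_RE.search(event.get("CommandLine", ""))
        relay = match.group(1).lower() if match else None
        if relay not in approved:
            findings.append(f"{family} agent points at relay {relay or 'unknown'}, not a corporate instance")
    return findings


def audit(events: list) -> dict:
    """Map each flagged image path to its findings; compliant and non-RMM events are omitted."""
    return {e["Image"]: f for e in events if (f := evaluate(e))}


if __name__ == "__main__":
    for image, findings in audit(SAMPLE_EVENTS).items():
        print(image)
        for finding in findings:
            print("  -", finding)
```

The relay-host check is what separates "RMM is allowed here" from "this RMM is ours": an attacker's ScreenConnect agent is the same signed binary as the corporate one, so product name alone can never distinguish them. Blocking by publisher in AppLocker or WDAC therefore has to be paired with a check on the instance the agent connects to, which is why the audit inspects the command line rather than stopping at the product name.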