Microsoft Warns IRS Phishing Hits 29,000 Users, Deploys RMM Malware
Summary:
The 2026 tax season has seen a marked escalation in cyberattack sophistication, with Microsoft Threat Intelligence identifying a high volume of campaigns that exploit the seasonal pressure of filing deadlines. These operations utilize a diverse array of delivery mechanisms, including malicious PDF "tax guides," Excel spreadsheets embedded with macros, and OneNote files that trigger malware downloads. A notable shift in 2026 is the widespread adoption of QR code phishing (Quishing), which embeds malicious links within images to bypass traditional email gateways that primarily scan text and URLs.
Furthermore, threat actors are increasingly leveraging Phishing-as-a-Service (PhaaS) platforms such as Energy365 and SneakyLog. These kits are designed to execute Adversary-in-the-Middle (AiTM) attacks, allowing attackers to intercept session cookies and bypass Multi-Factor Authentication (MFA). Once initial access is gained, attackers are frequently deploying legitimate Remote Monitoring and Management (RMM) software, specifically ScreenConnect, SimpleHelp, and AnyDesk, to establish persistent, "living-off-the-land" backdoors. While many campaigns are opportunistic, Microsoft has observed targeted efforts against accounting firms and corporate HR departments, aiming to exfiltrate W-2 data and payroll information for identity theft and Business Email Compromise (BEC) fraud.
Security Officer Comments:
These campaigns represent a significant risk to data integrity and financial security. The shift toward PhaaS-driven AiTM attacks means that standard push-notification MFA is no longer a silver bullet; attackers can now bypass these protections in real time to access sensitive financial environments. Given our broad membership across critical sectors, the primary impact is the potential for large-scale data exfiltration of employee PII and the hijacking of corporate payroll systems. We must view the abuse of legitimate RMM tools as a critical blind spot, as these tools often fly under the radar of standard antivirus solutions while providing attackers with full administrative control.
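Because the RMM tools named above are legitimate software, signature-based antivirus will not flag them; a practical way to close that blind spot is to hunt process-creation telemetry for those tools launching from user-writable directories or being spawned by a mail client, Office application or browser (the path a lure document or download would take). The following is an added example, not code from the bulletin or from Microsoft; it assumes product-name substrings identify the client binaries, that sanctioned installs live under Program Files, and runs over constructed sample log lines.

```python
"""Hunt process-creation events for ScreenConnect, SimpleHelp and AnyDesk
running from unexpected locations or parents. Added example; the log lines
below are constructed, not real telemetry."""
import re
from dataclasses import dataclass

# Assumption: the product name appears somewhere in the image path of the client binary.
RMM_PATTERN = re.compile(r"screenconnect|simplehelp|anydesk", re.IGNORECASE)
# Assumption: sanctioned deployments install under Program Files; anything else is suspect.
SANCTIONED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
# Parents that indicate the tool was launched from a lure attachment or a download.
LURE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "onenote.exe",
                "acrord32.exe", "msedge.exe", "chrome.exe"}


@dataclass
class Finding:
    line_no: int
    image: str
    reasons: list


def parse_event(line):
    """Parse 'Key=Value|Key=Value' records into a dict with lower-cased keys."""
    return {k.strip().lower(): v.strip()
            for k, v in (p.split("=", 1) for p in line.split("|") if "=" in p)}


def hunt_rmm(lines):
    """Return one Finding per RMM launch that violates either heuristic."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        image = ev.get("image", "")
        if not RMM_PATTERN.search(image):
            continue                      # not one of the three RMM products
        reasons = []
        if not image.lower().startswith(SANCTIONED_DIRS):
            reasons.append("rmm binary outside Program Files")
        parent = ev.get("parentimage", "").lower().rsplit("\\", 1)[-1]
        if parent in LURE_PARENTS:
            reasons.append(f"spawned by {parent}")
        if reasons:
            findings.append(Finding(n, image, reasons))
    return findings


# Constructed sample events: line 1 is a sanctioned install, 2 and 4 are suspicious.
SAMPLE_LOG = [
    r"Image=C:\Program Files (x86)\ScreenConnect Client (abc)\ScreenConnect.ClientService.exe|ParentImage=C:\Windows\System32\services.exe|User=NT AUTHORITY\SYSTEM",
    r"Image=C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe|ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|User=CORP\jdoe",
    r"Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe|User=CORP\jdoe",
    r"Image=C:\Users\jdoe\Downloads\SimpleHelp-Remote-Support.exe|ParentImage=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|User=CORP\jdoe",
]

if __name__ == "__main__":
    for f in hunt_rmm(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.image} -> {'; '.join(f.reasons)}")
```

Feed it real Sysmon Event ID 1 or EDR process-creation exports in the same key=value shape, and tune SANCTIONED_DIRS to the paths your own RMM deployment actually uses.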
Suggested Corrections:
To defend against social engineering campaigns that leverage the surge in email activity during Tax Season, Microsoft recommends the following mitigation measures:
- Configure automatic attack disruption in Microsoft Defender XDR. Automatic attack disruption is designed to contain attacks in progress, limit the impact on an organization’s assets, and provide more time for security teams to remediate the attack fully.
- Enforce multifactor authentication (MFA) on all accounts, remove users excluded from MFA, and strictly require MFA from all devices in all locations at all times.
- Use the Microsoft Authenticator app for passkeys and MFA, and complement MFA with conditional access policies, where sign-in requests are evaluated using additional identity-driven signals.
- Conditional access policies can also be scoped to strengthen privileged accounts with phishing-resistant MFA.
- Enable Zero-hour auto purge (ZAP) in Office 365 to quarantine sent mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.
- Configure Microsoft Defender for Office 365 Safe Links to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow and time-of-click verification of URLs and links in email messages, other Microsoft Office applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
- Invest in advanced anti-phishing solutions that monitor and scan incoming emails and visited websites. For example, organizations can leverage web browsers like Microsoft Edge that automatically identify and block malicious websites, including those used in this phishing campaign, and solutions that detect and block malicious emails, links, and files.
- Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
https://www.microsoft.com/en-us/sec...nd-malware-campaigns-using-tax-related-lures/