Microsoft has issued a security warning about a large-scale phishing campaign exploiting the U.S. tax season, impacting over 29,000 users across 10,000 organizations. The attack uses IRS-themed emails to steal credentials and deploy remote monitoring and management (RMM) malware, posing serious risks to enterprises and individuals.
Massive IRS Phishing Campaign Targets Enterprises
According to Microsoft Threat Intelligence, the campaign primarily targeted organizations in the United States, with 95% of victims located in that country. The affected sectors include:
- Financial services (19%)
- Technology and software (18%)
- Retail and consumer goods (15%)
The phishing emails impersonated the Internal Revenue Service (IRS), claiming that suspicious tax returns had been filed under the recipient’s Electronic Filing Identification Number (EFIN). Victims were urged to download a tool labeled “IRS Transcript Viewer” to review the issue.
RMM Malware Delivered via Phishing
Once users interacted with the malicious link, they were redirected to a fake website mimicking a legitimate document-sharing platform. The site delivered a malicious version of ScreenConnect, a legitimate remote access tool abused by attackers.
This allowed threat actors to:
- Gain persistent remote access
- Steal credentials and sensitive data
- Execute further attacks within compromised systems
Attackers also leveraged tools like Datto and SimpleHelp in similar campaigns to expand access across networks.
Phishing-as-a-Service Platforms Drive Attacks
The campaign utilized advanced phishing kits and services, including:
- Energy365 phishing kit, sending hundreds of thousands of emails daily
- SneakyLog (Kratos) platform targeting Microsoft 365 credentials and 2FA codes
These phishing-as-a-service (PhaaS) platforms enable attackers to scale operations quickly and target both individuals and organizations.
Multiple Attack Techniques Observed
Microsoft identified several tactics used across campaigns:
- Fake IRS emails and tax-related lures
- QR code phishing targeting enterprise users
- Malicious domains distributing fake tax forms
- Fake login pages mimicking Microsoft 365
- Email delivery via Amazon Simple Email Service (SES)
The phishing infrastructure also used Cloudflare to block automated detection systems, ensuring only real users received the malware payload.
Rising Abuse of Legitimate Tools
A key trend highlighted in the report is the growing misuse of legitimate software for malicious purposes. RMM tools like ScreenConnect, Datto, and SimpleHelp are increasingly used by attackers because they:
- Appear legitimate to security systems
- Enable long-term persistence
- Allow full remote control of infected systems
Security researchers noted that abuse of such tools has increased significantly, making detection more difficult.
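Because the RMM clients described above are legitimate, signed software, detection has to rest on context rather than on the binary itself: which product it is, which relay it points at, where it runs from, and what launched it. The following is an added example (not code from the article or from Microsoft) that applies those checks to constructed process-creation telemetry. The image-path patterns, the approved relay host rmm.corp.example, the placeholder hosts and the attacker relay name are all assumptions made for the example.

```python
import re
from collections import namedtuple

# Assumed image-path patterns for the RMM clients the article names; real
# rules should use the vendors' documented binary and service names.
RMM_PATTERNS = {"ScreenConnect": re.compile(r"screenconnect", re.I),
                "Datto": re.compile(r"datto|centrastage", re.I),
                "SimpleHelp": re.compile(r"simplehelp", re.I)}
# Assumed: the org sanctions only ScreenConnect, and only via this relay host.
APPROVED_RELAYS = {"ScreenConnect": {"rmm.corp.example"}}
USER_WRITABLE = re.compile(r"\\(Downloads|Temp|AppData\\Local\\Temp)\\", re.I)
RELAY_RE = re.compile(r"[?&]h=([\w.-]+)")  # assumed: installer passes relay as h=
USER_APPS = re.compile(r"(chrome|msedge|firefox|outlook)\.exe$", re.I)

# One process-creation record from EDR/Sysmon-style telemetry.
Event = namedtuple("Event", "host user image parent cmdline")

def classify(ev):
    """Return the reasons an RMM launch looks unsanctioned, or None."""
    product = next((n for n, p in RMM_PATTERNS.items() if p.search(ev.image)), None)
    if product is None:
        return None  # not an RMM client at all
    reasons = []
    if product not in APPROVED_RELAYS:
        reasons.append(f"{product} is not an approved RMM product")
    else:
        m = RELAY_RE.search(ev.cmdline)
        relay = m.group(1) if m else None
        if relay not in APPROVED_RELAYS[product]:
            reasons.append(f"relay {relay!r} is not an approved {product} relay")
    if USER_WRITABLE.search(ev.image):
        reasons.append("binary runs from a user-writable path")
    if USER_APPS.search(ev.parent):
        reasons.append("spawned by a browser or mail client (user-initiated install)")
    return reasons or None

def scan(events):
    return [(e.host, e.user, r) for e in events if (r := classify(e))]

# Constructed sample telemetry (placeholder hosts and relay, not real IoCs).
SAMPLE = [
    Event("ws01", "it-admin", r"C:\Program Files (x86)\ScreenConnect Client (a1b2)\ScreenConnect.ClientService.exe",
          r"C:\Windows\System32\services.exe", "?e=Access&h=rmm.corp.example&p=443"),
    Event("ws02", "jdoe", r"C:\Users\jdoe\Downloads\IRS_Transcript_Viewer\ScreenConnect.ClientSetup.exe",
          r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          "?e=Access&y=Guest&h=relay.attacker-placeholder.example&p=443"),
    Event("ws03", "asmith", r"C:\Users\asmith\AppData\Local\Temp\SimpleHelp\Remote Access.exe",
          r"C:\Windows\explorer.exe", ""),
]
```

Running scan(SAMPLE) leaves the IT-deployed client alone and flags the two user-installed clients, each with every reason that applied, which is the signal an analyst needs to separate a help-desk deployment from a phishing-delivered one.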
Broader Phishing and Malware Campaigns
The findings also revealed additional ongoing threats, including:
- Fake Zoom and Google Meet pages delivering remote access tools
- Trojanized Telegram installers distributing malware
- Fake Avast refund scams targeting financial data
- Azure-based phishing emails abusing trusted domains
- Multi-layer URL obfuscation to evade detection
- Malware campaigns delivering XWorm, Remcos RAT, and NetSupport RAT
These campaigns highlight the increasing sophistication of phishing attacks worldwide.
How to Stay Protected
Microsoft recommends organizations take the following steps:
- Enforce multi-factor authentication (MFA) across all users
- Implement conditional access policies
- Monitor email traffic and suspicious links
- Block known malicious domains
- Train employees to recognize phishing attempts
Conclusion
The IRS-themed phishing campaign demonstrates how attackers exploit urgency and trust during tax season to compromise users. With over 29,000 users affected, the incident underscores the growing scale of phishing threats and the increasing use of legitimate tools for cyberattacks.
Organizations must strengthen their cybersecurity defenses to protect against evolving phishing tactics and RMM-based malware campaigns.