During this tax season, Microsoft is alerting both individuals and companies about increased numbers of highly sophisticated phishing attacks that are aimed to take advantage of the natural sense of urgency around deadlines for filing taxes, receiving refunds, and receiving payroll documents.
Microsoft Threat Intelligence and Defends Research Teams recently published a report that highlighted many of these phishing attacks. The report outlined how attackers use both classic social engineering techniques combined with the latest technology to impersonate the IRS, tax peofessionals, etc., in order to send what appears to be legitimate e-mails that give urgency to their claims through the use of refund notices, W-2 forms, reminders to file, or the request for assistance in preparing a tax return.
Many campaigns simply aim to steal personal credentials. Others go further, specifically targeting accountants, bookkeepers, and finance professionals who routinely handle sensitive client data and are used to receiving tax-related emails this time of year.
Notable Campaign Examples
1. CPA and Energy365 PhaaS lures: Emails posing as certified public accountants direct victims to phishing pages built with the Energy365 kit, which is blasting out hundreds of thousands of malicious messages daily to harvest email and password combinations.
2. Attack on QR Code and W-2 Documents: Approximately 100 Businesses (Mainly in the Manufacturing, Retail & Healthcare Sectors) Received Targeted QR Codes & Fake W-2s That Lead to SneakyLog (Kratos) Phishing Sites That Resemble Microsoft 365 Login Pages Where Usernames/Passwords & 2FA Codes Can Be Captured.
3. The Tax-themed Domain Exploit for Providing RMM Tools: Links to Tax Form Updates Will Install Legitimate Remote Monitoring Tools (e.g. ConnectWise ScreenConnect; Datto; SimpleHelp) Providing Attackers With Ongoing Remote Access to Infected Computers. IRS impersonation with crypto twist: Emails targeting U.S. higher education institutions claimed recipients needed to download a “Cryptocurrency Tax Form 1099,” leading to domains like irs-doc[.]com that dropped ScreenConnect or SimpleHelp.
4. Accountant-targeted Datto campaign: Fraudulent requests for tax filing assistance led directly to Datto remote access tool installation.
One particularly large wave on February 10, 2026, hit more than 29,000 users across 10,000 organizations, 95% of them in the U.S. These emails impersonated the IRS, warned of “irregular tax returns” filed under the recipient’s EFIN, and tricked users into clicking a “Download IRS Transcript Viewer” button. The link took them to a Cloudflare-protected site mimicking SmartVault, which then delivered a maliciously packaged version of ScreenConnect.
Broader Trends
Microsoft also noted several related campaigns using fake Google Meet/Zoom pages, Avast-branded refund scams, typosquatted Telegram download sites, abused Azure Monitor alerts, quotation lures delivering XWorm, ClickFix tricks pushing NetSupport RAT, and multi-layered URL rewriting through legitimate security services to evade detection.
The abuse of legitimate Remote Monitoring and Management (RMM) tools has surged dramatically, up 277% year-over-year according to Huntress because these tools are trusted by IT teams and often fly under the radar when used maliciously. Some attackers even daisy-chain multiple RMM tools to make detection and remediation harder.
How to Protect Yourself and Your Organization
1. Enable multi-factor authentication (MFA) everywhere, especially on email and financial systems.
2. Use conditional access policies to limit risky sign-ins.
3. Ensure that employees should always be cautious about unexpected tax-related emails, even if they look like they are from the IRS or a client they know.
4. Before you can open attachments and/or links in an email, you should scan them. Don’t scan QR codes from unsolicited comments in emails.
5. Monitor your environment for possible unauthorized RMM tools (such as ScreenConnect, Datto, SimpleHelp, etc.).
6. Report any potentially phony tax emails to your security department or send them to [email protected].
Tax season always brings a spike in scams, but this year’s campaigns show increasing sophistication in blending urgency with trusted brands and legitimate tools. A little extra skepticism when that “urgent IRS notice” lands in your inbox could save a lot of trouble later.
Stay safe out there, filing your taxes is stressful enough without helping cybercriminals do theirs.
Source: The Hacker News