
Microsoft has warned of new campaigns taking advantage of the upcoming tax season in the US to harvest credentials and distribute malware.
This email campaign takes advantage of the urgent and time-sensitive nature of email to send phishing messages disguised as refund notices, payroll forms, filing reminders, or requests from tax professionals to trick recipients into opening malicious attachments, scanning QR codes, or interacting with suspicious links.
“While many campaigns target personal and financial data theft, others specifically target accountants and other professionals who handle sensitive documents, have access to financial data, and are accustomed to receiving tax-related emails at this time of year,” Microsoft Threat Intelligence and Microsoft Defender Security Research teams said in a report released last week.
Some of these efforts direct users to fraudulent pages built with Phishing-as-a-Service (PhaaS) platforms, while others deploy legitimate remote monitoring and management (RMM) tools such as ConnectWise ScreenConnect, Datto, and SimpleHelp to give attackers persistent access to compromised devices.
Some of the campaigns are detailed below:
- A certified public accountant (CPA) lure is used to distribute a phishing page tied to the Energy365 PhaaS kit in order to obtain the victim’s email address and password. The Energy365 phishing kit is estimated to send hundreds of thousands of malicious emails every day.
- QR codes and W-2 lures are used to target approximately 100 organizations, primarily in the U.S. manufacturing, retail, and healthcare industries, mimicking Microsoft 365 sign-in pages and directing users to a phishing page built with the SneakyLog (also known as Kratos) PhaaS platform to siphon credentials and two-factor authentication (2FA) codes.
- Tax-themed domains are used in phishing campaigns for the sole purpose of distributing ScreenConnect, tricking users into clicking a fake link under the pretext of accessing the latest tax forms.
- A cryptocurrency lure that specifically targets the U.S. higher education sector impersonates the Internal Revenue Service (IRS), using malicious domains (“irs-doc[.]com” or “gov-irs216[.]net”) and instructing recipients to download a “Cryptocurrency Tax Form 1099” in order to distribute ScreenConnect or SimpleHelp.
- Accountants and related organizations are targeted with emails soliciting tax assistance that carry malicious links leading to Datto installations.
Microsoft said it also observed a large-scale phishing campaign on February 10, 2026, with over 29,000 users across 10,000 organizations affected. Approximately 95% of targets were located in the United States and spanned industries such as financial services (19%), technology and software (18%), and retail and consumer goods (15%).
“The email impersonated the IRS and claimed that fraudulent tax returns may have been filed based on the recipient’s Electronic Filing Identification Number (EFIN). Recipients were instructed to download the purported genuine ‘IRS Transcript Viewer’ to view these returns,” the tech giant said.
Emails sent through Amazon Simple Email Service (SES) include a “Download IRS Transcript View 5.1” button that, when clicked, redirects the user to SmartVault[.]im, a domain masquerading as SmartVault, a popular document management and sharing platform.
The phishing site leveraged Cloudflare to keep bots and automated scanners at bay, ensuring only human users were served the main payload: a maliciously packaged ScreenConnect that gave the attackers remote access to the system and facilitated data theft, credential harvesting, and further post-exploitation activities.
To stay safe from these attacks, organizations are encouraged to enforce 2FA for all users, implement conditional access policies, monitor and scan incoming emails and visited websites, and prevent users from accessing malicious domains.
This development coincides with the discovery of several other campaigns that drop remote access malware and steal data:
- Fake Google Meet and Zoom pages lure users into fraudulent video calls and ultimately distribute remote access software such as Teramind, a legitimate employee monitoring platform, through fake software updates.
- A fraudulent Avast-branded website tricks French-speaking users into handing over their full credit card details as part of a refund scam.
- A typosquatted website impersonating the official Telegram download portal (“telegrgam[.]com”) distributes a trojanized installer that not only drops the legitimate Telegram installer but also executes a DLL responsible for launching an in-memory payload. The malware then communicates with its command-and-control infrastructure to receive instructions, download updated components, and maintain persistent access.
- Callback phishing abuses Microsoft Azure Monitor alert notifications with invoice or fraudulent payment lures. “The attacker creates a malicious Azure Monitor alert rule that includes an alert description, including fake billing details and an attacker-controlled support phone number. The victim is then added to an action group linked to the alert rule, and Azure sends a phishing message from the legitimate sender address azure-noreply@microsoft.com.”
- Phishing emails with a quote-themed lure connect to an external server to deliver a JavaScript dropper that downloads a PowerShell script, launches the trusted Microsoft application ‘Aspnet_compiler.exe’, and injects the XWorm 7.1 payload via reflective DLL injection. This updated version of the malware includes .NET-developed components designed for stealth and persistence.
- Phishing emails and ClickFix are used to trigger a fileless Remcos RAT infection chain that gains unauthorized system access and deploys additional payloads.
- Microsoft application registration redirect URIs (using “login.microsoftonline[.]com”) are embedded in phishing emails to exploit trust relationships, bypass email spam filters, and redirect users to phishing websites that capture the victim’s credentials and 2FA codes.
- Legitimate URL rewriting services from Avanan, Barracuda, Bitdefender, Cisco, INKY, Mimecast, Proofpoint, Sophos, and Trend Micro are abused to hide malicious URLs in phishing emails and evade detection. “While previous efforts typically relied on a single rewriting service, new campaigns stack already rewritten links in multiple layers,” LevelBlue said. “This nesting makes it significantly more difficult for security platforms to reconstruct the complete redirect path and identify the final malicious destination.”
- Salat Stealer or MeshAgent is delivered along with cryptocurrency miners using malicious ZIP files that impersonate a wide range of software, including artificial intelligence (AI) image generators, voice changing tools, stock market trading utilities, game mods, VPNs, and emulators. This campaign is particularly prevalent in the US, UK, India, Brazil, France, Canada, and Australia.
- A digital invitation sent via a phishing email directs the user to a fake Cloudflare CAPTCHA page that delivers VBScript, which executes PowerShell code to retrieve an evasive .NET loader called SILENTCONNECT from Google Drive and ultimately delivers ScreenConnect.
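The stacked link rewriting LevelBlue describes is something a mail-security or SOC team can counter by peeling every known wrapper layer until a non-wrapper destination is reached, and treating two or more layers as a signal in its own right. The script below is an added example written for this article, not code from Microsoft, LevelBlue, or any of the vendors named; the wrapper host suffixes, query parameter names, and the Proofpoint v2 decoding rule are my own assumptions about those products, and the nested sample URL (ending on the reserved .invalid TLD) is constructed here rather than taken from a real campaign.

```python
import re
from urllib.parse import urlparse, parse_qs, quote

# Wrapper formats this example knows how to peel. The host suffixes and parameter
# names are assumptions based on general knowledge of these products, not details
# from the article; add or correct entries for the services in your environment.
QUERY_WRAPPERS = {
    "safelinks.protection.outlook.com": "url",   # Microsoft Defender Safe Links
    "urldefense.proofpoint.com": "u",             # Proofpoint URL Defense (v2 form)
    "links.rewriter.example": "target",           # hypothetical generic rewriter
}

_PP_HEX = re.compile(r"-([0-9A-Fa-f]{2})")


def decode_proofpoint_v2(value: str) -> str:
    """Undo the assumed Proofpoint v2 'u=' encoding: '_' stands for '/', '-XX' for a hex byte."""
    value = value.replace("_", "/")
    return _PP_HEX.sub(lambda m: chr(int(m.group(1), 16)), value)


def unwrap_once(url: str):
    """Return the URL wrapped inside `url`, or None if `url` is not a known wrapper."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    for suffix, param in QUERY_WRAPPERS.items():
        if host == suffix or host.endswith("." + suffix):
            values = parse_qs(parsed.query).get(param)
            if not values:
                return None
            inner = values[0]
            if suffix == "urldefense.proofpoint.com" and parsed.path.startswith("/v2/"):
                inner = decode_proofpoint_v2(inner)
            # Only accept something that looks like an absolute http(s) URL.
            if urlparse(inner).scheme in ("http", "https") and urlparse(inner).hostname:
                return inner
            return None
    return None


def peel(url: str, max_depth: int = 10) -> list:
    """Follow the wrapper chain outside-in; returns every hop, outermost first."""
    chain = [url]
    for _ in range(max_depth):          # hard cap guards against pathological nesting
        inner = unwrap_once(chain[-1])
        if inner is None or inner == chain[-1]:
            break
        chain.append(inner)
    return chain


def assess(url: str) -> dict:
    """Summarise the redirect path: how many rewriting layers, which services, final host."""
    chain = peel(url)
    return {
        "layers": len(chain) - 1,
        "services": [urlparse(hop).hostname for hop in chain[:-1]],
        "final_url": chain[-1],
        "final_host": urlparse(chain[-1]).hostname,
        # Two or more stacked rewriting layers is the pattern the article describes.
        "stacked": len(chain) - 1 >= 2,
    }


# Constructed sample: a destination on the reserved .invalid TLD, wrapped first by a
# Proofpoint-style link and then by a Safe Links-style link. Neither link is a real
# rewritten URL; they only have the shape a stacked phishing link would have.
FINAL_DESTINATION = "https://malicious-login.invalid/verify?acct=1"
PROOFPOINT_STYLE = (
    "https://urldefense.proofpoint.com/v2/url?u="
    "https-3A__malicious-2Dlogin.invalid_verify-3Facct-3D1&d=DwMFaQ"
)
SAMPLE_NESTED_URL = (
    "https://nam02.safelinks.protection.outlook.com/?url="
    + quote(PROOFPOINT_STYLE, safe="") + "&data=05%7C01%7C"
)

if __name__ == "__main__":
    for hop in peel(SAMPLE_NESTED_URL):
        print(hop)
    print(assess(SAMPLE_NESTED_URL))
```

The peeling is purely offline string work, so it can run on every URL in an inbound message without contacting any of the rewriting services; the final host is what should be checked against reputation data, and the layer count is worth logging on its own, since a legitimately forwarded message rarely accumulates more than one rewriting layer.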
This finding comes as threat actors are increasingly adopting RMM tools, with the misuse of such tools spiking 277% year-over-year, according to a recent report published by Huntress.
“Because these tools are used by legitimate IT departments, they are typically ignored and considered ‘trusted’ in most corporate environments,” said Elastic Security Labs researchers Daniel Stepanic and Salim Bitam. “Organizations must remain vigilant and audit their environments for unauthorized RMM usage.”
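The audit Elastic recommends can be started from process-creation telemetry: find executions of known RMM clients, then flag any that belong to a product the organization has not approved, that run from a user-writable directory, or that were spawned by a browser, mail client, or Office application (the signature of a phished user running a downloaded installer, as in the ScreenConnect, SimpleHelp, and Datto lures above). The script below is an added example, not code from Microsoft, Huntress, or Elastic; the executable names per product are my own assumptions that must be validated against vendor documentation, and the event lines, hostnames, users, and paths are constructed for the example.

```python
# Executable names associated with each RMM product. These indicators are assumptions
# (not from the article); validate them against vendor documentation and your own
# telemetry before relying on them.
RMM_INDICATORS = {
    "ConnectWise ScreenConnect": {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"},
    "SimpleHelp": {"remote access.exe"},
    "Datto RMM": {"cagservice.exe"},
    "MeshAgent": {"meshagent.exe"},
}

# Directory markers a phished user can write to without admin rights; an RMM binary
# running from one of these was most likely downloaded, not deployed by IT.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Parent processes that mean a person clicked something, rather than a management
# service installing an agent.
USER_DRIVEN_PARENTS = {"msedge.exe", "chrome.exe", "firefox.exe", "outlook.exe", "winword.exe", "excel.exe"}

# Constructed process-creation events: timestamp|host|user|image|parent_image.
SAMPLE_EVENTS = r"""
2026-02-10T14:02:11Z|WS-FIN-07|CORP\jdoe|C:\Program Files (x86)\CentraStage\CagService.exe|C:\Windows\System32\services.exe
2026-02-10T14:05:42Z|WS-FIN-07|CORP\jdoe|C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.ClientService.exe|C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
2026-02-10T14:09:03Z|WS-ACC-12|CORP\asmith|C:\Program Files\Mesh Agent\MeshAgent.exe|C:\Windows\System32\services.exe
2026-02-10T14:12:55Z|WS-ACC-03|CORP\bwhite|C:\Users\bwhite\Downloads\CagService.exe|C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
2026-02-10T14:15:10Z|WS-ACC-03|CORP\bwhite|C:\Windows\System32\notepad.exe|C:\Windows\explorer.exe
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> dict:
    ts, host, user, image, parent = line.split("|", 4)
    return {"time": ts, "host": host, "user": user, "image": image, "parent": parent}


def identify_rmm(image: str):
    """Return the RMM product name for an image path, or None if it is not an RMM client."""
    name = basename(image)
    for product, names in RMM_INDICATORS.items():
        if name in names:
            return product
    return None


def classify(event: dict, approved: set):
    """Return a finding dict for a suspicious RMM execution, or None."""
    product = identify_rmm(event["image"])
    if product is None:
        return None
    reasons = []
    if product not in approved:
        reasons.append(f"{product} is not an approved RMM product")
    if any(m in event["image"].lower() for m in USER_WRITABLE_MARKERS):
        reasons.append("binary executes from a user-writable directory")
    parent = basename(event["parent"])
    if parent in USER_DRIVEN_PARENTS:
        reasons.append(f"launched by {parent}, i.e. user-initiated rather than IT-deployed")
    if not reasons:
        return None
    return {"time": event["time"], "host": event["host"], "user": event["user"],
            "product": product, "image": event["image"], "reasons": reasons}


def audit(log_text: str, approved: set) -> list:
    """Run classify() over every event line; `approved` is the set of sanctioned products."""
    findings = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        finding = classify(parse_event(line), approved)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    # Constructed policy: this organization has sanctioned only Datto RMM.
    for f in audit(SAMPLE_EVENTS, {"Datto RMM"}):
        print(f"{f['time']} {f['host']} {f['user']}: {f['product']} ({f['image']})")
        for reason in f["reasons"]:
            print("   -", reason)
```

Note that even the approved product is flagged when it appears under a user's Downloads folder with Outlook as its parent: the tax-assistance lures described above lead to Datto installations, so an allowlist by product name alone would miss exactly that case.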
