Microsoft warns IRS phishing campaign hits 29k, deploying remote malware
Farah Amod
April 13, 2026
Tax season is being used as cover for a wave of credential theft and remote access attacks targeting professionals across financial services, healthcare, and technology.
What happened
Microsoft has warned of multiple phishing campaigns exploiting the US tax season to steal credentials and install malware on victim devices. According to The Hacker News, attackers are sending emails disguised as IRS refund notices, payroll forms, filing reminders, and requests from tax professionals to trick recipients into opening malicious attachments, scanning QR codes, or clicking suspicious links. Some campaigns direct victims to credential-harvesting pages built on phishing-as-a-service (PhaaS) platforms. Others deliver legitimate remote monitoring and management (RMM) tools, software ordinarily used by IT departments to manage devices remotely, giving attackers persistent, hidden access to compromised systems. The Microsoft Threat Intelligence and Microsoft Defender Security Research teams documented the activity in a report published in March 2026, noting that campaigns specifically target accountants and financial professionals who regularly handle sensitive documents and are accustomed to receiving tax-related emails at this time of year.
Going deeper
One of the largest single incidents identified by Microsoft occurred on February 10, 2026, when more than 29,000 users across 10,000 organizations were targeted in a coordinated campaign. Approximately 95 percent of targets were located in the United States, with financial services accounting for 19 percent of victims, followed by technology and software at 18 percent, and retail and consumer goods at 15 percent. In that campaign, emails impersonating the IRS claimed that irregular tax returns had been filed under the recipient's Electronic Filing Identification Number (EFIN) and instructed them to download a purported IRS Transcript Viewer. The emails were sent through Amazon Simple Email Service, a legitimate cloud mailing platform, and directed recipients to a domain masquerading as SmartVault, a well-known document management platform. The download delivered a maliciously packaged version of ConnectWise ScreenConnect, an RMM tool that granted attackers remote access to compromised devices and enabled credential harvesting and further post-exploitation activity. Other campaigns used QR code lures to target approximately 100 organizations in manufacturing, retail, and healthcare, directing victims to fake Microsoft 365 sign-in pages designed to capture both passwords and two-factor authentication codes.
What was said
The Microsoft Threat Intelligence and Microsoft Defender Security Research teams stated in their report that "many campaigns target individuals for personal and financial data theft, but others specifically target accountants and other professionals who handle sensitive documents, have access to financial data, and are accustomed to receiving tax-related emails during this period." The report was published in March 2026 and documented multiple concurrent tax-themed attack campaigns observed across the United States.
In the know
The abuse of RMM tools in phishing campaigns has been documented across multiple concurrent attack chains. According to The Hacker News, a separate campaign identified in January 2026 used fake event invitation emails to steal victim credentials and then used those credentials to install LogMeIn, a legitimate RMM platform, establishing persistent backdoor access to compromised systems. Researchers described the tactic as turning legitimate software into a "skeleton key" by weaponizing tools that IT teams already trust, making detection much harder. In that campaign, attackers registered with the RMM provider using the stolen email address to generate access tokens, then deployed the software silently through a signed executable that established hidden scheduled tasks to ensure the tool relaunched even if manually closed.
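The persistence pattern described above (an RMM client dropped under a user profile and kept alive by a hidden, frequently repeating scheduled task) is detectable from the task-creation events most endpoints already log, even though the binary itself is signed and trusted. The following is an added example and not code from the article, from Microsoft, or from any RMM vendor: it triages constructed task-creation records using a simplified JSON shape of this example's own devising (Windows logs task creation as Security event 4698 when task auditing is enabled, but the field names below are assumptions, not the Windows schema), and the RMM keyword list and path prefixes are assumptions to be replaced with your own software inventory.

```python
"""Triage scheduled-task creation events for signs of RMM persistence.

Added example, not code from the Paubox article or Microsoft's report.
The records below are constructed. Field names are this example's own
simplified shape, not the Windows event schema.
"""
from typing import Iterable, List

# Keyword heuristic for the RMM products named in the article. Assumed values:
# build the real list from your software inventory and vendor documentation.
RMM_KEYWORDS = ("screenconnect", "connectwise", "logmein")

# Where a sanctioned, IT-deployed install normally lives (paths normalised to '/').
TRUSTED_PREFIXES = ("c:/program files/", "c:/program files (x86)/")

# Locations a phished user can write to without admin rights, which is what
# portable RMM executables rely on (see the CISA advisory cited in the article).
USER_WRITABLE_PREFIXES = ("c:/users/", "c:/programdata/", "c:/windows/temp/")

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Benign built-in Windows task.
    {"task_name": "\\Microsoft\\Windows\\UpdateOrchestrator\\Refresh",
     "command": "C:\\Windows\\System32\\usoclient.exe",
     "hidden": False, "repeat_minutes": None, "author": "NT AUTHORITY\\SYSTEM"},
    # The pattern from the article: RMM client under a user profile, hidden,
    # re-run every few minutes so it comes back if the user closes it.
    {"task_name": "\\UpdateCheck",
     "command": "C:\\Users\\jdoe\\AppData\\Roaming\\TaxTools\\ScreenConnect.ClientService.exe",
     "hidden": True, "repeat_minutes": 5, "author": "CORP\\jdoe"},
    # Sanctioned IT deployment of the same product class: same binary name,
    # but installed where IT installs things and not hidden.
    {"task_name": "\\LogMeIn\\Maintenance",
     "command": "C:\\Program Files (x86)\\LogMeIn\\x64\\LogMeIn.exe",
     "hidden": False, "repeat_minutes": None, "author": "CORP\\it-admin"},
    # Unknown binary carrying the lure's name, with the same persistence shape.
    {"task_name": "\\Vault\\Sync",
     "command": "C:\\Users\\jdoe\\Downloads\\IRS_Transcript_Viewer.exe",
     "hidden": True, "repeat_minutes": 5, "author": "CORP\\jdoe"},
]


def assess_task(event: dict) -> dict:
    """Return the event plus a 'reasons' list and a 'severity' of none/low/medium/high.

    The point of the scoring is that the RMM binary alone is not the signal;
    the install location, task visibility and relaunch interval are.
    """
    path = event["command"].lower().replace("\\", "/")
    reasons = []
    is_rmm = any(k in path for k in RMM_KEYWORDS)
    in_trusted = path.startswith(TRUSTED_PREFIXES)
    in_user_writable = path.startswith(USER_WRITABLE_PREFIXES)
    repeat = event.get("repeat_minutes")
    relaunches = repeat is not None and repeat <= 15

    if is_rmm:
        reasons.append("rmm_binary")
    if is_rmm and not in_trusted:
        reasons.append("rmm_outside_trusted_install_path")
    if in_user_writable:
        reasons.append("binary_in_user_writable_path")
    if event.get("hidden"):
        reasons.append("hidden_task")
    if relaunches:
        reasons.append("short_repeat_interval")

    if "rmm_outside_trusted_install_path" in reasons:
        severity = "high"
    elif in_user_writable and (event.get("hidden") or relaunches):
        severity = "medium"
    elif reasons:
        severity = "low"
    else:
        severity = "none"
    return {**event, "reasons": reasons, "severity": severity}


def triage(events: Iterable[dict]) -> List[dict]:
    """Return only events worth an analyst's attention, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    hits = [h for h in (assess_task(e) for e in events) if h["severity"] != "none"]
    return sorted(hits, key=lambda h: order[h["severity"]])


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit['severity']:6} {hit['task_name']:26} {hit['command']}  "
              f"[{', '.join(hit['reasons'])}]")
```

The sanctioned LogMeIn task scores low rather than zero on purpose: an analyst still wants an inventory of every RMM product present, because the CISA advisory's point is that a second copy of an already-approved tool is the hardest one to notice.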
The big picture
The use of legitimate RMM tools as attack infrastructure has been a recognized and growing threat for several years. A joint advisory from CISA, the NSA, and MS-ISAC, reported by BleepingComputer, warned that attackers were exploiting RMM software for malicious purposes after the same tactic was used to compromise multiple US federal civilian agency networks. CISA noted that portable RMM executables allow attackers to gain access as a local user without requiring administrative permissions or a full installation, bypassing standard software controls. The tax-season campaigns documented by Microsoft show the tactic has become routine across sectors, including healthcare. According to Paubox's Top 3 Healthcare Email Attacks in 2025, phishing-driven mailbox takeovers exposed more than 630,000 individuals in 2025, making credential theft the most damaging email attack type by patient impact, with healthcare breaches carrying an average cost of $7.4 million according to IBM.
FAQs
What is an RMM tool, and why are attackers using them?
Remote monitoring and management (RMM) tools are legitimate software platforms used by IT departments to remotely access, monitor, and manage devices. Attackers abuse them because they are signed, trusted applications that security tools typically do not flag as threats, making them effective for maintaining persistent, hidden access to compromised systems.
How did attackers use Amazon Simple Email Service in this campaign?
Sending phishing emails through a legitimate cloud email platform allows messages to pass standard authentication checks, reducing the likelihood that security filters will block or flag the email before it reaches the recipient.
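The catch in the answer above is that SPF and DKIM passing only proves the message came from the relay (here, Amazon SES) and that the relay's domain signed it; nothing about those results vouches for the domain the recipient sees in the From: header. What a gateway must check is whether the domain that authenticated aligns with the From: domain, which is the rule DMARC applies. The following is an added example, not code from the article, from Microsoft, or from Amazon: it re-implements that alignment comparison over raw Authentication-Results headers using only Python's standard library. The two messages are constructed, with reserved `.example` domains, and the relaxed-alignment helper is a simplification of DMARC's public-suffix logic.

```python
"""Compare the domain a message authenticated as with its visible From: domain.

Added example, not code from the Paubox article. Sample messages are
constructed; `.example` domains are reserved and not real senders.
"""
import email
import re
from email.utils import parseaddr

# Constructed: a relay-sent message where SPF and DKIM pass for the relay's
# domain but the visible From: domain is something else entirely.
PHISH_MSG = """\
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=0100019000abc-000@amazonses.com; dkim=pass header.i=@amazonses.com header.d=amazonses.com
From: "IRS e-File Services" <refunds@irs-efin-notice.example>
To: accountant@corp.example
Subject: Notice regarding your EFIN
Content-Type: text/plain

(body omitted)
"""

# Constructed: the same relay, but the sender set up a custom MAIL FROM and
# DKIM key on its own domain, so the authenticated domain aligns with From:.
LEGIT_MSG = """\
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=bounce@mail.taxdocs.example; dkim=pass header.d=taxdocs.example
From: "TaxDocs" <notify@taxdocs.example>
To: accountant@corp.example
Subject: A document was shared with you
Content-Type: text/plain

(body omitted)
"""

_DOMAIN_RE = re.compile(
    r"(?:smtp\.mailfrom|header\.d|header\.i)=(?:[^\s@]*@)?([A-Za-z0-9.-]+)")


def parse_auth_results(header: str) -> dict:
    """Map 'spf'/'dkim' to (verdict, authenticated domain) from Authentication-Results."""
    results = {}
    # The first clause is the authserv-id; each later clause is one method.
    for clause in header.split(";")[1:]:
        m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        method, verdict = m.groups()
        dom = _DOMAIN_RE.search(clause)
        results[method] = (verdict.lower(), dom.group(1).lower() if dom else None)
    return results


def org_aligned(auth_domain, from_domain: str) -> bool:
    """Relaxed alignment: equal, or one is a subdomain of the other.

    Real DMARC compares organizational domains via the Public Suffix List;
    the subdomain test here is a simplification that is good enough to
    show the idea.
    """
    if not auth_domain or not from_domain:
        return False
    return (auth_domain == from_domain
            or auth_domain.endswith("." + from_domain)
            or from_domain.endswith("." + auth_domain))


def assess_message(raw: str) -> dict:
    """Return alignment verdict and flags for one RFC 5322 message."""
    msg = email.message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    spf_verdict, spf_domain = auth.get("spf", ("none", None))
    dkim_verdict, dkim_domain = auth.get("dkim", ("none", None))

    spf_aligned = spf_verdict == "pass" and org_aligned(spf_domain, from_domain)
    dkim_aligned = dkim_verdict == "pass" and org_aligned(dkim_domain, from_domain)
    flags = []
    if not (spf_aligned or dkim_aligned):
        flags.append("from_domain_not_authenticated")
    # Brand check on the display name, the part most mail clients show first.
    if re.search(r"\b(irs|internal revenue)\b", display, re.I) and not from_domain.endswith("irs.gov"):
        flags.append("display_name_impersonates_irs")
    return {
        "from_domain": from_domain,
        "authenticated_as": sorted({d for d in (spf_domain, dkim_domain) if d}),
        "aligned": spf_aligned or dkim_aligned,
        "flags": flags,
    }


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_MSG), ("legit", LEGIT_MSG)):
        print(label, assess_message(raw))
```

The useful outcome is not a block/allow decision by itself but the `authenticated_as` field: "passed as amazonses.com, claims to be irs-efin-notice.example" is the one-line explanation that tells a reviewer why an otherwise clean-looking message deserves quarantine.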
Why does tax season create increased phishing risk?
The urgency and familiarity of tax-related communications make recipients more likely to act quickly without verifying the sender. Attackers exploit time pressure and the expectation of official correspondence during filing season to increase the success rate of credential theft campaigns.
What industries were most affected by the February 2026 campaign?
Financial services accounted for 19 percent of targeted organizations, followed by technology and software at 18 percent, and retail and consumer goods at 15 percent. Healthcare organizations were also targeted in separate QR code campaigns documented in the same Microsoft report.