Tax Season Phishing Alert: Microsoft Warns 29,000 Users Targeted with IRS Lures
Tax Season Phishing: What Houston Businesses Should Check This Week – Practical Steps to Protect Your Business from Tax Season Credential Theft
Attackers are weaponizing legitimate IT tools to gain persistent access to business networks - and tax season is the bait.
On March 19, 2026, Microsoft Threat Intelligence published a detailed analysis of multiple phishing campaigns targeting U.S. businesses and individuals during the 2026 tax filing season. One campaign alone reached approximately 29,000 users in a single day. For Houston businesses already juggling year-end financials and compliance deadlines, this is a direct and immediate threat to your cybersecurity posture.
What makes these campaigns different from typical phishing attempts is the payload. Rather than dropping traditional malware, attackers are installing legitimate remote monitoring and management (RMM) tools - the same software your IT department might use - to quietly take control of compromised systems. Your security tools are less likely to flag a recognized IT application, which is exactly what the attackers are counting on.
CinchOps is a managed IT services provider based in Katy, Texas, serving small and mid-sized businesses across the Houston metro area. CinchOps specializes in cybersecurity, network security, managed IT support, VoIP, and SD-WAN for businesses with 10-200 employees.
Microsoft's Threat Intelligence team tracked several distinct but overlapping campaigns between January and March 2026, all exploiting tax season anxiety. The campaigns share a common playbook: send urgently worded emails that look like they're from the IRS or a tax preparer, then either harvest credentials through fake sign-in pages or trick users into installing remote access software.
The scale is significant. One IRS-impersonation campaign hit roughly 29,000 mailboxes in a single day, targeting organizations across every major industry vertical. The emails impersonated the IRS, claiming potentially irregular tax returns had been filed under the recipient's Electronic Filing Identification Number (EFIN). Recipients were told to review returns by downloading a fake "IRS Transcript Viewer."
To boost credibility, the attackers rotated across 14 different IRS-themed sender display names and at least 49 different email subject lines. This rotation is designed to slip past email security systems that rely on matching known malicious patterns. The emails were sent through Amazon Simple Email Service, a legitimate platform that many businesses use for outbound email - another layer of camouflage.
Two major phishing-as-a-service (PhaaS) platforms powered these campaigns: Energy365 and SneakyLog (also called Kratos). Energy365 alone is responsible for hundreds of thousands of malicious emails every day, according to Microsoft's telemetry. SneakyLog has been active since early 2025 and specializes in harvesting both credentials and two-factor authentication codes, which means even MFA-protected accounts aren't automatically safe.
| Date | Campaign | Scale |
|---|---|---|
| Jan - Feb | Tax-themed domains registered using keywords like "tax" and "1099form," impersonating legitimate tax filing companies | Preparation |
| Feb 5-6 | CPA lure campaign via Energy365 PhaaS - Excel and OneNote attachments targeting financial services, education, consulting | Hundreds of emails |
| Feb 8-10 | Tax Form 1099-R campaign delivers ScreenConnect RMM tool via malicious executables across multiple U.S. industries | Hundreds + RMM |
| Feb 10 | W-2 QR code campaign via SneakyLog PhaaS targets manufacturing, retail, healthcare - steals M365 credentials + 2FA | ~100 organizations |
| Feb 23 + 27 | Cryptocurrency 1099 campaign abuses Eventbrite to impersonate IRS - targets higher education with ScreenConnect and SimpleHelp | Thousands of emails |
| March | IRS Transcript Viewer campaign - 14 sender identities, 49 subject lines, sent via Amazon SES, Cloudflare bot protection, ScreenConnect payload | 29,000 in one day |
Microsoft documented at least four distinct attack chains operating simultaneously. Each one targets a different slice of the business world, and each uses a slightly different lure:
- CPA and accountant lures: Emails impersonating specific accounting firms delivered Excel and OneNote attachments. The OneNote files used a real CPA's name and logo to appear legitimate. Clicking the embedded link landed victims on an Energy365 phishing page that harvested email credentials. This campaign specifically targeted financial services, education, and consulting organizations.
- W-2 and QR code lures: On February 10, 2026, roughly 100 organizations in manufacturing, retail, and healthcare received emails with the subject "2025 Employee Tax Docs." The attachment contained a personalized Word document with the recipient's name and a QR code pointing to a phishing page built on the SneakyLog platform - designed to steal Microsoft 365 credentials and 2FA codes.
- Cryptocurrency 1099 lures: Sent on February 23 and 27, several thousand emails targeted higher education organizations with the subject "IR-2026-216." The email body referenced a "Cryptocurrency Tax Form 1099" and included a URL that, when pasted into a browser, downloaded an MSI file containing either ScreenConnect or SimpleHelp remote access tools.
- IRS transcript viewer lures: The largest campaign, hitting 29,000 users, used EFIN-themed urgency to drive downloads of a fake IRS application. The downloaded package was actually a maliciously configured ScreenConnect installer that gave attackers remote access to the victim's machine.
The common thread across all four: attackers are combining social engineering with real infrastructure. Legitimate email platforms, real business names, customized documents with actual recipient data, and trusted software tools. Every layer is designed to look normal.
| Stage | CPA Lures | W-2 / QR Code | Crypto 1099 | IRS Transcript |
|---|---|---|---|---|
| Email lure | Fake accountant emails | Employee tax docs | Fake IRS crypto forms | EFIN alert scam |
| Delivery | Excel / OneNote with CPA branding | Word doc + personalized QR code | Non-clickable paste-in URL | Download button for fake app |
| Payload | Energy365 PhaaS - credential theft | SneakyLog PhaaS - credentials + 2FA | ScreenConnect / SimpleHelp RMM | ScreenConnect RMM |
| Result | Account compromise | Account + MFA compromise | Persistent remote access | Persistent remote access |
Here's the part that should make every business owner's blood pressure spike. The "malware" being deployed in these campaigns isn't really malware at all. It's ConnectWise ScreenConnect and SimpleHelp, and in related campaigns Microsoft has reported, Datto RMM - the same remote monitoring and management tools that thousands of legitimate IT departments and managed service providers use every day. Houston-area businesses rely on similar tools for routine support and maintenance.
That's what makes this attack strategy so dangerous. When your endpoint protection sees ScreenConnect running on a workstation, it doesn't raise an alarm; it's a known, signed, trusted application. But in the hands of an attacker it functions exactly like a remote access trojan: full control over the compromised machine, the ability to move across your network, and a persistent connection that survives reboots because the agent installs itself as a Windows service. The only thing that separates a malicious install from your own provider's is the relay server it reports to.
The numbers tell the story. Huntress reported that RMM tool abuse by threat actors has surged 277% year-over-year. Microsoft's own 2025 Digital Defense Report found that 79% of ransomware incidents their incident response team handled involved at least one RMM tool. ConnectWise has already revoked a specific code-signing certificate used in these tax-season campaigns due to widespread abuse.
The attackers aren't sloppy about it, either. The IRS transcript viewer campaign used Cloudflare's bot protection to screen out automated security scanners, ensuring only real human victims reached the malicious download page. Once ScreenConnect was installed, the attacker-controlled instance facilitated data theft, credential harvesting, and additional post-exploitation activity.
Is Your Business Running Unauthorized RMM Tools?
Many small businesses in Houston, Katy, and Sugar Land don't have visibility into what remote access software is running on their endpoints. If an attacker installs ScreenConnect alongside your legitimate management tools, would your team notice? This is exactly the kind of gap a proper cybersecurity assessment can identify.
Microsoft's data shows broad targeting across virtually every industry. The CPA-themed campaign focused on financial services, education, and consulting. The W-2 campaign zeroed in on manufacturing, retail, and healthcare. The cryptocurrency lure hit higher education hardest. And the 29,000-user IRS campaign spread across multiple verticals indiscriminately.
For Houston-area businesses, the implications are straightforward. If you're a CPA firm or accounting practice, your team is handling sensitive client tax data right now - making them prime targets for credential-harvesting campaigns. Law firms dealing with tax-related matters face similar exposure. Manufacturing and construction companies with administrative staff who process W-2s and 1099s are being directly targeted by the QR code campaigns.
Wealth management firms and energy services companies in the Houston metro area handle financial data that makes them attractive targets for both credential theft and the follow-on ransomware attacks that RMM tool access can enable.
The IRS also released its 2026 "Dirty Dozen" list of tax scams this month, confirming that phishing remains the top tactic criminals use during filing season. The pattern is consistent year after year - but the tools and techniques keep getting more sophisticated.
The good news is that these attacks, while sophisticated in their packaging, are preventable with the right controls. Here's where to focus your cybersecurity effort right now:
- Audit your RMM tools immediately: Know exactly which remote access tools are authorized on your network. If you find ScreenConnect, SimpleHelp, Datto, or any other RMM tool that your IT team didn't install, treat it as a potential compromise and investigate. Check for installations in non-standard directories or with renamed executables.
- Enforce phishing-resistant MFA: Standard two-factor authentication using SMS or authenticator app codes isn't enough anymore - SneakyLog relays the one-time code to Microsoft in real time and keeps the resulting session cookie. Push notifications are no better: the phishing page simply triggers the prompt and waits for the user to approve it. Only methods bound to the real site's origin count as phishing-resistant: FIDO2 hardware security keys or passkeys, Windows Hello for Business, or certificate-based authentication.
- Implement conditional access policies: Restrict sign-ins from unfamiliar locations, unmanaged devices, or suspicious IP ranges. Conditional access is one of the most effective controls against credential theft, because an adversary-in-the-middle sign-in originates from the attacker's infrastructure rather than the victim's managed device, so a policy that requires a compliant or hybrid-joined device blocks it even when the password and MFA code were captured. Pair it with sign-in risk policies so a stolen session cookie replayed from a new location forces re-authentication.
- Train your team on tax-season scams: Make sure every employee knows that the IRS never sends emails requesting downloads, clicks, or personal information. Run a simulated phishing exercise using tax-themed lures before April 15.
- Block known malicious domains: Microsoft's research identifies specific domains used in these campaigns, including ones built around keywords like "tax" and "1099form." Feed the published indicators into your DNS filter and web security gateway, and turn on the newly registered domain category most filters offer; the attackers registered their lookalikes in January and February, weeks before the waves that used them. Don't simply block every domain containing "tax" - you'll cut off legitimate preparers and the IRS itself - rely on domain age and reputation, not keywords.
- Enable zero-hour auto purge: If you're running Microsoft 365, confirm that ZAP is turned on in Defender for Office 365 (it is on by default in the anti-spam and anti-malware policies, but a custom policy can switch it off). This feature retroactively removes malicious emails from mailboxes after new threat intelligence becomes available, catching messages that initially slipped through - including ones a user has already read but not yet acted on.
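As an added example (not from Microsoft's report or CinchOps), the Exchange Online PowerShell below checks the ZAP switches in every anti-spam and anti-malware policy and turns on any that have been disabled. It assumes the ExchangeOnlineManagement module is installed and that you connect with an account holding an Exchange administrator role; the policy names it prints are whatever your tenant has.

```powershell
# Added example: verify zero-hour auto purge in every Exchange Online policy and
# re-enable it where a custom policy has switched it off.
# Assumes the ExchangeOnlineManagement module and an Exchange admin role.
Connect-ExchangeOnline

# Anti-spam policies carry the spam and phish ZAP switches...
$spamPolicies = Get-HostedContentFilterPolicy
$spamPolicies | Format-Table Name, ZapEnabled, SpamZapEnabled, PhishZapEnabled -AutoSize

# ...and anti-malware policies carry the malware ZAP switch.
$malwarePolicies = Get-MalwareFilterPolicy
$malwarePolicies | Format-Table Name, ZapEnabled -AutoSize

# Remediate: ZAP must be on in *every* policy, not only Default. A custom policy
# scoped to a group silently overrides the default for those users.
foreach ($p in $spamPolicies) {
    if (-not ($p.ZapEnabled -and $p.SpamZapEnabled -and $p.PhishZapEnabled)) {
        Write-Warning "ZAP partly disabled in anti-spam policy '$($p.Name)'; enabling."
        Set-HostedContentFilterPolicy -Identity $p.Identity `
            -ZapEnabled $true -SpamZapEnabled $true -PhishZapEnabled $true
    }
}
foreach ($p in $malwarePolicies) {
    if (-not $p.ZapEnabled) {
        Write-Warning "ZAP disabled in anti-malware policy '$($p.Name)'; enabling."
        Set-MalwareFilterPolicy -Identity $p.Identity -ZapEnabled $true
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it after any change to mail-flow or filtering policies, not just once: the policy that disables ZAP is usually one a previous admin created for a single department and forgot about.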
If your business operates in Cypress, The Woodlands, or anywhere across the Houston metro area and you're not sure whether your current IT provider is monitoring for unauthorized RMM installations, that's a gap you should close before tax season ends.
In 30 years working in IT - including time at Cisco managing enterprise security infrastructure - the pattern I see most often with small and mid-sized businesses is that phishing protection gets treated as a checkbox rather than a layered defense. These tax-season campaigns prove why that approach fails. The emails get past basic filters. The payloads look legitimate. And by the time someone notices something is wrong, an attacker has been sitting on the network for weeks.
CinchOps provides the kind of cybersecurity coverage that prevents these scenarios from turning into breach headlines:
- Endpoint monitoring and RMM auditing: We maintain visibility into every piece of software running on your managed endpoints. Unauthorized remote access tools get flagged and investigated before they can be used for lateral movement or data exfiltration.
- Advanced email security: Our email protection goes beyond basic spam filtering. We implement conditional access policies, safe links, safe attachments, and zero-hour auto purge to catch phishing emails even after delivery.
- Phishing-resistant MFA deployment: We configure and manage multi-factor authentication that can withstand adversary-in-the-middle attacks like those used by SneakyLog and Energy365.
- Security awareness training: Regular, targeted training and simulated phishing exercises that use current, real-world lures - including tax-season scenarios - to keep your team sharp.
- 24/7 threat monitoring: Our managed detection and response capabilities mean suspicious activity gets investigated in real time, not the next business day.
- Incident response planning: If a phishing email does get through, we ensure your business has a tested, documented response plan that limits damage and accelerates recovery.
The businesses we work with across Houston, Katy, Sugar Land, and Fulshear don't have to wonder whether someone on their team accidentally installed a backdoor through a fake IRS email. We're already watching for it.
What is an RMM tool and why are attackers using them?
A remote monitoring and management (RMM) tool is software used by IT departments and managed service providers to remotely access and manage computers. Attackers deploy RMM tools like ScreenConnect and SimpleHelp because they are trusted applications that most security software won't flag as malicious. This lets attackers maintain persistent access to compromised systems while blending in with normal IT operations.
How can I tell if a tax-related email is a phishing attempt?
The IRS never initiates contact via email, text, or social media to request personal or financial information. Any email claiming to be from the IRS that asks you to click a link, download a file, or provide credentials is fraudulent, and an unexpected email from a "tax preparer" deserves the same suspicion. Check the sender domain carefully, hover over links before clicking, never paste a URL from an email into your browser, and verify any unexpected tax communication by phoning your accountant or going to the IRS directly through its official website at irs.gov.
My business uses ScreenConnect for IT support - should I be worried?
If ScreenConnect was installed by your authorized IT provider, that installation is legitimate. The concern is unauthorized installations - instances of ScreenConnect or other RMM tools that appear on workstations without your IT team's knowledge. Ask your IT provider to audit all RMM installations across your environment and verify that each one connects to known, authorized servers. Any unrecognized instance should be treated as a potential compromise.
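The audit this answer recommends (and the RMM audit step in the checklist above) can be scripted. The PowerShell below is an added example, not code from Microsoft or CinchOps: it enumerates Windows services for ScreenConnect and SimpleHelp agents, extracts the relay host from ScreenConnect's service command line, looks for copies dropped outside Program Files, and flags anything not on your allowlist. The `$AuthorizedRelays` value is a placeholder; the match on ScreenConnect's `h=` parameter and on the binaries' ProductName reflects how current installers behave, but confirm it against your own provider's install before relying on it.

```powershell
# Added example: inventory ScreenConnect and SimpleHelp on a Windows endpoint and
# flag any instance whose relay host is not one of yours. Run elevated on each host.
# ASSUMPTION: $AuthorizedRelays is a placeholder; replace with your provider's real relay host(s).
$AuthorizedRelays = @('support.example-msp.com')

$findings = foreach ($svc in Get-CimInstance Win32_Service) {
    $path = $svc.PathName
    if ([string]::IsNullOrEmpty($path)) { continue }

    # ScreenConnect's client service keeps its connection parameters in the service
    # command line; h= is the relay host the agent phones home to.
    if ($svc.Name -like 'ScreenConnect Client*' -or $path -match 'ScreenConnect\.ClientService\.exe') {
        $relay = if ($path -match '[?&]h=([^&"\s]+)') { $Matches[1] } else { '(unknown)' }
        [pscustomobject]@{
            Tool       = 'ScreenConnect'
            Service    = $svc.Name
            State      = $svc.State
            Relay      = $relay
            Path       = $path
            Authorized = ($AuthorizedRelays -contains $relay)
        }
    }
    # SimpleHelp's agent lives under a JWrapper directory and stores its server in
    # config files beside the binary, so report the path and verify the server by hand.
    elseif ($path -match 'JWrapper-Remote Access|SimpleHelp') {
        [pscustomobject]@{
            Tool       = 'SimpleHelp'
            Service    = $svc.Name
            State      = $svc.State
            Relay      = '(check the Remote Access config under this path)'
            Path       = $path
            Authorized = $false   # unverified until the server is confirmed
        }
    }
}

# Catch copies outside Program Files (e.g. %APPDATA% or %TEMP%) with a renamed
# executable: the embedded ProductName survives a rename even when the filename does not.
$looseBinaries = Get-ChildItem -Path $env:ProgramData, $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP `
        -Recurse -Include *.exe -ErrorAction SilentlyContinue |
    Where-Object { $_.VersionInfo.ProductName -match 'ScreenConnect|SimpleHelp' } |
    Select-Object FullName, @{ n = 'Product'; e = { $_.VersionInfo.ProductName } }, LastWriteTime

$findings      | Format-Table -AutoSize
$looseBinaries | Format-Table -AutoSize

if ($findings | Where-Object { -not $_.Authorized }) {
    Write-Warning 'RMM service found that does not report to an authorized relay; treat this host as potentially compromised.'
}
```

Two caveats: an attacker who installs ScreenConnect pointing at your provider's own relay (after compromising that provider) will pass the allowlist check, so also reconcile the session list in your ScreenConnect console against the hosts it should contain; and a service that is stopped or set to manual start still counts as a finding, since it can be restarted on demand.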
Does multi-factor authentication protect against these attacks?
Standard MFA provides a layer of protection, but the SneakyLog phishing platform used in these campaigns is specifically designed to capture two-factor authentication codes in real time. Phishing-resistant MFA methods - such as FIDO2 hardware security keys, Windows Hello for Business, or certificate-based authentication - provide stronger protection because they can't be intercepted by adversary-in-the-middle phishing pages.
What should a Houston business do if an employee clicked a suspicious tax email?
Act immediately. Disconnect the affected device from the network, then, from a separate clean device, disable the account, revoke all active sessions and refresh tokens, and reset the user's credentials - a password reset alone leaves a stolen session cookie valid. Check the device for newly installed remote access software and look for MFA methods or registered devices the attacker may have added for persistence. Contact your IT provider or a cybersecurity incident response team to assess whether lateral movement occurred. For Houston businesses without an incident response plan, CinchOps offers complimentary security assessments to identify exposure and build a response framework.
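As an added example of the identity side of that response (not Microsoft's or CinchOps's code), the Microsoft Graph PowerShell below disables the account, revokes sessions, rotates the password and lists the MFA methods and registered devices to review. The UPN and the permission scopes are placeholder assumptions, and isolating the endpoint is left to your EDR; the script covers only the account.

```powershell
# Added example: first-hour identity containment for a user who clicked a tax-themed lure.
# Assumes the Microsoft.Graph PowerShell SDK and an admin account able to consent to
# the scopes below (ASSUMPTION: these scopes suffice for the calls used here).
$Upn = 'jane.doe@example.com'   # placeholder, replace with the affected user

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All'

# 1. Block sign-in first so the attacker cannot open a new session while you work.
Update-MgUser -UserId $Upn -AccountEnabled:$false

# 2. Revoke refresh tokens and sessions. A password reset alone is not enough: an AiTM
#    kit such as SneakyLog keeps the session cookie, which stays valid until revoked.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 3. Reset the password from this clean admin session and force a change at next sign-in.
$newPassword = -join ((48..57 + 65..90 + 97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $Upn -PasswordProfile @{
    Password                      = $newPassword
    ForceChangePasswordNextSignIn = $true
}

# 4. Review what the attacker may have added for persistence: extra MFA methods
#    (a second phone number or authenticator) and newly registered devices.
Get-MgUserAuthenticationMethod -UserId $Upn | Format-List
Get-MgUserRegisteredDevice -UserId $Upn | Select-Object Id, AdditionalProperties | Format-List

# 5. Re-enable only after the endpoint has been checked for unauthorized RMM installs
#    and any attacker-added MFA method or device has been removed.
# Update-MgUser -UserId $Upn -AccountEnabled:$true
```

Step 2 invalidates tokens tenant-wide for that user, so the legitimate user's phone and laptop will be signed out too; hand the new password to them out of band, never by email to the compromised mailbox.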
Sources
- Microsoft Security Blog - When Tax Season Becomes Cyberattack Season: Phishing and Malware Campaigns Using Tax-Related Lures (March 19, 2026)
- The Hacker News - Microsoft Warns IRS Phishing Hits 29,000 Users, Deploys RMM Malware (March 23, 2026)
- Microsoft 2025 Digital Defense Report - 79% of ransomware cases involving RMM tools
- Microsoft Security Blog - Signed Malware Impersonating Workplace Apps Deploys RMM Backdoors (March 3, 2026)