Tax Season Phishing Attacks Exploit IRS Brand and Remote Access Software

CyberSecureFox

In the run-up to the US tax filing deadline, Microsoft researchers have identified a wave of tax season phishing attacks designed to steal credentials and deploy remote access malware. Threat actors are weaponizing themes such as tax refunds, filing reminders, and IRS audits to create urgency and persuade recipients to open attachments, click links, or scan QR codes.

How tax season phishing scams target individuals and tax professionals

According to Microsoft Threat Intelligence and Microsoft Defender Security Research, attackers are distributing emails that impersonate IRS refund notifications, payroll and W‑2 forms, tax filing reminders, and messages seemingly sent by tax advisors. During peak filing season, this content appears routine, which significantly increases the likelihood that recipients will overlook subtle red flags.

While some IRS phishing scams focus on individual taxpayers to steal personal and financial data, a growing share targets accountants, auditors, and tax preparers. These professionals handle sensitive financial documents, access business systems, and routinely receive legitimate tax-related correspondence. Compromising their accounts gives adversaries an immediate foothold into multiple client organizations.

To scale their operations, threat actors increasingly rely on Phishing-as-a-Service (PhaaS) platforms. These services provide ready-made, realistic phishing templates that mimic banking portals, tax services, and cloud storage logins, lowering the technical barrier for less sophisticated criminals and enabling quick, large-scale campaigns.

Major IRS impersonation campaign uses ScreenConnect for stealthy access

On 10 February 2026, Microsoft observed a large-scale IRS phishing campaign that targeted more than 29,000 users across 10,000 organizations, with about 95% of victims located in the United States. The most impacted sectors were financial services (19%), technology and software (18%), and retail/consumer goods (15%).

In this operation, phishing emails claimed that suspicious tax returns had been filed using the recipient’s Electronic Filing Identification Number (EFIN). To review these allegedly fraudulent filings, victims were urged to download a tool called “IRS Transcript Viewer.”

The messages were sent via Amazon Simple Email Service (SES), a legitimate cloud email platform. Using a reputable infrastructure provider helps phishing emails bypass basic spam filters and increases trust, because security checks often treat Amazon SES as a reliable source when SPF and DKIM are correctly configured.
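The point worth checking on the receiving side is that an SPF or DKIM "pass" vouches only for the domain that was authenticated (here the SES envelope and signing domain), not for the brand shown in the From header. The following added example, which is not code from the article or from Microsoft, parses the Authentication-Results and From headers of two constructed messages and applies DMARC-style identifier alignment; the sender addresses, IP and domains are constructed, and the organizational-domain reduction is a simplified two-label stand-in for the Public Suffix List.

```python
"""Does an SPF/DKIM pass actually vouch for the visible From domain?

Added example, not from the article. A relayed message can pass SPF and DKIM
for the relay's own domain while the From header shows an unrelated brand.
DMARC identifier alignment is the check that ties the two together.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: relayed through a cloud email service. SPF and DKIM pass
# for amazonses.com, but the From header shows a different, IRS-themed domain.
SAMPLE_RELAYED = """\
Return-Path: <bounce@amazonses.com>
Authentication-Results: mx.example.net;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=amazonses.com;
 dkim=pass header.d=amazonses.com header.i=@amazonses.com
From: "IRS e-Services" <notice@irs-efin-notice.example>
To: preparer@example.net
Subject: Suspicious returns filed with your EFIN

Download the transcript viewer to review the filings.
"""

# Constructed sample where the authenticated domains align with the From domain.
SAMPLE_ALIGNED = """\
Return-Path: <bounces@mail.example-cpa.com>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=mail.example-cpa.com;
 dkim=pass header.d=example-cpa.com
From: "Jane Doe, CPA" <jane@example-cpa.com>
To: client@example.net
Subject: Your 2025 organizer

Body.
"""


def organizational_domain(domain: str) -> str:
    """Crude organizational-domain reduction (last two labels).
    Real DMARC uses the Public Suffix List; two labels suffice for these samples."""
    labels = domain.lower().strip().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(value: str) -> dict:
    """Pull (result, domain) for SPF and DKIM out of an Authentication-Results header."""
    results = {}
    m = re.search(r"spf=(\w+)[^;]*?smtp\.mailfrom=([\w.-]+)", value)
    if m:
        results["spf"] = (m.group(1).lower(), m.group(2).lower())
    m = re.search(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)", value)
    if m:
        results["dkim"] = (m.group(1).lower(), m.group(2).lower())
    return results


def dmarc_alignment(raw_message: str) -> dict:
    """Report whether either authenticated identifier aligns with the From domain."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    aligned = {}
    for mech in ("spf", "dkim"):
        result, domain = auth.get(mech, ("none", ""))
        aligned[mech] = (
            result == "pass"
            and organizational_domain(domain) == organizational_domain(from_domain)
        )
    return {
        "from_domain": from_domain,
        "spf": auth.get("spf"),
        "dkim": auth.get("dkim"),
        "dmarc_aligned": aligned["spf"] or aligned["dkim"],
    }


if __name__ == "__main__":
    for name, sample in (("relayed", SAMPLE_RELAYED), ("aligned", SAMPLE_ALIGNED)):
        print(name, dmarc_alignment(sample))
```

A mail gateway that enforces DMARC does this automatically for domains that publish a policy; the value of running the check yourself is in triage, where "SPF: pass, DKIM: pass" in a header can be misread as proof that the IRS-branded message is genuine.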

The “Download IRS Transcript View 5.1” button redirected users to a phishing domain, smartvault[.]im, intentionally chosen to resemble the legitimate SmartVault document-sharing platform. The site was protected by Cloudflare, which filtered automated scanners and security crawlers while serving the malicious content to real users only.

Instead of a document viewer, victims downloaded a specially packaged ConnectWise ScreenConnect client. ScreenConnect is a lawful remote monitoring and management (RMM) tool commonly used by IT teams for remote support. In this case, it was repurposed to grant attackers hidden, persistent remote access to compromised systems.

Once installed, the ScreenConnect instance allowed adversaries to exfiltrate data, hijack additional user accounts, deploy more malware, and conduct broader post‑exploitation actions across the victim’s environment—while much of the activity resembled normal remote administration.

Abuse of legitimate RMM tools: a rapidly growing trend

This campaign is part of a broader shift where attackers increasingly deploy legitimate remote monitoring and management (RMM) tools, including ScreenConnect, Datto, and SimpleHelp. A recent report from Huntress notes that malicious RMM abuse has grown by 277% year over year, underscoring the appeal of “living off the land” techniques that blend into normal IT operations.

As highlighted by Elastic Security Labs and other researchers, these applications are often pre-approved and trusted within corporate environments. Endpoint security tools and monitoring teams may whitelist RMM binaries, assuming they are used only by internal IT or contracted managed service providers. This trust gap allows adversaries to masquerade as legitimate administrators, making detection significantly more difficult than with traditional malware.

This tactic aligns with broader industry data. The FBI’s Internet Crime Complaint Center (IC3) has repeatedly reported phishing as the most common cybercrime category, and many major ransomware incidents begin with seemingly benign remote access tools that have been misused or misconfigured.

Defending against tax-themed phishing and RMM-based attacks

To reduce exposure to tax season phishing attacks and RMM abuse, Microsoft recommends enabling multi-factor authentication (MFA) for all users, prioritizing administrative, finance, and accounting accounts. Conditional access policies should restrict logins from anomalous devices, unfamiliar locations, and risky IP addresses.

Email and web defenses require particular attention. Organizations should deploy advanced filters that analyze attachments and URLs, perform sandboxing, and check domain reputation in real time. Proper implementation of SPF, DKIM, and DMARC helps thwart domain spoofing, while security teams should monitor traffic to newly registered or low-reputation domains connected to tax or IRS-related themes.
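One way to implement the monitoring described above, as an added example that is not part of the article, is to run detection logic over outbound proxy logs and flag hosts that resemble a protected brand, carry tax or IRS-themed tokens, or were registered recently. The log lines, registration dates and the small brand watch list are constructed for the example (only smartvault[.]im itself appears in the article); in production the `DOMAIN_REGISTERED` table would be replaced by an RDAP/WHOIS or passive-DNS lookup, and the two-label domain reduction by the Public Suffix List.

```python
"""Flag proxy log entries for lookalike, tax-themed or newly registered domains.

Added example, not from the article. Detection logic over constructed log lines.
"""
import re
from datetime import datetime
from difflib import SequenceMatcher
from urllib.parse import urlparse

PROTECTED_BRANDS = {"smartvault.com", "irs.gov"}  # genuine services, allowlisted
TAX_KEYWORDS = ("irs", "tax", "refund", "transcript", "efin", "w2")
NEW_DOMAIN_DAYS = 30

# Constructed registration dates (stand-in for an RDAP/WHOIS lookup).
DOMAIN_REGISTERED = {
    "smartvault.im": "2026-01-28",
    "taxrefund-portal.example": "2026-02-05",
}

# Constructed proxy log: timestamp, client, method, URL, status.
SAMPLE_LOG = """\
2026-02-10T14:02:11Z 10.20.30.40 GET https://smartvault.im/download/IRS-Transcript-Viewer-5.1.exe 200
2026-02-10T14:05:02Z 10.20.30.41 GET https://www.smartvault.com/login 200
2026-02-10T14:07:45Z 10.20.30.42 GET https://taxrefund-portal.example/claim 200
2026-02-10T14:09:00Z 10.20.30.43 GET https://www.irs.gov/individuals/get-transcript 200
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def registrable(host: str) -> str:
    """Last two labels; a production version would consult the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def lookalike_of(base: str):
    """Return the protected brand whose second-level label this domain resembles."""
    label = base.split(".")[0]
    for brand in PROTECTED_BRANDS:
        if SequenceMatcher(None, label, brand.split(".")[0]).ratio() >= 0.8:
            return brand
    return None


def tax_themed(host: str, path: str) -> bool:
    """True if any host or path token starts with a tax-season keyword."""
    tokens = re.split(r"[^a-z0-9]+", f"{host} {path}".lower())
    return any(t.startswith(k) for t in tokens if t for k in TAX_KEYWORDS)


def review_proxy_logs(lines, registered=DOMAIN_REGISTERED):
    """Return one alert per suspicious request, with the reasons it was flagged."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        url = urlparse(m["url"])
        host = url.hostname or ""
        base = registrable(host)
        if base in PROTECTED_BRANDS:
            continue  # the genuine service, nothing to flag
        reasons = []
        brand = lookalike_of(base)
        if brand:
            reasons.append(f"lookalike:{brand}")
        if tax_themed(host, url.path):
            reasons.append("tax-theme")
        if base in registered:
            seen = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).date()
            age = (seen - datetime.fromisoformat(registered[base]).date()).days
            if age < NEW_DOMAIN_DAYS:
                reasons.append(f"registered:{age}d")
        if reasons:
            alerts.append({"host": host, "src": m["src"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in review_proxy_logs(SAMPLE_LOG.splitlines()):
        print(alert)
```

The allowlist check comes first so that legitimate traffic to the real SmartVault or IRS sites never trips the keyword rule; the three remaining signals are reported together so an analyst can weight a lookalike that is also brand new higher than a merely tax-themed hostname.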

RMM governance is equally critical. Security teams should maintain an inventory of all remote administration tools, enforce installation only from trusted sources, and limit RMM deployment to managed devices. Users without administrative privileges should be technically blocked from installing tools such as ConnectWise ScreenConnect, Datto, SimpleHelp, and similar software. Regular audits should search for unauthorized RMM agents, unexpected new remote access services, and suspicious ScreenConnect or Datto sessions outside approved maintenance windows.
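The audit steps above can be turned into a periodic check over an endpoint service inventory. The following added example is not the article's or any vendor's code: it scans constructed service records for the RMM products the article names, and reports agents on hosts outside the approved inventory, agents running from user-writable paths, agents installed by ordinary user accounts, and sessions outside the maintenance window. Host names, service names, paths, accounts and the window itself are constructed assumptions; the product token list is deliberately coarse and would be replaced by an organization's own vetted indicator set.

```python
"""Audit an endpoint service inventory for unauthorized or suspicious RMM agents.

Added example, not from the article. All records and policy values are constructed.
"""
from datetime import datetime, time

# Coarse product tokens matched against service name and image path.
RMM_PRODUCTS = ("screenconnect", "datto", "simplehelp")
# Constructed policy: which hosts may run which product, who may install it,
# and when interactive remote sessions are expected.
APPROVED_RMM_HOSTS = {"screenconnect": {"it-admin-01", "it-admin-02"}}
DEPLOYMENT_ACCOUNTS = {"SYSTEM", "svc-deploy"}
MAINTENANCE_WINDOW = (time(18, 0), time(22, 0))
TRUSTED_INSTALL_ROOTS = (r"c:\program files", r"c:\program files (x86)")

# Constructed inventory, as an EDR or asset tool might export it.
ENDPOINT_SERVICES = [
    {"host": "it-admin-01", "service_name": "ScreenConnect Client (1a2b3c4d)",
     "image_path": r"C:\Program Files (x86)\ScreenConnect Client (1a2b3c4d)\ScreenConnect.ClientService.exe",
     "installed_by": "SYSTEM", "session_start": "2026-02-10T19:30:00"},
    {"host": "fin-laptop-07", "service_name": "ScreenConnect Client (9f8e7d6c)",
     "image_path": r"C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.ClientService.exe",
     "installed_by": "jdoe", "session_start": "2026-02-10T14:12:00"},
    {"host": "it-admin-02", "service_name": "ScreenConnect Client (1a2b3c4d)",
     "image_path": r"C:\Program Files (x86)\ScreenConnect Client (1a2b3c4d)\ScreenConnect.ClientService.exe",
     "installed_by": "SYSTEM", "session_start": "2026-02-11T03:15:00"},
    {"host": "hr-desk-03", "service_name": "Datto RMM Agent (constructed)",
     "image_path": r"C:\Program Files\Datto\Agent\agent.exe",
     "installed_by": "SYSTEM", "session_start": None},
    {"host": "hr-desk-03", "service_name": "Print Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe",
     "installed_by": "SYSTEM", "session_start": None},
]


def identify_rmm(record: dict):
    """Return the RMM product token found in the service name or path, else None."""
    haystack = f"{record['service_name']} {record['image_path']}".lower()
    return next((p for p in RMM_PRODUCTS if p in haystack), None)


def in_maintenance_window(ts: str) -> bool:
    """True if the session start time falls inside the approved window."""
    start, end = MAINTENANCE_WINDOW
    return start <= datetime.fromisoformat(ts).time() < end


def audit_rmm(records, approved=APPROVED_RMM_HOSTS):
    """One finding per RMM agent that violates at least one policy rule."""
    findings = []
    for r in records:
        product = identify_rmm(r)
        if product is None:
            continue
        issues = []
        if r["host"] not in approved.get(product, set()):
            issues.append("unapproved-host")
        if not r["image_path"].lower().startswith(TRUSTED_INSTALL_ROOTS):
            issues.append("user-writable-path")
        if r["installed_by"] not in DEPLOYMENT_ACCOUNTS:
            issues.append("installed-by-user")
        if r["session_start"] and not in_maintenance_window(r["session_start"]):
            issues.append("session-outside-window")
        if issues:
            findings.append({"host": r["host"], "product": product, "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_rmm(ENDPOINT_SERVICES):
        print(finding)
```

A ScreenConnect client dropped by a phishing lure looks like the second record: a known product name, but on a finance laptop, under a user profile, installed by that user, and active in the middle of the working day. Treating any one of those signals as a finding, rather than trusting the product name, is what closes the "approved tool" gap the article describes.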

Human factors remain a decisive element. Finance, payroll, and accounting staff—as well as external tax consultants—should receive recurring training on identifying phishing, checking sender domains, and treating unsolicited attachments, downloads, and QR codes with caution, especially when messages claim to originate from the IRS or other regulators and create a sense of urgency.

Tax-themed phishing campaigns demonstrate how effectively adversaries can combine social engineering with legitimate cloud services and RMM tools to bypass traditional defenses. Organizations that process financial or personal data should proactively strengthen authentication, monitoring, and remote access controls, while investing in continuous awareness training. Taking these measures before the next “urgent IRS notification” hits inboxes greatly reduces the chance that a single click will escalate into a serious cybersecurity incident.
