{"id":353,"date":"2026-03-23T11:38:56","date_gmt":"2026-03-23T11:38:56","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=353"},"modified":"2026-03-23T11:38:56","modified_gmt":"2026-03-23T11:38:56","slug":"microsoft-warns-irs-phishing-hits-29000-users-deploys-rmm-malware","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=353","title":{"rendered":"Microsoft Warns IRS Phishing Hits 29,000 Users, Deploys RMM Malware"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Mar 23, 2026<\/span><\/span><span class=\"p-tags\">Email Security \/ Cloud Security<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEie9fqlMd4OuFVtXiIjViNTGyYhyol3qoSCp1VC7Au7Zp3ccwTT2YriDd5iWY7vc67FF0inmVd16ko0WfG3C57cyOs-I3RNaQXnk2eyfKefaJajCkfjvD1rfZp1hnOqyICcY5-dPdADaKq7bl74F4bocmJHp1W3sI6ZBGKIXiOI-phZVHwwyqtDQz1kNQty\/s1700-e365\/irs.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><\/a><\/div>\n<p>Microsoft has warned of fresh campaigns that are capitalizing on the upcoming tax season in the U.S. to harvest credentials and deliver malware.<\/p>\n<p>The email campaigns take advantage of the urgency and time-sensitive nature of emails to send phishing messages masquerading as refund notices, payroll forms, filing reminders, and requests from tax professionals to deceive recipients into opening malicious attachments, scanning QR code, or interacting with suspicious links.<\/p>\n<p>\u00abMany campaigns target individuals for personal and financial data theft, but others specifically target accountants and other professionals who handle sensitive documents, have access to financial data, and are accustomed to receiving tax-related emails during this period,\u00bb the Microsoft Threat Intelligence and Microsoft Defender Security Research teams <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/03\/19\/when-tax-season-becomes-cyberattack-season-phishing-and-malware-campaigns-using-tax-related-lures\/\" rel=\"noopener\" target=\"_blank\">said<\/a> in a report published last week.<\/p>\n<p>While some of these efforts direct users to sketchy pages designed through Phishing-as-a-service (PhaaS) platforms, others result in the deployment of legitimate remote monitoring and management tools (RMMs), such as ConnectWise ScreenConnect, Datto, and SimpleHelp, enabling the attackers to gain persistent access to compromised devices.<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/not-fast-enough-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhlXM830ruQd2xT6M7JNeNRjaFa1onD12WjSCHihTFMTzbyfT9h-irPmXy_h3E1HGSs6sdv7FTmnyNVTM5kmSb7BuUtZe8gKoTQt99P1sSzRcqqXpOJP6eoAOhR3DGb6qHx9kOZ_HBZUMmVnsnd0DM7QfUp81bgzTvvgLww6oqB-EhnDfWXH5pWCYhAsyLs\/s728-e100\/tl-d.jpg\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>The details of some of the campaigns are below &#8211;<\/p>\n<ul>\n<li>Using Certified Public Accountant (CPA) lures to deliver phishing pages associated with the Energy365 PhaaS kit to capture victims&#8217; email and password. The Energy365 phishing kit is estimated to be sending hundreds of thousands of malicious emails on a daily basis.<\/li>\n<li>Using QR code and W2 lures to target approximately 100 organizations, mainly in the manufacturing, retail, and healthcare industries located in the U.S., to direct users to phishing pages mimicking the Microsoft 365 sign-in pages and built using the SneakyLog (aka Kratos) PhaaS platform to siphon their credentials and two-factor authentication (2FA) codes.<\/li>\n<li>Using tax-themed domains for use in phishing campaigns that trick users into clicking on bogus links under the pretext of accessing updated tax forms, only to distribute ScreenConnect.<\/li>\n<li>Impersonating the Internal Revenue Service (IRS) with a cryptocurrency lure that specifically targeted the higher education sector in the U.S., instructing recipients to download a \u00abCryptocurrency Tax Form 1099\u00bb by accessing a malicious domain (\u00abirs-doc[.]com\u00bb or \u00abgov-irs216[.]net\u00bb) to deliver ScreenConnect or SimpleHelp.<\/li>\n<li>Targeting accountants and related organizations, asking for help to file their taxes by sending a malicious link that leads to the installation of Datto.<\/li>\n<\/ul>\n<p><a name=\"more\"\/><\/p>\n<p>Microsoft said it also observed a large-scale phishing campaign on February 10, 2026, in which more than 29,000 users across 10,000 organizations were affected. About 95% of the targets were located in the U.S., spanning industries like financial services (19%), technology and software (18%), and retail and consumer goods (15%).<\/p>\n<p>\u00abThe emails impersonated the IRS, claiming that potentially irregular tax returns had been filed under the recipient&#8217;s Electronic Filing Identification Number (EFIN). Recipients were instructed to review these returns by downloading a purportedly legitimate &#8216;IRS Transcript Viewer,'\u00bb the tech giant said.<\/p>\n<p>The emails, which were sent through Amazon Simple Email Service (SES), contained a \u00abDownload IRS Transcript View 5.1\u00bb button that, when clicked, redirected users to smartvault[.]im, a domain masquerading as SmartVault, a well-known document management and sharing platform.<\/p>\n<p>The phishing site relied on Cloudflare to keep bots and automated scanners at bay, thus ensuring that only human users are served the main payload: a maliciously packaged ScreenConnect that grants the attackers remote access to their systems and facilitates data theft, credential harvesting, and further post\u2011exploitation activity.<\/p>\n<p>To stay safe against these attacks, organizations are recommended to enforce 2FA on all users, implement conditional access policies, monitor and scan incoming emails and visited websites, and prevent users from accessing the malicious domains.<\/p>\n<p>The development coincides with the discovery of several campaigns that have been found to drop remote access malware or conduct data theft &#8211;<\/p>\n<ul>\n<li>Using <a href=\"https:\/\/www.netcraft.com\/blog\/remote-access-delivery-via-fake-meetings\" rel=\"noopener\" target=\"_blank\">fake Google Meet and Zoom pages<\/a> to lure users into fraudulent video calls that ultimately <a href=\"https:\/\/www.malwarebytes.com\/blog\/scams\/2026\/02\/fake-zoom-meeting-update-silently-installs-surveillance-software\" rel=\"noopener\" target=\"_blank\">deliver<\/a> remote-access software like Teramind, a legitimate employee monitoring platform, by means of a bogus software update.<\/li>\n<li>Using a <a href=\"https:\/\/www.malwarebytes.com\/blog\/threat-intel\/2026\/02\/refund-scam-impersonates-avast-to-harvest-credit-card-details\" rel=\"noopener\" target=\"_blank\">fraudulent website<\/a> that leverages the Avast branding to trick French-speaking users into handing over their full credit card details as part of a refund scam.<\/li>\n<li>Using a <a href=\"https:\/\/labs.k7computing.com\/index.php\/fake-telegram-malware-campaign-analysis-of-a-multi-stage-loader-delivered-via-typosquatted-websites\/\" rel=\"noopener\" target=\"_blank\">typosquatted website<\/a> impersonating the official Telegram download portal (\u00abtelegrgam[.]com\u00bb) to distribute trojanized installers that, in addition to dropping a legitimate Telegram installer, execute a DLL responsible for launching an in-memory payload. The malware then initiates communication with its command-and-control infrastructure to receive instructions, download updated components, and maintain persistent access.<\/li>\n<li>Abusing <a href=\"https:\/\/x.com\/SpiderLabs\/status\/2032446349094818119\" rel=\"noopener\" target=\"_blank\">Microsoft Azure Monitor alert notifications<\/a> to deliver callback phishing emails that use invoice and unauthorized-payment lures. \u00abAttackers create malicious Azure Monitor alert rules, embedding scam content in the alert description, including fake billing details and attacker-controlled support phone numbers,\u00bb LevelBlue said. \u00abVictims are then added to the Action Group linked to the alert rule, causing Azure to send the phishing message from the legitimate sender address azure-noreply@microsoft.com.\u00bb<\/li>\n<li>Using <a href=\"https:\/\/www.trellix.com\/blogs\/research\/malware-as-a-service-redefined-xworm-rat\/\" rel=\"noopener\" target=\"_blank\">quotation-themed lures<\/a> in phishing emails to deliver a JavaScript dropper that connects to an external server to download a PowerShell script, which launches the trusted Microsoft application \u00abAspnet_compiler.exe\u00bb and injects into it an XWorm 7.1 payload via reflective DLL injection. The updated malware comes with a .NET-developed component engineered for stealth and persistence. Similar requests for quotation lures have also been used to <a href=\"https:\/\/www.trellix.com\/blogs\/research\/fileless-multi-stage-remcos-rat-phishing-to-memory\/\" rel=\"noopener\" target=\"_blank\">trigger<\/a> a fileless Remcos RAT infection chain.<\/li>\n<li>Using phishing emails and ClickFix ploys to <a href=\"https:\/\/www.darktrace.com\/blog\/netsupport-rat-how-legitimate-tools-can-be-as-damaging-as-malware\" rel=\"noopener\" target=\"_blank\">deliver<\/a> <a href=\"https:\/\/corelight.com\/blog\/detecting-netsupport-manager-abuse\" rel=\"noopener\" target=\"_blank\">NetSupport RAT<\/a> and gain unauthorized system access, exfiltrate data, and deploy additional malware.<\/li>\n<li>Using <a href=\"https:\/\/www.levelblue.com\/blogs\/spiderlabs-blog\/phishing-with-oauth-redirect\" rel=\"noopener\" target=\"_blank\">Microsoft Application Registration Redirect URI&#8217;s<\/a> (\u00ablogin.microsoftonline[.]com\u00bb) in phishing emails to abuse trust relationships and bypass email spam filters to redirect users to phishing websites that capture victims&#8217; credentials and 2FA codes.<\/li>\n<li>Abusing legitimate <a href=\"https:\/\/www.levelblue.com\/blogs\/spiderlabs-blog\/weaponizing-safe-links-abuse-of-multi-layered-url-rewriting-in-phishing-attacks\" rel=\"noopener\" target=\"_blank\">URL rewriting services<\/a> from Avanan, Barracuda, Bitdefender, Cisco, INKY, Mimecast, Proofpoint, Sophos, and Trend Micro to conceal malicious URLs in phishing emails evades detection. \u00abThreat actors have increasingly adopted multi-vendor chained redirection in their phishing campaigns,\u00bb LevelBlue said. \u00abEarlier activity typically relied on a single rewriting service, but newer campaigns stack multiple layers of already\u2011rewritten links. This nesting makes it significantly harder for security platforms to reconstruct the full redirect path and identify the final malicious destination.\u00bb<\/li>\n<li>Using <a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ai-written-malware-vibe-coded-campaign\/\" rel=\"noopener\" target=\"_blank\">malicious ZIP files<\/a> impersonating a wide range of software, including artificial intelligence (AI) image generators, voice-changing tools, stock-market trading utilities, game mods, VPNs, and emulators, to deliver Salat Stealer or MeshAgent, along with a cryptocurrency miner. The campaign has specifically targeted users in the U.S., the U.K., India, Brazil, France, Canada, and Australia.<\/li>\n<li>Using <a href=\"https:\/\/www.elastic.co\/security-labs\/silentconnect-delivers-screenconnect\" rel=\"noopener\" target=\"_blank\">digital invitation lures<\/a> sent via phishing emails to divert users to a fake Cloudflare CAPTCHA page that delivers a VBScript, which then runs PowerShell code to fetch an evasive .NET loader dubbed SILENTCONNECT from Google Drive to eventually deliver ScreenConnect.<\/li>\n<\/ul>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/ciso-risk-comm-cert-li-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjoqpwvMkmQTpI6oFBcM5sjZJ4sJ2YplYYhb-ceY5aPYSXjkfcX-xHTDS-SMK3wzNy_kFuH4yN1umKPloMnloAmmRc5nXo64laMkM5neZzco95ZJXnRH-iV-6vAXRDv8vCSgWdcloM_rsNLykF6rlZbcXQ2n2fT-No23La_8rS67S8terJhozZU9JPmB9kO\/s728-e100\/ciso-light-d.png\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>The findings follow an uptick in RMM adoption by threat actors, with the abuse of such tools surging 277% year-over-year, according to a recent report published by Huntress.<\/p>\n<p>\u00abAs these tools are used by legitimate IT departments, they are typically overlooked and considered &#8216;trusted&#8217; in most corporate environments,\u00bb Elastic Security Labs researchers Daniel Stepanic and Salim Bitam said. \u00abOrganizations must stay vigilant, auditing their environments for unauthorized RMM usage.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Mar 23, 2026Email Security \/ Cloud Security Microsoft has warned of fresh campaigns that are capitalizing on the upcoming tax season in the U.S. to harvest credentials and deliver&hellip;<\/p>\n","protected":false},"author":1,"featured_media":354,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[297,825,824,42,147,390,827,826,148],"class_list":["post-353","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-deploys","tag-hits","tag-irs","tag-malware","tag-microsoft","tag-phishing","tag-rmm","tag-users","tag-warns"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/353","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=353"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/353\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/354"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=353"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=353"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=353"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}