
Microsoft Warns IRS Phishing Hits 29,000 Users, Deploys RMM Malware
Why It Matters
The campaign demonstrates how seasonal social engineering can combine with trusted IT utilities to bypass traditional defenses, raising the risk of large‑scale data theft across critical sectors. Organizations must adapt security controls to detect and block RMM misuse before attackers establish footholds.
Key Takeaways
- Phishing campaign hit 29,000 users across 10,000 organizations
- Attackers used IRS impersonation and QR‑code lures
- Remote‑monitoring tools like ScreenConnect delivered persistent access
- RMM abuse rose 277% year‑over‑year, per Huntress
- Mitigation: enforce 2FA, conditional access, block malicious domains
Pulse Analysis
Tax season consistently attracts cybercriminals, but the latest Microsoft‑reported campaign is notable for its scale and sophistication. By masquerading as IRS notices, payroll forms, and even cryptocurrency tax documents, attackers leveraged familiar language and urgent calls‑to‑action to lure victims into clicking malicious links or scanning QR codes. The use of Phishing‑as‑a‑Service platforms such as Energy365 and SneakyLog enabled rapid generation of convincing credential‑harvesting pages, while Amazon SES facilitated high‑volume delivery. This blend of social engineering and automated infrastructure resulted in over 29,000 compromised accounts, predominantly within financial services, technology, and retail firms.
A disturbing element of the operation is the deployment of legitimate remote‑monitoring and management (RMM) tools—ScreenConnect, Datto, SimpleHelp, among others—to maintain persistent footholds. Because these utilities are trusted by IT departments for legitimate remote support, they often evade detection by conventional antivirus and endpoint solutions. Huntress data shows RMM abuse has jumped 277% year‑over‑year, underscoring a shift toward “living‑off‑the‑land” tactics that exploit existing administrative privileges. Attackers can silently exfiltrate data, harvest credentials, and pivot laterally, turning a seemingly innocuous remote‑support session into a full‑blown breach.
Defenders must adopt a layered response: enforce multi‑factor authentication across all accounts, implement conditional‑access policies that restrict access from anomalous locations, and block known malicious domains at the DNS level. Email security gateways should be tuned to detect IRS‑related spoofing patterns, and organizations should regularly audit their environment for unauthorized RMM installations. Continuous user education about tax‑season phishing cues, combined with threat‑intelligence sharing, will be critical to curbing the next wave of credential‑driven attacks as the fiscal year approaches.
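One way to operationalize the RMM audit recommended above, as an added example that is not code from the article, Microsoft or Huntress: it reads a constructed software-inventory export and flags RMM agents that are unsanctioned, installed by a non-IT account, or doubled up on one host. The hostnames, account names, inventory rows and the product-name signature list are assumptions for illustration.

```python
# Added example (not from the article, Microsoft or Huntress): audit a
# software inventory export for unauthorized RMM agents. Hostnames,
# accounts and inventory rows are constructed; the signature list is
# illustrative and should be extended to the RMM products in your estate.
from collections import defaultdict

# Case-insensitive product-name fragments for the RMM tools the article names
# (ConnectWise Control is ScreenConnect's former branding).
RMM_SIGNATURES = ("screenconnect", "connectwise", "datto", "simplehelp")


def is_rmm(product: str) -> bool:
    p = product.lower()
    return any(sig in p for sig in RMM_SIGNATURES)


def audit_rmm(inventory, approved_products, it_accounts):
    """Return (host, product, reason) findings.
    inventory: dicts with keys host, product, installed_by.
    approved_products: lowercase name fragments of sanctioned RMM tools.
    it_accounts: accounts permitted to install RMM agents.
    """
    findings = []
    per_host = defaultdict(list)
    for row in inventory:
        if not is_rmm(row["product"]):
            continue
        per_host[row["host"]].append(row["product"])
        name = row["product"].lower()
        if not any(ok in name for ok in approved_products):
            findings.append((row["host"], row["product"], "unapproved RMM product"))
        elif row["installed_by"] not in it_accounts:
            findings.append((row["host"], row["product"], "installed by non-IT account"))
    # Two agents on one host often means a sanctioned tool plus an intruder's.
    for host, products in per_host.items():
        if len(products) > 1:
            findings.append((host, " + ".join(products), "multiple RMM agents"))
    return findings


# Constructed sample export; "datto" is the only sanctioned RMM here.
SAMPLE_INVENTORY = [
    {"host": "fin-ws-01", "product": "ScreenConnect Client", "installed_by": "jdoe"},
    {"host": "fin-ws-01", "product": "Datto RMM Agent", "installed_by": "CORP\\it-admin"},
    {"host": "hr-ws-07", "product": "Datto RMM Agent", "installed_by": "hr-temp"},
    {"host": "hr-ws-07", "product": "Microsoft Office", "installed_by": "CORP\\it-admin"},
    {"host": "dev-ws-12", "product": "SimpleHelp Remote Access", "installed_by": "asmith"},
]
APPROVED_RMM = {"datto"}
IT_ACCOUNTS = {"CORP\\it-admin"}
```

Running `audit_rmm(SAMPLE_INVENTORY, APPROVED_RMM, IT_ACCOUNTS)` on the constructed data yields four findings; feed it the same keys from a real EDR or asset-management export to use it in practice.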