Microsoft Warns of IRS Tax-Season Phishing Campaign Hitting 29,000 Users With ScreenConnect, Datto, and SimpleHelp

By Ash K

Microsoft has warned of fresh tax-season phishing campaigns that are impersonating the Internal Revenue Service (IRS), accountants, and tax professionals to steal credentials, capture two-factor authentication codes, and deploy remote access software on victim systems.

The campaigns exploit the urgency and time-sensitive nature of tax-related communications to trick recipients into opening attachments, scanning QR codes, or clicking links disguised as refund notices, W-2 forms, filing reminders, and requests from Certified Public Accountants (CPAs).

"Many campaigns target individuals for personal and financial data theft, but others specifically target accountants and other professionals who handle sensitive documents, have access to financial data, and are accustomed to receiving tax-related emails during this period," Microsoft Threat Intelligence and Microsoft Defender Security Research said.

While some of the activity leads victims to credential-harvesting pages built using phishing-as-a-service (PhaaS) platforms, other campaigns culminate in the installation of legitimate remote monitoring and management (RMM) tools such as ConnectWise ScreenConnect, Datto, and SimpleHelp, allowing the attackers to establish persistent access on compromised machines.

[Image: Tax forms and cybersecurity concept representing IRS-themed phishing campaigns] Tax-themed phishing remains a reliable lure during filing season, especially when paired with credential theft and remote access tooling.

Details of some of the campaigns are below:

  • Using CPA-themed lures to deliver phishing pages associated with the Energy365 PhaaS kit in order to capture victims' email addresses and passwords. Microsoft said the Energy365 kit is estimated to send hundreds of thousands of malicious emails daily.
  • Using QR code and W-2 lures to target approximately 100 organizations, primarily in the manufacturing, retail, and healthcare sectors in the U.S., to direct users to phishing pages mimicking Microsoft 365 sign-in portals and built using the SneakyLog (aka Kratos) PhaaS platform to steal credentials and 2FA codes.
  • Using tax-themed domains in phishing campaigns that trick users into clicking bogus links under the pretext of accessing updated tax forms, only to deliver ScreenConnect.
  • Impersonating the IRS with a cryptocurrency lure targeting the higher education sector in the U.S., instructing recipients to download a supposed "Cryptocurrency Tax Form 1099" from malicious domains such as irs-doc[.]com and gov-irs216[.]net, resulting in the delivery of ScreenConnect or SimpleHelp.
  • Targeting accountants and related organizations by asking for help filing taxes and sending malicious links that ultimately lead to the installation of Datto.

Microsoft said it also observed a large-scale phishing campaign on February 10, 2026, in which more than 29,000 users across 10,000 organizations were affected.

About 95% of the targets were located in the United States, with the most impacted sectors including financial services (19%), technology and software (18%), and retail and consumer goods (15%).

"The emails impersonated the IRS, claiming that potentially irregular tax returns had been filed under the recipient's Electronic Filing Identification Number (EFIN). Recipients were instructed to review these returns by downloading a purportedly legitimate 'IRS Transcript Viewer,'" Microsoft said.

The emails were sent through Amazon Simple Email Service (SES) and included a button labeled "Download IRS Transcript View 5.1" that redirected users to smartvault[.]im, a domain masquerading as SmartVault, a well-known document management and sharing platform used in tax and accounting workflows.

The phishing site used Cloudflare to keep bots and automated scanners at bay, ensuring that only human users were served the main payload: a maliciously packaged version of ScreenConnect that granted remote access to victim systems and enabled credential harvesting, data theft, and further post-exploitation activity.

The findings are the latest sign that attackers are increasingly abusing legitimate RMM tools as part of their intrusion playbooks. Because software like ScreenConnect, Datto, and SimpleHelp is commonly used by IT teams and managed service providers, its execution may not immediately stand out as malicious inside corporate environments.

The development also comes as other threat intelligence findings point to a broader rise in remote-access and phishing activity, including fake Google Meet and Zoom pages delivering monitoring software, typosquatted sites distributing trojanized installers, phishing emails abusing Microsoft Azure Monitor alerts, and multi-layer redirection chains designed to bypass link analysis and email defenses.

Huntress recently said abuse of remote monitoring and management tools surged 277% year-over-year, underscoring how threat actors are increasingly favoring trusted administrative software over noisier commodity malware.

To defend against such attacks, Microsoft recommends enforcing multifactor authentication for all users, implementing conditional access policies, scanning incoming emails and visited websites, blocking known malicious domains, and auditing environments for unauthorized use of remote administration tools.
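The last of those recommendations, auditing for unauthorized remote administration tools, is the one most environments have to build themselves. The script below is an added example written for this article, not Microsoft's tooling or any vendor's detection content. It works over two constructed log samples (a process-creation log and a web-proxy log, both invented for the example, in an assumed `key=value` format), flags executions of the three RMM products named above on hosts that are not on a hypothetical approved baseline, flags outbound requests to the lookalike domains the report lists, and ranks hosts that show both signals, which is the inbox-to-remote-access chain described above. Identifying an RMM product by the product name in the executable path is an assumption for illustration, not a vendor-documented rule.

```python
"""Audit constructed process and proxy logs for unapproved RMM use and for
contact with the lookalike domains named in the report.  Added example with
assumed log formats and hypothetical hostnames; not Microsoft's tooling."""
import re

# Phishing domains named in the report, defanged as the article writes them.
REPORTED_DOMAINS = {"irs-doc[.]com", "gov-irs216[.]net", "smartvault[.]im"}

# RMM products the report says were abused.  Matching the product name as a
# substring of the executable path is an assumption for this example, not a
# vendor-documented detection rule.
RMM_MARKERS = {
    "screenconnect": "ConnectWise ScreenConnect",
    "simplehelp": "SimpleHelp",
    "datto": "Datto",
}

# Hypothetical baseline: hosts that are allowed to run a given RMM tool.
APPROVED_RMM = {"it-admin-01": {"ConnectWise ScreenConnect"}}

# Constructed sample process-creation events (not real telemetry).
PROCESS_LOG = r"""
2026-02-10T14:02:11Z host=it-admin-01 user=svc_helpdesk image=C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe
2026-02-10T14:05:43Z host=fin-ws-17 user=jdoe image=C:\Users\jdoe\Downloads\IRS_Transcript_Viewer_5.1.exe
2026-02-10T14:05:51Z host=fin-ws-17 user=jdoe image=C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.ClientService.exe
2026-02-10T14:09:02Z host=acct-ws-03 user=mlee image=C:\Users\mlee\Downloads\SimpleHelp-Remote-Access.exe
2026-02-10T14:10:30Z host=acct-ws-03 user=mlee image=C:\Windows\System32\notepad.exe
"""

# Constructed sample web-proxy events (not real telemetry).
PROXY_LOG = r"""
2026-02-10T14:04:58Z host=fin-ws-17 user=jdoe dest=smartvault.im uri=/dl/IRS_Transcript_Viewer_5.1.exe
2026-02-10T14:08:40Z host=acct-ws-03 user=mlee dest=irs-doc.com uri=/1099/form.zip
2026-02-10T14:12:00Z host=it-admin-01 user=svc_helpdesk dest=example.com uri=/
"""

PROC_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>.+)$")
PROXY_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) dest=(?P<dest>\S+) uri=(?P<uri>\S+)$")


def refang(domain: str) -> str:
    """Turn the article's defanged 'a[.]b' form back into a matchable name."""
    return domain.replace("[.]", ".").lower()


def find_rmm_tool(image_path: str):
    """Return the RMM product an executable path appears to belong to, else None."""
    lowered = image_path.lower()
    for marker, product in RMM_MARKERS.items():
        if marker in lowered:
            return product
    return None


def audit_rmm(process_log: str, approved: dict) -> list:
    """Flag RMM executions on hosts that are not approved for that tool."""
    findings = []
    for line in process_log.strip().splitlines():
        m = PROC_RE.match(line)
        if not m:
            continue  # line does not match the assumed format
        tool = find_rmm_tool(m["image"])
        if tool is None or tool in approved.get(m["host"], set()):
            continue  # not an RMM tool, or expected IT/MSP use on this host
        findings.append({"ts": m["ts"], "host": m["host"], "user": m["user"],
                         "tool": tool, "image": m["image"]})
    return findings


def find_reported_domains(proxy_log: str, defanged_domains: set) -> list:
    """Flag proxy events whose destination is a reported domain or a subdomain of one."""
    bad = {refang(d) for d in defanged_domains}
    hits = []
    for line in proxy_log.strip().splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        dest = m["dest"].lower()
        if any(dest == d or dest.endswith("." + d) for d in bad):
            hits.append({"ts": m["ts"], "host": m["host"], "user": m["user"],
                         "dest": dest, "uri": m["uri"]})
    return hits


def correlate(rmm_findings: list, domain_hits: list) -> set:
    """Hosts that both reached reported infrastructure and ran an unapproved RMM tool.

    That pairing is the lure-to-remote-access chain the report describes, so
    these hosts go to the top of the triage queue."""
    return {f["host"] for f in rmm_findings} & {h["host"] for h in domain_hits}


if __name__ == "__main__":
    rmm = audit_rmm(PROCESS_LOG, APPROVED_RMM)
    dom = find_reported_domains(PROXY_LOG, REPORTED_DOMAINS)
    for f in rmm:
        print(f"[RMM] {f['ts']} {f['host']} {f['user']} ran {f['tool']}: {f['image']}")
    for h in dom:
        print(f"[DOMAIN] {h['ts']} {h['host']} {h['user']} -> {h['dest']}{h['uri']}")
    print("priority hosts:", sorted(correlate(rmm, dom)))
```

On the sample data the approved helpdesk host is left alone, the two workstations that ran ScreenConnect and SimpleHelp from user-writable paths are flagged, and both also appear in the domain hits, so they come out as the priority hosts. In a real deployment the baseline would come from the asset inventory and the process matching from the EDR's own fields rather than a path substring, but the shape of the check (expected RMM per host, everything else is a finding) is what the recommendation calls for.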

The company’s warning is also a reminder that tax professionals, accountants, payroll teams, and finance staff remain especially attractive targets during filing season because they regularly handle sensitive records, interact with external documents, and are more likely to trust urgent tax-related requests.

The broader lesson is simple: tax season has once again become cyberattack season, with threat actors combining social engineering, phishing-as-a-service kits, legitimate cloud infrastructure, and trusted remote access tools to move from inbox to persistent compromise with minimal friction.

Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.