IRS Phishing Blitz Strikes 29,000 With Remote Access Malware, Microsoft Warns
By John Jordan, 8 hours ago
A massive wave of cyberattacks disguising themselves as IRS correspondence has targeted over 29,000 users across 10,000 organizations in the United States. According to Microsoft’s latest security alert, the phishing campaign leverages tax-related urgency to deliver credential-stealing malware and gain remote access to victim devices during the sensitive tax season.
Key Takeaways
- Over 29,000 users impacted; 95% based in the U.S.
- Campaigns impersonate the IRS and aim at credential theft and remote device access.
- Industries hit hardest include financial services, technology, and retail.
How The Attack Unfolded
Attackers sent carefully crafted emails posing as official IRS communications. These messages—often styled as refund notices, tax forms, or filing reminders—tricked recipients into opening malicious attachments or clicking links. The phishing emails leaned on urgency, prompting users to review supposedly irregular tax returns via a link or to download purported tax documents.
Victims who clicked were redirected to bogus websites that appeared legitimate, some mimicking reputable services like SmartVault or Microsoft 365. These fraudulent sites were designed to harvest login credentials, two-factor authentication codes, or even trick users into installing remote monitoring and management (RMM) software such as ScreenConnect, Datto, or SimpleHelp, granting attackers ongoing access.
Techniques And Tools Used
The attackers disguised their intentions with several sophisticated methods:
- Phishing-as-a-Service Kits: Platforms like Energy365 and SneakyLog powered large-scale distribution of phishing emails and custom login capture pages.
- QR Code Lures and Fake Domains: QR codes and lookalike web addresses increased credibility and dodged standard filters.
- Use of Cloud Services for Credibility: Emails sent through Amazon SES and websites protected by services like Cloudflare were used to avoid detection.
- Impersonation of Professionals: Accountants, payroll staff, and tax professionals were targeted using plausible pretexts and personalized messages.
Industries And Individuals Most At Risk
Microsoft’s threat teams noted broad sector targeting, with the following breakdown:
| Sector | Percentage of Attacks |
|---|---|
| Financial Services | 19% |
| Technology & Software | 18% |
| Retail/Consumer Goods | 15% |
Other affected segments include healthcare, higher education, and manufacturing. Attackers also specifically sought out accountants and administrative staff handling tax files.
Security Recommendations And Response
To counter these threats, Microsoft and security researchers recommend:
- Enforce two-factor authentication for all users.
- Use conditional access policies to restrict login attempts.
- Regularly audit RMM tool usage to detect suspicious access.
- Monitor and filter incoming emails and website visits for malicious activity.
- Educate employees on warning signs of targeted phishing attempts and suspicious requests for sensitive information.
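As an added example, not code from the article, Microsoft or The Hacker News, the following Python script shows one way to act on the "audit RMM tool usage" recommendation above: it parses constructed process-creation events, recognises the RMM products named in the campaign (ScreenConnect, Datto, SimpleHelp) and flags any use that falls outside a sanctioning policy. The log format, hostnames, policy and keyword-based matching are all assumptions made for the example.

```python
import re

# RMM products named in Microsoft's report, matched by keyword in the image
# path (a simplification; real detections should key on vendor-signed binaries).
RMM_KEYWORDS = {"screenconnect": "ScreenConnect", "datto": "Datto", "simplehelp": "SimpleHelp"}
# Assumed policy: the one RMM product IT sanctions and the hosts it may run on.
SANCTIONED = {"Datto": {"HELPDESK-01", "HELPDESK-02"}}
# A sanctioned agent started from a user-writable directory looks like a
# user-initiated install (as from a phishing lure), not an IT deployment.
USER_WRITABLE = re.compile(r"\\(?:Downloads|Temp)\\", re.IGNORECASE)
# Constructed log format: <ts> host=<h> user=<u> image="<path>"
LOG_LINE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image="(?P<image>[^"]+)"$')

def parse(line):
    """Return the event fields as a dict, or None for lines that do not parse."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None

def classify(ev):
    """Return (host, user, product, reason) if the event is RMM use outside policy."""
    image = ev["image"].lower()
    product = next((p for kw, p in RMM_KEYWORDS.items() if kw in image), None)
    if product is None:
        return None
    if product not in SANCTIONED:
        reason = "unsanctioned RMM product"
    elif ev["host"] not in SANCTIONED[product]:
        reason = "sanctioned product on unapproved host"
    elif USER_WRITABLE.search(ev["image"]):
        reason = "launched from user-writable path"
    else:
        return None  # sanctioned product, approved host, normal install path
    return (ev["host"], ev["user"], product, reason)

def audit(lines):
    # Run classify() over raw log lines and keep only the findings.
    events = (parse(line) for line in lines)
    return [f for f in (classify(ev) for ev in events if ev) if f]

# Constructed sample events; hosts, users and paths are made up for the example.
SAMPLE_LOG = r"""
2024-03-12T09:14:03Z host=FIN-WS07 user=jdoe image="C:\Users\jdoe\Downloads\TaxDocs\ScreenConnect_Setup.exe"
2024-03-12T09:20:11Z host=HELPDESK-01 user=svc_rmm image="C:\Program Files\Datto\Agent.exe"
2024-03-12T09:31:45Z host=HR-WS12 user=mlee image="C:\Program Files\Datto\Agent.exe"
2024-03-12T09:40:02Z host=HELPDESK-02 user=svc_rmm image="C:\Users\svc_rmm\AppData\Local\Temp\Datto_Installer.exe"
2024-03-12T09:52:30Z host=ACCT-WS03 user=pwang image="C:\Windows\System32\notepad.exe"
2024-03-12T10:03:17Z host=ACCT-WS03 user=pwang image="C:\Users\pwang\AppData\Local\Temp\SimpleHelp\Remote Access.exe"
"""

for host, user, product, reason in audit(SAMPLE_LOG.strip().splitlines()):
    print(f"{host} {user}: {product} ({reason})")
```

Four of the six constructed events produce findings; the Datto agent on HELPDESK-01 under Program Files and the notepad launch are correctly ignored.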
The Bigger Trend: RMM Malware On The Rise
The recent IRS-themed campaign is part of a broader surge in cybercriminals abusing legitimate RMM tools for unauthorized remote access. Huntress reports a 277% year-over-year increase in the abuse of such tools. Because these applications are sanctioned in many IT environments, their malicious use is easily overlooked, which complicates detection and remediation.
Organizations are urged to remain vigilant throughout tax season and beyond, proactively monitoring for unusual activity related to remote access software and responding quickly to potential breaches.
Sources:
- Microsoft Warns IRS Phishing Hits 29,000 Users, Deploys RMM Malware, The Hacker News.

