Ethical Hacking News
Microsoft has warned of fresh phishing campaigns targeting tax season and RMM malware deployments, emphasizing the importance of being cautious during this time and ensuring system security.
Microsoft has warned of fresh phishing campaigns targeting tax season in the US, aiming to harvest credentials and deliver malware. The campaigns use urgency and time sensitivity to send phishing messages masquerading as refund notices, payroll forms, and requests from tax professionals. They target individuals for personal and financial data theft, with a focus on accountants and other professionals handling sensitive documents. Some campaigns direct users to phishing pages built with Phishing-as-a-service (PhaaS) platforms, while others deploy legitimate RMM tools such as ConnectWise ScreenConnect and Datto. The Energy365 PhaaS kit is sending hundreds of thousands of malicious emails daily, capturing victims' email and password credentials. Campaigns impersonate the IRS, Microsoft, and other brands to trick users into installing malware or handing over sensitive information. Abuse of RMM tools has surged 277% year-over-year, highlighting the importance of monitoring for unauthorized usage.
In a recent report, Microsoft Threat Intelligence and Microsoft Defender Security Research teams have warned of fresh phishing campaigns that are capitalizing on the upcoming tax season in the U.S. to harvest credentials and deliver malware. These campaigns are taking advantage of the urgency and time-sensitive nature of the season to send phishing messages masquerading as refund notices, payroll forms, filing reminders, and requests from tax professionals.
The campaigns are targeting individuals for personal and financial data theft, with some specifically targeting accountants and other professionals who handle sensitive documents, have access to financial data, and are accustomed to receiving tax-related emails during this period. Some of these efforts direct users to phishing pages built with Phishing-as-a-service (PhaaS) platforms, while others result in the deployment of legitimate remote monitoring and management (RMM) tools, such as ConnectWise ScreenConnect, Datto, and SimpleHelp.
The details of some of these campaigns are alarming. Using Certified Public Accountant (CPA) lures to deliver phishing pages associated with the Energy365 PhaaS kit, attackers are capturing victims' email and password credentials. The Energy365 phishing kit is estimated to be sending hundreds of thousands of malicious emails on a daily basis.
Using QR code and W2 lures, these campaigns target approximately 100 organizations in the manufacturing, retail, and healthcare industries located in the U.S., directing users to phishing pages mimicking the Microsoft 365 sign-in pages and built using the SneakyLog (aka Kratos) PhaaS platform. These pages siphon victims' credentials and two-factor authentication (2FA) codes.
Impersonating the Internal Revenue Service (IRS), other campaigns trick users into clicking on bogus links under the pretext of accessing updated tax forms, only to distribute ScreenConnect. Campaigns targeting accountants and related organizations pose as requests for help filing taxes and send malicious links that lead to the installation of Datto.
Additionally, these campaigns are using fake Google Meet and Zoom pages to lure users into fraudulent video calls that ultimately deliver remote-access software like Teramind, a legitimate employee monitoring platform. They are also leveraging Avast branding to trick French-speaking users into handing over their full credit card details as part of a refund scam.
Furthermore, attackers are abusing Microsoft Azure Monitor alert notifications to deliver callback phishing emails that use invoice and unauthorized-payment lures. They are using quotation-themed lures in phishing emails to deliver a JavaScript dropper that connects to an external server to download a PowerShell script, which launches the trusted Microsoft application "Aspnet_compiler.exe" and injects into it an XWorm 7.1 payload via reflective DLL injection.
The findings of this report follow an uptick in RMM adoption by threat actors, with the abuse of such tools surging 277% year-over-year. As these tools are used by legitimate IT departments, they are typically overlooked and considered "trusted" in most corporate environments. Organizations must stay vigilant, auditing their environments for unauthorized RMM usage.
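As an added example of the auditing step this paragraph recommends (not code from the article or from Microsoft's report), the following Python scans constructed process-creation log lines for RMM executables running on hosts outside an assumed allowlist, and for the PowerShell-to-aspnet_compiler.exe launch described in the XWorm chain above. The log format, the product-name substrings used as markers, and the host allowlist are all assumptions for illustration.

```python
import re

# Constructed process-creation events (not real telemetry), "|"-separated:
# host|user|image_path|parent_image
SAMPLE_LOG = r"""
IT-ADMIN-01|svc_helpdesk|C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe|C:\Windows\System32\services.exe
ACCT-WS-07|jsmith|C:\Users\jsmith\AppData\Local\Temp\ScreenConnect.ClientSetup.exe|C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
ACCT-WS-12|mlee|C:\Users\mlee\Downloads\DattoRMM-Installer.exe|C:\Windows\explorer.exe
HR-WS-03|pgarcia|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
HR-WS-04|dnguyen|C:\Windows\System32\notepad.exe|C:\Windows\explorer.exe
"""

# Assumption: product-name substrings in the image path identify the RMM tool.
# Real deployments should use vendor-documented binary names and signer checks.
RMM_MARKERS = {
    "screenconnect": "ConnectWise ScreenConnect",
    "datto": "Datto",
    "simplehelp": "SimpleHelp",
    "teramind": "Teramind",
}
# Assumed allowlist: which hosts are permitted to run which RMM product.
APPROVED_RMM = {"ConnectWise ScreenConnect": {"IT-ADMIN-01"}}
# RMM binaries under a user-writable location suggest a user-driven install.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads)\\", re.I)


def parse_event(line):
    host, user, image, parent = line.split("|", 3)
    return {"host": host, "user": user, "image": image, "parent": parent}


def rmm_product(image_path):
    """Return the RMM product a process image belongs to, or None."""
    lowered = image_path.lower()
    for marker, product in RMM_MARKERS.items():
        if marker in lowered:
            return product
    return None


def audit(log_text):
    """Return (host, severity, reason) findings for unauthorized RMM use and the injection host."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        product = rmm_product(ev["image"])
        if product and ev["host"] not in APPROVED_RMM.get(product, set()):
            severity = "high" if USER_WRITABLE.search(ev["image"]) else "medium"
            findings.append((ev["host"], severity, f"unauthorized RMM: {product}"))
        # Chain from the report: PowerShell launching aspnet_compiler.exe as an injection target.
        if ev["image"].lower().endswith("\\aspnet_compiler.exe") and "powershell" in ev["parent"].lower():
            findings.append((ev["host"], "high", "aspnet_compiler.exe spawned by PowerShell"))
    return findings
```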
In conclusion, Microsoft's recent report highlights the importance of being cautious during tax season and the potential risks associated with remote monitoring and management tools. Individuals and organizations must remain vigilant and take steps to protect themselves from phishing attacks and ensure that their systems are secure.
Related Information:
https://www.ethicalhackingnews.com/articles/Microsoft-Warns-of-Fresh-Phishing-Campaigns-Targeting-Tax-Season-and-RMM-Malware-Deployments-ehn.shtml
https://thehackernews.com/2026/03/microsoft-warns-irs-phishing-hits-29000.html
https://cyberwebspider.com/the-hacker-news/microsoft-irs-phishing-warning/
https://www.microsoft.com/en-us/security/blog/2026/01/21/multistage-aitm-phishing-bec-campaign-abusing-sharepoint/
https://www.techrepublic.com/article/sneaky-log-microsoft-phishing-2fa/
Published: Mon Mar 23 08:16:57 2026 by llama3.2 3B Q4_K_M