Microsoft Alerts Users to IRS Phishing Campaign Targeting 29,000 Individuals

Microsoft has reported a significant phishing campaign exploiting the U.S. tax season, affecting approximately 29,000 users across various industries.

Microsoft has issued a warning regarding a series of phishing campaigns that are leveraging the urgency of the upcoming tax season in the United States. These campaigns aim to harvest user credentials and deploy malware by sending deceptive emails that appear to be refund notices, payroll forms, filing reminders, or requests from tax professionals.

Scope of the Phishing Campaign

According to Microsoft’s Threat Intelligence and Microsoft Defender Security Research teams, the phishing efforts have targeted both individuals and professionals, particularly accountants who handle sensitive financial data. The emails are designed to trick recipients into opening malicious attachments, scanning QR codes, or clicking on suspicious links.

Methods of Attack

Some phishing attempts direct users to dubious pages created through Phishing-as-a-Service (PhaaS) platforms, while others utilize legitimate remote monitoring and management tools (RMMs) such as ConnectWise ScreenConnect, Datto, and SimpleHelp. These tools enable attackers to maintain persistent access to compromised devices.

Specific tactics include:

  • Using Certified Public Accountant (CPA) lures to deliver phishing pages associated with the Energy365 PhaaS kit.
  • Targeting organizations in manufacturing, retail, and healthcare with QR code and W2 lures that mimic Microsoft 365 sign-in pages.
  • Impersonating the IRS with cryptocurrency-themed emails instructing users to download a malicious “Cryptocurrency Tax Form 1099”.

Impact on Users

On February 10, 2026, Microsoft observed a large-scale phishing campaign that impacted over 29,000 users across approximately 10,000 organizations, with about 95% of the targets located in the U.S. Industries affected include financial services (19%), technology and software (18%), and retail and consumer goods (15%). The phishing emails impersonated the IRS, claiming irregular tax returns had been filed under the recipient’s Electronic Filing Identification Number (EFIN).

The emails contained a button labeled “Download IRS Transcript View 5.1,” which redirected users to a malicious domain designed to look like SmartVault, a legitimate document management service. This phishing site employed Cloudflare to evade detection by automated scanners.

Recommendations for Protection

To mitigate the risks associated with these phishing campaigns, organizations are advised to enforce two-factor authentication (2FA) for all users, implement conditional access policies, and monitor incoming emails and visited websites. Additionally, preventing access to known malicious domains is crucial in safeguarding sensitive information.
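As an added example (not from Microsoft's report or from this article's sources), the sketch below shows one way to triage incoming mail for the patterns described above: an IRS display name on an off-brand sender address, link hosts that borrow the SmartVault name, and the lure phrases named in the article. The brand domain list, the function names and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Lure phrases named in the campaigns this article describes.
LURES = ("irs transcript view", "cryptocurrency tax form 1099", "efin", "w2", "w-2")
# Assumption: the legitimate domains for each impersonated brand.
BRANDS = {"irs": ("irs.gov",), "smartvault": ("smartvault.com",)}

def host_in(host, domains):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def has_word(word, text):
    return re.search(r"\b" + re.escape(word) + r"\b", text) is not None

def triage(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    body = " ".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                    for p in msg.walk() if p.get_content_maintype() == "text")
    text = (msg.get("Subject", "") + " " + body).lower()
    hosts = {urlparse(u).hostname or "" for u in re.findall(r"https?://[^\s\"'<>]+", body)}
    # Display name claims a brand, but the address is not on that brand's domain.
    spoofed = sorted(b for b, d in BRANDS.items()
                     if has_word(b, display.lower()) and not host_in(sender_host, d))
    # A label of the link host is a brand name, but the host is not the brand's.
    lookalikes = sorted(h for h in hosts for b, d in BRANDS.items()
                        if b in re.split(r"[^a-z0-9]", h) and not host_in(h, d))
    lures = [l for l in LURES if has_word(l, text)]
    # Lookalike links alone are enough; a spoofed name needs a lure to count.
    return {"spoofed": spoofed, "lookalikes": lookalikes, "lures": lures,
            "suspicious": bool(lookalikes or (spoofed and lures))}

# Constructed sample messages (not real campaign mail).
PHISH = """From: "IRS e-Services" <notice@tax-alerts.example>
Subject: Irregular returns filed under your EFIN
Content-Type: text/html; charset=utf-8

<a href="https://smartvault.docs-portal.example/t">Download IRS Transcript View 5.1</a>
"""
BENIGN = """From: "Payroll" <hr@firm.example>
Subject: Lunch schedule
Content-Type: text/plain

See you at noon.
"""
```

A heuristic like this feeds analyst review or quarantine rules; it does not replace URL reputation or sandbox detonation, and it misses hosts that embed a brand name without a separator.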

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ
