IRS Impostors Phishing Scam Surge: Microsoft Warns 29,000 Users Targeted with RMM Malware
What prompted Microsoft to issue warnings about IRS-themed phishing in early 2026?
Microsoft Threat Intelligence and Microsoft Defender Security Research teams published a detailed report on March 19, 2026, highlighting a sharp increase in tax-related email attacks as the April 15 U.S. tax filing deadline approached. These messages exploited the time pressure of tax season, using subjects and content that mimicked official communications from the Internal Revenue Service (IRS), payroll providers, tax professionals, or financial services. Attackers sent refund notices, payroll forms, filing reminders, and requests for assistance to trick recipients into interacting with malicious elements.
The campaigns fell into two main categories: those designed to steal login credentials through fake websites and those that installed malware for long-term access to victim systems. Microsoft noted that while many attacks aimed at individuals for personal financial information, others focused on accountants and tax preparers who routinely handle sensitive client documents and financial records. “Many campaigns target individuals for personal and financial data theft, but others specifically target accountants and other professionals who handle sensitive documents, have access to financial data, and are accustomed to receiving tax-related emails during this period,” the Microsoft teams stated in their analysis.
How large was the February 10, 2026, IRS impersonation campaign?
On February 10, 2026, Microsoft observed one particularly extensive phishing operation that reached more than 29,000 users spread across over 10,000 organizations. Approximately 95 percent of those targeted were located in the United States, with the messages sent in two waves over a roughly nine-hour window between 10:35 and 19:51 UTC. While the operation spanned many sectors, an analysis of the intended recipients showed it was zeroing in on specific roles — particularly accountants and tax preparers. The emails claimed that irregular tax returns had been filed under the recipient’s Electronic Filing Identification Number (EFIN), a unique identifier used by tax professionals, and directed recipients to review the supposed issues by downloading a file presented as a legitimate IRS tool called “IRS Transcript Viewer.”
The messages were sent using Amazon Simple Email Service (SES) and included a prominent “Download IRS Transcript View 5.1” button. Clicking it redirected users to smartvault[.]im, a domain set up to imitate SmartVault, a real document management platform. The site used Cloudflare services to block automated scanners and bots, ensuring that only real users reached the final payload. After a fake “verification” animation suggesting the IRS was checking the connection, victims received a file named TranscriptViewer5.1.exe. This executable was not an IRS viewer but a maliciously repackaged version of ScreenConnect, a legitimate remote monitoring and management (RMM) tool signed by ConnectWise. Once run, it allowed attackers to take remote control of the victim’s system, steal data, harvest credentials, and carry out additional malicious actions.
This campaign stood out for its scale and focus on U.S.-based entities in sectors such as financial services (19 percent), technology and software (18 percent), and retail and consumer goods (15 percent). The operation demonstrated how attackers could quickly reach tens of thousands of potential victims during peak tax preparation time.

What other IRS-themed tactics delivered RMM tools in these attacks?
Beyond the February 10 incident, Microsoft documented several related efforts that used cryptocurrency or tax form lures to distribute RMM malware. In a campaign sent on February 23 and 27, emails using the subject line “IR-2026-216” abused the events platform Eventbrite to appear to come from the IRS and told recipients — mainly in higher education — that a “Cryptocurrency Tax Form 1099” was ready. The messages pointed to domains such as irs-doc[.]com or gov-irs216[.]net, which delivered an IRS-doc.msi file that installed either ScreenConnect or SimpleHelp, another legitimate RMM tool. Attackers turned to SimpleHelp more frequently after ConnectWise moved to curb ScreenConnect abuse.
Another variant targeted accounting firms directly, asking for help with tax filing and providing a malicious link that installed Datto, yet another RMM solution. These attacks abused trusted remote access software because it blends in with normal IT management activity, making detection harder. Once installed, the tools grant persistent remote desktop access, alternative command-and-control channels, or a platform for hands-on attacks. Microsoft emphasized that “in cases of malware delivery, we noted a continued trend of abusing legitimate remote monitoring and management tools (RMMs), which allow threat actors to maintain persistence on a compromised device or network.”
Phishing-as-a-service (PhaaS) platforms also played a role in credential theft variants. Attackers used the Energy365 kit — estimated to send hundreds of thousands of malicious emails a day — with certified public accountant (CPA) lures, and used the SneakyLog kit (also known as Kratos) to mimic Microsoft 365 login pages after users scanned QR codes hidden in personalized W-2 attachments. These kits enabled the capture of usernames, passwords, and even multifactor authentication codes.
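The two RMM-delivery campaigns above come with concrete indicators: the smartvault[.]im, irs-doc[.]com and gov-irs216[.]net domains, the "IR-2026-216" subject line, and the TranscriptViewer5.1.exe and IRS-doc.msi payload names. The following Python is an added example (not code from the article or from Microsoft) that matches mail, proxy and download events against those indicators. The indicator values are the article's; the JSON-lines event format and its field names (type, subject, url, host, path, filename) are this example's own assumptions, and the events are constructed samples, including a near-miss host that a naive substring match would wrongly flag.

```python
"""
Added example (not from the Microsoft report or this article): match mail, proxy and
download log events against the indicators the article lists for the 2026 tax-season
RMM campaigns. Domains are kept defanged ([.]) in the constants as published.
"""
import json
from urllib.parse import urlparse

# Indicators as published in the article.
CAMPAIGN_DOMAINS_DEFANGED = ["smartvault[.]im", "irs-doc[.]com", "gov-irs216[.]net"]
CAMPAIGN_SUBJECTS = ["IR-2026-216"]
CAMPAIGN_FILENAMES = ["TranscriptViewer5.1.exe", "IRS-doc.msi"]


def refang(domain: str) -> str:
    """Turn 'example[.]com' back into 'example.com' so it can be compared with live logs."""
    return domain.replace("[.]", ".").lower().strip(".")


def domain_matches(host: str, bad_domain: str) -> bool:
    """Exact or subdomain match only. A plain substring test would also flag
    'notsmartvault.im', so compare on label boundaries."""
    host = host.lower().strip(".")
    return host == bad_domain or host.endswith("." + bad_domain)


def host_from_event(event: dict):
    """Host to check: the proxy 'host' field, or the hostname inside a mail 'url'."""
    if "host" in event:
        return event["host"]
    if "url" in event:
        return urlparse(event["url"]).hostname
    return None


def triage(log_lines):
    """Return (line_number, indicator, reason) for every indicator hit in the lines."""
    bad_domains = [refang(d) for d in CAMPAIGN_DOMAINS_DEFANGED]
    hits = []
    for n, line in enumerate(log_lines, 1):
        event = json.loads(line)
        host = host_from_event(event)
        if host:
            for bad in bad_domains:
                if domain_matches(host, bad):
                    hits.append((n, bad, "campaign domain contacted"))
        subject = event.get("subject", "")
        for marker in CAMPAIGN_SUBJECTS:
            if marker.lower() in subject.lower():
                hits.append((n, marker, "campaign subject line"))
        # A payload name can arrive as a download record or as the last path segment
        # of a proxy request; check both the same way.
        name = event.get("filename") or event.get("path", "").rsplit("/", 1)[-1]
        for bad_file in CAMPAIGN_FILENAMES:
            if name.lower() == bad_file.lower():
                hits.append((n, bad_file, "campaign payload filename"))
    return hits


# Constructed sample events (not real telemetry). Line 4 is a deliberate near-miss
# host that must not match; line 5 is a benign download.
SAMPLE_LOGS = [
    '{"type":"mail","subject":"Irregular returns filed under your EFIN","url":"https://smartvault.im/verify"}',
    '{"type":"mail","subject":"IR-2026-216: Cryptocurrency Tax Form 1099","url":"https://gov-irs216.net/1099"}',
    '{"type":"proxy","user":"cpa01","host":"cdn.irs-doc.com","path":"/IRS-doc.msi"}',
    '{"type":"proxy","user":"cpa02","host":"notsmartvault.im","path":"/"}',
    '{"type":"download","user":"cpa03","filename":"Q1-ledger.xlsx"}',
    '{"type":"download","user":"cpa01","filename":"TranscriptViewer5.1.exe"}',
]

if __name__ == "__main__":
    for line_no, indicator, reason in triage(SAMPLE_LOGS):
        print(f"line {line_no}: {reason} ({indicator})")
```

Run as-is it reports six hits across lines 1, 2, 3 and 6 and nothing for lines 4 and 5. Matching on label boundaries rather than substrings is the part worth keeping: the campaign abused a look-alike of a real document platform, so a sloppy rule would either miss the attacker's subdomains or flag the legitimate service.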
Why do attackers focus on tax professionals and accountants during this period?
Tax preparers and accountants manage large volumes of sensitive client information, including Social Security numbers, income details, bank account data, and investment records. A successful compromise provides attackers with high-value material for identity theft, fraudulent refund claims, or further network infiltration — the same kind of cascading exposure seen in other large credential and data breaches, such as the 700Credit breach that exposed nearly 6 million car buyers. Microsoft pointed out that these professionals “are accustomed to receiving tax-related emails during this period,” which lowers suspicion around urgent messages claiming filing problems or refund issues.
The timing aligns with the April 15 deadline, when stress levels rise and people act quickly on official-looking notices. The Internal Revenue Service itself reinforces this risk in its 2026 Dirty Dozen list of tax scams, which places IRS impersonation via email and text (phishing and smishing) at the top. The IRS stresses that it never initiates contact through unsolicited emails, texts, or social media to request personal information or payments. (IRS.gov)
What broader trends in phishing and malware delivery appeared in these campaigns?
Microsoft identified ongoing use of PhaaS platforms that make sophisticated credential theft accessible to less-skilled attackers. These services provide ready-made phishing pages, email templates, and MFA bypass mechanisms tailored to tax themes. Malware delivery shifted toward legitimate RMM tools because they evade many security filters — tools like ScreenConnect, SimpleHelp, and Datto are signed by reputable vendors and used daily by IT teams, so their presence rarely triggers an immediate alert.
The pivot is part of a much larger pattern. According to a report from Huntress, abuse of RMM tools surged 277 percent year-over-year, with attackers sometimes daisy-chaining several different RMM products to fragment telemetry and complicate detection. “As these tools are used by legitimate IT departments, they are typically overlooked and considered ‘trusted’ in most corporate environments,” Elastic Security Labs researchers Daniel Stepanic and Salim Bitam noted, urging organizations to audit their environments for unauthorized RMM usage. The threat is well-established at the federal level too: a joint advisory from CISA, the NSA, and MS-ISAC warned that attackers had exploited RMM software to compromise multiple U.S. federal civilian agency networks, in part because portable RMM executables can run as a local user without administrative rights or a full installation. The tactic has shown up across many lures — a separate January 2026 campaign used fake event invitations to steal credentials and then install LogMeIn for persistent access — and across many sectors, including healthcare, where phishing-driven mailbox takeovers exposed more than 630,000 individuals in 2025. (Microsoft Security Blog)
How can organizations and individuals protect themselves from these threats?
Microsoft recommends several practical steps. Enable multifactor authentication on all accounts, particularly email and financial services. Set up conditional access policies to block suspicious sign-ins. Scan incoming emails for malicious links and attachments, and monitor web traffic for known bad domains. Avoid downloading files from unexpected sources, even if they appear to come from the IRS or tax authorities.
Individuals should verify any IRS-related communication by logging directly into official portals rather than clicking email links. Suspicious messages can be reported to the IRS at its ph******@*rs.gov address. Organizations should audit for unauthorized RMM installations and train staff to recognize tax-themed social engineering. Regular security updates and endpoint detection tools help catch repackaged legitimate software used maliciously.
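The audit for unauthorized RMM installations recommended here, together with the three patterns the Huntress, Elastic and CISA findings above describe (tools that are "trusted" because IT uses them, portable executables run as a local user from a user-writable folder, and several RMM products daisy-chained on one host), can be turned into a small rule set over process-creation telemetry. The Python below is an added example, not code from the article or from any of the vendors it cites. Everything in it is an assumption of this example: the binary names and signer keywords in the catalogue, the approved-product list, the path markers, and the constructed events. The February 10 payload shows why the signer check matters: a renamed client such as TranscriptViewer5.1.exe would slip past a name-only rule.

```python
"""
Added example (not from the article, Microsoft, Huntress, Elastic or CISA): audit
constructed process-creation events for RMM tools that are not approved, run from a
user-writable path, or appear alongside a second RMM product on the same host.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumed catalogue of executable names and code-signing publisher keywords per
# product. Tune it from your own software inventory; nothing here is authoritative.
RMM_CATALOGUE = {
    "ScreenConnect": {"names": {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"},
                      "signer_keywords": {"connectwise"}},
    "SimpleHelp": {"names": {"remote access.exe"}, "signer_keywords": {"simplehelp"}},
    "Datto": {"names": {"aemagent.exe"}, "signer_keywords": {"datto"}},
    "LogMeIn": {"names": {"logmein.exe"}, "signer_keywords": {"logmein"}},
}
APPROVED_RMM = {"Datto"}  # assumption: the one product this IT team actually deploys
# Folders an unprivileged user can write to; an RMM client here is a portable launch,
# not a managed installation.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\")


def identify_rmm(image, signer):
    """Name the RMM product behind a process, matching on the binary name first and
    falling back to the signer so a renamed but still-signed client is not missed."""
    base = PureWindowsPath(image).name.lower()
    signer = (signer or "").lower()
    for product, sig in RMM_CATALOGUE.items():
        if base in sig["names"] or any(k in signer for k in sig["signer_keywords"]):
            return product
    return None


def audit(events):
    """Return (host, rule, product) findings over process-creation events."""
    findings = []
    products_per_host = defaultdict(set)
    for ev in events:
        product = identify_rmm(ev["image"], ev.get("signer"))
        if product is None:
            continue
        products_per_host[ev["host"]].add(product)
        if product not in APPROVED_RMM:
            findings.append((ev["host"], "unapproved RMM product", product))
        if any(m in ev["image"].lower() for m in USER_WRITABLE_MARKERS):
            findings.append((ev["host"], "RMM running from user-writable path", product))
    # Second pass: more than one RMM product on a host is the daisy-chaining pattern.
    for host, products in products_per_host.items():
        if len(products) > 1:
            findings.append((host, "multiple RMM products on one host", "+".join(sorted(products))))
    return findings


# Constructed events (not real telemetry); paths and signer strings are assumed.
SAMPLE_EVENTS = [
    {"host": "WKS-01", "image": r"C:\Program Files\Datto\AEMAgent.exe", "signer": "Datto, Inc."},
    {"host": "WKS-02", "image": r"C:\Users\cpa01\Downloads\TranscriptViewer5.1.exe", "signer": "ConnectWise, LLC"},
    {"host": "WKS-02", "image": r"C:\Users\cpa01\AppData\Local\Temp\Remote Access.exe", "signer": "SimpleHelp Ltd"},
    {"host": "WKS-03", "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "signer": "ConnectWise, LLC"},
    {"host": "WKS-01", "image": r"C:\Windows\System32\svchost.exe", "signer": "Microsoft Windows"},
]

if __name__ == "__main__":
    for host, rule, product in audit(SAMPLE_EVENTS):
        print(f"{host}: {rule} [{product}]")
```

On the sample set the approved Datto agent on WKS-01 produces nothing, the renamed ScreenConnect client on WKS-02 is caught by its signer and flagged twice (unapproved, user-writable), the SimpleHelp client on the same host is flagged the same way and then triggers the one-host-two-products rule, and the properly installed but unapproved ScreenConnect on WKS-03 is flagged once. Signer data comes from whatever your endpoint telemetry records for the process image; if it is absent the name-only path still works but loses the renamed-binary case.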
These measures address the core risks: credential compromise that leads to account takeovers and malware installation that enables data exfiltration or deeper breaches. Staying alert during tax season remains essential as attackers continue refining these methods.