Microsoft is cautioning users about a surge in tax-themed phishing campaigns designed to steal sensitive credentials and install malicious software. These attacks exploit the seasonal urgency of tax filing by impersonating the IRS and tax professionals to trick victims into clicking dangerous links or downloading remote access tools.
Microsoft has observed a significant increase in cyberattacks that leverage the U.S. tax season to deceive both individuals and financial professionals. By sending fraudulent emails that appear to be refund notices, payroll updates, or urgent filing reminders, attackers capitalize on the high volume of legitimate tax correspondence during this period. These messages often include malicious attachments, QR codes, or links to fake login pages designed to harvest usernames, passwords, and even two-factor authentication codes.
While many of these campaigns aim to steal personal data, a large portion specifically targets accountants and organizations that handle vast amounts of financial documentation. Some attackers use sophisticated phishing-as-a-service platforms like Energy365 or SneakyLog to create convincing replicas of Microsoft 365 sign-in pages. Others focus on delivering legitimate remote monitoring and management tools, such as ScreenConnect or Datto, which allow hackers to maintain long-term access to a victim's computer without raising immediate red flags.
In one massive operation identified in February 2026, over 29,000 users across 10,000 organizations were targeted by a campaign impersonating the IRS. These emails claimed that irregular tax returns had been filed and instructed recipients to download a fake transcript viewer. Most of these targets were located in the U.S. within the financial, technology, and retail sectors. The links provided in these emails redirected users to fraudulent domains that used security services like Cloudflare to hide their malicious payloads from automated scanners.
The tactics used in these campaigns vary from using cryptocurrency tax lures to impersonating well-known document management platforms like SmartVault. By mimicking trusted brands and government agencies, cybercriminals successfully bypass the initial skepticism of many users. Once a victim interacts with the content, the attackers can gain full remote control of the system, enabling them to steal credentials and move laterally through a company’s network to access even more sensitive data.
To mitigate the risks associated with these seasonal threats, security experts recommend that organizations and individuals remain highly vigilant when handling tax-related digital communication. Implementing strict two-factor authentication and conditional access policies can provide a critical layer of defense against credential theft. Additionally, monitoring email traffic for suspicious domains and educating staff on the dangers of clicking unsolicited links are essential steps in preventing successful system compromises.
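One way to turn the advice on monitoring email for suspicious domains into a triage check, as an added example that is not code from Microsoft's report or from this article. The keyword lists, the weights, the choice of irs.gov as the only accepted domain for IRS-branded mail, and the example.* sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions of this sketch, not taken from the article: the keyword lists,
# the weights, and irs.gov as the only domain accepted for IRS-branded mail.
IRS_NAME = re.compile(r"\birs\b|internal revenue", re.I)
TAX_LURE = re.compile(r"\btax (return|refund|transcript)s?\b|\bw-2\b|\b1099\b", re.I)
RMM_NAME = re.compile(r"screenconnect|datto", re.I)  # RMM tools named in the article
INSTALLER = re.compile(r"\.(exe|msi)(\?|$)", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def under(host, parent):
    host = host.lower().rstrip(".")
    return host == parent or host.endswith("." + parent)

def triage(raw):
    """Score one plain-text RFC 5322 message; returns (score, [reason, ...])."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2]
    subject = msg.get("Subject", "")
    body = "" if msg.is_multipart() else str(msg.get_payload())
    hits = []
    # 1. Display name claims the IRS, From-header domain does not belong to it.
    if IRS_NAME.search(display) and not under(sender, "irs.gov"):
        hits.append(("irs-name-on-foreign-domain", 3))
    # 2. Tax wording alone is weak evidence; it only adds weight to other hits.
    if TAX_LURE.search(subject) or TAX_LURE.search(body):
        hits.append(("tax-lure-wording", 1))
    for url in URL.findall(body):
        host = re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].split(":")[0]
        # 3. Look-alike host: an "irs" label that sits outside irs.gov.
        if re.search(r"(^|[.-])irs([.-]|$)", host, re.I) and not under(host, "irs.gov"):
            hits.append(("irs-lookalike-host:" + host.lower(), 3))
        # 4. Link to an installer, or a link that names an RMM product.
        if INSTALLER.search(url) or RMM_NAME.search(url):
            hits.append(("installer-or-rmm-link", 2))
    return sum(w for _, w in hits), [r for r, _ in hits]

# Constructed sample messages (example.* domains, not real indicators).
PHISH = ("From: \"IRS Notification\" <notice@mail.example.net>\n"
         "Subject: Irregular tax return filed\n\n"
         "Download the transcript viewer: https://irs-transcripts.example.org/viewer.msi\n")
BENIGN = ("From: \"Payroll\" <payroll@corp.example.com>\n"
          "Subject: Holiday schedule\n\nSee https://corp.example.com/calendar\n")

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(name, triage(raw))
```

A score like this is a prioritization signal for review or quarantine, and it complements rather than replaces SPF, DKIM and DMARC results from the mail gateway.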
Source: https://www.microsoft.com/en-us/security/blog/2026/03/19/when-tax-season-becomes-cyberattack-season-phishing-and-malware-campaigns-using-tax-related-lures/



