Monday, March 23, 2026

Microsoft Warns: IRS Phishing Attack Hits 29,000 Users and Deploys RMM Malware Backdoors

Key Takeaways
  • On February 10, 2026, Microsoft identified a massive IRS-impersonation phishing campaign targeting 29,000+ users across 10,000+ organizations, with ~95% of victims in the U.S.
  • Attackers delivered fake "IRS Transcript Viewer 5.1" software that installed legitimate RMM tools—ConnectWise ScreenConnect, Datto, and SimpleHelp—as persistent backdoors.
  • Phishing-as-a-Service platforms Energy365 and SneakyLog powered the attacks, with RMM tool abuse surging 277% year-over-year according to Huntress.
  • Financial services (19%), technology/software (18%), and retail/consumer goods (15%) were the hardest-hit industries; a parallel QR code campaign targeted manufacturing, retail, and healthcare.

What Happened

On February 10, 2026, Microsoft's threat intelligence teams detected one of the most aggressive IRS-impersonation phishing campaigns of the year. The attack reached more than 29,000 users spread across over 10,000 organizations, with approximately 95% of targeted users based in the United States. Microsoft's Threat Intelligence and Defender Security Research teams publicly disclosed the campaign on March 19, 2026.

Attackers sent emails through Amazon Simple Email Service (SES)—a legitimate, widely trusted cloud email platform—helping their messages slip past standard spam filters. Each email claimed the recipient had filed an irregular tax return under their Electronic Filing Identification Number (EFIN), a real IRS identifier used by tax preparers, and instructed them to download a tool called "IRS Transcript Viewer 5.1" to review the issue. Instead of showing tax documents, that download silently installed Remote Monitoring and Management (RMM) software—legitimate IT tools repurposed as backdoors—including ConnectWise ScreenConnect, Datto, and SimpleHelp, handing attackers persistent, covert remote access to infected machines.

A parallel campaign used QR codes embedded in fake W-2 tax forms to target approximately 100 organizations in manufacturing, retail, and healthcare, redirecting victims to counterfeit Microsoft 365 sign-in pages built to steal passwords and two-factor authentication (2FA) codes in real time. Both campaigns ran on Phishing-as-a-Service (PhaaS) platforms—subscription-based cybercrime toolkits that let low-skill attackers launch sophisticated operations. The two kits identified were Energy365, estimated to send hundreds of thousands of malicious emails per day, and SneakyLog (also known as Kratos), active since early 2025 and capable of bypassing 2FA protections.

Why It Matters for Your Organization's Security

Beyond its sheer scale, the more unsettling story of this campaign is how it was executed, and what that reveals about where modern attacks are headed. The deliberate use of legitimate RMM tools instead of custom malware is a "living-off-the-land" technique (abusing trusted, legitimately distributed software as an attack vector rather than introducing new malicious code). Endpoint security and antivirus products do not block tools like ConnectWise ScreenConnect or Datto on sight, because IT departments use those same tools every day. A Huntress report puts the trend in stark numbers: RMM tool abuse surged 277% year-over-year, making it one of the fastest-growing attack vectors in enterprise environments today.

The targeting is precise and deliberate. As Microsoft's teams stated on March 19, 2026: "Many campaigns target individuals for personal and financial data theft, but others specifically target accountants and other professionals who handle sensitive documents, have access to financial data, and are accustomed to receiving tax-related emails during this period." The people most conditioned to open an IRS-themed email without hesitation are the exact people with access to the most sensitive financial systems. Microsoft's data confirms this: financial services organizations bore the highest exposure at 19% of targets, followed by technology and software companies at 18%, and retail and consumer goods at 15%.

Tax season creates an ideal social engineering window. Urgency is built in, IRS-themed communications feel routine, and employees across accounting, HR, and payroll are expecting to handle tax documents. This pressure overrides the critical thinking that good security awareness training is designed to build. Organizations that have not run context-specific phishing simulations—especially ones modeled on current seasonal lures—are leaving a significant gap in their defenses right now, through April.

The downstream consequences of an RMM-based intrusion extend well beyond the initial foothold. Once an attacker controls an RMM session, they can exfiltrate sensitive records, deploy ransomware, pivot laterally to other systems, and maintain long-term access that persists through reboots. For organizations in regulated industries, that means potential breach notification obligations, regulatory fines under frameworks like HIPAA or PCI-DSS, and serious reputational damage. This is precisely why a formal incident response plan—a pre-defined set of steps your team executes the moment a breach is detected—must exist before an attack occurs. Organizations with practiced response playbooks recover faster and suffer measurably smaller financial losses than those improvising under pressure. Treating cybersecurity best practices as a checkbox exercise rather than an operational discipline is what makes campaigns like this one so consistently effective.

The AI Angle

The core detection challenge these campaigns pose—trusted software doing untrustworthy things—is precisely where AI-powered security tools outperform traditional defenses. Signature-based antivirus cannot flag ConnectWise ScreenConnect as malicious because, on its own, it is not. AI-driven platforms like Microsoft Defender XDR and CrowdStrike Falcon use behavioral analysis to detect the anomalies that matter: an RMM installation triggered seconds after a suspicious email attachment is opened, a remote session connecting to an unrecognized IP address, or lateral movement (attackers spreading from one compromised device to others on the same internal network) that falls outside normal IT workflows.
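The two behavioral signals named above, correlated over a handful of constructed endpoint events, as an added example that is not part of the original article or any vendor product; the event fields, host names, process names and the RMM server allowlist are all assumptions.

```python
"""Correlate constructed endpoint telemetry to flag the two behaviours the
text describes: an RMM install shortly after an e-mail attachment is opened,
and an RMM session to an address outside the IT team's own RMM servers.
Event fields, host names and the allowlist are assumptions, not a product schema."""
from datetime import datetime, timedelta
import ipaddress

RMM_PROCESSES = ("screenconnect", "datto", "simplehelp")      # tools named in the report
APPROVED_RMM_NETS = [ipaddress.ip_network("10.20.0.0/16")]     # assumed: your RMM servers
WINDOW = timedelta(seconds=120)                                # attachment -> install window

# Constructed telemetry: (timestamp, host, event type, detail)
EVENTS = [
    ("2026-02-10T09:01:05", "WS-ACCT-07", "attachment_open", "IRS_Transcript_Viewer_5.1.zip"),
    ("2026-02-10T09:01:48", "WS-ACCT-07", "process_create", "ScreenConnect.ClientSetup.exe"),
    ("2026-02-10T09:02:10", "WS-ACCT-07", "network_connect", "ScreenConnect.WindowsClient.exe 203.0.113.45"),
    ("2026-02-10T11:30:00", "WS-IT-02", "process_create", "ScreenConnect.ClientSetup.exe"),
    ("2026-02-10T11:30:20", "WS-IT-02", "network_connect", "ScreenConnect.WindowsClient.exe 10.20.5.9"),
]

def is_rmm(detail):
    return any(tag in detail.lower() for tag in RMM_PROCESSES)

def correlate(events):
    """Return alert strings; events must be in time order."""
    alerts = []
    last_open = {}  # host -> time of the most recent attachment open
    for ts, host, kind, detail in events:
        t = datetime.fromisoformat(ts)
        if kind == "attachment_open":
            last_open[host] = t
        elif kind == "process_create" and is_rmm(detail):
            opened = last_open.get(host)
            if opened is not None and t - opened <= WINDOW:
                secs = int((t - opened).total_seconds())
                alerts.append(f"{host}: RMM install {detail} {secs}s after attachment open")
        elif kind == "network_connect" and is_rmm(detail):
            ip = ipaddress.ip_address(detail.split()[-1])
            if not any(ip in net for net in APPROVED_RMM_NETS):
                alerts.append(f"{host}: RMM session to unapproved address {ip}")
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print("ALERT", alert)
```

The IT-initiated install on WS-IT-02 produces no alert because nothing preceded it and its session goes to the approved network; the accounting workstation trips both rules.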

Platforms that integrate real-time threat intelligence feeds—continuously updated data about active attack infrastructure, PhaaS toolkits like Energy365 and SneakyLog, and known malicious sender patterns—can block or quarantine these phishing emails before they ever reach an employee's inbox. Deploying AI-assisted email security alongside behavioral endpoint detection is among the most impactful cybersecurity best practices any organization can prioritize this tax season, particularly for teams with access to sensitive financial and personnel data.

What Should You Do? 3 Action Steps

1. Audit and Lock Down RMM Tool Installations Immediately

Enforce application control policies (rules that govern which software is permitted to run on company devices) to ensure only IT-approved RMM tools can execute in your environment. Use endpoint management platforms like Microsoft Intune or your EDR console to scan all devices for unauthorized installations of ConnectWise ScreenConnect, Datto, SimpleHelp, or any other remote access software not deployed by your IT team. Discovery of any unauthorized RMM tool should immediately trigger your incident response plan: isolate the affected device, review connection logs for the RMM session, reset credentials accessible from that machine, and open a formal investigation. Do not assume the installation was accidental.
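The inventory audit this step calls for, written as an added example rather than anything from the article or from Intune or an EDR vendor: it diffs a constructed software export against the RMM deployments IT actually approved. Host names, product strings and the approved list are assumptions.

```python
"""Audit a constructed software-inventory export (the kind Intune or an EDR
console can produce) against the RMM deployments your IT team actually
approved. Host names, product strings and the approved list are assumptions."""

# Substrings that identify the RMM tools named in Microsoft's report.
RMM_SIGNATURES = {
    "ConnectWise ScreenConnect": ("screenconnect", "connectwise"),
    "Datto RMM": ("datto",),
    "SimpleHelp": ("simplehelp",),
}

# Assumed: which hosts each tool is approved on, per your change records.
APPROVED = {"ConnectWise ScreenConnect": {"WS-IT-02", "SRV-HELPDESK"}}

# Constructed inventory export: host -> installed product display names.
INVENTORY = {
    "WS-ACCT-07": ["Microsoft 365 Apps", "ScreenConnect Client (a1b2c3d4)", "7-Zip"],
    "WS-IT-02":   ["ScreenConnect Client (a1b2c3d4)", "Microsoft 365 Apps"],
    "WS-HR-03":   ["SimpleHelp Remote Access", "Adobe Acrobat Reader"],
    "WS-SALES-1": ["Google Chrome"],
}

def classify(product):
    """Return the RMM family a product name belongs to, or None."""
    low = product.lower()
    for family, tags in RMM_SIGNATURES.items():
        if any(tag in low for tag in tags):
            return family
    return None

def audit(inventory, approved):
    """Return {host: [(family, product), ...]} for RMM installs not approved on that host."""
    findings = {}
    for host, products in inventory.items():
        for product in products:
            family = classify(product)
            if family and host not in approved.get(family, set()):
                findings.setdefault(host, []).append((family, product))
    return findings

if __name__ == "__main__":
    for host, hits in audit(INVENTORY, APPROVED).items():
        for family, product in hits:
            # The article's rule: treat this as an incident, not a support ticket.
            print(f"INCIDENT {host}: unauthorized {family} ({product}) -> "
                  "isolate host, review RMM session logs, reset credentials reachable from it")
```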

2. Launch Tax-Season Phishing Simulations Targeting Finance and HR Teams

Deploy simulated IRS-themed phishing tests across your organization—with priority on finance, accounting, payroll, and HR employees—before the end of April. Platforms like KnowBe4, Proofpoint, or Microsoft Attack Simulator can replicate the exact lures used in this campaign: fake EFIN irregularity notices, W-2 QR codes, and counterfeit Microsoft 365 sign-in pages. Employees who engage with the simulation should receive immediate, in-the-moment security awareness training rather than disciplinary action. This behavioral reinforcement is the most cost-effective data protection investment most organizations can make, and it directly closes the human gap that PhaaS platforms are specifically engineered to exploit.

3. Harden Email Filtering with Threat Intelligence and Authentication Standards

Configure your email security gateway to apply elevated scrutiny to messages sent via bulk cloud email services—like Amazon SES—that claim to originate from government agencies. Enable advanced threat intelligence feeds within platforms like Microsoft Defender for Office 365, Proofpoint, or Mimecast to block known PhaaS infrastructure in real time. Verify that your own domains are protected with properly configured DMARC, DKIM, and SPF records (email authentication standards that together prevent domain spoofing: SPF lists the servers allowed to send for your domain, DKIM cryptographically signs outgoing messages, and DMARC tells receivers what to do when those checks fail). Use a free diagnostic tool like MXToolbox to check your current configuration. Finally, enforce phishing-resistant multi-factor authentication—hardware keys or passkey-based MFA—on all Microsoft 365 accounts, since SneakyLog is specifically designed to harvest standard 2FA codes during real-time sign-in interception.
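The checks behind "properly configured" SPF and DMARC, as an added example that is not from the article or from MXToolbox: it flags the permissive and monitor-only settings that let a spoofed message through, with a weak record pair beside the corrected pair. The records are constructed; DKIM is left out because validating it requires the published key.

```python
"""Check SPF and DMARC TXT records for weak settings that let spoofed mail through.
Records below are constructed; in practice pass in the TXT records pulled from your DNS."""

LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")  # RFC 7208 lookup terms

def check_spf(record):
    """Return a list of weaknesses found in an SPF record string."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    issues = []
    tail = terms[-1].lower()
    if tail in ("+all", "all"):
        issues.append("'+all' authorises every sender to spoof the domain")
    elif tail == "?all":
        issues.append("'?all' is neutral; spoofed mail neither passes nor fails")
    elif tail not in ("-all", "~all"):
        issues.append("record does not end with an 'all' mechanism")
    lookups = sum(1 for t in terms
                  if t.lstrip("+-~?").lower().split(":")[0].split("=")[0] in LOOKUP_TERMS)
    if lookups > 10:  # receivers return permerror above 10, which disables SPF for you
        issues.append(f"{lookups} DNS lookups exceeds the limit of 10")
    return issues

def check_dmarc(record):
    """Return a list of weaknesses found in a DMARC record string."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    if tags.get("p", "").lower() in ("", "none"):
        issues.append("p=none only monitors; spoofed mail is still delivered")
    if tags.get("pct", "100") != "100":
        issues.append(f"pct={tags['pct']} leaves part of spoofed mail unenforced")
    if "rua" not in tags:
        issues.append("no rua= address, so no aggregate reports reach you")
    return issues

# Constructed records: a weak pair beside the corrected pair.
WEAK_SPF, FIXED_SPF = "v=spf1 include:_spf.example.net +all", "v=spf1 include:_spf.example.net -all"
WEAK_DMARC, FIXED_DMARC = "v=DMARC1; p=none; pct=50", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for name, rec, fn in [("weak SPF", WEAK_SPF, check_spf), ("fixed SPF", FIXED_SPF, check_spf),
                          ("weak DMARC", WEAK_DMARC, check_dmarc), ("fixed DMARC", FIXED_DMARC, check_dmarc)]:
        print(name, "->", fn(rec) or ["ok"])
```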

Frequently Asked Questions

How do I protect my small business from IRS phishing emails during tax season?

Start with three layers of defense. First, deploy email filtering with real-time threat intelligence to block phishing messages before they reach employees—look for platforms that specifically flag government impersonation from cloud email services like Amazon SES. Second, run tax-season phishing simulations for any employee who handles financial documents; targeted security awareness training is the most direct way to reduce click rates on seasonal lures. Third, enforce multi-factor authentication on all business accounts, especially Microsoft 365 and any financial platforms, so stolen credentials alone are not enough for an attacker to gain access. Even a basic implementation of these three controls would have stopped the majority of the attacks against the 29,000+ users targeted in the campaign Microsoft identified on February 10, 2026.

Why are attackers using legitimate RMM tools like ScreenConnect as malware, and how can I detect unauthorized installations?

Legitimate RMM tools are attractive to attackers precisely because security software trusts them. This "living-off-the-land" technique bypasses antivirus and many EDR tools that rely on signature matching. RMM tool abuse has surged 277% year-over-year according to Huntress, reflecting how widely criminals have adopted this approach. To detect unauthorized installations, maintain an authoritative inventory of all approved remote access tools in your environment and run regular audits against it. Use behavioral detection in your EDR platform to flag unusual RMM activity patterns—such as a new installation followed within minutes by an outbound remote session to an unfamiliar IP address. Any unauthorized RMM tool discovered on a device should be treated as an active incident response situation, not a routine support ticket.

What industries were most targeted by the 2026 IRS phishing campaign Microsoft identified, and is my sector at risk?

According to Microsoft's threat intelligence data from the February 10, 2026 campaign, financial services organizations were the most heavily targeted at 19% of affected entities, followed by technology and software companies at 18%, and retail and consumer goods firms at 15%. A separate QR code and W-2 lure campaign specifically targeted manufacturing, retail, and healthcare organizations. However, the broader principle holds across all industries: any organization with employees who routinely receive, process, or sign tax-related documents—accountants, HR professionals, payroll administrators, office managers—should be considered a high-value target during tax season and prioritized for phishing simulation and security awareness refreshers.

How do Phishing-as-a-Service platforms like Energy365 and SneakyLog bypass two-factor authentication?

Phishing-as-a-Service platforms package everything an attacker needs into a turnkey kit: realistic phishing email templates, credential-harvesting web pages that mirror legitimate sites, backend infrastructure, and increasingly, adversary-in-the-middle proxying (a technique where the fake sign-in page sits between the victim and the real website, forwarding the victim's credentials and live 2FA codes to the attacker in real time before passing the session along). SneakyLog, also known as Kratos and active since early 2025, uses exactly this technique to capture one-time passwords before they expire. Energy365 is estimated to send hundreds of thousands of malicious emails per day. Standard SMS-based or app-based 2FA codes are vulnerable to this approach; phishing-resistant MFA using hardware security keys or passkeys is the most effective data protection countermeasure against real-time credential interception.

What should a small business incident response plan include specifically for RMM-based phishing intrusions?

A practical incident response plan for RMM-based intrusions should cover five elements. First, an immediate isolation procedure: network-quarantine any device where an unauthorized RMM tool is found, preventing lateral spread. Second, a session log review: pull connection logs from the RMM tool to determine when the session started, what IP connected, and how long access persisted. Third, a credential sweep: reset passwords and revoke active sessions for all accounts accessible from the compromised machine, including email, financial platforms, and VPN. Fourth, a notification checklist: identify whether any sensitive personal or financial data may have been accessed and assess your regulatory disclosure obligations. Fifth, a post-incident review: update cybersecurity best practices and close the specific gap—whether a missed email filter, an untrained employee, or an unaudited software installation—that allowed the attack to succeed. Running tabletop exercises (structured walkthroughs of simulated attack scenarios) at least twice a year keeps your team ready to execute these steps under real pressure.

Disclaimer: This article is for informational purposes only and does not constitute professional security consulting advice. Always consult with a qualified cybersecurity professional for your specific needs.