Microsoft Tax-Season Phishing Attacks Target Credentials

Introduction

Tax season is once again proving to be prime time for cybercriminals. Microsoft reports a clear increase in phishing and malware campaigns that exploit the urgency of tax filings, refund notices, payroll forms, and accountant communications to trick users into surrendering credentials or launching malware.

For IT and security teams, this matters because these campaigns are not just generic spam. Many are highly targeted, personalized, and built to evade traditional detections through QR codes, multi-step link chains, cloud-hosted files, and the abuse of legitimate remote monitoring and management (RMM) tools.

What’s new

Microsoft highlighted several tax-themed attack patterns observed in early 2026:

• CPA-themed phishing with Energy365
  Emails with subjects like "See Tax file" used Excel attachments that linked to OneNote files hosted on OneDrive, eventually redirecting users to credential-harvesting pages powered by the Energy365 phishing-as-a-service kit.

• W-2 QR code phishing with SneakyLog
  Messages titled "2025 Employee Tax Docs" included Word documents containing personalized QR codes. Scanning the code led users to fake Microsoft 365 sign-in pages run through the SneakyLog/Kratos phishing kit, designed to steal credentials and 2FA information.

• 1099 lures delivering ScreenConnect
  Tax-form themed domains impersonated financial and tax brands, leading users to download 1099-FR2025.exe, which installed ScreenConnect. Although legitimate, ScreenConnect can be abused by attackers as a remote access tool.

• IRS and crypto-themed phishing
  Another campaign used fake IRS messaging and cryptocurrency-related social engineering, including copy-and-paste URLs instead of clickable links to reduce automated detection.

Why this matters for administrators

These campaigns show how attackers are blending:

• convincing seasonal business context
• phishing-as-a-service platforms that scale quickly
• personalized attachments and landing pages
• MFA bypass techniques
• legitimate signed RMM tools for persistence and hands-on-keyboard access

Organizations in financial services, healthcare, education, manufacturing, retail, and IT were all observed as targets, with accountants and finance-adjacent roles particularly at risk.

Recommended next steps

IT administrators should take the following actions immediately:

• Reinforce user awareness around tax-themed emails, especially unexpected W-2, 1099, CPA, and IRS messages.
• Block or closely inspect QR code-based phishing and multi-stage attachment chains involving Excel, OneNote, and cloud storage links.
• Review email security policies for impersonation protection, attachment scanning, and URL detonation.
• Hunt for abuse of RMM tools such as ScreenConnect and SimpleHelp, especially when installed outside approved channels.
• Strengthen identity protections with phishing-resistant MFA where possible and monitor for suspicious Microsoft 365 sign-in activity.
• Use Microsoft Defender detection and hunting guidance from the advisory to identify related indicators of compromise.

Bottom line

Tax season gives attackers a predictable window to exploit urgency and trust. Microsoft’s latest findings are a reminder that organizations should treat tax-related messages as a high-risk phishing category and validate both identity activity and remote access tooling across the environment.