Microsoft Tax-Season Phishing Attacks Target Credentials
摘要
Microsoft is warning that tax-season phishing attacks are rising, with threat actors using fake CPA messages, W-2 QR codes, and 1099-themed lures to steal Microsoft 365 credentials and deliver malware or remote access tools. The campaigns matter because they are increasingly targeted and evasive, abusing trusted cloud services, multi-step redirects, and legitimate-looking tools to bypass defenses and raise the risk of account compromise and broader network intrusion.
Introduction
Tax season is once again proving to be prime time for cybercriminals. Microsoft reports a clear increase in phishing and malware campaigns that exploit the urgency of tax filings, refund notices, payroll forms, and accountant communications to trick users into surrendering credentials or launching malware.
For IT and security teams, this matters because these campaigns are not just generic spam. Many are highly targeted, personalized, and built to evade traditional detections through QR codes, multi-step link chains, cloud-hosted files, and the abuse of legitimate remote monitoring and management (RMM) tools.
What’s new
Microsoft highlighted several tax-themed attack patterns observed in early 2026:
-
CPA-themed phishing with Energy365
Emails with subjects like "See Tax file" used Excel attachments that linked to OneNote files hosted on OneDrive, eventually redirecting users to credential-harvesting pages powered by the Energy365 phishing-as-a-service kit. -
W-2 QR code phishing with SneakyLog
Messages titled "2025 Employee Tax Docs" included Word documents containing personalized QR codes. Scanning the code led users to fake Microsoft 365 sign-in pages run through the SneakyLog/Kratos phishing kit, designed to steal credentials and 2FA information. -
1099 lures delivering ScreenConnect
Tax-form themed domains impersonated financial and tax brands, leading users to download 1099-FR2025.exe, which installed ScreenConnect. Although legitimate, ScreenConnect can be abused by attackers as a remote access tool. -
IRS and crypto-themed phishing
Another campaign used fake IRS messaging and cryptocurrency-related social engineering, including copy-and-paste URLs instead of clickable links to reduce automated detection.
Why this matters for administrators
These campaigns show how attackers are blending:
- convincing seasonal business context
- phishing-as-a-service platforms that scale quickly
- personalized attachments and landing pages
- MFA bypass techniques
- legitimate signed RMM tools for persistence and hands-on-keyboard access
Organizations in financial services, healthcare, education, manufacturing, retail, and IT were all observed as targets, with accountants and finance-adjacent roles particularly at risk.
Recommended next steps
IT administrators should take the following actions immediately:
- Reinforce user awareness around tax-themed emails, especially unexpected W-2, 1099, CPA, and IRS messages.
- Block or closely inspect QR code-based phishing and multi-stage attachment chains involving Excel, OneNote, and cloud storage links.
- Review email security policies for impersonation protection, attachment scanning, and URL detonation.
- Hunt for abuse of RMM tools such as ScreenConnect and SimpleHelp, especially when installed outside approved channels.
- Strengthen identity protections with phishing-resistant MFA where possible and monitor for suspicious Microsoft 365 sign-in activity.
- Use Microsoft Defender detection and hunting guidance from the advisory to identify related indicators of compromise.
Bottom line
Tax season gives attackers a predictable window to exploit urgency and trust. Microsoft’s latest findings are a reminder that organizations should treat tax-related messages as a high-risk phishing category and validate both identity activity and remote access tooling across the environment.
获取微软技术最新资讯