Introduction
Microsoft has reported a large‑scale phishing campaign leveraging U.S. tax season themes by impersonating the Internal Revenue Service (IRS). These attacks use well‑crafted social engineering techniques to steal user credentials and, in more advanced cases, deploy legitimate Remote Monitoring and Management (RMM) tools to maintain long‑term system access. According to Microsoft Threat Intelligence, the campaign has affected tens of thousands of users across thousands of organizations, highlighting a growing trend in which attackers abuse trusted administrative software to evade detection.
Rather than relying solely on traditional malware, threat actors are increasingly blending malicious activity with normal IT operations. This “living‑off‑the‑land” approach makes detection more difficult for organizations that lack visibility into the use of trusted tools and administrative software.
Overview of the IRS‑Themed Phishing Campaign
The phishing emails used in this campaign closely mimic legitimate IRS communications and commonly reference tax refunds, payroll documentation, W‑2 forms, or potential filing irregularities. These messages are designed to appear time‑sensitive and authoritative, increasing the likelihood that recipients will engage with the content.
Microsoft observed a significant spike in activity on February 10, 2026, during which attackers targeted more than 29,000 users across approximately 10,000 organizations. The majority of the victims were in the United States, aligning with both the tax‑season theme and the use of IRS branding. Many of these campaigns were powered by phishing‑as‑a‑service (PhaaS) platforms, enabling attackers to rapidly scale operations while incorporating features designed to bypass multi‑factor authentication controls.
Common Characteristics of the Campaign
- Emails impersonating the IRS, tax professionals, or payroll service providers
- Embedded links redirecting users to fraudulent Microsoft 365 or tax‑related login pages
- Use of established PhaaS kits such as Energy365 and SneakyLog
- Targeting of individuals, accountants, finance departments, and payroll teams
Abuse of Remote Monitoring and Management Tools
After gaining initial access, attackers often move beyond credential theft and install legitimate RMM software to maintain persistent control over compromised endpoints. Microsoft has confirmed the abuse of well‑known tools such as ConnectWise ScreenConnect, Datto, and SimpleHelp. These tools are widely used by IT departments and managed service providers and are often trusted or whitelisted within enterprise environments. Because RMM tools are designed for legitimate remote administration, their presence often does not trigger immediate security alerts. This allows attackers to operate under the guise of routine IT activity while retaining near‑full control of infected systems.
Why RMM Tools Are Effective for Attackers
- They are digitally signed and commonly trusted applications
- They provide persistent remote desktop access and system control
- They enable file transfers, command execution, and system monitoring
- Malicious activity can blend in with normal help desk or administrative operations
Scope and Potential Impact
The scale of this campaign significantly amplifies its potential impact, particularly for organizations that handle sensitive financial or personal information. Microsoft observed targeting across a wide range of sectors, including accounting firms, education, healthcare, retail, and manufacturing.
Once attackers establish persistence through RMM tools, an initial phishing incident can escalate into a broader compromise. Threat actors may perform internal reconnaissance, steal additional credentials, move laterally across networks, exfiltrate sensitive data, or deploy ransomware at a later stage.
Potential Risks Associated with This Campaign
- Theft of personal, financial, and tax‑related information
- Long‑term, undetected access to corporate networks
- Increased likelihood of secondary attacks such as ransomware or data extortion
- Potential compromise of downstream clients, partners, or trusted third parties
Why RMM Abuse Is Increasing
Microsoft’s findings reflect a broader shift toward living‑off‑the‑land techniques, where attackers favor legitimate, built‑in, or widely trusted tools instead of custom malware. As endpoint protection and EDR platforms continue to improve, abusing trusted software offers a lower‑effort and higher‑reward method for maintaining access while minimizing the risk of detection.
Seasonal lures, such as tax‑related messaging, further increase campaign effectiveness by aligning closely with user expectations and real‑world events. During high‑pressure or deadline‑driven periods, users are more likely to engage with emails that appear urgent or authoritative.
Contributing Factors Driving This Trend
- RMM tools are commonly approved and digitally signed
- Reduced likelihood of triggering antivirus or EDR alerts
- Increased user familiarity with remote IT support tools
- Predictable seasonal events provide reliable phishing themes
Security Considerations for Organizations
This campaign highlights the importance of monitoring not only malware, but also the use of legitimate administrative tools. Organizations should treat the unexpected installation or use of RMM software as a potential security event, particularly when it originates from non‑IT users or unmanaged devices.
Enhanced visibility into application usage, combined with strong email security controls and regular user awareness training, is especially critical during high‑risk periods such as tax season.
Key Security Considerations
- Treat tax‑related emails as high‑risk
- Monitor for unauthorized RMM installations and usage
- Restrict RMM tools to approved IT personnel only
- Strengthen protections against credential‑phishing attacks
- Increase vigilance during tax season and other predictable events
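As an added illustration of the "monitor for unauthorized RMM installations" and "restrict RMM tools to approved IT personnel" items above (example code, not from Microsoft's report), this Python sketch applies a simple policy to constructed process-creation events: a binary matching one of the RMM products named in the report is flagged when run by an account outside an IT allowlist, or by an IT account on a host outside a managed-device naming convention. The log format, executable and account names, host prefix and parent-process list are all assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Match the RMM products named in Microsoft's report by vendor keyword in the
# process path. The regexes, log format and policy values are assumptions.
RMM_PATTERNS = {
    "ConnectWise ScreenConnect": re.compile(r"screenconnect", re.I),
    "Datto RMM": re.compile(r"datto", re.I),
    "SimpleHelp": re.compile(r"simplehelp", re.I),
}
# Policy: only these accounts may run RMM tooling, and only on managed hosts.
APPROVED_RMM_USERS = {"corp\\it-helpdesk", "corp\\it-admin"}
MANAGED_HOST_PREFIX = "MGD-"
# Parents that indicate a user-launched download rather than a service install.
USER_APP_PARENTS = {"outlook.exe", "msedge.exe", "chrome.exe", "explorer.exe"}
# Constructed process-creation events: timestamp|host|user|process_path|parent
SAMPLE_EVENTS = """\
2026-02-10T09:14:02Z|MGD-FIN-07|CORP\\jsmith|C:\\Users\\jsmith\\Downloads\\ScreenConnect.Client.exe|outlook.exe
2026-02-10T09:20:45Z|MGD-IT-01|CORP\\it-helpdesk|C:\\Program Files\\ScreenConnect Client\\ScreenConnect.ClientService.exe|services.exe
2026-02-10T10:02:11Z|LAPTOP-PERSONAL|CORP\\it-admin|C:\\Temp\\SimpleHelp\\Remote Access.exe|explorer.exe
2026-02-10T10:30:00Z|MGD-HR-03|CORP\\agarcia|C:\\Windows\\System32\\notepad.exe|explorer.exe
"""

@dataclass
class Finding:
    host: str
    user: str
    tool: str
    reason: str

def classify_event(line: str) -> Optional[Finding]:
    """Return a Finding when an RMM process violates the policy, else None."""
    _ts, host, user, path, parent = line.split("|", 4)
    tool = next((n for n, pat in RMM_PATTERNS.items() if pat.search(path)), None)
    if tool is None:
        return None  # not an RMM product we track
    hint = f"; launched from {parent}" if parent.lower() in USER_APP_PARENTS else ""
    if user.lower() not in APPROVED_RMM_USERS:
        return Finding(host, user, tool, "RMM run by non-IT account" + hint)
    if not host.upper().startswith(MANAGED_HOST_PREFIX):
        return Finding(host, user, tool, "IT account running RMM on unmanaged host" + hint)
    return None  # approved user on a managed host: expected IT activity

def scan(events: str) -> List[Finding]:
    """Run classify_event over every non-empty line and collect the findings."""
    return [f for line in events.splitlines() if line and (f := classify_event(line))]
```

On the constructed sample, the finance user's ScreenConnect client launched from Outlook and the IT admin's SimpleHelp session on a personal laptop are flagged, while the service-installed ScreenConnect on the managed IT host is treated as routine.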
Conclusion
Microsoft’s warning underscores how modern phishing campaigns have evolved beyond simple credential theft into long‑term compromise operations. By combining IRS‑themed lures with the abuse of legitimate RMM tools, attackers achieve scale, persistence, and stealth with relatively low technical complexity. This strategy allows them to operate within trusted boundaries while bypassing many traditional detection mechanisms.
Organizations should approach unexpected tax‑related communications with caution and ensure controls are in place to detect unauthorized RMM deployments. As phishing tactics continue to mature, defensive strategies must evolve to focus not only on initial access, but also on the misuse of trusted tools within enterprise environments.