Tax-season phishing targets W-2 and CPA

Microsoft observed tax-season phishing campaigns leveraging W-2, CPA, and IRS lures. Attackers use phishing-as-a-service kits, QR codes, OneNote files, and domain impersonation, and abuse legitimate RMM tools (ScreenConnect, SimpleHelp) to harvest credentials, bypass MFA, and target tax professionals and clients.

During tax season, Microsoft observed a predictable surge in tax-themed phishing and malware campaigns. Threat actors used W-2, 1099, QR codes, and CPA lures to harvest credentials and deliver malware.

Main feature/change and impact

Microsoft Threat Intelligence documented increased use of phishing-as-a-service kits and abused RMM tools during tax season. Energy365 and SneakyLog kits delivered tailored CPA and W-2 lures to harvest credentials and bypass MFA. Threat actors also delivered signed RMM executables like ScreenConnect and SimpleHelp to gain persistent remote access. This shift raised risk for accounting teams and high-value business targets handling financial documents.

Practical implications

Organizations must assume targeted tax-season campaigns will escalate around filing deadlines. Email security should block malicious attachments, scan OneDrive and OneNote links, and flag personalized lures. Enforce MFA with phishing-resistant methods and monitor for unauthorized RMM tool installations. Incident response should include rapid domain takedowns, certificate revocation tracking, and focused hunting for credential theft indicators.

“During tax season, threat actors reliably take advantage of the urgency and familiarity of time-sensitive emails, including refund notices, payroll forms, filing reminders, and requests from tax professionals, to trick targets into opening malicious attachments, scanning QR codes, or following multi-step link chains.”

These campaigns demonstrate attackers prefer tailored social engineering and legitimate-tool abuse. Next steps include tightening email controls, deploying phishing-resistant MFA, and hunting for RMM abuse indicators. Security teams should brief accounting staff and prepare forensic playbooks before peak filing dates.
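The "monitor for unauthorized RMM tool installations" and "hunting for RMM abuse indicators" recommendations above are easiest to act on with a small hunting rule over process-creation telemetry. The following is an added example written for this summary; it is not code from Microsoft or from the report. The event schema (`host`, `user`, `image`, `parent`), the hostnames, the approved-host allowlist and the sample events are all constructed assumptions. The only RMM product names it keys on are the two the report mentions, ScreenConnect and SimpleHelp.

```python
"""Hunt for unapproved RMM agent activity in process-creation telemetry.

Added example, not part of the original report. Event fields, hostnames,
file paths and the allowlist below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Substrings that identify the RMM tools named in the report. Matching is
# done on the lower-cased image path so renamed or re-packaged installers
# (e.g. "W2_Review_ScreenConnect.Client.exe") are still caught.
RMM_INDICATORS = {
    "screenconnect": "ScreenConnect",
    "simplehelp": "SimpleHelp",
}

# Constructed allowlist: hosts where IT legitimately runs an RMM agent.
# In practice this would come from your asset inventory.
APPROVED_RMM_HOSTS = {"it-helpdesk-01"}

# Parent processes that indicate the RMM binary came via mail, browser or a
# OneNote file rather than a managed software deployment.
DELIVERY_PARENTS = ("outlook.exe", "onenote.exe", "msedge.exe", "chrome.exe")


@dataclass
class Finding:
    host: str
    user: str
    image: str
    tool: str
    reason: str


def classify_rmm(image_path: str) -> Optional[str]:
    """Return the RMM product name if the image path matches, else None."""
    lowered = image_path.lower()
    for needle, tool in RMM_INDICATORS.items():
        if needle in lowered:
            return tool
    return None


def hunt_rmm(events: Iterable[dict]) -> List[Finding]:
    """Flag RMM executions on hosts not approved for remote management.

    Each event is a dict with keys host, user, image, parent (constructed
    schema; map your EDR/Sysmon fields onto it before calling).
    """
    findings: List[Finding] = []
    for ev in events:
        tool = classify_rmm(ev.get("image", ""))
        if tool is None:
            continue
        host = ev.get("host", "")
        if host in APPROVED_RMM_HOSTS:
            continue  # expected RMM use on an IT-managed host
        reason = "RMM executable launched on a host not approved for remote management"
        parent = ev.get("parent", "").lower()
        if parent.endswith(DELIVERY_PARENTS):
            reason += "; spawned from a mail/browser/OneNote process (possible phishing delivery)"
        findings.append(Finding(host, ev.get("user", ""), ev.get("image", ""), tool, reason))
    return findings


# Constructed sample telemetry: one approved IT host, two suspicious
# accounting workstations, and one benign process as a negative control.
SAMPLE_EVENTS = [
    {"host": "it-helpdesk-01", "user": "svc_rmm",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"host": "acct-ws-07", "user": "jdoe",
     "image": r"C:\Users\jdoe\Downloads\W2_Review_ScreenConnect.Client.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"host": "acct-ws-12", "user": "asmith",
     "image": r"C:\Users\asmith\AppData\Local\Temp\Remote Access-simplehelp.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "acct-ws-03", "user": "bking",
     "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
]


def run_sample() -> List[Finding]:
    """Run the hunt over the constructed sample and return its findings."""
    return hunt_rmm(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.tool}] {f.host} / {f.user}: {f.reason}\n    {f.image}")
```

The allowlist is deliberately host-based rather than user-based: a signed ScreenConnect or SimpleHelp binary looks identical whether IT installed it or a phished accountant did, so the distinguishing signal is where it runs and what launched it, not the file's signature.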

Key points from the article:

  • PhaaS kits like Energy365 and SneakyLog enable large-scale credential harvesting.
  • QR codes and OneNote files increase evasion of automated detection.
  • Threat actors register tax-themed domains for tailored phishing campaigns.
  • Legitimate RMM tools are abused as remote access trojans.
  • Campaigns specifically target accountants and tax professionals for access.