Microsoft Warns IRS Phishing Hits 29,000 Users, Deploys RMM Malware

Microsoft warns of new tax‑season phishing campaigns that impersonate tax authorities and professionals to harvest credentials, deploy remote‑access software, and exfiltrate data. Attackers use Phishing‑as‑a‑Service kits and layered redirection to evade detection and abuse legitimate RMM tools like ScreenConnect, Datto, and SimpleHelp for persistent access.

Key points

  • Attackers send tax‑themed phishing emails (refunds, W2s, CPA requests) to steal credentials and 2FA codes from individuals and accountants.
  • PhaaS kits such as Energy365 and SneakyLog are used to create convincing phishing pages and distribute hundreds of thousands of malicious emails.
  • Threat actors deploy legitimate RMM tools like ScreenConnect, Datto, and SimpleHelp to gain persistent remote access and facilitate post‑exploitation.
  • A February 10 campaign affected over 29,000 users across 10,000 organizations in the U.S., abusing Amazon SES and spoofed SmartVault domains to deliver ScreenConnect.
  • Organizations are advised to enforce 2FA, apply conditional access, monitor emails and web traffic, block malicious domains, and audit for unauthorized RMM usage amid a 277% surge in RMM abuse.
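
One way to carry out the RMM audit recommended in the last point, as an added example that is not part of the original article or Microsoft's guidance. It assumes a software-inventory export with a hypothetical schema (host, product, server) and an organization-defined allowlist; all hostnames and records are constructed. It flags both unapproved RMM tools and approved tools that report to a server the organization does not own.

```python
import json

# Product keywords for the RMM tools named in the article.
RMM_KEYWORDS = ("screenconnect", "datto", "simplehelp")

# Assumption: approved RMM tools mapped to the servers their agents may report to.
# Constructed values; replace with your organization's own.
APPROVED = {"screenconnect": {"rmm.corp.example"}}

# Constructed inventory export (hypothetical schema), one record per installed program.
SAMPLE_INVENTORY = """[
 {"host": "WS-01", "product": "ScreenConnect Client (a1b2)", "server": "rmm.corp.example"},
 {"host": "WS-02", "product": "ScreenConnect Client (ffee)", "server": "relay.unknown.example"},
 {"host": "WS-03", "product": "SimpleHelp Remote Access", "server": null},
 {"host": "WS-04", "product": "7-Zip 23.01", "server": null},
 {"host": "WS-05", "product": "Datto RMM Agent", "server": "agent.vendor.example"}
]"""

def classify(record):
    """Return (tool, reason) if the record is an RMM install needing review, else None."""
    name = record["product"].lower()
    tool = next((k for k in RMM_KEYWORDS if k in name), None)
    if tool is None:
        return None  # not one of the tracked RMM products
    allowed_servers = APPROVED.get(tool)
    if allowed_servers is None:
        return (tool, "unapproved tool")
    # An approved product pointed at someone else's server is still unauthorized.
    if (record.get("server") or "").lower() not in allowed_servers:
        return (tool, "approved tool, unapproved server")
    return None

def audit(inventory_json):
    """Return a list of findings for every RMM install that fails the allowlist."""
    findings = []
    for rec in json.loads(inventory_json):
        verdict = classify(rec)
        if verdict:
            findings.append({"host": rec["host"], "tool": verdict[0],
                             "reason": verdict[1], "server": rec.get("server")})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(finding)
```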

Read More: https://thehackernews.com/2026/03/microsoft-warns-irs-phishing-hits-29000.html