TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Microsoft Threat Intelligence

When tax season becomes cyberattack season: Phishing and malware campaigns using tax-related lures

Microsoft Threat Intelligence and Microsoft Defender Security Research Team · 2026-03-19

ATT&CK techniques detected

31 predictions
T1566.002 Spearphishing Link
99%
"…bound email messages in mail flow and time-of-click verification of URLs and links in email messages, other Microsoft Office applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti…"
T1566.002 Spearphishing Link
99%
"was customized to contain the recipient's name, and the URL hidden behind the QR code also contained the recipient's email address. This means that each recipient received a unique attachment. The phishing page was built with the sneakylog PhaaS platform and mimicked the Micr…"
T1566.002 Spearphishing Link
99%
"ScreenConnect by ConnectWise. Campaign targeting CPAs and delivering Datto Like in previous tax seasons, Microsoft Threat Intelligence observed email campaigns specifically targeting accountants and related organizations. A variant of this campaign is a well-known and documente…"
T1566.002 Spearphishing Link
99%
"attempted to explain their inability to physically visit the office due to travel. Finally, the sender asked for a price quote. We observed variations of the backstory on different days, including switching CPAs due to fee increases. The link in email used the free site hosting s…"
T1566.002 Spearphishing Link
99%
"When tax season becomes cyberattack season: Phishing and malware campaigns using tax-related lures During tax season, threat actors reliably take advantage of the urgency and familiarity of time-sensitive emails, including refund notices, payroll forms, filing reminders, and…"
T1071.001 Web Protocols
98%
", "private-adobe-client.im"]); _Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now()) | where DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains) | summarize imnws_mintime=min(TimeGenerated), imnws_maxtime…"
T1566.002 Spearphishing Link
98%
"EFIN compliance, IRS e-services, IRS e-file operations, IRS filing review, IRS filing support, IRS EFIN support, IRS e-services team, IRS e-file support, IRS EFIN review, IRS e-file compliance, IRS e-services support, IRS practitioner e-services Similarly, the subject lines us…"
T1566.002 Spearphishing Link
97%
"service (PhaaS) platforms continue to be prevalent, enabling highly convincing credential theft and multifactor authentication (MFA) bypass campaigns through tailored tax-themed social engineering lures, attachments, and phishing pages. In cases of malware delivery, we note…"
T1566.002 Spearphishing Link
96%
"Brand abuse of legitimate accounting, tax preparation, finance, bookkeeping, and related companies continues to proliferate during tax season. We observed one of these domains being used in a campaign between February 8 and February 10. Several hundred emails were sent to recipie…"
T1566.002 Spearphishing Link
96%
"issuer due to high abuse. ScreenConnect is a legitimate tool, but threat actors have learned to abuse RMM functionality and essentially turn legitimate tools into remote access trojans (RATs), helping them take control of compromised devices. IRS and cryptocurrency-themed phi…"
T1566.001 Spearphishing Attachment
94%
"file name [accountant's name] cpa.xlsx, using the name of a real accountant (likely impersonated in this campaign without their knowledge). The attachment contained a clickable “review documents” button that linked to a OneNote file hosted on OneDrive. The OneNote file, …"
T1566.002 Spearphishing Link
93%
"analysis, the phishing site used Cloudflare for bot detection and blocking. Only visitors who resembled human users would be able to reach the final phishing payload, while traffic from crawlers and sandboxes would result in a block page. Users who passed the bot check would be s…"
T1566.002 Spearphishing Link
90%
"concentrate on any single sector but instead included a wide set of industries, with financial services (19%), technology and software (18%), and retail and consumer goods (15%) being the most commonly targeted. While the campaign did not seem to have been targeting a sp…"
T1566.001 Spearphishing Attachment
89%
"“irs gov” <noreply@campaign[.]eventbrite[.]com>, “service” <noreply@campaign[.]eventbrite[.]com>, “irs tax” <noreply@campaign[.]eventbrite[.]com>, “.irs.gov” <noreply@campaign[.]eventbrite[.]com> The email body said “cryptocurrency t…"
T1566.002 Spearphishing Link
88%
"…-themed campaigns CPA lures leading to energy365 phishing kit In early February 2026, we observed a campaign that was delivering the energy365 PhaaS phishing kit and used tax and certified public accountant (CPA) lures throughout the attack chain. This campaign stood out due t…"
T1566.002 Spearphishing Link
85%
"[1]), AccountNTDomain=tostring(split(user, @' ')[0]) | extend algorithmtype="sha256" Indicators of compromise Learn more For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence blog. To get …"
T1566.002 Spearphishing Link
84%
"file name [accountant's name] cpa.xlsx, using the name of a real accountant (likely impersonated in this campaign without their knowledge). The attachment contained a clickable “review documents” button that linked to a OneNote file hosted on OneDrive. The OneNote file, …"
T1598 Phishing for Information
72%
"…-themed campaigns CPA lures leading to energy365 phishing kit In early February 2026, we observed a campaign that was delivering the energy365 PhaaS phishing kit and used tax and certified public accountant (CPA) lures throughout the attack chain. This campaign stood out due t…"
T1566.003 Spearphishing via Service
66%
"…-themed campaigns CPA lures leading to energy365 phishing kit In early February 2026, we observed a campaign that was delivering the energy365 PhaaS phishing kit and used tax and certified public accountant (CPA) lures throughout the attack chain. This campaign stood out due t…"
T1598.002 Spearphishing Attachment
65%
"…-themed campaigns CPA lures leading to energy365 phishing kit In early February 2026, we observed a campaign that was delivering the energy365 PhaaS phishing kit and used tax and certified public accountant (CPA) lures throughout the attack chain. This campaign stood out due t…"
T1556.006 Multi-Factor Authentication
64%
"mitigation measures: Configure automatic attack disruption in Microsoft Defender XDR. Automatic attack disruption is designed to contain attacks in progress, limit the impact on an organization's assets, and provide more time for security teams to remediate the attack fully. E…"
T1071.001 Web Protocols
58%
"= dynamic(["taxationstatments2025.com", "irs-doc.com", "gov-irs216.net", "private-adobe-client.im"]); _Im_WebSession(url_has_any=ioc_domains) Detect files hashes indicators of compromise using ASIM The following query checks IP addresses an…"
T1071.001 Web Protocols
57%
"…4db1be6698c29ffde9daeb8ffaa344b687d3badded2f8c68c922cdce6e0"]); _Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now()) | where DstIpAddr in (ioc_ip_addr) or FileSHA256 in (ioc_sha_hashes) | summarize imws_mintime=min(TimeGener…"
T1111 Multi-Factor Authentication Interception
51%
"service (PhaaS) platforms continue to be prevalent, enabling highly convincing credential theft and multifactor authentication (MFA) bypass campaigns through tailored tax-themed social engineering lures, attachments, and phishing pages. In cases of malware delivery, we note…"
T1598.003 Spearphishing Link
47%
"was customized to contain the recipient's name, and the URL hidden behind the QR code also contained the recipient's email address. This means that each recipient received a unique attachment. The phishing page was built with the sneakylog PhaaS platform and mimicked the Micr…"
T1621 Multi-Factor Authentication Request Generation
44%
"service (PhaaS) platforms continue to be prevalent, enabling highly convincing credential theft and multifactor authentication (MFA) bypass campaigns through tailored tax-themed social engineering lures, attachments, and phishing pages. In cases of malware delivery, we note…"
T1566.002 Spearphishing Link
39%
"…DR customers can use the following threat analytics reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These repo…"
T1219 Remote Access Tools
38%
"Brand abuse of legitimate accounting, tax preparation, finance, bookkeeping, and related companies continues to proliferate during tax season. We observed one of these domains being used in a campaign between February 8 and February 10. Several hundred emails were sent to recipie…"
T1598.002 Spearphishing Attachment
37%
"file name [accountant's name] cpa.xlsx, using the name of a real accountant (likely impersonated in this campaign without their knowledge). The attachment contained a clickable “review documents” button that linked to a OneNote file hosted on OneDrive. The OneNote file, …"
T1071.001 Web Protocols
35%
"all prefixed with ‘TI map’) to automatically match the indicators mentioned in this blog post with data in their workspace. If the TI map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to hav…"
T1598.003 Spearphishing Link
31%
"…-themed campaigns CPA lures leading to energy365 phishing kit In early February 2026, we observed a campaign that was delivering the energy365 PhaaS phishing kit and used tax and certified public accountant (CPA) lures throughout the attack chain. This campaign stood out due t…"

Summary

During tax season, threat actors reliably take advantage of the urgency and familiarity of time-sensitive emails, including refund notices, payroll forms, filing reminders, and requests from tax professionals, to push malicious attachments, links, or QR codes.

The post When tax season becomes cyberattack season: Phishing and malware campaigns using tax-related lures appeared first on Microsoft Security Blog.