
When tax season becomes cyberattack season: Phishing and malware campaigns using tax-related lures

Microsoft Threat Intelligence observed a significant increase in tax-themed phishing and malware campaigns targeting individuals and accounting professionals. These campaigns utilize sophisticated social engineering, Phishing-as-a-Service (PhaaS) platforms for credential theft, and abused legitimate Remote Monitoring and Management (RMM) tools to establish persistent remote access.

Sens: Immediate · Conf: high · Analyzed: 2026-03-19

Authors: Microsoft Threat Intelligence

Actors: Energy365 PhaaS, SneakyLog, ScreenConnect Abuse, SimpleHelp Abuse, Datto Abuse

Source: Microsoft

IOCs · 6

Key Takeaways

  • Threat actors are heavily leveraging tax season lures (W-2, 1099, IRS impersonation) to deliver phishing kits and malware.
  • Phishing-as-a-Service (PhaaS) platforms like Energy365 and SneakyLog are actively used for credential harvesting and MFA bypass.
  • Legitimate Remote Monitoring and Management (RMM) tools like ScreenConnect, SimpleHelp, and Datto are being abused as Remote Access Trojans (RATs).
  • Campaigns specifically target accounting professionals (CPAs) using complex backstories and fake tax document packages.
  • Evasion techniques include the use of QR codes, non-clickable URLs requiring copy-paste, and Cloudflare bot detection to bypass automated analysis.

Affected Systems

  • Windows endpoints
  • Microsoft 365 accounts
  • Accounting professionals and CPAs
  • Financial services, education, IT, insurance, healthcare, manufacturing, and retail sectors

Attack Chain

Threat actors initiate the attack chain by sending tax-themed phishing emails containing malicious attachments (Excel, Word with QR codes), links, or non-clickable URLs. Upon user interaction, victims are directed to PhaaS landing pages (Energy365, SneakyLog) designed to harvest credentials and bypass MFA, or they are prompted to download malicious payloads. If a payload is downloaded and executed, it installs abused legitimate RMM tools like ScreenConnect, SimpleHelp, or Datto. These tools act as Remote Access Trojans (RATs), granting the attackers persistent, hands-on-keyboard control over the compromised endpoints for data theft and further exploitation.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: Yes
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: Yes
  • Platforms: Microsoft Defender XDR, Microsoft Sentinel

The article provides KQL advanced hunting queries for Microsoft Defender XDR to detect related domains and file hashes in email and device events. It also provides ASIM queries for Microsoft Sentinel to hunt for network, web session, and file event IOCs.

Detection Engineering Assessment

  • EDR Visibility: High — EDR solutions can easily monitor the execution of RMM tools (ScreenConnect, SimpleHelp, Datto) and their child processes, as well as file creations originating from web browsers.
  • Network Visibility: Medium — Network visibility is useful for detecting connections to known malicious domains or PhaaS infrastructure, but traffic is likely encrypted (HTTPS), limiting deep packet inspection without SSL decryption.
  • Detection Difficulty: Moderate — While the IOCs are straightforward, the abuse of legitimate RMM tools and legitimate hosting services (Eventbrite, carrd.co, AWS SES) makes behavioral detection challenging without causing false positives on legitimate administrative or marketing activity.

Required Log Sources

  • Email Gateway Logs
  • Web Proxy/Secure Web Gateway Logs
  • EDR Process Execution Logs
  • EDR File Creation Logs
  • DNS Query Logs

Hunting Hypotheses

  • Hypothesis: Look for unexpected installations or executions of RMM tools (ScreenConnect, SimpleHelp, Datto) originating from user profile directories (e.g., Downloads, Temp) or spawned by web browsers/email clients.
    • Telemetry: EDR Process Execution, EDR File Creation
    • ATT&CK Stage: Execution
    • FP Risk: Medium
  • Hypothesis: Search for email messages containing QR codes in attachments combined with tax-related keywords in the subject or body.
    • Telemetry: Email Gateway Logs
    • ATT&CK Stage: Initial Access
    • FP Risk: Low
  • Hypothesis: Identify network connections to newly registered domains containing tax-related keywords (e.g., 'tax', '1099', 'irs') immediately following an email click event.
    • Telemetry: Web Proxy Logs, DNS Logs, Email Click Logs
    • ATT&CK Stage: Initial Access
    • FP Risk: Medium
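The following Microsoft Defender XDR advanced hunting query is an added illustration of the first hypothesis (RMM execution from user-writable paths or spawned by a browser/email client), joined with file-origin telemetry so the download source is visible; it is not one of the queries from the Microsoft article. The RMM name list, path fragments and browser/mail-client process names are assumptions to be tuned per environment.

```kql
// Added example, not from the original article.
// Assumption: RMM client binaries expose the vendor name in FileName or in
// the PE version resource (ProcessVersionInfoProductName); extend as needed.
let RmmNames = dynamic(["ScreenConnect", "SimpleHelp", "Datto"]);
// Assumption: user-writable staging paths named in the hypothesis.
let UserWritablePaths = dynamic(["\\Downloads\\", "\\AppData\\Local\\Temp\\", "\\Temp\\"]);
// Assumption: typical browser and mail-client parents; msiexec.exe is
// deliberately excluded to avoid flagging every MSI-based software install.
let BrowsersAndMail = dynamic(["chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "olk.exe"]);
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName has_any (RmmNames)
    or ProcessVersionInfoProductName has_any (RmmNames)
| where FolderPath has_any (UserWritablePaths)
    or InitiatingProcessFileName in~ (BrowsersAndMail)
// Enrich with the download URL recorded at file-creation time (same hash, same
// device). Direct .exe downloads match; an .msi-installed client will not,
// so the left outer join keeps the process event either way.
| join kind=leftouter (
    DeviceFileEvents
    | where Timestamp > ago(7d)
    | where ActionType == "FileCreated" and isnotempty(FileOriginUrl)
    | project DeviceId, SHA256, FileOriginUrl, FileOriginReferrerUrl
  ) on DeviceId, SHA256
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
    ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessFolderPath,
    SHA256, FileOriginUrl, FileOriginReferrerUrl
| order by Timestamp desc
```

Approved RMM deployments from a management share or an endpoint-management agent will not match the path or parent conditions, which keeps the false-positive rate at the Medium level stated above; add an allowlist on FolderPath or SHA256 for any sanctioned installers that do.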

Control Gaps

  • Lack of strict application control preventing unauthorized RMM execution
  • Email filtering failing to inspect QR codes or non-clickable text URLs
  • Automated sandboxes bypassed by Cloudflare bot protection

Key Behavioral Indicators

  • Execution of ScreenConnect/SimpleHelp/Datto from unusual paths
  • Browser downloading .msi or .exe files from domains mimicking financial institutions
  • Emails from legitimate services (Eventbrite) containing suspicious non-clickable URLs

False Positive Assessment

  • Medium. The abuse of legitimate RMM tools (ScreenConnect, SimpleHelp, Datto) and legitimate services (Eventbrite, AWS SES, carrd.co) means that overly broad detections could flag legitimate IT administration or marketing emails. Detections must focus on the specific context (e.g., RMM execution from a browser download path).

Recommendations

Immediate Mitigation

  • Block the provided IOCs (domains, URLs, hashes) in web proxies, firewalls, and EDR solutions.
  • Revoke or investigate any active sessions initiated by unauthorized RMM tools (ScreenConnect, SimpleHelp, Datto).
  • Quarantine emails matching the described sender patterns and subject lines.

Infrastructure Hardening

  • Implement strict Application Control (e.g., AppLocker, WDAC) to block the execution of unapproved RMM tools.
  • Configure email security solutions to scan attachments for QR codes and extract/analyze the embedded URLs.
  • Enable Zero-hour auto purge (ZAP) and Safe Links in email security platforms.

User Protection

  • Enforce phishing-resistant MFA (e.g., FIDO2, passkeys) for all users to mitigate AiTM PhaaS attacks.
  • Implement Conditional Access policies to restrict access from unmanaged devices or unusual locations.
  • Use web browsers with integrated malicious site blocking (e.g., Microsoft Defender SmartScreen).

Security Awareness

  • Educate employees, especially in finance and HR, about tax-themed phishing lures and the risks of scanning QR codes in emails.
  • Train users to verify the sender's actual email address, not just the display name, especially for IRS or CPA communications.
  • Instruct users never to copy-paste non-clickable URLs from suspicious emails into their browsers.

MITRE ATT&CK Mapping

  • T1566.001 - Phishing: Spearphishing Attachment
  • T1566.002 - Phishing: Spearphishing Link
  • T1204.001 - User Execution: Malicious Link
  • T1204.002 - User Execution: Malicious File
  • T1219 - Remote Access Software
  • T1556 - Modify Authentication Process
  • T1036.005 - Masquerading: Match Legitimate Name or Location

Additional IOCs

  • Domains:
    • gov-irs216[.]net - Alternative malicious domain impersonating the IRS.
    • private-adobe-client[.]im - Redirection domain used in a campaign targeting CPAs to deliver Datto RMM.
    • onedud[.]site - Domain registered in August 2025 used as a sender address via Amazon SES for IRS impersonation.
    • carrd[.]co - Legitimate free site hosting service abused to host malicious links.
    • awstrack[.]me - Legitimate Amazon SES click-tracking URL abused for redirection to phishing sites.
    • campaign[.]eventbrite[.]com - Legitimate Eventbrite domain abused to send IRS impersonation emails.
  • Urls:
    • irs-doc.com/doc216 - Specific URL path used in the IRS cryptocurrency lure campaign.
  • Other:
    • IRS-doc.msi - Malicious installer delivering ScreenConnect or SimpleHelp.
    • 2025_Employee_W-2 .docx - Malicious Word document attachment containing a QR code leading to the SneakyLog phishing kit.
    • Tax_2025_Full_Document_Package.pdf - Malicious PDF attachment used in a campaign targeting CPAs.
    • noreply@campaign.eventbrite.com - Sender email address abused to masquerade as the IRS.