{"id":60344,"date":"2026-03-19T15:00:00","date_gmt":"2026-03-19T15:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=145878"},"modified":"2026-03-19T15:00:00","modified_gmt":"2026-03-19T15:00:00","slug":"when-tax-season-becomes-cyberattack-season-phishing-and-malware-campaigns-using-tax-related-lures","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/when-tax-season-becomes-cyberattack-season-phishing-and-malware-campaigns-using-tax-related-lures\/","title":{"rendered":"When tax season becomes cyberattack season: Phishing and malware campaigns using tax-related lures"},"content":{"rendered":"<p class=\"wp-block-paragraph\">During tax season, threat actors reliably take advantage of the urgency and familiarity of time-sensitive emails, including refund notices, payroll forms, filing reminders, and requests from tax professionals, to trick targets into opening malicious attachments, scanning QR codes, or following multi-step link chains. 
Every year, there is an observable uptick in tax-themed campaigns as Tax Day (April 15) approaches in the United States, and this year is no different.<\/p>\n<p class=\"wp-block-paragraph\">In recent months, Microsoft Threat Intelligence identified email campaigns using lures around W-2, tax forms, or similar themes, or posing as government tax agencies, tax services firms, and relevant financial institutions. Many campaigns target individuals for personal and financial data theft, but others specifically target accountants and other professionals who handle sensitive documents, have access to financial data, and are accustomed to receiving tax-related emails during this period.<\/p>\n<p class=\"wp-block-paragraph\">Identified campaigns were designed to harvest credentials or deliver malware. <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/03\/04\/inside-tycoon2fa-how-a-leading-aitm-phishing-kit-operated-at-scale\/\">Phishing-as-a-service (PhaaS) platforms<\/a> continue to be prevalent, enabling highly convincing credential theft and multifactor authentication (MFA) bypass campaigns through tailored tax-themed social engineering lures, attachments, and phishing pages. In cases of malware delivery, we noted a continued trend of abusing legitimate remote monitoring and management tools (RMMs), which allow threat actors to maintain persistence on a compromised device or network, enable an alternative command-and-control method, or, in the case of hands-on-keyboard attacks, serve as an interactive remote desktop session.<\/p>\n<p class=\"wp-block-paragraph\">This blog details several of the campaigns observed by Microsoft Threat Intelligence in the past few months that leveraged the tax season for social engineering. 
By educating users about phishing lures, configuring essential email security settings, and defending against credential theft, individuals and organizations can defend against both this seasonal surge in phishing attacks and, more broadly, the many types of phishing attacks that we observe.<\/p>\n<h2 class=\"wp-block-heading\" id=\"a-wide-range-of-tax-themed-campaigns\">A wide range of tax-themed campaigns<\/h2>\n<h3 class=\"wp-block-heading\" id=\"cpa-lures-leading-to-energy365-phishing-kit\">CPA lures leading to Energy365 phishing kit<\/h3>\n<p class=\"wp-block-paragraph\">In early February 2026, we observed a campaign that was delivering the Energy365 PhaaS phishing kit and used tax and Certified Public Accountant (CPA) lures throughout the attack chain. This campaign stood out due to its highly specific lure customization, in contrast to other threat actors who use this popular phishing kit but employ generic lures. Other notable characteristics of this campaign include the involvement of multiple file formats such as Excel and OneNote, use of legitimate infrastructure such as OneDrive, and multiple rounds of user interaction, all attempts to complicate automated and reputation-based detection. While this specific campaign was not large, it represents the capabilities of Energy365, one of the leading phishing kits that enables hundreds of thousands of malicious emails observed by Microsoft daily.<\/p>\n<p class=\"wp-block-paragraph\">Between February 5 and 6, several hundred emails with the subject \u201cSee Tax file\u201d targeted multiple industries including financial services, education, information technology (IT), insurance, and healthcare, primarily in the United States. The Excel attachment had the file name <em>[Accountant\u2019s name] CPA.xlsx<\/em>, using the name of a real accountant (likely impersonated in this campaign without their knowledge). 
The attachment contained a clickable \u201cREVIEW DOCUMENTS\u201d button that linked to a OneNote file hosted on OneDrive.<\/p>\n<p class=\"wp-block-paragraph\">The OneNote file, which continued the ruse by using the same CPA\u2019s name and logo, contained a link leading to a malicious landing page that hosted the Energy365 phishing kit and attempted to harvest credentials such as email and password.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/Fig1.webp\" alt class=\"wp-image-145890 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/Fig1.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 1. The OneNote file contained the Microsoft logo, a link, and a specific accountant\u2019s name and logo (redacted)<\/em><\/figcaption><\/figure>\n<h3 class=\"wp-block-heading\" id=\"qr-code-and-w2-lure-leading-to-sneakylog-phishing-kit\">QR code and W2 lure leading to SneakyLog phishing kit<\/h3>\n<p class=\"wp-block-paragraph\">On February 10, 2026, Microsoft Threat Intelligence observed tax-themed phishing emails sent to approximately 100 organizations, in the manufacturing, retail, and healthcare industries primarily in the United States. The emails used the subject \u201c2025 Employee Tax Docs\u201d and contained an attachment named <em>2025_Employee_W-2&nbsp; .docx<\/em>. The attachment had content that mentioned various tax-related terms like Form W-2 and had a QR code pointing to a phishing page.<\/p>\n<p class=\"wp-block-paragraph\">Each document was customized to contain the recipient\u2019s name, and the URL hidden behind the QR code also contained the recipient\u2019s email address. This means that each recipient received a unique attachment. The phishing page was built with the SneakyLog PhaaS platform and mimicked the Microsoft 365 sign-in page to steal credentials. 
SneakyLog, which is also known as Kratos, has been around since at least the beginning of 2025. This phishing kit is sold as a part of phishing-as-a-service and is capable of harvesting credentials and 2FA. While not as popular as other platforms like Energy365, SneakyLog has been consistently present in the threat landscape.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/Fig2-1.webp\" alt class=\"wp-image-145897 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/Fig2-1.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 2. Document attachment containing tax lure, user personalization, and a QR code linking to phishing page<\/em><\/figcaption><\/figure>\n<h3 class=\"wp-block-heading\" id=\"form-1099-themed-phishing-delivering-screenconnect\">Form 1099-themed phishing delivering ScreenConnect<\/h3>\n<p class=\"wp-block-paragraph\">In January and February 2026, Microsoft Threat Intelligence observed sets of tax-themed domains registered, likely to be used in tax-themed phishing campaigns. These domains used keywords such as \u201ctax\u201d and \u201c1099form\u201d and also impersonated specific legitimate companies involved in the tax filing, accounting, and investing sectors. Brand abuse of legitimate accounting, tax preparation, finance, bookkeeping, and related companies continues to proliferate during tax season.<\/p>\n<p class=\"wp-block-paragraph\">We observed one of these domains being used in a campaign between February 8 and February 10. Several hundred emails were sent to recipients in a wide range of industries primarily in the United States. The emails used subject lines like \u201cYour Account Now Includes Updated Tax Forms [RF] 1234\u201d or \u201cYour Form 1099-R is ready \u2013 [RF] 12123123\u201d. 
The email body said \u201c2025 Tax Forms is ready\u201d and contained a clickable \u201cView Tax Forms\u201d button that linked to the URL <em>taxationstatments2025[.]com<\/em>. If clicked, this domain redirected to <em>tax-statments2025[.]com,<\/em> which in turn served a malware executable named <em>1099-FR2025.exe<\/em>.<\/p>\n<p class=\"wp-block-paragraph\">The payload delivered in this campaign is the remote management and monitoring (RMM) tool ScreenConnect, signed by ConnectWise. The specific code signing certificate has since been revoked by the issuer due to high abuse. ScreenConnect is a legitimate tool, but threat actors have learned to abuse RMM functionality and essentially turn legitimate tools into remote access trojans (RATs), helping them take control of compromised devices.<\/p>\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"574\" height=\"775\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/Fig3.jpg\" alt class=\"wp-image-145898\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/Fig3.jpg 574w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/Fig3-222x300.jpg 222w\" sizes=\"auto, (max-width: 574px) 100vw, 574px\"><figcaption class=\"wp-element-caption\"><em>Figure 3. Email impersonating Fidelity and enticing users to click the button to view tax forms<\/em><\/figcaption><\/figure>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/Fig4-1.webp\" alt class=\"wp-image-145899 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/Fig4-1.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 4. 
The final landing page leading to download of 1099-FR2025.exe<\/em><\/figcaption><\/figure>\n<h3 class=\"wp-block-heading\" id=\"irs-and-cryptocurrency-themed-phishing-delivering-simplehelp\">IRS and cryptocurrency-themed phishing delivering SimpleHelp<\/h3>\n<p class=\"wp-block-paragraph\">Another notable campaign combined the impersonation of the US Internal Revenue Service (IRS) with a cryptocurrency lure. Notably, this campaign attempted to evade detection by not including a clickable link, but instead asked recipients to copy and paste a URL, which was in the email body, into the browser.<\/p>\n<p class=\"wp-block-paragraph\">This campaign was sent on February 23 and 27, and it consisted of several thousands of emails sent to recipients exclusively in the United States. The emails targeted many industries, with the bulk of email sent to higher education. The emails used the subject \u201cIR-2026-216\u201d and abused online platform Eventbrite to masquerade as coming from the IRS:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">\u201cIRS US\u201d&lt;noreply@campaign[.]eventbrite[.]com&gt;<\/li>\n<li class=\"wp-block-list-item\">\u201cIRS GOV\u201d&lt;noreply@campaign[.]eventbrite[.]com&gt;<\/li>\n<li class=\"wp-block-list-item\">\u201cService\u201d&lt;noreply@campaign[.]eventbrite[.]com&gt;<\/li>\n<li class=\"wp-block-list-item\">\u201cIRS TAX\u201d&lt;noreply@campaign[.]eventbrite[.]com&gt;<\/li>\n<li class=\"wp-block-list-item\">\u201c.IRS.GOV\u201d&lt;noreply@campaign[.]eventbrite[.]com&gt;<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">The email body said \u201cCryptocurrency Tax Form 1099 is Ready\u201d and contained a non-clickable URL with the domain <em>irs-doc[.]com<\/em> or <em>gov-irs216[.]net<\/em>. If pasted in the browser, the URL led to the download of <em>IRS-doc.msi<\/em>, which was either the RMM tool ScreenConnect or SimpleHelp, depending on the day of the campaign. 
SimpleHelp is another legitimate remote monitoring and management tool abused by threat actors. While not as popular as ScreenConnect, threat actors have been increasingly adopting SimpleHelp due to the recent crackdown on abuse of ScreenConnect by ConnectWise.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/Fig5-1.webp\" alt class=\"wp-image-145900 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/Fig5-1.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 5. Email impersonating IRS and additionally using a \u201cCryptocurrency Tax Form 1099\u201d lure<\/em><\/figcaption><\/figure>\n<h3 class=\"wp-block-heading\" id=\"campaign-targeting-cpas-and-delivering-datto\">Campaign targeting CPAs and delivering Datto<\/h3>\n<p class=\"wp-block-paragraph\">Like in previous tax seasons, Microsoft Threat Intelligence observed email campaigns specifically targeting accountants and related organizations. A variant of this campaign is a well-known and documented technique that uses benign conversation starters. The threat actor reaches out asking for assistance in filing taxes, asking for a quote, and typically providing a backstory. If the actor receives a reply, they send a malicious link that leads to the installation of various RATs. However, Microsoft Threat Intelligence also observed campaigns targeting CPAs that contain a similar backstory but include the malicious link in the first email.<\/p>\n<p class=\"wp-block-paragraph\">One such campaign was sent on March 9 and consisted of approximately 1,000 emails sent to users exclusively in the United States. The emails targeted multiple accounting companies but also included a few related industries such as financial services, legal, and insurance. 
The emails used the subject \u201cREQUEST FOR PROFESSIONAL TAX FILLING\u201d.<\/p>\n<p class=\"wp-block-paragraph\">The email provided a backstory that included a description of a complex tax return situation involving a tax audit, university tuition, loan interest, and real estate income. The sender also attempted to explain their inability to physically visit the office due to travel. Finally, the sender asked for a price quote. We observed variations of the backstory on different days, including switching CPAs due to fee increases.<\/p>\n<p class=\"wp-block-paragraph\">The link in the email used the free site hosting service <em>carrd[.]co<\/em>. The site contained a simple \u201cVIEW DOCUMENTS\u201d button that linked to a URL shortener service, which redirected users to <em>private-adobe-client[.]im<\/em>. This uncomplicated redirection chain served to hinder automated detection by using legitimate sites with good reputation and involving user interaction. The final landing page served an executable related to Datto. Datto is yet another legitimate remote monitoring and management tool abused by threat actors.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/Fig6-1.webp\" alt class=\"wp-image-145901 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/Fig6-1.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 6. 
Email sent to a CPA requesting tax filing assistance<\/em><\/figcaption><\/figure>\n<h3 class=\"wp-block-heading\" id=\"irs-themed-campaign-targeting-accounting-professionals-and-dropping-screenconnect\">IRS-themed campaign targeting accounting professionals and dropping ScreenConnect<\/h3>\n<p class=\"wp-block-paragraph\">On February 10, 2026, Microsoft Threat Intelligence observed a large-scale phishing campaign sent to more than 29,000 users across 10,000 organizations, almost exclusively focused on targets in the United States (95% of targets). The campaign did not concentrate on any single sector but instead included a wide set of industries, with financial services (19%), technology and software (18%), and retail and consumer goods (15%) being the most commonly targeted.<\/p>\n<p class=\"wp-block-paragraph\">While the campaign did not seem to have been targeting a specific industry, an analysis of intended recipients indicated that the campaign was targeting specific roles, particularly accountants and tax preparers. Messages in the campaign were sent in two waves over a nine\u2011hour window between 10:35 UTC and 19:51 UTC. &nbsp;<\/p>\n<p class=\"wp-block-paragraph\">The emails impersonated the IRS, claiming that potentially irregular tax returns had been filed under the recipient\u2019s Electronic Filing Identification Number (EFIN). Recipients were instructed to review these returns by downloading a purportedly legitimate \u201cIRS Transcript Viewer.\u201d<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/Fig7-1.webp\" alt class=\"wp-image-145902 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/Fig7-1.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 7. 
Sample campaign phishing email<\/em><\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">The emails were sent through Amazon Simple Email Service (SES) from one of two sender addresses on <em>edud[.]site<\/em>, a domain registered in August 2025. To enhance credibility, the sender display name rotated among the following 14 IRS\u2011themed identities:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">IRS e-File Services<\/li>\n<li class=\"wp-block-list-item\">IRS EFIN Team<\/li>\n<li class=\"wp-block-list-item\">IRS EFIN Compliance<\/li>\n<li class=\"wp-block-list-item\">IRS e-Services<\/li>\n<li class=\"wp-block-list-item\">IRS E-File Operations<\/li>\n<li class=\"wp-block-list-item\">IRS Filing Review<\/li>\n<li class=\"wp-block-list-item\">IRS Filing Support<\/li>\n<li class=\"wp-block-list-item\">IRS EFIN Support<\/li>\n<li class=\"wp-block-list-item\">IRS e-Services Team<\/li>\n<li class=\"wp-block-list-item\">IRS e-File Support<\/li>\n<li class=\"wp-block-list-item\">IRS EFIN Review<\/li>\n<li class=\"wp-block-list-item\">IRS e-File Compliance<\/li>\n<li class=\"wp-block-list-item\">IRS e-Services Support<\/li>\n<li class=\"wp-block-list-item\">IRS Practitioner e-Services<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">Similarly, the subject lines used in the campaign also rotated, presumably to try and circumvent detection systems that rely on static text signatures. 
The most common among the 49 email subjects we observed in this campaign include:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">IRS Request Transcript Review<\/li>\n<li class=\"wp-block-list-item\">IRS Notice Firm Return Review<\/li>\n<li class=\"wp-block-list-item\">CPA Compliance Review<\/li>\n<li class=\"wp-block-list-item\">IRS Support Firm Filing Review<\/li>\n<li class=\"wp-block-list-item\">Review Requested Compliance<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">The emails contained a \u201cDownload IRS Transcript View 5.1\u201d button, which purported to lead to a legitimate IRS application that could be used to review the transcript referenced in the email. Instead, the link pointed to an Amazon SES click\u2011tracking URL (<em>awstrack[.]me<\/em>), which then redirected to <em>smartvault[.]im<\/em>, a malicious look\u2011alike domain mimicking SmartVault, a well\u2011known tax and document\u2011management service used by accounting professionals. To evade automated analysis, the phishing site used Cloudflare for bot detection and blocking. Only visitors who resembled human users would be able to reach the final phishing payload, while traffic from crawlers and sandboxes would result in a block page.<\/p>\n<p class=\"wp-block-paragraph\">Users who passed the bot check would be shown a fake \u201cverification\u201d animation that indicated the IRS website was conducting an automated check to verify the connection with IRS provider services. After this animation, a user would be shown a page indicating that the supposed transcript viewer application would start downloading automatically before being redirected to the legitimate IRS provider services webpage. The downloaded file, named <em>TranscriptViewer5.1.exe<\/em>, was not a legitimate IRS tool but a maliciously repackaged ScreenConnect remote access tool (RAT). 
Upon execution, this payload could grant attackers remote control of the victim system, enabling data theft, credential harvesting, and further post\u2011exploitation activity.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/Fig8a.webp\" alt class=\"wp-image-145903 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/Fig8a.webp\"><\/figure>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/Fig8b-1.webp\" alt class=\"wp-image-145905 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/Fig8b-1.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 8. Example campaign verification and download \u201csuccess\u201d pages.<\/em><\/figcaption><\/figure>\n<h2 class=\"wp-block-heading\" id=\"how-to-protect-users-and-organization-against-tax-themed-campaigns\">How to protect users and organization against tax-themed campaigns<\/h2>\n<p class=\"wp-block-paragraph\">To defend against social engineering campaigns that leverage the surge in email activity during Tax Season, Microsoft recommends the following mitigation measures:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Configure <a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-xdr\/configure-attack-disruption\">automatic attack disruption<\/a> in Microsoft Defender&nbsp;XDR. 
Automatic attack disruption is designed to contain attacks in progress, limit the impact on an organization\u2019s assets, and provide more time for security teams to remediate the attack fully.<\/li>\n<li class=\"wp-block-list-item\">Enforce multifactor authentication (MFA) on all accounts, remove users excluded from MFA, and strictly <a href=\"https:\/\/learn.microsoft.com\/azure\/active-directory\/identity-protection\/howto-identity-protection-configure-mfa-policy\">require MFA<\/a> from all devices in all locations at all times.<\/li>\n<li class=\"wp-block-list-item\">Use the <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/authentication\/how-to-enable-authenticator-passkey\">Microsoft&nbsp;Authenticator app for passkeys and MFA<\/a>, and complement MFA with conditional access policies, where sign-in requests are evaluated using additional identity-driven signals.<\/li>\n<li class=\"wp-block-list-item\">Conditional access policies can also be scoped to <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/conditional-access\/policy-admin-phish-resistant-mfa#create-a-conditional-access-policy\">strengthen privileged accounts with phishing resistant MFA<\/a>.<\/li>\n<li class=\"wp-block-list-item\">Enable <a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-office-365\/zero-hour-auto-purge\">Zero-hour auto purge (ZAP)<\/a> in Office 365 to quarantine sent mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.<\/li>\n<li class=\"wp-block-list-item\">Configure Microsoft Defender for Office 365 Safe Links to <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/office-365-security\/safe-links-about\">recheck links on click<\/a>. 
Safe Links provides URL scanning and rewriting of inbound email messages in mail flow and time-of-click verification of URLs and links in email messages, other Microsoft Office applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/office-365-security\/anti-spam-protection-about\">anti-spam<\/a> and <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/office-365-security\/anti-malware-protection-about\">anti-malware<\/a> protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.<\/li>\n<li class=\"wp-block-list-item\">Invest in advanced anti-phishing solutions\u202fthat monitor and scan incoming emails and visited websites. For example, organizations can leverage web browsers like Microsoft Edge that automatically\u202f<a href=\"https:\/\/learn.microsoft.com\/en-us\/deployedge\/microsoft-edge-security-smartscreen?ocid=magicti_ta_learndoc\">identify and block malicious websites<\/a>, including those used in this phishing campaign, and solutions that\u202f<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/siem-and-xdr\/microsoft-defender-office-365?ocid=magicti_ta_abbreviatedmktgpage\">detect and block malicious emails, links, and files<\/a>.<\/li>\n<li class=\"wp-block-list-item\">Encourage users to use Microsoft Edge and other web browsers that support <a href=\"https:\/\/learn.microsoft.com\/deployedge\/microsoft-edge-security-smartscreen?ocid=magicti_ta_learndoc\">Microsoft Defender SmartScreen<\/a>, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.<\/li>\n<li class=\"wp-block-list-item\">Enable <a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/enable-network-protection\">network 
protection<\/a> to prevent applications or users from accessing malicious domains and other malicious content on the internet.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"microsoft-defender-detection-and-hunting-guidance\">Microsoft Defender detection and hunting guidance<\/h2>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.microsoft.com\/security\/business\/microsoft-defender\">Microsoft Defender<\/a> customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"6.4336283185841\">\n<tr readability=\"2\">\n<td><strong>Tactic<\/strong>&nbsp;<\/td>\n<td><strong>Observed activity<\/strong>&nbsp;<\/td>\n<td><strong>Microsoft Defender coverage<\/strong>&nbsp;<\/td>\n<\/tr>\n<tr readability=\"4.5528455284553\">\n<td>Initial access<\/td>\n<td>Phishing emails<\/td>\n<td><strong><a href=\"https:\/\/www.microsoft.com\/security\/business\/siem-and-xdr\/microsoft-defender-office-365\">Microsoft Defender for Office 365<\/a> <\/strong><br \/>\u2013 A potentially malicious URL click was detected <br \/>\u2013 Email messages containing malicious URL removed after delivery <br \/>\u2013 Email messages removed after delivery <br \/>\u2013 A user clicked through to a potentially malicious URL<br \/>\u2013 Suspicious email sending patterns detected<br \/>\u2013 Email reported by user as malware or phish<\/td>\n<\/tr>\n<tr readability=\"6.4071038251366\">\n<td>Execution<\/td>\n<td>Delivery of RMM tools for post-compromise activity<\/td>\n<td><strong><a href=\"https:\/\/www.microsoft.com\/security\/business\/endpoint-security\/microsoft-defender-endpoint\">Microsoft Defender for Endpoint <\/a><\/strong><br \/>\u2013 Suspicious installation of remote management software<br 
\/>\u2013 Remote monitoring and management software suspicious activity<br \/>\u2013 Suspicious location of remote management software<br \/>\u2013 Suspicious usage of remote management software<br \/>\u2013 Suspicious command execution via ScreenConnect<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h3 class=\"wp-block-heading\" id=\"microsoft-security-copilot\">Microsoft Security Copilot<\/h3>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/learn.microsoft.com\/defender-xdr\/security-copilot-in-microsoft-365-defender\">Microsoft Security Copilot is embedded in Microsoft Defender<\/a> and provides security teams with AI-powered capabilities to summarize incidents, analyze files and scripts, summarize identities, use guided responses, and generate device summaries, hunting queries, and incident reports.<\/p>\n<p class=\"wp-block-paragraph\">Customers can also <a href=\"https:\/\/learn.microsoft.com\/defender-xdr\/security-copilot-agents-defender\">deploy AI agents<\/a>, including the following <a href=\"https:\/\/learn.microsoft.com\/copilot\/security\/agents-overview\">Microsoft Security Copilot agents<\/a>, to perform security tasks efficiently:<\/p>\n<p class=\"wp-block-paragraph\">Security Copilot is also available as a <a href=\"https:\/\/learn.microsoft.com\/en-us\/copilot\/security\/experiences-security-copilot\">standalone experience<\/a> where customers can perform specific security-related tasks, such as incident investigation, user analysis, and vulnerability impact assessment. 
In addition, Security Copilot offers <a href=\"https:\/\/learn.microsoft.com\/copilot\/security\/developer\/custom-agent-overview\">developer scenarios<\/a> that allow customers to build, test, publish, and integrate AI agents and plugins to meet unique security needs.<\/p>\n<h3 class=\"wp-block-heading\" id=\"threat-intelligence-reports\">Threat intelligence reports<\/h3>\n<p class=\"wp-block-paragraph\">Microsoft Defender XDR customers can use the following threat analytics reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments:<\/p>\n<p class=\"wp-block-paragraph\">Microsoft Security Copilot customers can also use the <a href=\"https:\/\/learn.microsoft.com\/defender\/threat-intelligence\/security-copilot-and-defender-threat-intelligence?bc=%2Fsecurity-copilot%2Fbreadcrumb%2Ftoc.json&amp;toc=%2Fsecurity-copilot%2Ftoc.json#turn-on-the-security-copilot-integration-in-defender-ti\">Microsoft Security Copilot integration<\/a> in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the <a href=\"https:\/\/learn.microsoft.com\/defender\/threat-intelligence\/using-copilot-threat-intelligence-defender-xdr\">embedded experience<\/a> in the Microsoft Defender portal to get more information about this threat actor.<\/p>\n<h3 class=\"wp-block-heading\" id=\"hunting-queries\">Hunting queries<\/h3>\n<h4 class=\"wp-block-heading\" id=\"microsoft-defender-xdr\">Microsoft Defender XDR<\/h4>\n<p class=\"wp-block-paragraph\">Microsoft Defender XDR customers can run the following <a href=\"https:\/\/learn.microsoft.com\/defender-xdr\/advanced-hunting-overview\">advanced hunting<\/a> queries to find related activity in 
their networks:<\/p>\n<p class=\"wp-block-paragraph\"><strong>Find email messages related to known domains<\/strong><\/p>\n<p class=\"wp-block-paragraph\">The following query checks domains in Defender XDR email data:<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"13\">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title>\nEmailUrlInfo\n| where UrlDomain has_any (\"taxationstatments2025.com\", \"irs-doc.com\", \"gov-irs216.net\", \"private-adobe-client.im\", \"edud.site\", \"smartvault.im\")\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Detect file hash indicators in email data<\/strong><\/p>\n<p class=\"wp-block-paragraph\">The following query checks hashes related to identified phishing activity in Defender XDR data:<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"10\">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title>\nlet File_Hashes_SHA256 = dynamic([ \"45b6b4db1be6698c29ffde9daeb8ffaa344b687d3badded2f8c68c922cdce6e0\", \"d422f6f5310af1e72f6113a2a592916f58e3871c58d0e46f058d4b669a3a0fd8\"]);\nDeviceFileEvents\n| where SHA256 has_any (File_Hashes_SHA256)\n<\/pre>\n<\/div>\n<h4 class=\"wp-block-heading\" id=\"microsoft-sentinel\">Microsoft Sentinel<\/h4>\n<p class=\"wp-block-paragraph\">Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with \u2018TI map\u2019) to automatically match the indicators mentioned in this blog post with data in their workspace. 
If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the <a href=\"https:\/\/learn.microsoft.com\/azure\/sentinel\/sentinel-solutions-deploy\">Microsoft Sentinel Content Hub<\/a> to have the analytics rule deployed in their Sentinel workspace.<\/p>\n<p class=\"wp-block-paragraph\">The following queries use&nbsp;<a href=\"https:\/\/learn.microsoft.com\/azure\/sentinel\/normalization\" target=\"_blank\" rel=\"noreferrer noopener\">Sentinel Advanced Security Information Model (ASIM) functions<\/a>&nbsp;to hunt threats across both Microsoft first-party and third-party data sources. ASIM also supports deploying parsers to specific workspaces&nbsp;<a href=\"https:\/\/aka.ms\/DeployASIM\" target=\"_blank\" rel=\"noreferrer noopener\">from GitHub<\/a>, using an ARM template or manually.<\/p>\n<p class=\"wp-block-paragraph\"><strong>Detect network IP and domain indicators of compromise using ASIM<\/strong><\/p>\n<p class=\"wp-block-paragraph\">The following query checks IP addresses and domain IOCs across data sources supported by ASIM network session parser:<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"21\">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title>\n\/\/IP list and domain list- _Im_NetworkSession\nlet lookback = 30d;\nlet ioc_ip_addr = dynamic([]);\nlet ioc_domains = dynamic([\"taxationstatments2025.com\", \"irs-doc.com\", \"gov-irs216.net\", \"private-adobe-client.im\"]);\n_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())\n| where DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains)\n| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated), EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Detect Web Sessions IP and file hash indicators of compromise using 
ASIM<\/strong><\/p>\n<p class=\"wp-block-paragraph\">The following query checks IP addresses, domains, and file hash IOCs across data sources supported by ASIM web session parser:<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"18\">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title>\n\/\/ IP list and file hash list - _Im_WebSession\nlet lookback = 30d;\nlet ioc_ip_addr = dynamic([]);\nlet ioc_sha_hashes = dynamic([\"45b6b4db1be6698c29ffde9daeb8ffaa344b687d3badded2f8c68c922cdce6e0\"]);\n_Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())\n| where DstIpAddr in (ioc_ip_addr) or FileSHA256 in (ioc_sha_hashes)\n| summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated), EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Detect domain and URL indicators of compromise using ASIM<\/strong><\/p>\n<p class=\"wp-block-paragraph\">The following query checks domain and URL IOCs across data sources supported by ASIM web session parser:<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"12\">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title>\n\/\/ Domain list - _Im_WebSession\nlet ioc_domains = dynamic([\"taxationstatments2025.com\", \"irs-doc.com\", \"gov-irs216.net\", \"private-adobe-client.im\"]);\n_Im_WebSession (url_has_any = ioc_domains)\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Detect file hash indicators of compromise using ASIM<\/strong><\/p>\n<p class=\"wp-block-paragraph\">The following query checks IP addresses and file hash IOCs across data sources supported by ASIM file event parser:<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"13\">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" 
title>\n\/\/ file hash list - imFileEvent\nlet ioc_sha_hashes = dynamic([\"45b6b4db1be6698c29ffde9daeb8ffaa344b687d3badded2f8c68c922cdce6e0\"]);\nimFileEvent\n| where SrcFileSHA256 in (ioc_sha_hashes) or\nTargetFileSHA256 in (ioc_sha_hashes)\n| extend AccountName = tostring(split(User, @'\\')[1]), AccountNTDomain = tostring(split(User, @'\\')[0])\n| extend AlgorithmType = \"SHA256\"\n<\/pre>\n<\/div>\n<h2 class=\"wp-block-heading\" id=\"indicators-of-compromise\">Indicators of compromise<\/h2>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"12\">\n<tr>\n<td><strong>Indicator<\/strong><\/td>\n<td><strong>Type<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<td><strong>First seen<\/strong><\/td>\n<td><strong>Last seen<\/strong><\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>45b6b4db1be6698c29ffde9daeb8ffaa344b687d3badded2f8c68c922cdce6e0<\/td>\n<td>SHA-256<\/td>\n<td>Excel attachment in Energy365 PhaaS campaign<\/td>\n<td>2026-02-05<\/td>\n<td>2026-02-06<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>taxationstatments2025[.]com<\/td>\n<td>Domain<\/td>\n<td>Fidelity-themed ScreenConnect campaign<\/td>\n<td>2026-02-08<\/td>\n<td>2026-02-10<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>irs-doc[.]com<\/td>\n<td>Domain<\/td>\n<td>IRS \/ Cryptocurrency-themed SimpleHelp campaign<\/td>\n<td>2026-02-23<\/td>\n<td>2026-02-27<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>gov-irs216[.]net<\/td>\n<td>Domain<\/td>\n<td>IRS \/ Cryptocurrency-themed SimpleHelp campaign<\/td>\n<td>2026-02-23<\/td>\n<td>2026-02-27<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>private-adobe-client[.]im<\/td>\n<td>Domain<\/td>\n<td>CPA-targeted campaign delivering Datto<\/td>\n<td>2026-03-05<\/td>\n<td>2026-03-09<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>d422f6f5310af1e72f6113a2a592916f58e3871c58d0e46f058d4b669a3a0fd8<\/td>\n<td>SHA-256<\/td>\n<td>EXE dropped in IRS ScreenConnect 
campaign<\/td>\n<td>2026-02-10<\/td>\n<td>2026-10<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>edud[.]site<\/td>\n<td>Domain<\/td>\n<td>Domain hosting email addresses used to send phishing emails in IRS ScreenConnect campaign<\/td>\n<td>2026-02-10<\/td>\n<td>2026-02-10<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>smartvault[.]im<\/td>\n<td>Domain<\/td>\n<td>Domain hosting malicious content in IRS ScreenConnect campaign<\/td>\n<td>2026-02-10<\/td>\n<td>2026-02-10<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h3 class=\"wp-block-heading\" id=\"learn-more\">Learn more<\/h3>\n<p class=\"wp-block-paragraph\">For the latest security research from the Microsoft Threat Intelligence community, check out the <a href=\"https:\/\/aka.ms\/threatintelblog\">Microsoft Threat Intelligence Blog<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">To get notified about new publications and to join discussions on social media, follow us on <a href=\"https:\/\/www.linkedin.com\/showcase\/microsoft-threat-intelligence\">LinkedIn<\/a>, <a href=\"https:\/\/x.com\/MsftSecIntel\">X (formerly Twitter)<\/a>, and <a href=\"https:\/\/bsky.app\/profile\/threatintel.microsoft.com\">Bluesky<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the <a href=\"https:\/\/thecyberwire.com\/podcasts\/microsoft-threat-intelligence\">Microsoft Threat Intelligence podcast<\/a>.<\/p>\n<p>READ MORE <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/03\/19\/when-tax-season-becomes-cyberattack-season-phishing-and-malware-campaigns-using-tax-related-lures\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>During tax season, threat actors reliably take advantage of the urgency and familiarity of time-sensitive emails, including refund notices, payroll forms, filing reminders, and requests from tax professionals, to push malicious attachments, links, or QR 
codes.<br \/>\nThe post When tax season becomes cyberattack season: Phishing and malware campaigns using tax-related lures appeared first on Microsoft Security Blog. READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[10758,5449,188],"class_list":["post-60344","post","type-post","status-publish","format-standard","hentry","category-microsoft-secure","tag-adversary-in-the-middle-aitm","tag-credential-theft","tag-phishing"]}