Microsoft: IRS-themed Phishing Hits 29,000, RMM Abused
⚠️Microsoft reported large-scale IRS-themed phishing campaigns in February 2026 that targeted more than 29,000 users across 10,000 organizations, using tax refund, payroll and W‑2 lures to harvest credentials and deliver remote access tools. Attackers leveraged Phishing-as-a-Service kits (notably Energy365 and SneakyLog/Kratos) and abused legitimate RMM products such as ScreenConnect, Datto, and SimpleHelp to maintain persistent access. Microsoft advises enforcing 2FA, applying conditional access, and blocking malicious domains and payloads to reduce exposure.
