When tax season becomes cyberattack season: Phishing and malware campaigns using tax-related lures
ID: 0fa26c36-e366-5f36-96ac-8fab23deb6b2
STIX ID: report--0fa26c36-e366-5f36-96ac-8fab23deb6b2
Feed Name: Microsoft Security
Date Published: 2026-03-19
Date Updated: 2026-04-28
Author: Microsoft Threat Intelligence and Microsoft Defender Security Research Team
Microsoft Threat Intelligence observed multiple coordinated tax-themed phishing campaigns in early 2026 that targeted U.S. organizations and accounting professionals. The campaigns used personalized lures (W-2s, CPA impersonation, IRS notifications), PhaaS kits (Energy365, SneakyLog), QR codes and attachment-based chains to harvest credentials and to deliver remote access malware by abusing legitimate RMM tools (ScreenConnect, SimpleHelp, Datto). The report includes campaign timelines, impacted industries and scales (including a large wave targeting ~29,000 users), IOCs (domains and SHA-256 hashes), and recommended mitigations for detection and prevention.
