Microsoft Warns IRS Phishing Hits 29,000 Users, Deploys RMM Malware
ID: 0df2f4a2-b7fd-5666-ae6b-a32818730acf
STIX ID: report--0df2f4a2-b7fd-5666-ae6b-a32818730acf
Feed Name: The Hacker News
Microsoft warns of large, ongoing phishing campaigns timed around U.S. tax season that use CPA/IRS and tax-themed lures, QR codes, and typosquatted domains to steal credentials and deliver remote access tools (ScreenConnect, Datto, SimpleHelp) and malware (Salat Stealer, RATs, cryptominers). Campaigns leverage Phishing-as-a-Service kits (Energy365, SneakyLog/Kratos), multi-vendor URL rewriting, abuse of legitimate services (Amazon SES, Cloudflare, Azure Monitor alerts), and deceptive pages to maintain persistence and evade detection; roughly 29,000 users in 10,000 organizations were impacted in one observed campaign. Organizations are advised to enforce 2FA, implement conditional access, monitor email/web traffic, and audit for unauthorized RMM usage.
