Mar 23, 2026
Tax Season Phishing Hit 29,000 Users Across 10,000 Companies—Microsoft Just Mapped the Entire Campaign
Attackers are exploiting tax season deadlines with phishing kits, credential theft, and remote access malware targeting accountants and finance teams across multiple industries.
Tax Deadlines Create a Window for Attackers
Every tax season, phishing campaigns surge as attackers exploit the urgency around filing deadlines. But in 2026, Microsoft Threat Intelligence documented campaigns that reached an unprecedented scale. On February 10 alone, a single phishing operation targeted more than 29,000 users across 10,000 organizations, almost exclusively in the United States.
The attackers were not casting a wide net randomly. An analysis of intended recipients showed the campaign specifically targeted accountants, tax preparers, and finance professionals. Financial services firms accounted for 19% of targets, followed by technology companies at 18% and retail businesses at 15%.
How the Campaigns Worked
Microsoft identified several distinct campaigns running simultaneously during tax season, each using different techniques to deliver credential theft or malware.
The first wave hit between February 5 and 6, with several hundred emails carrying the subject line "See Tax file." The messages targeted financial services, education, IT, insurance, and healthcare organizations. Each email contained an attachment with a clickable button labeled "REVIEW DOCUMENTS" that linked to a OneNote file hosted on OneDrive. The OneNote file contained a link to a malicious landing page running the Energy365 phishing kit, which harvested email addresses and passwords.
The February 10 campaign was far larger. More than 29,000 emails used tax-themed lures to redirect victims through multiple stages before landing on credential-harvesting pages. The operation leveraged legitimate OAuth protocol functionality to manipulate URL redirection and bypass conventional phishing defenses in both email gateways and browsers.
Beyond Credential Theft: Remote Access Malware
Not all of the tax season campaigns aimed at stealing passwords. Microsoft also observed attackers using tax-themed lures to install remote monitoring and management (RMM) tools on victim machines. These legitimate software packages, normally used by IT departments for remote support, give attackers persistent access to compromised devices and serve as an alternative command and control channel.
The RMM approach is particularly dangerous because the tools are digitally signed by their legitimate developers and are not flagged as malicious by most security software. Once installed, attackers can remotely control the victim's computer, access files, and move laterally through corporate networks.
Separately, the IRS released its annual "Dirty Dozen" list of tax scams for the 2026 filing season, warning that AI-generated phishing messages are making scam emails increasingly difficult to distinguish from legitimate IRS communications.
Why Tax Season Phishing Keeps Working
Tax-related phishing exploits a specific psychological vulnerability: deadline pressure. When accountants and finance teams are racing to file returns, they are more likely to click without scrutinizing the sender. Attackers register tax-themed domains months in advance (Microsoft observed new registrations appearing in January and February 2026) specifically to make their phishing emails appear more credible.
The campaigns also abuse trusted platforms like OneDrive, SharePoint, and Google Docs to host malicious content. Links to these services bypass many email filters because the domains are allowlisted. A phishing email linking to a OneDrive file looks legitimate to both automated security tools and human recipients.
How to Protect Yourself
Whether you file your own taxes or manage returns for an organization, these steps reduce your risk during tax season and beyond:
- Treat any unsolicited email about tax documents with suspicion, even if it appears to come from the IRS, a CPA, or a colleague
- Never click "Review Document" buttons in unexpected emails. Instead, navigate directly to the claimed platform by typing the URL yourself
- Enable phishing-resistant multi-factor authentication such as hardware security keys or passkeys on all financial and email accounts
- Verify unexpected requests for tax documents through a separate communication channel like a phone call
- Watch for recently registered domains in email links. Hover over links to check the URL before clicking
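For mail administrators, the last check can be automated. The sketch below is an added example, not code from Microsoft or the IRS: it pulls links out of a message body, flags domains registered shortly before delivery, and flags file-sharing links separately, because a trusted host says nothing about the file it serves. The 90-day threshold, the registration lookup table, the host list and all sample values are assumptions constructed for illustration.

```python
import re
from datetime import date
from urllib.parse import urlsplit

# File-sharing hosts of the kind the article says filters allowlist (illustrative list).
FILE_SHARING = ("onedrive.live.com", "1drv.ms", "sharepoint.com", "docs.google.com")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def registrable(host):
    # Simplification: last two labels. Real code should use the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def triage_links(body, received, registrations, max_age_days=90):
    """Return (host, reason, age_days) for every link that needs a closer look.

    registrations maps a registrable domain to its creation date; in practice
    this comes from a WHOIS/RDAP feed (assumed here, supplied offline below).
    """
    findings = []
    for url in URL_RE.findall(body):
        try:
            host = (urlsplit(url).hostname or "").lower().rstrip(".")
        except ValueError:          # malformed authority, e.g. broken IPv6 literal
            findings.append((url, "unparseable", None))
            continue
        if not host:
            continue
        if any(host == s or host.endswith("." + s) for s in FILE_SHARING):
            # Trusted domain, untrusted content: send to document inspection.
            findings.append((host, "file_sharing", None))
            continue
        created = registrations.get(registrable(host))
        if created is None:
            findings.append((host, "unknown_age", None))
            continue
        age = (received - created).days
        if age <= max_age_days:
            findings.append((host, "new_domain", age))
    return findings

# Constructed sample message and registration data (not real indicators).
SAMPLE_BODY = (
    "REVIEW DOCUMENTS: https://onedrive.live.com/view.aspx?resid=CONSTRUCTED\n"
    "Sign in at https://login.tax-docs-review.example/auth to continue.\n"
    "Questions? Visit https://www.established-cpa.example/contact"
)
SAMPLE_REGISTRATIONS = {
    "tax-docs-review.example": date(2026, 1, 14),
    "established-cpa.example": date(2015, 6, 1),
}

if __name__ == "__main__":
    for finding in triage_links(SAMPLE_BODY, date(2026, 2, 10), SAMPLE_REGISTRATIONS):
        print(finding)
```
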
The IRS will never initiate contact via email, text message, or social media to request personal or financial information. Any message claiming otherwise is a scam, regardless of how official it looks. Tax season ends, but the credentials stolen during it give attackers access to your accounts year round.