THREAT ALERT
Wednesday, February 18th, 2026

Summary
On February 10, 2026, Microsoft observed a large-scale phishing campaign that targeted more than 29,000 users across 10,000 organizations, with 95% of victims located in the United States. The campaign impersonated the Internal Revenue Service (IRS) and specifically targeted accountants and tax preparers by referencing irregularities in Electronic Filing Identification Numbers (EFINs). Emails were delivered through Amazon Simple Email Service (SES) using a newly registered domain and redirected users through an SES tracking link to a Cloudflare-protected phishing site masquerading as SmartVault. Users who passed Cloudflare’s bot checks were served a fake verification page that initiated the download of a malicious TranscriptViewer5.1.exe file. The file was a ScreenConnect remote access tool capable of granting threat actors control over victim devices.
Every year, in the months leading up to US Tax Day, Microsoft tracks and identifies the social engineering techniques used by threat actors seeking to steal personal and financial information, which can result in identity theft and monetary loss. Although these threats rely on well-known, longstanding social engineering techniques, they can still be highly effective when users and organizations do not deploy advanced anti-phishing solutions or conduct user awareness training.
Overview
The campaign was distributed in two waves over a nine-hour window, reaching organizations across a broad range of industries. While the targeting was not limited to a single sector, financial services, technology/software, and retail organizations represented the largest portions of affected users.
Analysis indicates that the primary targeting focus was role-based rather than industry-specific, with accountants, tax preparers, and other finance-related personnel most frequently receiving the phishing emails. Attackers rotated multiple IRS-themed sender identities and dozens of subject lines, likely in an effort to evade detection by static filtering controls.
Attack Chain
The phishing emails claimed that irregular tax returns had been filed under the recipient’s EFIN and instructed recipients to download an “IRS Transcript Viewer” to review the issue. The embedded download button linked to an Amazon SES click-tracking URL, which redirected victims to a malicious SmartVault look-alike domain protected by Cloudflare bot filtering.
Users who passed the verification checks were shown a fake validation page indicating that IRS provider services were verifying the connection. Shortly afterward, a malicious executable file (TranscriptViewer5.1.exe) was automatically downloaded. The executable was a repackaged ScreenConnect remote access tool which, once executed, allowed threat actors to gain persistent remote access, enabling credential harvesting, data theft, and further post-exploitation activity.
Mitigation
Organizations should review email security configurations to ensure that advanced anti-phishing protections are enabled, including Safe Links, Safe Attachments, and Zero-hour Auto Purge (ZAP) capabilities where available. Security teams should also proactively search for and remove delivered phishing emails that contain similar subjects, sender domains, or URLs associated with the campaign.
User awareness remains critical, particularly during tax season when IRS-themed social-engineering attacks increase. Conducting targeted phishing-simulation exercises for finance and accounting personnel can significantly reduce risk. Additionally, enabling phishing-resistant multi-factor authentication (MFA), strengthening conditional access policies for privileged accounts, and deploying endpoint network protection can help limit attacker access if initial compromise occurs. Automated attack disruption and extended detection and response (XDR) capabilities should also be leveraged to contain active threats more rapidly.
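The attack chain above and the hunting step in the mitigation guidance (search delivered mail for matching subjects, sender domains, and URLs) can be turned into a simple scoring rule. The following is an added example, not code from Microsoft's alert: it scores constructed mail records against the campaign's traits (IRS/EFIN lure wording, an IRS-themed sender domain that is not irs.gov, a link routed through Amazon SES click tracking, a look-alike of an impersonated brand, and a downloaded executable). All sender addresses, hostnames and message IDs are constructed placeholders; the assumption that SES click tracking uses the awstrack.me domain holds only when no custom tracking domain is configured, and the point weights and threshold are arbitrary choices for illustration.

```python
"""Score delivered mail records for the IRS/EFIN phishing pattern (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class MailRecord:
    """Minimal view of a delivered message as a mail-hunting export might expose it (assumed shape)."""
    message_id: str
    sender: str
    subject: str
    urls: list[str]
    downloaded_files: list[str] = field(default_factory=list)


# Lure wording seen in the campaign: IRS impersonation, EFIN irregularities, a "transcript viewer".
LURE_TERMS = re.compile(r"\b(irs|efin|electronic filing identification|transcript viewer)\b", re.I)
# Assumption: default SES click-tracking host; a custom tracking domain would need adding here.
SES_TRACKING_HOST = "awstrack.me"
IMPERSONATED_BRANDS = ("irs", "smartvault")
LEGITIMATE_DOMAINS = ("irs.gov", "smartvault.com")
EXECUTABLE_SUFFIXES = (".exe", ".msi")


def domain_of(address: str) -> str:
    """Return the domain part of an e-mail address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def host_tokens(host: str) -> set[str]:
    """Split a hostname on dots and hyphens so 'irs' matches 'irs-provider.example' but not 'first.example'."""
    return set(re.split(r"[.\-]", host.lower()))


def is_legitimate(host: str) -> bool:
    """True when the host is, or is a subdomain of, one of the impersonated brands' real domains."""
    return any(host == d or host.endswith("." + d) for d in LEGITIMATE_DOMAINS)


def score_record(rec: MailRecord) -> tuple[int, list[str]]:
    """Return a campaign-likeness score and the reasons that contributed to it."""
    points, reasons = 0, []
    if LURE_TERMS.search(rec.subject):
        points += 2
        reasons.append("IRS/EFIN lure wording in subject")
    sender_domain = domain_of(rec.sender)
    if "irs" in host_tokens(sender_domain) and not is_legitimate(sender_domain):
        points += 2
        reasons.append(f"sender domain impersonates the IRS: {sender_domain}")
    for url in rec.urls:
        host = (urlparse(url).hostname or "").lower()
        if host == SES_TRACKING_HOST or host.endswith("." + SES_TRACKING_HOST):
            points += 1
            reasons.append(f"link routed through SES click tracking: {host}")
        for brand in IMPERSONATED_BRANDS:
            if brand in host_tokens(host) and not is_legitimate(host):
                points += 3
                reasons.append(f"look-alike domain for {brand}: {host}")
    for name in rec.downloaded_files:
        if name.lower().endswith(EXECUTABLE_SUFFIXES):
            points += 3
            reasons.append(f"executable download: {name}")
    return points, reasons


def hunt(records: list[MailRecord], threshold: int = 5) -> list[tuple[str, int, list[str]]]:
    """Return (message_id, score, reasons) for every record at or above the threshold, highest first."""
    hits = [(r.message_id, *score_record(r)) for r in records]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])


# Constructed sample records: one matching the campaign, one legitimate IRS mail, one unrelated internal mail.
SAMPLE_MAIL = [
    MailRecord(
        "msg-1",
        "efin-compliance@irs-provider-services.example",
        "Irregular returns filed under your EFIN - action required",
        ["https://example.r.us-east-1.awstrack.me/L0/placeholder",
         "https://smartvault-secure-portal.example/verify"],
        ["TranscriptViewer5.1.exe"],
    ),
    MailRecord("msg-2", "newsroom@irs.gov", "IRS e-file provider updates",
               ["https://www.irs.gov/e-file-providers"]),
    MailRecord("msg-3", "controller@contoso-accounting.example", "Q1 close checklist",
               ["https://intranet.contoso-accounting.example/finance/q1"]),
]

if __name__ == "__main__":
    for message_id, points, reasons in hunt(SAMPLE_MAIL):
        print(message_id, points, "; ".join(reasons))
```

Only the constructed campaign-like record crosses the threshold; the genuine irs.gov message scores on lure wording alone, which is why single-trait rules against IRS-themed mail generate noise during tax season and the chain (tracking redirect, look-alike host, executable) carries most of the weight.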
Conclusion
This campaign demonstrates how threat actors continue to leverage trusted cloud infrastructure, seasonal themes, and role-focused targeting to increase phishing success rates. Even when tactics rely on familiar social-engineering techniques, the combination of infrastructure blending, bot-evasion controls, and legitimate remote-management tools can make attacks more difficult to detect and more damaging once executed. Strengthening layered email defenses, endpoint protection, and user awareness programs remains essential to reducing the impact of large-scale phishing campaigns of this nature.