HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Microsoft Alerts on IRS‑Season Phishing Campaign Hitting ~29K Users and Deploying RMM Malware

Microsoft warned that a tax‑season phishing wave masquerading as IRS communications has compromised roughly 29,000 users, delivering remote‑monitoring‑and‑management malware. The campaign threatens government agencies and any third‑party payroll or tax‑software providers that interact with the IRS, making it a critical TPRM concern.

LiveThreat™ Intelligence · 📅 March 23, 2026· 📰 thehackernews.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
thehackernews.com

Microsoft Warns of IRS‑Targeted Phishing Campaign Affecting ≈ 29,000 Users and Deploying RMM Malware

What Happened — Microsoft disclosed a new phishing campaign that leverages the U.S. tax‑season deadline to trick recipients into believing they have IRS refunds, payroll forms, or filing reminders. The emails contain malicious links that install remote‑monitoring‑and‑management (RMM) malware capable of harvesting credentials and providing persistent access.

Why It Matters for TPRM

  • Phishing attacks against government agencies often cascade to third‑party vendors that process payroll, tax filings, or provide cloud services.
  • RMM malware can be used to pivot into partner networks, exposing data and compromising service continuity.
  • The scale (≈ 29 k victims) indicates a high‑success rate, suggesting attackers may already have footholds in multiple supply‑chain entities.

Who Is Affected — Federal government (IRS), payroll service providers, tax‑software SaaS vendors, and any third‑party organizations that exchange data with the IRS or handle employee payroll.

Recommended Actions

  • Review all contracts with payroll, tax‑filing, and financial‑services vendors for phishing‑resilience clauses.
  • Verify that vendors enforce multi‑factor authentication (MFA) for any IRS‑related accounts.
  • Conduct phishing‑simulation training for staff handling tax‑season communications.
  • Ensure endpoint detection and response (EDR) solutions can detect and quarantine RMM payloads.

Technical Notes — Attack vector: credential‑phishing emails with malicious URLs delivering RMM trojan (often variants of TeamViewer, AnyDesk, or custom backdoors). No specific CVE cited. Data at risk includes employee personally identifiable information (PII), payroll records, and IRS filing data. Source: The Hacker News

📰 Original Source
https://thehackernews.com/2026/03/microsoft-warns-irs-phishing-hits-29000.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →