Microsoft Warns of IRS‑Targeted Phishing Campaign Affecting ≈ 29,000 Users and Deploying RMM Malware
What Happened — Microsoft disclosed a phishing campaign that uses the U.S. tax-season deadline as its lure: recipients are told they have an IRS refund waiting, a payroll form to complete, or a filing reminder to act on. The emails carry malicious links that install remote-monitoring-and-management (RMM) software, which gives the attacker persistent remote access to the endpoint and a platform from which to harvest credentials.
Why It Matters for TPRM —
- IRS-themed lures land in the inboxes of the third-party vendors that process payroll, prepare tax filings, or host the cloud services behind them, so a single compromised vendor account can expose every client that vendor serves.
- RMM software gives the attacker hands-on remote control of the compromised endpoint, which can be used to pivot into partner networks, exposing shared data and disrupting service continuity.
- The ≈ 29 k figure measures the campaign's reach, not its success rate: the summary does not say how many recipients actually installed the RMM tool. Even a small fraction of successful installs across that many targets would give the attackers footholds in multiple supply-chain entities.
Who Is Affected — The IRS is the impersonated brand; the organizations exposed are those whose staff receive and act on IRS-branded mail: payroll service providers, tax-software SaaS vendors, and any third party that exchanges data with the IRS or handles employee payroll.
Recommended Actions —
- Review contracts with payroll, tax-filing, and financial-services vendors for clauses covering phishing resilience (awareness training, MFA requirements, and incident-notification timelines).
- Verify that vendors enforce multi-factor authentication (MFA), preferably a phishing-resistant method such as FIDO2/WebAuthn, on accounts used for IRS e-Services, payroll portals, and tax-filing platforms.
- Run phishing simulations that use tax-season pretexts (refund notices, W-2 and payroll forms, filing reminders) for the staff who handle those communications.
- Ensure endpoint detection and response (EDR) tooling flags RMM agents that are not on the approved list, in particular installs launched from a browser or mail client into user-writable paths, and blocks or quarantines them; allow-list only the RMM product IT actually uses.
Technical Notes — Attack vector: credential-phishing emails carrying malicious URLs that deliver an RMM payload. The tools named (TeamViewer, AnyDesk) are legitimate remote-access products abused by the attacker rather than malware families; custom backdoors are also reported. No CVE is cited, and the chain relies on the recipient clicking and installing rather than on a software vulnerability. Data at risk includes employee personally identifiable information (PII), payroll records, and IRS filing data. Source: The Hacker News
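A detection check for the EDR recommendation above, added here as an example and not code from Microsoft, The Hacker News, or the campaign report. It runs over constructed Sysmon Event ID 1 (process creation) records in JSON-lines form and flags RMM binaries that show phishing-delivery traits: spawned by a browser or mail client, running from a user-writable path, or renamed (caught through the PE OriginalFileName field). TeamViewer and AnyDesk come from the page; the other tool names, the parent-process list, the Program Files assumption, and all hostnames, users and paths are assumptions.

```python
"""Flag RMM agents launched from a phishing chain (added example, not the page's code).

Input: Sysmon Event ID 1 records as JSON lines. Field names follow Sysmon's schema;
the sample records below are constructed and every host, user and path is invented.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field

# Remote-access tools the page names (TeamViewer, AnyDesk). The remaining entries
# are an assumption about other commonly abused RMM agents; tune to the estate.
RMM_BINARIES = {
    "anydesk.exe", "teamviewer.exe", "teamviewer_service.exe",
    "screenconnect.clientservice.exe", "atera.exe", "splashtop.exe",
}
# Parents that indicate the binary came straight from a clicked link or attachment.
DELIVERY_PARENTS = {"msedge.exe", "chrome.exe", "firefox.exe", "outlook.exe",
                    "winword.exe", "excel.exe"}
# Assumption: sanctioned installs live under Program Files; a phishing payload
# lands somewhere the user can write.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")


@dataclass
class Finding:
    host: str
    user: str
    image: str
    parent: str
    reasons: list[str] = field(default_factory=list)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> Finding | None:
    """Return a Finding when an RMM binary shows phishing-delivery traits, else None."""
    image = event.get("Image", "")
    # OriginalFileName comes from the PE version resource, so a payload renamed to
    # "IRS_Refund_Form.exe" still identifies itself as the real tool.
    names = {_basename(image), event.get("OriginalFileName", "").lower()}
    if not names & RMM_BINARIES:
        return None
    parent = _basename(event.get("ParentImage", ""))
    reasons: list[str] = []
    if parent in DELIVERY_PARENTS:
        reasons.append(f"spawned by {parent}")
    if any(m in image.lower() for m in USER_WRITABLE_MARKERS):
        reasons.append("runs from a user-writable path")
    if _basename(image) not in RMM_BINARIES:
        reasons.append(f"renamed binary (OriginalFileName {event['OriginalFileName']})")
    if not reasons:
        # e.g. IT-deployed TeamViewer under Program Files started by services.exe
        return None
    return Finding(event.get("Computer", "?"), event.get("User", "?"), image, parent, reasons)


def scan(jsonl: str) -> list[Finding]:
    """Run evaluate() over JSON-lines Sysmon records and collect the findings."""
    findings: list[Finding] = []
    for line in jsonl.splitlines():
        if line.strip():
            finding = evaluate(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample: a sanctioned install, a direct browser download, a renamed
# payload dropped from a mail client, and an unrelated process.
SAMPLE_EVENTS = """\
{"Computer": "WS-FIN-07", "User": "CORP\\\\jdoe", "Image": "C:\\\\Program Files\\\\TeamViewer\\\\TeamViewer_Service.exe", "OriginalFileName": "TeamViewer_Service.exe", "ParentImage": "C:\\\\Windows\\\\System32\\\\services.exe"}
{"Computer": "WS-FIN-07", "User": "CORP\\\\jdoe", "Image": "C:\\\\Users\\\\jdoe\\\\Downloads\\\\AnyDesk.exe", "OriginalFileName": "AnyDesk.exe", "ParentImage": "C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe"}
{"Computer": "WS-HR-12", "User": "CORP\\\\asmith", "Image": "C:\\\\Users\\\\asmith\\\\AppData\\\\Local\\\\Temp\\\\IRS_Refund_Form.exe", "OriginalFileName": "AnyDesk.exe", "ParentImage": "C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\OUTLOOK.EXE"}
{"Computer": "WS-HR-12", "User": "CORP\\\\asmith", "Image": "C:\\\\Windows\\\\System32\\\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE", "ParentImage": "C:\\\\Windows\\\\explorer.exe"}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host} {f.user}: {f.image} <- {f.parent}: {'; '.join(f.reasons)}")
```

The sanctioned TeamViewer service produces no finding because it is under Program Files and started by services.exe; the two phishing-delivered AnyDesk instances are flagged, including the one renamed to look like an IRS form. In production the same logic maps onto an EDR query or Sigma rule over the vendor's process-creation telemetry, with RMM_BINARIES reduced to everything except the one product IT has approved.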