During tax season, Microsoft Threat Intelligence notes a surge in phishing and malware campaigns that exploit time pressure and familiar tax emails, including refund notices, payroll forms, and requests from tax professionals, to trick targets into opening attachments, scanning QR codes, or following link chains.
In recent months, campaigns have used W-2 and tax form lures or impersonated government tax agencies and financial institutions, with several campaigns designed to harvest credentials or deliver malware through Phishing-as-a-Service platforms such as Energy365 and SneakyLog.
Notable incidents include a February 5–6, 2026 campaign delivering the Energy365 PhaaS kit to several hundred emails across multiple industries in the United States, a February 10, 2026 campaign to around 100 organisations using a W-2 lure and a QR code leading to a phishing page, and a February 23–27, 2026 IRS-themed effort targeting thousands of emails in higher education and other sectors.
One CPA-targeted campaign in March 2026 involved approximately 1,000 US-only emails with a Datto payload, while an IRS-themed large-scale effort on February 10, 2026 affected more than 29,000 users across 10,000 organisations, predominantly in the United States.
The researchers highlight that threat actors abuse legitimate tools such as ScreenConnect and SimpleHelp to deliver remote access capabilities, and they provide guidance on defence, including MFA enforcement, Safe Links, and Defender detection content aimed at early disruption and containment.