Microsoft
One of the campaigns that targets CPAs specifically starts with an email asking for assistance in filing taxes, asking for a quote, and typically providing a backstory. If the actor receives a reply, they send a malicious link that leads to the installation of malware.
However, Microsoft also observed campaigns targeting CPAs that contain a similar backstory but include the malicious link in the first email. Many of these emails have the subject line "REQUEST FOR PROFESSIONAL TAX FILLING." The email provides a backstory that includes a description of a complex tax return situation involving tax audit, university tuition, loan interest, and real estate income. The sender also attempts to explain their inability to physically visit the office due to travel. Finally, the sender asks for a price quote. Microsoft observed variations of the backstory on different days, including one that claims the sender is switching CPAs due to fee increases.
Another campaign that is targeting accountants specifically involved, once again, scammers impersonating the IRS, this time through emails claiming that potentially irregular tax returns had been filed under the recipient's Electronic Filing Identification Number. Recipients were instructed to review these returns by downloading a purportedly legitimate "IRS Transcript Viewer" that leads to a malicious look‑alike domain mimicking SmartVault that even used Cloudflare for bot detection and blocking. Users who pass the bot check are then shown a fake verification animation and are led to a page where they can download the ostensible transcript viewer that is, in fact, a remote access and control tool. Subject lines for emails found to have this malicious link include:
- IRS Request Transcript Review;
- IRS Notice Firm Return Review;
- CPA Compliance Review;
- IRS Support Firm Filing Review; and,
- Review Requested Compliance.

Another, more general, campaign starts with an email with the subject line "See Tax file," which contains an Excel attachment named [Accountant's name] CPA.xlsx, using the name of a real accountant (likely impersonated without their knowledge). The attachment contains a clickable "REVIEW DOCUMENTS" button that links to a OneNote file hosted on OneDrive. The file, which uses the same CPA's name and logo, has a link leading to a malicious landing page that hosts the Energy365 phishing kit, which will attempt to harvest credentials such as email and password.
Another starts with the subject line "2025 Employee Tax Docs" and contains an attachment named 2025_Employee_W-2 .docx with content that mentions various tax-related terms like Form W-2 and features a QR code pointing to a phishing page. Each document is customized to contain the recipient's name, and the URL hidden behind the QR code also contains the recipient's email address. This means that each recipient received a unique attachment.
Another is connected to a set of domains that were registered to be used in tax-themed phishing campaigns that impersonate specific legitimate companies involved in accounting, tax preparation, finance, bookkeeping, and related businesses. The emails use subject lines like "Your Account Now Includes Updated Tax Forms [RF] 1234" or "Your Form 1099-R is ready – [RF] 12123123" and a body saying things like "2025 Tax Forms is ready," and contain a clickable "View Tax Forms" button that goes to one of these dubiously registered domains, such as taxationstatments2025 [dot] com. These sites serve a malware executable named 1099-FR2025.exe, which will allow external actors to take control of the device remotely.
Another campaign uses emails that impersonate the IRS, with the subject line "IR-2026-216." However, astute observers may realize that the email address does not come from
- "IRS US"<noreply@campaign[.]eventbrite[.]com>
- "IRS GOV"<noreply@campaign[.]eventbrite[.]com>
- "Service"<noreply@campaign[.]eventbrite[.]com>
- "IRS TAX"<noreply@campaign[.]eventbrite[.]com>
- ".IRS.GOV"<noreply@campaign[.]eventbrite[.]com>
The email, with the body "Cryptocurrency Tax Form 1099 is Ready," has a non-clickable URL the user is instructed to copy and paste into the browser. If they do this, the browser automatically downloads IRS-doc.msi, which is in actuality another remote access tool.
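The sender list above lends itself to a simple mail-triage check. The following is an added example, not code from Microsoft or from the article: it flags messages whose display name claims the IRS, or whose subject follows the "IR-YYYY-NNN" pattern, while the sending domain is not irs.gov. The function names, the generalised subject pattern and the irs.gov test address are assumptions made for the example.

```python
import re
from email.utils import parseaddr

LEGIT_DOMAIN = "irs.gov"                      # the agency's real mail domain
BRAND = re.compile(r"\bIRS\b", re.IGNORECASE)
# Assumption: generalised from the single subject line quoted in the article.
RELEASE_SUBJECT = re.compile(r"^\s*IR-\d{4}-\d+\s*$")


def refang(value: str) -> str:
    """Undo the [.] / [dot] defanging used in threat reports."""
    return re.sub(r"\s*\[(?:\.|dot)\]\s*", ".", value, flags=re.IGNORECASE)


def sender_domain(from_header: str) -> tuple[str, str]:
    """Return (display name, lower-cased domain) of a From header."""
    # Refang first: a bracketed domain would not parse as a normal address.
    name, addr = parseaddr(refang(from_header))
    return name, addr.rpartition("@")[2].lower().rstrip(".")


def triage(from_header: str, subject: str) -> list[str]:
    """List the reasons a message looks like IRS impersonation (empty = none)."""
    name, domain = sender_domain(from_header)
    if domain == LEGIT_DOMAIN or domain.endswith("." + LEGIT_DOMAIN):
        return []          # still needs a DMARC pass before it can be trusted
    reasons = []
    # Collapse punctuation so names like ".IRS.GOV" or "IRS_TAX" still match.
    if BRAND.search(re.sub(r"[^A-Za-z]+", " ", name)):
        reasons.append(f"display name {name!r} claims IRS, domain is {domain}")
    if RELEASE_SUBJECT.match(subject):
        reasons.append(f"IRS-style subject from {domain}")
    return reasons


if __name__ == "__main__":
    senders = [                                # sender strings from the article
        '"IRS US"<noreply@campaign[.]eventbrite[.]com>',
        '"Service"<noreply@campaign[.]eventbrite[.]com>',
        '".IRS.GOV"<noreply@campaign[.]eventbrite[.]com>',
        '"IRS"<news@irs.gov>',                 # constructed control sample
    ]
    for sender in senders:
        print(sender, "->", triage(sender, "IR-2026-216") or "no finding")
```

The "Service" sender shows why the subject check is there: its display name carries no IRS branding, so a display-name rule alone would not flag it.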
Microsoft suggested a number of steps that tax preparers can take to protect themselves, their clients and their firms:
- Configuring automatic attack disruption in Microsoft Defender XDR;
- Enforcing multifactor authentication on all accounts, removing users excluded from MFA, and strictly requiring MFA from all devices in all locations at all times;
- Using Microsoft Authenticator app for passkeys and MFA;
- Complementing MFA with conditional access policies, where sign-in requests are evaluated using additional identity-driven signals, possibly scoped to strengthen privileged accounts with phishing resistant MFA;
- Enabling Zero-hour auto purge (ZAP) in Office 365 to quarantine sent mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes;
- Configuring Microsoft Defender for Office 365 Safe Links to recheck links on click;
- Investing in advanced anti-phishing solutions that monitor and scan incoming emails and visited websites;
- Encouraging users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen; and,
- Enabling network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.






