Microsoft sounds alarm on phishing campaigns targeting CPAs

Microsoft issued a warning about the rise of several new phishing campaigns taking advantage of the tax season to steal credentials and plant malware, some of which target accountants specifically. Microsoft noted that many of these campaigns use very specifically targeted communications in contrast to more generic lures. 


One campaign that targets CPAs specifically starts with an email asking for help filing taxes and requesting a quote, usually with a backstory. If the target replies, the actor sends a malicious link that leads to malware installation. Microsoft also observed variants with a similar backstory that put the malicious link in the first email. Many of these emails use the subject line "REQUEST FOR PROFESSIONAL TAX FILLING" (sic). The backstory describes a complex return involving a tax audit, university tuition, loan interest and real estate income; the sender explains that travel prevents an in-person visit to the office and closes by asking for a price quote. Microsoft saw the backstory change from day to day, including a version about switching CPAs because of a fee increase.

Another campaign targeting accountants has scammers impersonating the IRS through emails claiming that potentially irregular tax returns were filed under the recipient's Electronic Filing Identification Number (EFIN). Recipients are told to review those returns by downloading a supposedly legitimate "IRS Transcript Viewer" from a look-alike domain mimicking SmartVault; the site even uses Cloudflare bot detection and blocking, which complicates automated analysis. Users who pass the bot check see a fake verification animation and are then taken to a page offering the purported transcript viewer, which is in fact a remote access and control tool. Subject lines carrying this link include "IRS Request Transcript Review," "IRS Notice Firm Return Review," "CPA Compliance Review," "IRS Support Firm Filing Review," and "Review Requested Compliance."

[Image: an e-mail symbol printed on a piece of paper hooked on a fishing hook; phishing and data protection concept. Credit: Ivelin Radkov/Fotolia]

Another, more general campaign starts with an email with the subject line "See Tax file" and an Excel attachment named [Accountant's name] CPA.xlsx, using the name of a real accountant (likely impersonated without their knowledge). The attachment contains a clickable "REVIEW DOCUMENTS" button that links to a OneNote file hosted on OneDrive. That file, which carries the same CPA's name and logo, links in turn to a malicious landing page running the Energy365 phishing kit, which attempts to harvest credentials such as email addresses and passwords.

Another starts with the subject line "2025 Employee Tax Docs" and carries an attachment named 2025_Employee_W-2.docx whose content mentions tax-related terms such as Form W-2 and features a QR code pointing to a phishing page. Each document is customized with the recipient's name, and the URL encoded in the QR code also contains the recipient's email address, so every recipient receives a unique attachment. That per-recipient customization means a file hash seen on one victim's attachment will not match the next one, so hash-based blocking is of little use against this campaign.

Another campaign uses a set of domains registered for tax-themed phishing that impersonate specific legitimate companies in accounting, tax preparation, finance, bookkeeping and related fields. The emails carry subject lines such as "Your Account Now Includes Updated Tax Forms [RF] 1234" or "Your Form 1099-R is ready – [RF] 12123123" and a body stating "2025 Tax Forms is ready," with a clickable "View Tax Forms" button that leads to one of these dubiously registered domains, such as taxationstatments2025[.]com. The sites serve a malware executable named 1099-FR2025.exe that gives external actors remote control of the device.

Another uses emails impersonating the IRS with the subject line "IR-2026-216." Attentive recipients may notice that the messages do not come from irs.gov at all but from Eventbrite's campaign mail service; only the display name carries the IRS branding, with variations such as:

  • "IRS US"<noreply@campaign[.]eventbrite[.]com>
  • "IRS GOV"<noreply@campaign[.]eventbrite[.]com>
  • "Service"<noreply@campaign[.]eventbrite[.]com>
  • "IRS TAX"<noreply@campaign[.]eventbrite[.]com>
  • ".IRS.GOV"<noreply@campaign[.]eventbrite[.]com>

The body reads "Cryptocurrency Tax Form 1099 is Ready" and contains a non-clickable URL that the user is instructed to copy and paste into the browser. Doing so automatically downloads IRS-doc.msi, which is in actuality another remote access tool. Because the URL is plain text rather than a hyperlink, it never passes through link-rewriting or click-time protections, which is presumably why the lure relies on copy and paste.
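The display-name spoofing in the Eventbrite-relayed lure above, the subject lines reported for the other campaigns and the executable payloads (1099-FR2025.exe, IRS-doc.msi) are all easy to triage mechanically from the raw message. The following is an added example, not Microsoft's or Accounting Today's code: it parses messages with Python's standard email library, flags a display name that invokes the IRS while the address is outside irs.gov, matches the subject lines listed in the article, and flags attachments or bare URLs in the body whose file name ends in an executable extension. The sample messages are constructed for the example, and the brand-to-domain table and the example.invalid and example.com hosts are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brands that, when named in a display name, should only arrive from these
# domains. Assumption for this example; extend per organization.
BRAND_DOMAINS = {"irs": ("irs.gov",)}

# Subject lines reported in the article, as case-insensitive patterns.
LURE_SUBJECTS = [re.compile(p, re.I) for p in (
    r"REQUEST FOR PROFESSIONAL TAX FILLING",
    r"^IRS (Request Transcript|Notice Firm Return|Support Firm Filing) Review",
    r"^CPA Compliance Review",
    r"^Review Requested Compliance",
    r"^See Tax file",
    r"^2025 Employee Tax Docs",
    r"^Your (Account Now Includes Updated Tax Forms|Form 1099-R is ready)",
    r"^IR-\d{4}-\d+$",
)]
EXEC_EXT = re.compile(r"\.(exe|msi|scr|hta|js|vbs|bat|cmd)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def sender_domain(from_header):
    """Return (display name, domain part of the address) from a From header."""
    display, addr = parseaddr(from_header or "")
    return display, addr.rpartition("@")[2].lower()


def brand_mismatch(from_header):
    """Brand named in the display name while the address is not that brand's.

    Returns (brand, sending_domain) on a mismatch, else None. Word boundaries
    avoid false hits such as "First Bank" matching "irs".
    """
    display, domain = sender_domain(from_header)
    for brand, domains in BRAND_DOMAINS.items():
        named = re.search(r"\b%s\b" % re.escape(brand), display, re.I)
        trusted = any(domain == d or domain.endswith("." + d) for d in domains)
        if named and not trusted:
            return brand, domain
    return None


def triage(raw):
    """Return a list of findings for one RFC 822 message given as a string."""
    msg = message_from_string(raw)
    findings = []
    mismatch = brand_mismatch(msg.get("From"))
    if mismatch:
        findings.append("display-name spoof: %r sent from %s" % mismatch)
    subject = msg.get("Subject", "")
    if any(p.search(subject) for p in LURE_SUBJECTS):
        findings.append("known lure subject: %s" % subject)
    for part in msg.walk():
        name = part.get_filename()
        if name and EXEC_EXT.search(name):
            findings.append("executable attachment: %s" % name)
        if part.get_content_maintype() == "text":
            body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            # Bare URLs matter here: a copy/paste URL is never a hyperlink.
            for url in URL_RE.findall(body):
                if EXEC_EXT.search(url.rsplit("/", 1)[-1]):
                    findings.append("link to executable: %s" % url)
    return findings


# Constructed sample messages (not real captures). Hosts are placeholders.
SAMPLE_EVENTBRITE = """\
From: "IRS GOV"<noreply@campaign.eventbrite.com>
To: firm@example.com
Subject: IR-2026-216
Content-Type: text/plain; charset=utf-8

Cryptocurrency Tax Form 1099 is Ready.
Copy this address into your browser: https://example.invalid/IRS-doc.msi
"""

SAMPLE_W2 = """\
From: "Payroll" <hr@example.invalid>
To: jane@example.com
Subject: 2025 Employee Tax Docs
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your W-2 is attached. Scan the QR code to view it.
--b1
Content-Type: application/octet-stream; name="2025_Employee_W-2.docx"
Content-Disposition: attachment; filename="2025_Employee_W-2.docx"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

SAMPLE_BENIGN = """\
From: "Accounts Payable" <ap@example.com>
To: jane@example.com
Subject: Lunch order for Friday
Content-Type: text/plain

Same place as last week? Menu: https://example.com/menu.html
"""

if __name__ == "__main__":
    for label, raw in (("eventbrite", SAMPLE_EVENTBRITE),
                       ("w2", SAMPLE_W2), ("benign", SAMPLE_BENIGN)):
        print(label, triage(raw))
```

The subject and extension checks are brittle by design and will lag the next campaign; the display-name check is the durable part, because a brand named in the From display name but sent through some other organization's mail service is the shape of the Eventbrite lure regardless of subject or payload. Note that the W-2 sample is flagged on its subject only: the QR code inside the document is not a URL the parser can see, which is exactly why that campaign uses one.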

Microsoft recommended that organizations:

  • configure automatic attack disruption in Microsoft Defender XDR;
  • enforce multifactor authentication (MFA) on all accounts, remove users excluded from MFA, and strictly require MFA from all devices in all locations at all times;
  • use the Microsoft Authenticator app for passkeys and MFA, and complement MFA with conditional access policies that evaluate sign-in requests against additional identity-driven signals, possibly scoped to strengthen privileged accounts with phishing-resistant MFA;
  • enable zero-hour auto purge (ZAP) in Office 365 so that, in response to newly acquired threat intelligence, malicious phishing, spam or malware messages already delivered to mailboxes are retroactively quarantined;
  • configure Microsoft Defender for Office 365 Safe Links to recheck links at click time;
  • invest in advanced anti-phishing solutions that monitor and scan incoming emails and visited websites;
  • encourage users to use Microsoft Edge or other browsers that support Microsoft Defender SmartScreen; and
  • enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
