{
  "Event": {
    "analysis": "1",
    "date": "2026-03-19",
    "extends_uuid": "",
    "info": "[Threat Intel] When tax season becomes cyberattack season: Phishing and malware campaigns using tax-related lures",
    "protected": false,
    "publish_timestamp": "1775245820",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1775245819",
    "uuid": "c4b0ca88-d853-41ee-844a-03b95c15dd97",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#96f4f6",
        "local": false,
        "name": "misp-galaxy:producer=\"Microsoft\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#7773ac",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"",
        "relationship_type": ""
      },
      {
        "colour": "#ff841f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"",
        "relationship_type": ""
      },
      {
        "colour": "#75ec20",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"",
        "relationship_type": ""
      },
      {
        "colour": "#eb2300",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Defacement - T1491\"",
        "relationship_type": ""
      },
      {
        "colour": "#20f80d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"",
        "relationship_type": ""
      },
      {
        "colour": "#9e0269",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Service - T1102\"",
        "relationship_type": ""
      },
      {
        "colour": "#08221e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal Application Access Token - T1528\"",
        "relationship_type": ""
      },
      {
        "colour": "#3780c6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d1dab",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Internal Spearphishing - T1534\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#59699c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#b8ab01",
        "local": false,
        "name": "misp-galaxy:target-information=\"United States\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774004424",
        "to_ids": false,
        "type": "link",
        "uuid": "be5b012b-b9d9-4c15-b26a-fee4b0fa66d5",
        "value": "https://www.microsoft.com/en-us/security/blog/2026/03/19/when-tax-season-becomes-cyberattack-season-phishing-and-malware-campaigns-using-tax-related-lures/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774004424",
        "to_ids": false,
        "type": "text",
        "uuid": "9e0fda01-0b8e-459a-a3f2-8c8f91947972",
        "value": "During tax season, threat actors exploit the urgency of time-sensitive tax-related emails to trick targets into opening malicious attachments, scanning QR codes, or following multi-step link chains. Recent campaigns identified by Microsoft Threat Intelligence use lures around W-2 and other tax forms and impersonate government tax agencies (e.g., the IRS) and financial institutions. The campaigns aim to harvest credentials or deliver malware, often using phishing-as-a-service platforms that provide convincing credential theft and MFA bypass. Notable tactics include abusing legitimate remote monitoring and management (RMM) tools such as ScreenConnect, SimpleHelp, and Datto (these are legitimate products rather than malware, so detection should focus on unauthorized installs and unexpected RMM connections rather than on the software itself), targeting specific industries and roles such as accountants and CPAs, and employing sophisticated social engineering. The campaigns leverage varied file formats, legitimate infrastructure, and multiple required user interactions to complicate automated detection."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774004424",
        "to_ids": false,
        "type": "text",
        "uuid": "23861116-32b6-4c56-bb3b-00bf655c93ea",
        "value": "Name: When tax season becomes cyberattack season: Phishing and malware campaigns using tax-related lures\nAuthor: AlienVault\nAdversary: \nTags: [\"datto\", \"phishing\", \"irs impersonation\", \"cpa targeting\", \"simplehelp\", \"credential theft\", \"screenconnect\", \"remote monitoring tools\", \"tax season\", \"social engineering\", \"malware\"]\nTgtd countries: [\"United States of America\"]\nMlwr families: [\"ScreenConnect\", \"SimpleHelp\", \"Datto\"]\nAttack_ids: [\"T1133\", \"T1071\", \"T1036\", \"T1491\", \"T1059\", \"T1102\", \"T1528\", \"T1204\", \"T1534\", \"T1566\", \"T1078\", \"T1105\"]\nIndustries: [\"Financial services\", \"Education\", \"Information technology\", \"Insurance\", \"Healthcare\", \"Manufacturing\", \"Retail\", \"Higher education\", \"Legal\"]"
      },
      {
        "category": "Network activity",
        "comment": "Domain hosting email addresses used to send phishing emails in IRS ScreenConnect campaign",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775238851",
        "to_ids": true,
        "type": "domain",
        "uuid": "e9337064-16c4-45a9-bd18-599194f56e49",
        "value": "edud.site",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "IRS / Cryptocurrency-themed SimpleHelp campaign",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775238872",
        "to_ids": true,
        "type": "domain",
        "uuid": "ec8d4381-14b2-4a44-8cf4-8fe995b610a3",
        "value": "gov-irs216.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "IRS / Cryptocurrency-themed SimpleHelp campaign",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775238894",
        "to_ids": true,
        "type": "domain",
        "uuid": "70a33448-4c87-4db4-8864-4f22d630ed0a",
        "value": "irs-doc.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "CPA-targeted campaign delivering Datto",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775238916",
        "to_ids": true,
        "type": "domain",
        "uuid": "0eed6386-1ee1-443f-9325-bc642ee17389",
        "value": "private-adobe-client.im",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Domain hosting malicious content in IRS ScreenConnect campaign",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775238937",
        "to_ids": true,
        "type": "domain",
        "uuid": "bc7f4b44-654e-4609-8f4c-4f435cd640c8",
        "value": "smartvault.im",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775238959",
        "to_ids": true,
        "type": "domain",
        "uuid": "f43e80a3-f9a1-42e8-811f-fd1d48b7a3e9",
        "value": "tax-statments2025.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Fidelity-themed ScreenConnect campaign",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775238981",
        "to_ids": true,
        "type": "domain",
        "uuid": "d00dd594-2911-40c2-ab9c-c38005d40a7c",
        "value": "taxationstatments2025.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775239002",
        "uuid": "c5ed7130-390e-4e71-a85e-5f6096a0463b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Excel attachment in Energy365 PhaaS campaign",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775239002",
            "to_ids": true,
            "type": "md5",
            "uuid": "3150aa59-17fc-4e31-89cb-ccb64a2c8a40",
            "value": "fc5f2a0535ccab63a55135ed1824f5c9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Excel attachment in Energy365 PhaaS campaign",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775237382",
            "to_ids": true,
            "type": "sha1",
            "uuid": "cd49c6f0-6b93-4969-aa15-af041b35edac",
            "value": "c0ce9ecfc35a84546ba117e4313061e269fbf667",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Excel attachment in Energy365 PhaaS campaign",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775237382",
            "to_ids": true,
            "type": "sha256",
            "uuid": "785d357c-31d7-4c38-bbe4-d6efe2dad2f2",
            "value": "45b6b4db1be6698c29ffde9daeb8ffaa344b687d3badded2f8c68c922cdce6e0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775235277",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "5be14ef6-a78f-49dc-ab5c-aeccf70f4500",
            "value": "3072:eDoW+Q0gq3vVvE2rsuQ4fpfV5qVKdgn+3g0pwn8TiqVr3aPLyrA1B9b:ekQ0gq3/55hfV5qrn+pfuuOOC9"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775235277",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "d32d00c6-c571-4b42-9e98-af1eef9a0582",
            "value": "163983"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775235277",
            "to_ids": true,
            "type": "vhash",
            "uuid": "1ca09086-b375-4d87-9de4-5927b77b7b3f",
            "value": "4177982ef7cc920c171d6bf7d09fc540"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775235277",
            "to_ids": true,
            "type": "filename",
            "uuid": "4e077912-2d4a-4907-9945-f984a2f54990",
            "value": "785wi.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-04-04\nLast-scan: 2026-03-31",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775235277",
            "to_ids": false,
            "type": "text",
            "uuid": "4055ad59-70dc-44ed-a89b-4b40aa921db0",
            "value": "Excel attachment in Energy365 PhaaS campaign\r\nType Description: Office Open XML Spreadsheet\nMicrosoft: None\nVT Total Detection:18/66\nFirst Submission:2026-02-05T19:52:21.000000+00:00\nLast Submission:2026-02-05T19:52:21.000000+00:00\nNote: the VT file type (Office Open XML Spreadsheet) does not match the recorded filename 785wi.exe; treat the filename attribute as a weak, submission-derived indicator and pivot on the hashes instead. Microsoft reported no detection at last scan despite 18/66 engines flagging the sample."
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775239023",
        "uuid": "1ea3b602-43d5-4f3f-871a-42fb65775aa2",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "EXE dropped in IRS ScreenConnect campaign",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775239023",
            "to_ids": true,
            "type": "md5",
            "uuid": "cbb68e27-53b9-4935-ab01-0da98625565b",
            "value": "1d01fa267626c4f05b55dc88fa5c7918",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "EXE dropped in IRS ScreenConnect campaign",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775237384",
            "to_ids": true,
            "type": "sha1",
            "uuid": "b8a347e1-ffbc-46f9-b0ea-d5282781d5f4",
            "value": "6791c798b0b9e0cd4722092711a08130daae4d87",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "EXE dropped in IRS ScreenConnect campaign",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775237384",
            "to_ids": true,
            "type": "sha256",
            "uuid": "ddb83b9e-9e61-4331-aeb6-97d322b4d578",
            "value": "d422f6f5310af1e72f6113a2a592916f58e3871c58d0e46f058d4b669a3a0fd8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775235298",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "387ce8f2-3a0d-4631-b67b-ae78dc671c20",
            "value": "196608:O1EfefPk4KaLNkbgwi4QOKaLNkbgAKaLNkbghKaLNkbgBKaLNkbga:OVWgwiHwWgGWgFWglWga"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775235298",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "984311c0-3a1f-46eb-aa4c-a2334d729663",
            "value": "14694456"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775235298",
            "to_ids": true,
            "type": "vhash",
            "uuid": "49712d31-6cf6-44ea-a7be-191fa7f489cc",
            "value": "017056655d15756az459z6tz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775235298",
            "to_ids": true,
            "type": "filename",
            "uuid": "e709fd5a-30c0-41c6-b6fd-4e3e8004cda5",
            "value": "i76z0.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-04-04\nLast-scan: 2026-03-31",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775235298",
            "to_ids": false,
            "type": "text",
            "uuid": "5eca3f41-f223-42b1-bf0a-e2598926d10b",
            "value": "EXE dropped in IRS ScreenConnect campaign\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Supma.A\nVT Total Detection:35/71\nFirst Submission:2026-02-14T17:39:27.000000+00:00\nLast Submission:2026-02-14T17:39:27.000000+00:00"
          }
        ]
      }
    ]
  }
}