Microsoft has warned of fresh campaigns that are capitalizing on the upcoming tax season in the U.S. to harvest credentials and deliver malware. The email campaigns take advantage of the urgency and time-sensitive nature of emails to send phishing messages masquerading as refund notices, payroll forms, filing reminders, and requests from tax professionals to deceive recipients into opening malicious attachments, scanning QR code, or interacting with suspicious links. "Many campaigns target individuals for personal and financial data theft, but others specifically target accountants and other professionals who handle sensitive documents, have access to financial data, and are accustomed to receiving tax-related emails during this period," the Microsoft Threat Intelligence and Microsoft Defender Security Research teams said in a report published last week. While some of these efforts direct users to sketchy pages designed through Phishing-as-a-service (PhaaS) platforms, others result in the deployment of legitimate remote monitoring and management tools (RMMs), such as ConnectWise ScreenConnect, Datto, and SimpleHelp, enabling the attackers to gain persistent access to compromised devices. Microsoft said it also observed a large-scale phishing campaign on February 10, 2026, in which more than 29,000 users across 10,000 organizations were affected. About 95% of the targets were located in the U.S., spanning industries like financial services (19%), technology and software (18%), and retail and consumer goods (15%). "The emails impersonated the IRS, claiming that potentially irregular tax returns had been filed under the recipient's Electronic Filing Identification Number (EFIN). Recipients were instructed to review these returns by downloading a purportedly legitimate 'IRS Transcript Viewer,'" the tech giant said. The emails, which were sent through Amazon Simple Email Service (SES), contained a "Download IRS Transcript View 5.1" button that, when clicked, redire