Cybercriminals Exploit Tax Season with Over 100 Unique Phishing and Malware Campaigns

Threat Actors Ramp Up Tax-Themed Attacks with Phishing, BEC, and RMM Tool Deployment

Severity: HIGH
Published: March 31, 2026
Updated: April 6, 2026
Phishing, Malware, Threat Actor

Related Entities (initial)

Threat Actors

TA2730

Organizations

Products & Tech

Remote Monitoring and Management (RMM)

Full Report (when first published)

Executive Summary

Cybersecurity firm Proofpoint has released an advisory detailing a significant increase in cyber threats leveraging the 2026 tax season. Researchers have identified over one hundred distinct campaigns using tax-related themes as a lure for a wide range of malicious activities. These operations include credential phishing, Business Email Compromise (BEC), and the delivery of malware. A particularly concerning trend is the deployment of legitimate Remote Monitoring and Management (RMM) tools, which attackers use to establish persistent, long-term access to victim networks. These campaigns are global in scope, with specific threat actors like the newly identified TA2730 targeting organizations in Japan and other parts of Asia. The effectiveness of these campaigns lies in their ability to exploit the sense of urgency and legitimacy associated with official tax communications.

Threat Overview

The campaigns leverage the universal and time-sensitive nature of tax season to manipulate human behavior. Attackers are using a diverse set of social engineering tactics:

  • Credential Phishing: Emails impersonating investment firms or tax authorities request users to update tax forms like the W-8BEN. The links lead to highly convincing fake login portals designed to harvest credentials for financial or corporate accounts.
  • Business Email Compromise (BEC): Threat actors impersonate executives (e.g., the CEO or CFO) and send emails to HR or finance departments, requesting copies of employee W-2 or W-9 forms. This data is then used for identity theft, tax fraud, or to file fraudulent tax returns.
  • Malware and RMM Tool Deployment: Phishing emails with malicious attachments or links are used to install malware. Increasingly, the payload is a legitimate RMM tool. By tricking the user into authorizing the installation, attackers gain stealthy, persistent remote access (T1219 - Remote Access Software) that may not be flagged by traditional security software.

These campaigns are not limited to one region, with attacks observed targeting users in Japan, Canada, Australia, Singapore, and Switzerland, among others.

Technical Analysis

  • Initial Access: The primary vector is T1566 - Phishing, delivered via email. The lures are carefully crafted to appear as legitimate tax-related communications, increasing their success rate.
  • Execution: For malware-based attacks, this often involves the user opening a malicious attachment (T1204.002 - User Execution: Malicious File) or enabling macros in a document. For RMM deployment, it involves social engineering the user to approve the installation.
  • Credential Access: The phishing sites are designed to steal passwords and, where the victim is already logged in, session cookies (T1539 - Steal Web Session Cookie). In BEC attacks, the goal is instead to acquire sensitive documents containing Personally Identifiable Information (PII).
  • Persistence and C2: The use of legitimate RMM tools is a powerful technique for establishing persistence and command and control. Since the tools are signed and legitimate, they are often allowed by security policies and can blend in with normal administrative activity.

Impact Assessment

  • Financial Loss: Successful BEC attacks can lead to the theft of sensitive employee data, resulting in identity theft and financial fraud. Credential phishing can lead to the compromise of corporate bank accounts.
  • Data Breach: The exfiltration of W-2 and W-9 forms constitutes a significant data breach, triggering regulatory reporting requirements (e.g., under GDPR or CCPA) and potential fines.
  • Persistent Compromise: An attacker with RMM access has a persistent foothold inside the network. They can use this for long-term espionage, data exfiltration, or as a launchpad for a future ransomware attack.
  • Operational Disruption: Responding to these incidents, even if they are caught early, consumes significant time and resources from security and IT teams.

Cyber Observables for Detection

  • Email Artifacts: Look for emails with subjects related to tax forms (W-2, W-9, W-8BEN) that come from external domains or public email providers (e.g., Gmail, Outlook).
  • Newly Installed Software: Monitor for the installation of new RMM software (e.g., AnyDesk, TeamViewer, ConnectWise) on endpoints, especially on machines belonging to users who are not IT administrators.
  • Network Traffic: Monitor for network connections from endpoints to known RMM service domains, especially if the installation was not authorized.
  • URL Analysis: Analyze URLs in emails for signs of phishing, such as typosquatting or the use of URL shorteners to hide the true destination.

Detection & Response

  • Email Security Gateway: Use an advanced email security solution that can detect and block phishing emails, malicious attachments, and BEC attempts using techniques like sender reputation analysis, URL sandboxing, and impersonation detection. This aligns with D3FEND's Inbound Traffic Filtering.
  • User Training: Conduct regular, targeted security awareness training that specifically covers tax-season scams. Teach employees how to identify phishing emails and to verify any requests for sensitive data (like W-2 forms) through a separate communication channel (e.g., a phone call).
  • Application Control: Implement application allowlisting or strict software installation policies to prevent users from installing unauthorized RMM tools. This is a form of D3FEND's Executable Allowlisting.

Mitigation

  • Multi-Factor Authentication (MFA): Enforce MFA on all external-facing services, especially email. This is a critical defense against the use of stolen credentials.
  • Process Hardening for Sensitive Data: Establish a strict, documented process for handling requests for sensitive data like W-2 forms. This process must include out-of-band verification (e.g., in-person or via a known phone number) for any such request, regardless of who it appears to come from.
  • Block Unnecessary Software: Proactively block the installation and execution of RMM tools that are not used by your organization for legitimate business purposes.

Timeline of Events

March 31, 2026: This article was published

Article Updates

April 6, 2026

Tax season scam update: specific RMM tools (N-able, Datto) identified as being used as RATs. Detailed W-2 BEC tactics and severe organizational impacts, including fines and lawsuits, are highlighted.


MITRE ATT&CK Mitigations

  • User Training: The primary defense against phishing and social engineering is a well-trained and vigilant workforce.
  • Email and Web Filtering: Use email and web filters to block malicious attachments, links, and known phishing sites.
  • Multi-Factor Authentication: MFA is the best defense against the use of stolen credentials, preventing attackers from logging in even if they succeed in a phishing attack.
  • Limit Software Installation: Prevent users from installing unauthorized software, including legitimate RMM tools that can be abused by attackers.

D3FEND Defensive Countermeasures

To combat the high volume of tax-themed phishing emails, organizations must deploy a multi-layered email security gateway. This system should perform several checks on inbound mail: scanning for malicious attachments, sandboxing URLs to check for phishing sites, analyzing email headers for signs of spoofing (DMARC, DKIM, SPF), and using impersonation detection algorithms to identify BEC attempts. For example, it should flag an email that appears to be from the CEO but originates from a public email address or has a 'reply-to' address pointing to an external domain. This automated filtering is the first and most important line of defense to prevent malicious emails from ever reaching an employee's inbox.
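The header checks described above, as an added worked example that is not part of the advisory or of any vendor's gateway: it triages one inbound message for the signals the page names (tax-themed subject, sender on public webmail, an executive's display name on a non-corporate address, a Reply-To that points to a different domain, and SPF/DKIM/DMARC verdicts other than pass). The domain example.com, the executive list, the provider list and both sample messages are constructed assumptions, not data from the report.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example (not from the advisory): the protected
# organisation's mail domain, its executives' real mailboxes, and a short list
# of public webmail providers. Replace these with your own inventory.
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real mailbox
PUBLIC_PROVIDERS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
# Lure keywords named in the advisory (W-2, W-9, W-8BEN); the regex itself is ours.
TAX_SUBJECT = re.compile(r"\b(w-?[29]s?|w-?8ben|tax (form|return|refund))\b", re.I)


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_failures(results_header):
    """Collect spf/dkim/dmarc verdicts other than 'pass' from Authentication-Results."""
    fails = []
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", results_header or "", re.I)
        if m and m.group(1).lower() != "pass":
            fails.append(f"{mech}={m.group(1).lower()}")
    return fails


def triage(raw_message):
    """Return (needs_review, findings) for one inbound message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    findings = []
    if TAX_SUBJECT.search(msg.get("Subject", "")):
        findings.append("tax-themed subject")
    if from_dom in PUBLIC_PROVIDERS:
        findings.append("sender uses public webmail")
    elif from_dom and from_dom != CORP_DOMAIN:
        findings.append("sender is external")
    real_mailbox = EXECUTIVES.get(from_name.strip().lower())
    if real_mailbox and from_addr.lower() != real_mailbox:
        findings.append("executive display name on a non-corporate address")
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append("reply-to points to a different domain")
    findings += auth_failures(msg.get("Authentication-Results"))
    # A tax-themed subject alone is normal in March; a lure plus any spoofing or
    # impersonation sign is what should land in the analyst queue.
    needs_review = "tax-themed subject" in findings and len(findings) >= 2
    return needs_review, findings


# Constructed sample messages (not real captures). Note that the BEC sample
# passes SPF/DKIM/DMARC: the webmail account is real, only the persona is fake.
SUSPICIOUS = """\
From: Jane Doe <jane.doe.ceo@gmail.com>
Reply-To: payroll-request@mail-forward.example.net
To: hr@example.com
Subject: Urgent: copies of all employee W-2 forms
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass; dmarc=pass
Content-Type: text/plain

Please send me the W-2s for all staff today.
"""

LEGITIMATE = """\
From: Payroll <payroll@example.com>
To: hr@example.com
Subject: Reminder: W-2 distribution schedule
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

W-2s will be available in the HR portal on 31 January.
"""

if __name__ == "__main__":
    for raw in (SUSPICIOUS, LEGITIMATE):
        print(triage(raw))
```

The point of the constructed BEC sample is that every authentication check passes, because the attacker controls a real webmail account; what separates it from the payroll reminder is the combination of lure, public sender domain, executive persona and foreign Reply-To, which is why the rule requires at least one such sign on top of the tax theme.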

To counter the threat of unauthorized RMM tool installation, organizations should implement a policy of executable allowlisting. This prevents any software that is not on a pre-approved list from running. In the context of this threat, the organization would create an inventory of all legitimate, company-sanctioned software. Any attempt by a user to install an RMM tool like AnyDesk or TeamViewer after being tricked by a phishing email would be automatically blocked by the operating system or an application control agent. This shifts the security posture from a reactive 'block known bad' model to a proactive 'allow known good' model, which is far more effective against the abuse of legitimate software.
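The allowlist logic above, together with the endpoint observables listed earlier (new RMM software on machines of non-IT users), as an added worked example that is not part of the advisory: it evaluates normalised software-install events against a sanctioned-software inventory and an IT-administrator list, and deliberately ignores code-signing status because the RMM tools the page names are legitimately signed. The inventory, the admin accounts, the host names and all five events are constructed assumptions.

```python
import re

# Constructed for this example (not from the advisory): the organisation's
# allowlist of sanctioned software and its IT administrator accounts.
SANCTIONED = {"microsoft office", "google chrome", "connectwise control"}
IT_ADMINS = {"svc_helpdesk", "alice.admin"}
# RMM products named in the advisory and its update; the regex itself is ours.
RMM_PATTERN = re.compile(r"anydesk|teamviewer|connectwise|screenconnect|n-able|datto", re.I)

# Constructed software-install events in a normalised shape (not real
# telemetry). 'signed' is carried only to make the point in classify().
EVENTS = [
    {"host": "HR-LAPTOP-07", "user": "bob.payroll", "product": "AnyDesk", "signed": True},
    {"host": "IT-WS-02", "user": "alice.admin", "product": "ConnectWise Control", "signed": True},
    {"host": "FIN-PC-11", "user": "carol.finance", "product": "Google Chrome", "signed": True},
    {"host": "FIN-PC-11", "user": "carol.finance", "product": "Datto RMM Agent", "signed": True},
    {"host": "HR-LAPTOP-07", "user": "bob.payroll", "product": "ConnectWise Control", "signed": True},
]


def classify(event):
    """Return an alert dict for an install that violates policy, else None.

    Code signing is deliberately ignored: every RMM tool here is legitimately
    signed, which is exactly why a 'block known bad' posture misses it. The
    questions that matter are 'is it on the allowlist?' and 'is this user
    allowed to run RMM at all?'.
    """
    product = event["product"].lower()
    is_rmm = bool(RMM_PATTERN.search(product))
    sanctioned = any(product.startswith(name) for name in SANCTIONED)
    if sanctioned and (not is_rmm or event["user"] in IT_ADMINS):
        return None
    if is_rmm:
        reason = "RMM installed by non-admin" if sanctioned else "unsanctioned RMM tool"
        return {"severity": "high", "reason": reason, **event}
    return {"severity": "medium", "reason": "software not on allowlist", **event}


def scan(events):
    """Run every event through the policy and keep the alerts, in input order."""
    return [alert for alert in map(classify, events) if alert]


if __name__ == "__main__":
    for alert in scan(EVENTS):
        print(alert["severity"], alert["host"], alert["user"], alert["product"], "-", alert["reason"])
```

Two of the five events survive the policy: the sanctioned RMM console installed by an administrator, and a browser on the allowlist. The same console installed on a payroll laptop is flagged even though the product is approved, which is the "allow known good" posture applied to the user as well as the binary.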

For BEC attacks requesting sensitive forms like W-2s, a technical control must be paired with user training. A Data Loss Prevention (DLP) solution can be configured to detect and block outbound emails containing attachments or content that matches the pattern of a W-2 or W-9 form, especially if the recipient is an external or public email address. This creates a safety net to catch human error. The policy should be set to alert the security team and the sender's manager, providing an opportunity to verify the request's legitimacy before sensitive employee PII leaves the organization. This directly mitigates the impact of a successful social engineering attack on an HR or finance employee.
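The outbound DLP policy described above, as an added worked example that is not part of the advisory or of any DLP product: it scores an outbound message for W-2/W-9 content (form titles, SSN- and EIN-shaped numbers, W-2/W-9 references in subject, body, text attachments and filenames), blocks it when the score crosses a threshold and any recipient is outside the corporate domain, and names who should be notified. The domain example.com, the security mailbox, the marker weights, the threshold and both sample messages are constructed assumptions; the number shapes are the published SSN and EIN formats.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed for this example (not from the advisory): the organisation's
# mail domain, its security mailbox, and common public webmail providers.
CORP_DOMAIN = "example.com"
SECURITY_TEAM = "security@example.com"
PUBLIC_PROVIDERS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}

# Content markers for W-2 / W-9 material. The phrases are the IRS form titles
# and the number shapes are the SSN (nnn-nn-nnnn) and EIN (nn-nnnnnnn) formats;
# the weights and threshold are this example's own tuning.
MARKERS = [
    (re.compile(r"wage and tax statement", re.I), 3, "W-2 title"),
    (re.compile(r"request for taxpayer identification", re.I), 3, "W-9 title"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), 3, "SSN-shaped number"),
    (re.compile(r"\bw-?[29]\b", re.I), 2, "W-2/W-9 reference"),
    (re.compile(r"\b\d{2}-\d{7}\b"), 1, "EIN-shaped number"),
]
THRESHOLD = 4  # one SSN alone (3) is only logged; an SSN beside a W-2 reference (5) is blocked


def recipient_domains(msg):
    hdrs = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return {addr.rsplit("@", 1)[-1].lower() for _, addr in getaddresses(hdrs) if "@" in addr}


def searchable_text(msg):
    """Subject, text bodies, text attachments and attachment filenames.

    A production DLP engine would also extract text from PDF and spreadsheet
    attachments; this example only handles text/* parts.
    """
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_filename():
            chunks.append(part.get_filename())
        if part.get_content_maintype() == "text":
            chunks.append(part.get_payload(decode=True).decode("utf-8", errors="replace"))
    return "\n".join(chunks)


def evaluate(raw_message, sender_manager):
    """Decide what the outbound gateway should do with one message."""
    msg = message_from_string(raw_message)
    text = searchable_text(msg)
    score, hits = 0, []
    for pattern, weight, label in MARKERS:
        if pattern.search(text):
            score += weight
            hits.append(label)
    domains = recipient_domains(msg)
    external = any(d != CORP_DOMAIN for d in domains)
    public = any(d in PUBLIC_PROVIDERS for d in domains)
    decision = {"score": score, "hits": hits, "external": external,
                "public_webmail": public, "notify": [], "action": "allow"}
    if score >= THRESHOLD and external:
        # Hold the mail so a human can verify the request out of band first.
        decision["action"] = "block"
        decision["notify"] = [SECURITY_TEAM, sender_manager]
    return decision


# Constructed sample: a payroll employee replying to a BEC request (not a real capture).
BEC_REPLY = """\
From: bob.payroll@example.com
To: Jane Doe <jane.doe.ceo@gmail.com>
Subject: RE: Urgent: copies of all employee W-2 forms
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi Jane, attached as requested.

--b1
Content-Type: text/csv; name="all-staff-W2-2025.csv"
Content-Disposition: attachment; filename="all-staff-W2-2025.csv"

employee,ssn,wages
Alice Example,123-45-6789,82000
Carl Example,987-65-4321,61000
--b1--
"""

# Constructed sample: the same kind of data staying inside the organisation.
INTERNAL_OK = """\
From: bob.payroll@example.com
To: hr@example.com
Subject: W-2 corrections for review
Content-Type: text/plain

Alice Example (123-45-6789) needs her address updated before W-2s are issued.
"""
```

Both samples score the same, because both carry an SSN next to a W-2 reference; only the recipient domain decides between holding the message and letting it through, which is the "safety net for human error" the paragraph describes rather than a ban on payroll data moving internally.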

Sources & References (when first published)

  • Cybercriminals Exploit Tax Season With New Phishing Tactics, Infosecurity Magazine (infosecurity-magazine.com), March 30, 2026
  • Q1 2026 Threat Report: Tax Scams Proliferate, Example Tax Threats (example-tax-threats.com), March 30, 2026

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Phishing, Tax Season, BEC, RMM, Social Engineering, Credential Theft
