[{"data":1,"prerenderedAt":164},["ShallowReactive",2],{"article-slug-threat-actors-exploit-tax-season-with-diverse-phishing-and-malware-campaigns":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":28,"sources":29,"events":41,"mitre_techniques":42,"mitre_mitigations":62,"d3fend_countermeasures":102,"iocs":113,"cyber_observables":114,"tags":136,"extract_datetime":142,"article_type":143,"impact_scope":144,"pub_date":154,"reading_time_minutes":155,"createdAt":142,"updatedAt":156,"updates":157},"0736d0d9-2efe-45c1-9d7e-fba36cc0ac69","threat-actors-exploit-tax-season-with-diverse-phishing-and-malware-campaigns","Cybercriminals Exploit Tax Season with Over 100 Unique Phishing and Malware Campaigns","Threat Actors Ramp Up Tax-Themed Attacks with Phishing, BEC, and RMM Tool Deployment","As tax season intensifies, a surge of over one hundred distinct cyber campaigns are exploiting the urgency of filing deadlines, according to a report from Proofpoint. Threat actors are using a variety of tax-themed lures, such as fake W-8BEN, W-2, and W-9 forms, to conduct credential phishing, Business Email Compromise (BEC), and malware distribution. A notable trend is the use of these phishing emails to trick victims into installing legitimate Remote Monitoring and Management (RMM) tools, which provides attackers with persistent access to compromised systems. Campaigns have been observed globally, with a newly identified actor, TA2730, focusing on targets in Asia.","## Executive Summary\n\nCybersecurity firm **[Proofpoint](https://www.proofpoint.com/us)** has released an advisory detailing a significant increase in cyber threats leveraging the 2026 tax season. Researchers have identified over one hundred distinct campaigns using tax-related themes as a lure for a wide range of malicious activities. These operations include credential phishing, Business Email Compromise (BEC), and the delivery of malware. A particularly concerning trend is the deployment of legitimate Remote Monitoring and Management (RMM) tools, which attackers use to establish persistent, long-term access to victim networks. These campaigns are global in scope, with specific threat actors like the newly identified **TA2730** targeting organizations in Japan and other parts of Asia. The effectiveness of these campaigns lies in their ability to exploit the sense of urgency and legitimacy associated with official tax communications.\n\n## Threat Overview\n\nThe campaigns leverage the universal and time-sensitive nature of tax season to manipulate human behavior. Attackers are using a diverse set of social engineering tactics:\n\n- **Credential Phishing**: Emails impersonating investment firms or tax authorities request users to update tax forms like the W-8BEN. The links lead to highly convincing fake login portals designed to harvest credentials for financial or corporate accounts.\n- **Business Email Compromise (BEC)**: Threat actors impersonate executives (e.g., the CEO or CFO) and send emails to HR or finance departments, requesting copies of employee W-2 or W-9 forms. This data is then used for identity theft, tax fraud, or to file fraudulent tax returns.\n- **Malware and RMM Tool Deployment**: Phishing emails with malicious attachments or links are used to install malware. Increasingly, the payload is a legitimate RMM tool. By tricking the user into authorizing the installation, attackers gain stealthy, persistent remote access ([`T1219 - Remote Access Software`](https://attack.mitre.org/techniques/T1219/)) that may not be flagged by traditional security software.\n\nThese campaigns are not limited to one region, with attacks observed targeting users in Japan, Canada, Australia, Singapore, and Switzerland, among others.\n\n## Technical Analysis\n\n- **Initial Access**: The primary vector is [`T1566 - Phishing`](https://attack.mitre.org/techniques/T1566/), delivered via email. The lures are carefully crafted to appear as legitimate tax-related communications, increasing their success rate.\n- **Execution**: For malware-based attacks, this often involves the user opening a malicious attachment ([`T1204.002 - User Execution: Malicious File`](https://attack.mitre.org/techniques/T1204/002/)) or enabling macros in a document. For RMM deployment, it involves social engineering the user to approve the installation.\n- **Credential Access**: The phishing sites are designed to steal credentials ([`T1539 - Steal Web Session Cookie`](https://attack.mitre.org/techniques/T1539/) and password theft). In BEC attacks, the goal is to acquire sensitive documents containing Personally Identifiable Information (PII).\n- **Persistence and C2**: The use of legitimate RMM tools is a powerful technique for establishing persistence and command and control. Since the tools are signed and legitimate, they are often allowed by security policies and can blend in with normal administrative activity.\n\n## Impact Assessment\n\n- **Financial Loss**: Successful BEC attacks can lead to the theft of sensitive employee data, resulting in identity theft and financial fraud. Credential phishing can lead to the compromise of corporate bank accounts.\n- **Data Breach**: The exfiltration of W-2 and W-9 forms constitutes a significant data breach, triggering regulatory reporting requirements (e.g., under GDPR or CCPA) and potential fines.\n- **Persistent Compromise**: An attacker with RMM access has a persistent foothold inside the network. They can use this for long-term espionage, data exfiltration, or as a launchpad for a future ransomware attack.\n- **Operational Disruption**: Responding to these incidents, even if they are caught early, consumes significant time and resources from security and IT teams.\n\n## Cyber Observables for Detection\n\n- **Email Artifacts**: Look for emails with subjects related to tax forms (`W-2`, `W-9`, `W-8BEN`) that come from external domains or public email providers (e.g., Gmail, Outlook).\n- **Newly Installed Software**: Monitor for the installation of new RMM software (e.g., AnyDesk, TeamViewer, ConnectWise) on endpoints, especially on machines belonging to users who are not IT administrators.\n- **Network Traffic**: Monitor for network connections from endpoints to known RMM service domains, especially if the installation was not authorized.\n- **URL Analysis**: Analyze URLs in emails for signs of phishing, such as typosquatting or the use of URL shorteners to hide the true destination.\n\n## Detection & Response\n\n- **Email Security Gateway**: Use an advanced email security solution that can detect and block phishing emails, malicious attachments, and BEC attempts using techniques like sender reputation analysis, URL sandboxing, and impersonation detection. This aligns with D3FEND's [`Inbound Traffic Filtering`](https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering).\n- **User Training**: Conduct regular, targeted security awareness training that specifically covers tax-season scams. Teach employees how to identify phishing emails and to verify any requests for sensitive data (like W-2 forms) through a separate communication channel (e.g., a phone call).\n- **Application Control**: Implement application allowlisting or strict software installation policies to prevent users from installing unauthorized RMM tools. This is a form of D3FEND's [`Executable Allowlisting`](https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting).\n\n## Mitigation\n\n- **Multi-Factor Authentication (MFA)**: Enforce MFA on all external-facing services, especially email. This is a critical defense against the use of stolen credentials.\n- **Process Hardening for Sensitive Data**: Establish a strict, documented process for handling requests for sensitive data like W-2 forms. This process must include out-of-band verification (e.g., in-person or via a known phone number) for any such request, regardless of who it appears to come from.\n- **Block Unnecessary Software**: Proactively block the installation and execution of RMM tools that are not used by your organization for legitimate business purposes.","🚨 Tax season is phishing season! 🎣 Over 100 campaigns are using fake W-2 and W-9 forms to steal credentials and deploy malware. Watch out for BEC attacks and unauthorized RMM tool installations. #Phishing #CyberSecurity #TaxScam","Cybercriminals are launching a wave of over 100 distinct tax-themed phishing campaigns to deliver malware, remote access tools, and steal credentials using lures related to W-8BEN, W-2, and W-9 forms.",[13,14,15],"Phishing","Malware","Threat Actor","high",[18,21,25],{"name":19,"type":20},"TA2730","threat_actor",{"name":22,"type":23,"url":24},"Proofpoint","vendor","https://www.proofpoint.com/us",{"name":26,"type":27},"Remote Monitoring and Management (RMM)","technology",[],[30,36],{"url":31,"title":32,"date":33,"friendly_name":34,"website":35},"https://www.infosecurity-magazine.com/news/cybercriminals-exploit-tax-season/","Cybercriminals Exploit Tax Season With New Phishing Tactics","2026-03-30","Infosecurity Magazine","infosecurity-magazine.com",{"url":37,"title":38,"date":33,"friendly_name":39,"website":40},"https://www.example-tax-threats.com/q1-2026-report","Q1 2026 Threat Report: Tax Scams Proliferate","Example Tax Threats","example-tax-threats.com",[],[43,46,50,54,58],{"id":44,"name":13,"tactic":45},"T1566","Initial Access",{"id":47,"name":48,"tactic":49},"T1219","Remote Access Software","Command and Control",{"id":51,"name":52,"tactic":53},"T1204.002","User Execution: Malicious File","Execution",{"id":55,"name":56,"tactic":57},"T1539","Steal Web Session Cookie","Credential Access",{"id":59,"name":60,"tactic":61},"T1589.002","Gather Victim Identity Information: Email Addresses","Reconnaissance",[63,68,81,89],{"id":64,"name":65,"description":66,"domain":67},"M1017","User Training","The primary defense against phishing and social engineering is a well-trained and vigilant workforce.","enterprise",{"id":69,"name":70,"d3fend_techniques":71,"description":80,"domain":67},"M1021","Restrict Web-Based Content",[72,76],{"id":73,"name":74,"url":75},"D3-ITF","Inbound Traffic Filtering","https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering",{"id":77,"name":78,"url":79},"D3-UA","URL Analysis","https://d3fend.mitre.org/technique/d3f:URLAnalysis","Use email and web filters to block malicious attachments, links, and known phishing sites.",{"id":82,"name":83,"d3fend_techniques":84,"description":88,"domain":67},"M1032","Multi-factor Authentication",[85],{"id":86,"name":83,"url":87},"D3-MFA","https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication","MFA is the best defense against the use of stolen credentials, preventing attackers from logging in even if they succeed in a phishing attack.",{"id":90,"name":91,"d3fend_techniques":92,"description":101,"domain":67},"M1033","Limit Software Installation",[93,97],{"id":94,"name":95,"url":96},"D3-EAL","Executable Allowlisting","https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting",{"id":98,"name":99,"url":100},"D3-EDL","Executable Denylisting","https://d3fend.mitre.org/technique/d3f:ExecutableDenylisting","Prevent users from installing unauthorized software, including legitimate RMM tools that can be abused by attackers.",[103,105,107],{"technique_id":73,"technique_name":74,"url":75,"recommendation":104,"mitre_mitigation_id":69},"To combat the high volume of tax-themed phishing emails, organizations must deploy a multi-layered email security gateway. This system should perform several checks on inbound mail: scanning for malicious attachments, sandboxing URLs to check for phishing sites, analyzing email headers for signs of spoofing (DMARC, DKIM, SPF), and using impersonation detection algorithms to identify BEC attempts. For example, it should flag an email that appears to be from the CEO but originates from a public email address or has a 'reply-to' address pointing to an external domain. This automated filtering is the first and most important line of defense to prevent malicious emails from ever reaching an employee's inbox.",{"technique_id":94,"technique_name":95,"url":96,"recommendation":106,"mitre_mitigation_id":90},"To counter the threat of unauthorized RMM tool installation, organizations should implement a policy of executable allowlisting. This prevents any software that is not on a pre-approved list from running. In the context of this threat, the organization would create an inventory of all legitimate, company-sanctioned software. Any attempt by a user to install an RMM tool like AnyDesk or TeamViewer after being tricked by a phishing email would be automatically blocked by the operating system or an application control agent. This shifts the security posture from a reactive 'block known bad' model to a proactive 'allow known good' model, which is far more effective against the abuse of legitimate software.",{"technique_id":108,"technique_name":109,"url":110,"recommendation":111,"mitre_mitigation_id":112},"D3-PBA","Process-based Analysis","https://d3fend.mitre.org/technique/d3f:Process-basedAnalysis","For BEC attacks requesting sensitive forms like W-2s, a technical control must be paired with user training. A Data Loss Prevention (DLP) solution can be configured to detect and block outbound emails containing attachments or content that matches the pattern of a W-2 or W-9 form, especially if the recipient is an external or public email address. This creates a safety net to catch human error. The policy should be set to alert the security team and the sender's manager, providing an opportunity to verify the request's legitimacy before sensitive employee PII leaves the organization. This directly mitigates the impact of a successful social engineering attack on an HR or finance employee.","M1040",[],[115,121,126,131],{"type":116,"value":117,"description":118,"context":119,"confidence":120},"file_name","W-8BEN_Form.docm","Example file name for a malicious document used as a lure. The '.docm' extension indicates it contains macros.","Email attachments, EDR alerts","medium",{"type":122,"value":123,"description":124,"context":125,"confidence":16},"process_name","AnyDesk.exe","Legitimate RMM tools like AnyDesk, TeamViewer, or ScreenConnect being installed on non-IT staff computers can be an indicator of compromise.","Software inventory, process monitoring, EDR",{"type":127,"value":128,"description":129,"context":130,"confidence":16},"url_pattern","microsft-login.com/tax-update","Pattern for a typosquatted domain used in a credential phishing page. Note the misspelling of 'Microsoft'.","Web proxy logs, DNS logs, email link analysis",{"type":132,"value":133,"description":134,"context":135,"confidence":16},"other","Executive Impersonation Email","Emails where the 'From' field is spoofed or the 'Reply-To' address is set to an external domain, requesting sensitive HR/finance data.","Email security gateway logs, manual email analysis",[13,137,138,139,140,141],"Tax Season","BEC","RMM","Social Engineering","Credential Theft","2026-03-31T15:00:00.000Z","NewsArticle",{"geographic_scope":145,"countries_affected":146,"industries_affected":152},"global",[147,148,149,150,151],"Japan","Canada","Australia","Singapore","Switzerland",[153],"Other","2026-03-31",6,"2026-04-06T12:00:00Z",[158],{"update_id":159,"update_date":156,"datetime":156,"title":160,"summary":161,"sources":162},"update-1","Update 1","Tax season scam update: specific RMM tools (N-able, Datto) identified as RATs. Detailed W-2 BEC tactics and severe organizational impacts, including fines and lawsuits, are highlighted.",[163],{},1775683842477]