BusinessPostCorner.com
No Result
View All Result
Thursday, July 16, 2026
  • Home
  • Business
  • Finance
  • Accounting
  • Tax
  • Management
  • Marketing
  • Crypto News
  • Human Resources
BusinessPostCorner.com
  • Home
  • Business
  • Finance
  • Accounting
  • Tax
  • Management
  • Marketing
  • Crypto News
  • Human Resources
No Result
View All Result
BusinessPostCorner.com
No Result
View All Result

Microsoft sounds alarm on phishing campaigns targeting CPAs

March 25, 2026
in Accounting
Reading Time: 5 mins read
A A
0
Microsoft sounds alarm on phishing campaigns targeting CPAs
ShareShareShareShareShare

Microsoft issued a warning about the rise of several new phishing campaigns taking advantage of the tax season to steal credentials and plant malware, some of which target accountants specifically. Microsoft noted that many of these campaigns use very specifically targeted communications in contrast to more generic lures. 

Processing Content

One of the campaigns that targets CPAs specifically starts with an email  asking for assistance in filing taxes, asking for a quote, and typically providing a backstory. If the actor receives a reply, they send a malicious link that leads to the installation of malware. However, Microsoft also observed campaigns targeting CPAs that contain a similar backstory but include the malicious link in the first email. Many of these emails have the subject line “REQUEST FOR PROFESSIONAL TAX FILLING.” The email provides a backstory that includes a description of a complex tax return situation involving tax audit, university tuition, loan interest, and real estate income. The sender also attempts to explain their inability to physically visit the office due to travel. Finally, the sender asks for a price quote. Microsoft observed variations of the backstory on different days, including switching CPAs due to fee increases.

Another that is targeting accountants specifically involved, once again, scammers impersonating the IRS, this time through emails claiming that potentially irregular tax returns had been filed under the recipient’s Electronic Filing Identification Number (EFIN). Recipients were instructed to review these returns by downloading a purportedly legitimate “IRS Transcript Viewer” that leads to a malicious look‑alike domain mimicking SmartVault which even used Cloudflare for bot detection and blocking. Users who pass the bot check are then shown a fake verification animation and are then led to a page where they can download the ostensible transcript viewer that is, in fact, a remote access and control tool. Subject lines for emails found to have this malicious link include IRS Request Transcript Review; IRS Notice Firm Return Review; CPA Compliance Review; IRS Support Firm Filing Review; and Review Requested Compliance.

E-mail symbol printed on a piece of paper hooked on a fishing hook. Phishing and data protection concept.

Ivelin Radkov/Ivelin Radkov – Fotolia

Another more general campaign starts with an email with the subject line “See Tax file,” which contains an Excel attachment with [Accountant’s name] CPA.xlsx, using the name of a real accountant (likely impersonated without their knowledge.) The attachment contains a clickable “REVIEW DOCUMENTS” button that links to a OneNote file hosted on OneDrive. The file, which uses the same CPA’s name and logo, has a link leading to a malicious landing page that hosts the Energy365 phishing kit that will attempt to harvest credentials such as email and password. 

Another starts with the subject line “2025 Employee Tax Docs” and contains an attachment named 2025_Employee_W-2  .docx with content that mentioning various tax-related terms like Form W-2 and features a QR code pointing to a phishing page. Each document is customized to contain the recipient’s name, and the URL hidden behind the QR code also contains the recipient’s email address. This means that each recipient received a unique attachment. 

Another is connected to a set of domains that were registered to be used in tax-themed phishing campaigns that impersonate specific legitimate companies involved in accounting, tax preparation, finance, bookkeeping, and related companies. Emails with subject lines like “Your Account Now Includes Updated Tax Forms [RF] 1234” or “Your Form 1099-R is ready – [RF] 12123123” and a body saying things like “2025 Tax Forms is ready” and containing a clickable “View Tax Forms” button that goes to one of these dubiously-registered domains, such as taxationstatments2025 [dot] com. These sites serve a malware executable named 1099-FR2025.exe, which will allow external actors to take control of the device remotely. 

Another uses emails that impersonate the IRS with the subject line “IR-2026-216.” However, astute observers may realize that the email address does not come from irs.gov but from places Eventbrite emails with names like: 

  • “IRS US”
  • “IRS GOV”
  • “Service”
  • “IRS TAX”
  • “.IRS.GOV”

The email, with the body “”Cryptocurrency Tax Form 1099 is Ready” has a non-clickable URL the user is instructed to copy/paste into the browser. If they do this, the browser automatically downloads IRS-doc.msi, which is in actuality another remote access tool. 
Microsoft recommended configuring automatic attack disruption in Microsoft Defender XDR; enforcing multifactor authentication (MFA) on all accounts, removing users excluded from MFA, and strictly requiring MFA from all devices in all locations at all times; using Microsoft Authenticator app for passkeys and MFA, and complement MFA with conditional access policies, where sign-in requests are evaluated using additional identity-driven signals, possibly scoped to strengthen privileged accounts with phishing resistant MFA; enabling Zero-hour auto purge (ZAP) in Office 365 to quarantine sent mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes; configuring Microsoft Defender for Office 365 Safe Links to recheck links on click; investing in advanced anti-phishing solutions that monitor and scan incoming emails and visited websites; encouraging users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen; and enabling network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet. 

Credit: Source link

ShareTweetSendPinShare
Previous Post

Tackling tax season’s final stretch

Next Post

Hard Forks For Quantum Threats

Next Post
Hard Forks For Quantum Threats

Hard Forks For Quantum Threats

Perplexity AI Predicts XRP Will Hit This XRP Price by End of 2026

Perplexity AI Predicts XRP Will Hit This XRP Price by End of 2026

July 14, 2026
The AP audit problem starts before the AI

The AP audit problem starts before the AI

July 15, 2026
When the ducks are quacking, feed them

When the ducks are quacking, feed them

July 13, 2026
Shultz Huber acquires Stroh Johnson

Shultz Huber acquires Stroh Johnson

July 15, 2026
Xbox layoffs: What’s next for the video game giant?

Xbox layoffs: What’s next for the video game giant?

July 15, 2026
Ethereum Price Prediction: Tom Lee Targets  Trillion ETH

Ethereum Price Prediction: Tom Lee Targets $5 Trillion ETH

July 10, 2026
BusinessPostCorner.com

BusinessPostCorner.com is an online news portal that aims to share the latest news about following topics: Accounting, Tax, Business, Finance, Crypto, Management, Human resources and Marketing. Feel free to get in touch with us!

Recent News

Euro Car Parks being investigated over petrol forecourt parking tickets

Euro Car Parks being investigated over petrol forecourt parking tickets

July 16, 2026
Analysis: Trump approves 80% of GOP disaster aid — and 60% for Democrats

Analysis: Trump approves 80% of GOP disaster aid — and 60% for Democrats

July 16, 2026

Our Newsletter!

Loading
  • Contact Us
  • Privacy Policy
  • Terms of Use
  • DMCA

© 2023 businesspostcorner.com - All Rights Reserved!

No Result
View All Result
  • Home
  • Business
  • Finance
  • Accounting
  • Tax
  • Management
  • Marketing
  • Crypto News
  • Human Resources

© 2023 businesspostcorner.com - All Rights Reserved!