Tax season has always been a favourite hunting ground for cybercriminals, but Microsoft’s recent intelligence points to increasingly sophisticated campaigns exploiting the urgency and familiarity of tax-related correspondence. This annual surge is not simply opportunistic; it demonstrates a nuanced understanding of both individual and organisational behaviours at this time of year. What stands out in Microsoft’s analysis is not merely the volume of attacks, but the tailored nature of lures—ranging from fake refund notices to highly personalised communications aimed at accountants and finance professionals. The consistent exploitation of routine financial workflows signals an evolution in how threat actors weaponise trust and routine.
Evolving Techniques and Strategic Implications
From my perspective, the most pressing issue for technology leaders is the widespread availability of Phishing-as-a-Service (PhaaS) platforms such as Energy365. These offerings lower the barrier to entry for would-be attackers, enabling even modestly resourced groups to orchestrate convincing campaigns with tailored social engineering lures. The rise in multi-format attacks—delivered through Excel or OneNote files, or hosted on legitimate services like OneDrive—complicates detection and response mechanisms. It is particularly concerning that these campaigns now target not just individuals but also professionals who routinely manage sensitive documents during tax season. The risk here is twofold: direct credential theft and persistent malware delivery via abused remote monitoring and management (RMM) tools.
For CIOs and CISOs, this highlights a strategic need to revisit both technical controls and human factors. Standard email security solutions may no longer suffice given the sophistication described in these campaigns. Defence must extend beyond perimeter detection to include robust user education about increasingly subtle phishing lures, regular review of access privileges for finance staff, and stringent controls on the use of third-party collaboration tools. Moreover, the abuse of legitimate RMM software as described by Microsoft suggests that organisations must implement tighter monitoring for anomalous remote access activity, especially during periods of heightened risk like tax season.
This trend also raises a broader question about how well-prepared organisations are for “seasonal” threat surges that align with business cycles. Are incident response plans sufficiently agile to adapt to these predictable spikes? Is there adequate cross-team communication between IT security and finance functions? There remains much room for improvement across sectors.
Looking Ahead
In my view, tax-themed cyberattacks exemplify how adversaries continue to adapt their tactics in alignment with our own business rhythms. As we move forward, I expect further blurring of lines between traditional phishing and more persistent forms of compromise leveraging legitimate tools. Continuous investment in layered security controls—coupled with adaptive awareness programmes—will be essential if organisations are to keep pace with these evolving threats.
Source: [When tax season becomes cyberattack season: Phishing and malware campaigns using tax-related lures](https://is.gd/FnYwCf)
