Tax-season credential phishing and RMM malware campaign
Campaign
Summary
A tax-themed cyber campaign is using credential phishing, remote monitoring and management (RMM) tools, and fraud lures to target people handling financial data and login credentials, raising the risk of account takeover and long-term access. Security researchers identified more than a hundred operations in early 2026, showing the activity is broad and recurring rather than isolated. Some lures impersonate investment firms and company executives, pushing victims to fake login pages and document-collection pages.
Related Happenings
Cyber-enabled cargo theft is surging across transportation and logistics in 2025
Target Trend
First: 30.04.2026 19:32
Last: 30.04.2026 19:32
Sources 1
About this happening:
**Cyber-enabled cargo theft** is surging across **transportation and logistics**, driving nearly **$725 million** in estimated losses in the **U.S. and Canada** and materially inc...
OAuth device-code phishing campaign targeting SaaS accounts
Campaign
First: 04.04.2026 17:17
Last: 04.04.2026 17:17
Sources 1
About this happening:
A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
U.S. tax-season phishing and malware-delivery campaign
Campaign
First: 23.03.2026 12:55
Last: 23.03.2026 12:55
Sources 1
About this happening:
The **U.S. tax-season phishing campaigns** are harvesting credentials and delivering malware, putting **individuals**, **accountants**, and other professionals at risk. The lures...
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor Meta
First: 05.03.2026 08:51
Last: 05.03.2026 08:51
Sources 1
About this happening:
**Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Latest development: 17.05.2026 17:43
eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.
Microsoft Entra device code phishing and vishing campaign
Campaign
First: 19.02.2026 14:30
Last: 19.02.2026 14:30
Sources 1
About this happening:
A **device code phishing campaign** is targeting **Microsoft 365 identities** through the **OAuth 2.0 device authorization flow**, letting attackers steal valid access tokens afte...
Timeline
- 30.03.2026 18:00 · 2 articles
Proofpoint identifies tax-themed campaigns using RMM tools and credential phishing
Initial Disclosure: Proofpoint's March 30, 2026 advisory describes more than a hundred tax-themed cyber campaigns active in early 2026, where attackers used malware, remote monitoring and management (RMM) tools, credential phishing, fake login pages, and impersonation of investment firms and company executives to collect W-8BEN, W-2, and W-9 information.
Sources:
- Cybercriminals Exploit Tax Season With New Phishing Tactics — www.infosecurity-magazine.com — 30.03.2026 18:00