Microsoft flags IRS spoof phishing that hit 29K users with RMM malware
Microsoft’s security team uncovered a massive phishing operation that masqueraded as the Internal Revenue Service. Recipients received emails prompting them to download what appeared to be a tax‑related document, which actually delivered a Remote Monitoring and Management (RMM) payload. The campaign succeeded against roughly 29,000 users, installing malware capable of harvesting credentials and establishing persistent remote access.
The attacker-installed RMM agents give intruders a foothold to move laterally, exfiltrate data, and deploy additional payloads across corporate networks. Defenders should prioritize blocking the IRS-spoofing domains, enforcing MFA, and scanning endpoints for the RMM binaries and related IOCs. Rapid detection and removal are critical to prevent credential theft and deeper intrusion.
Categories: Threat Intelligence, Malware & Ransomware, Identity & Access Management