Back to Intelligence

Defending Against IRS Phishing Attacks: Detecting Malicious RMM Software

SA
Security Arsenal Team
March 29, 2026
5 min read

Defending Against IRS Phishing Attacks: Detecting Malicious RMM Software

As tax season approaches, cybercriminals are leveraging the urgency of financial filings to launch massive social engineering campaigns. Microsoft has recently issued a warning regarding a surge in IRS-themed phishing attacks that have impacted approximately 29,000 users. These campaigns are not limited to credential harvesting; they actively deploy malicious Remote Monitoring and Management (RMM) software, giving attackers remote control over victim endpoints.

For Security Operations Centers (SOCs) and IT defenders, this threat represents a critical intersection of social engineering and endpoint intrusion. This post details the mechanics of the attack and provides actionable detection rules and remediation strategies.

Technical Analysis

The Vector: Attackers are sending emails masquerading as urgent tax-related communications, including refund notices, W-2 forms, and filing reminders. These messages create a false sense of urgency, compelling users to click links or download attachments.

The Payload: Unlike traditional malware that relies on exploiting a vulnerability, this campaign relies on "living-off-the-land" binaries (LOLBins) or the installation of legitimate, maliciously-configured RMM tools. By installing tools like ScreenConnect, AnyDesk, or similar remote access software, attackers can bypass firewall rules that trust these administrative utilities.

Affected Systems: The primary targets are Windows endpoints within corporate environments that rely on email communication for tax documentation. Once the RMM software is installed by the user (often under the guise of a "secure document viewer"), attackers gain hands-on-keyboard access, facilitating lateral movement, data exfiltration, and ransomware deployment.

Defensive Monitoring

To defend against this campaign, SOCs must monitor for the installation of RMM software initiated by user processes rather than administrative IT staff. Below are detection mechanisms for SIGMA, Microsoft Sentinel, and Velociraptor.

SIGMA Rules

These SIGMA rules identify the suspicious execution of common RMM tools from user-writable directories, a strong indicator of social engineering-driven installation.

YAML
---
title: Suspicious RMM Tool Execution from User Directory
id: 8c8d8a6d-4b5a-4a8c-9d1f-5e7f6a8b9c0d
status: experimental
description: Detects the execution of common Remote Monitoring and Management (RMM) tools from user-profile directories. This is often indicative of a user tricked into installing remote access software via phishing.
references:
  - https://www.microsoft.com/security/blog/
  - https://attack.mitre.org/techniques/T1219/
author: Security Arsenal
date: 2026-03-01
tags:
  - attack.command_and_control
  - attack.t1219
  - attack.initial_access
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|contains:
      - ':\Users\'
    Image|contains:
      - '\AnyDesk.exe'
      - '\ConnectWiseControl.exe'
      - '\ScreenConnect.ClientSetup.exe'
      - '\Splashtop.exe'
      - '\RemoteDesktopManager.exe'
      - '\AteraAgent.exe'
  condition: selection
falsepositives:
  - Legitimate installation by IT staff (should be verified against ticketing system)
level: high

KQL (Microsoft Sentinel)

Use the following KQL query to hunt for process creation events associated with high-risk RMM applications within your Microsoft Defender for Endpoint environment.

KQL — Microsoft Sentinel / Defender
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("AnyDesk.exe", "ConnectWiseControl.exe", "ScreenConnect.ClientSetup.exe", "AteraAgent.exe", "Splashtop.exe")
| where FolderPath contains @"\Users\"
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, FileName, FolderPath, SHA256
| extend AlertContext = pack("Timestamp", Timestamp, "Device", DeviceName, "User", InitiatingProcessAccountName, "ParentProcess", InitiatingProcessFileName)

Velociraptor VQL

This Velociraptor hunt artifact scans for specific RMM binaries running in user directories or persistence mechanisms (startup folders) related to these tools.

VQL — Velociraptor
-- Hunt for running RMM processes in user directories
SELECT Pid, Name, Exe, Username, CommandLine
FROM pslist()
WHERE Exe =~ '.*\\Users\\.*\\(AnyDesk|ConnectWise|ScreenConnect|Splashtop).*\.exe'
   OR Name =~ '.*(AnyDesk|ConnectWise|ScreenConnect|Splashtop).*'

-- Hunt for persistence in Startup folders for RMM shortcuts
SELECT FullPath, Mtime, Data
FROM glob(globs='C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk')
WHERE Data =~ '(AnyDesk|ConnectWise|ScreenConnect|Remote)'

PowerShell Remediation Script

This script checks for the presence of unauthorized RMM software in user directories and outputs a report for further action.

PowerShell
<#
.SYNOPSIS
    Audit script to detect unauthorized RMM software in user profiles.
.DESCRIPTION
    Scans C:\Users for common RMM executables that may have been installed via phishing.
#>

$RMMKeywords = @("AnyDesk", "ConnectWise", "ScreenConnect", "Splashtop", "Atera")
$UserFolders = Get-ChildItem -Path "C:\Users" -Directory

$Results = @()

foreach ($Folder in $UserFolders) {
    # Exclude default system folders
    if ($Folder.Name -in @"Public", "Default", "DefaultUser0") { continue }

    $Path = $Folder.FullName
    
    Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | 
    Where-Object { 
        $_.Extension -eq ".exe" -and 
        $RMMKeywords -like "*$($_.BaseName)*" 
    } | ForEach-Object {
        $Results += [PSCustomObject]@{
            Username = $Folder.Name
            FilePath = $_.FullName
            DetectedDate = Get-Date
        }
    }
}

if ($Results.Count -gt 0) {
    Write-Warning "Potential Malicious RMM Software Detected:"
    $Results | Format-Table -AutoSize
    # Optional: Quarantine logic would go here
} else {
    Write-Host "No unauthorized RMM software found in user directories." -ForegroundColor Green
}

Remediation

  1. Block Unauthorized RMM Tools: Configure application allowlisting (e.g., AppLocker) to prevent the execution of common RMM binaries unless they are executed from specific, IT-approved directories (e.g., C:\Program Files).
  2. User Awareness: Immediately notify finance and HR teams about the specific nature of these IRS-themed scams. Remind them that the IRS does not initiate contact via email to request personal or financial information.
  3. Isolate Compromised Hosts: If the detection rules identify active RMM processes not approved by IT, isolate the affected machine from the network immediately to prevent lateral movement.
  4. Review Email Rules: Update email secure gateways (ESGs) to flag or block emails containing keywords such as "IRS Refund," "Tax Filing Notice," or "W-2 Form" originating from external domains not on an approved allowlist.
  5. Implement MFA: Ensure that all remote access tools and privileged accounts are protected with multi-factor authentication (MFA) to mitigate the risk of credential theft.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwareforensicsphishingrmmmicrosoftthreat-huntingsoc

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action