Severity: HIGH
CVSS: 7.5
Priority: 0.304
Executive Summary
On February 10, 2026, a coordinated IRS-themed phishing operation hit 29,000 users across 10,000 organizations in a single day, with 95% of targets in the United States. Attackers used legitimate remote monitoring and management (RMM) tools, ConnectWise ScreenConnect, Datto RMM, and SimpleHelp, to establish persistent remote access after credential theft, bypassing standard endpoint controls. Organizations face risk of sustained unauthorized access, credential compromise, MFA bypass, and data exfiltration, particularly during peak tax season, when IRS-branded lures carry high credibility.
Technical Analysis
Microsoft Threat Intelligence documented this campaign, which peaked on February 10, 2026 (source: Microsoft Threat Intelligence reporting).
Attack chain: phishing emails delivered via Amazon SES impersonate the IRS and SmartVault (T1566.001, T1566.002); victims are lured into executing malicious files (T1204.002); attackers deploy ConnectWise ScreenConnect, Datto RMM, or SimpleHelp as post-compromise persistence and remote access mechanisms (T1219), abusing trusted, signed binaries to evade EDR and network controls (T1036.005, T1027.006).
Two PhaaS platforms underpin the operation: Energy365 (unattributed operators) and SneakyLog/Kratos, documented by Sekoia.io as an adversary-in-the-middle kit that proxies Microsoft 365 authentication sessions, harvests session cookies in real time, and bypasses MFA (T1550.004, T1539).
Additional techniques include spearphishing attachment delivery for reconnaissance (T1598.002), use of compromised or actor-controlled accounts (T1078, T1585.002), and command-and-control over web protocols such as HTTP (T1071.001). Relevant CWEs: CWE-308 (MFA bypass via session hijack), CWE-1021 (UI redress / proxy interception), CWE-290 (authentication bypass by capture-replay), CWE-345 (insufficient source verification), CWE-359 (exposure of private information). No CVE has been assigned. RMM tool abuse has increased significantly year-over-year according to industry telemetry. Threat actor attribution: unattributed PhaaS operators; available data is insufficient for further attribution.
Action Checklist
Triage Priority: IMMEDIATE
Escalate to external IR firm or law enforcement (FBI IC3, Secret Service) immediately if: (1) any endpoint shows evidence of active RMM session to attacker infrastructure (confirmed via netstat + DNS sinkhole data or EDR behavioral telemetry), (2) credential theft or MFA bypass is confirmed in M365 logs with evidence of data exfiltration, or (3) financial impact exceeds organizational incident response budget or involves regulatory reporting requirements (e.g., HIPAA, GLBA, state breach notification law).
Note: This checklist is tailored to organizations using ConnectWise ScreenConnect, Datto RMM, or SimpleHelp. If your organization uses different RMM platforms, substitute those vendor names in steps 1-2 and adapt monitoring rules accordingly.
Step 1, Immediate: Audit all RMM tools (ConnectWise ScreenConnect, Datto RMM, SimpleHelp) installed in your environment; remove any instance not explicitly authorized and documented by IT or security operations.
Preparation
NIST 800-61r3 §2.1 (preparation: tools and resources)
NIST 800-53 CM-2 (Baseline Configuration)
NIST 800-53 CM-8 (Information System Component Inventory)
CIS 6.1 (Establish and maintain detailed asset inventory)
Compensating Control
Use free tools: `wmic product list brief` (Windows), `dpkg -l | grep -Ei 'connect|datto|simple'` (Linux), or `system_profiler SPApplicationsDataType` (macOS). Cross-reference manually against the IT-approved vendor list in a shared spreadsheet. For shadow IT, search DNS logs for ScreenConnect relay domains (screenconnect.com, connectwise.net), Datto agent IPs, and SimpleHelp endpoints using free passive DNS or local firewall logs.
Preserve Evidence
Before removal: (1) Capture the running process list with full command-line arguments (`Get-CimInstance Win32_Process | Select-Object Name, CommandLine` on Windows; `ps auxww` on Linux). (2) Export Windows Registry `HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall` and `HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall` for all RMM vendor entries. (3) Collect file system metadata for RMM installation directories (`dir /s /t:c` for creation dates, `dir /s /t:w` for last-write dates). (4) Capture network connections to RMM infrastructure (`netstat -ano` on Windows, `ss -tupn` on Linux) with timestamps before uninstalling.
Step 2, Immediate: Block or alert on outbound connections to ConnectWise ScreenConnect relay infrastructure, Datto agent endpoints, and SimpleHelp server ports when they originate from endpoints not enrolled in your authorized RMM program.
Detection & Analysis
NIST 800-61r3 §3.2.2 (analysis: network-based detection)
NIST 800-53 SI-4 (Information System Monitoring)
NIST 800-53 AC-3 (Access Enforcement)
CIS 8.2 (Ensure that all network traffic is controlled by a firewall)
Compensating Control
Without enterprise firewall: use host-based Windows Firewall or `ufw` (Linux) to create outbound block rules for known RMM relay IPs and domains. Query your existing firewall/proxy logs for outbound connections to ScreenConnect relay IPs (query ConnectWise public IP range or use passive DNS records), Datto agent endpoints (typically 443 HTTPS, agent.dattobackup.com), and SimpleHelp ports (typically 443, 5042). Alert on any match from non-enrolled endpoints by cross-referencing against your authorized RMM asset list from Step 1.
Preserve Evidence
Capture all outbound connection logs from firewalls, proxies, or endpoint logs before implementing block rules: (1) Firewall/proxy access logs with destination IP, port, protocol, and timestamp. (2) Windows firewall query: `Get-NetFirewallRule -Direction Outbound` to establish baseline rules. (3) DNS query logs showing resolution attempts to RMM infrastructure domains (query DNS server logs or endpoint DNS query history). (4) Network packet capture (tcpdump, Wireshark) of any connection to suspected RMM relay IPs for later forensic review.
Step 3, Detection: Search Microsoft 365 and identity provider logs for anomalous session cookie reuse: specifically, authenticated sessions originating from IP addresses inconsistent with the user's normal location or device, which may indicate AiTM session hijack via SneakyLog/Kratos.
Detection & Analysis
NIST 800-61r3 §3.2.3 (analysis: log review and correlation)
NIST 800-53 AU-2 (Audit Events)
NIST 800-53 IA-4 (Identifier Management)
CIS 8.5 (Log all access and authentication attempts to the Microsoft 365 environment)
Compensating Control
Without M365 advanced analytics: export Azure AD sign-in logs (requires Azure AD Premium; if unavailable, use built-in Azure Monitor). Query for logon events with the same user session across geographically impossible origin IPs or unknown device tokens (compare User-Agent and IP geolocation). Use free tools: parse M365 audit logs with PowerShell (`Search-UnifiedAuditLog -UserIds <user> -StartDate <date> -EndDate <date>`; both date bounds are required) and cross-reference IP geolocation with MaxMind GeoLite2 (free tier). Flag sessions where the IP location changed >500 miles in <30 minutes.
Preserve Evidence
Before querying for anomalies: (1) Export complete Azure AD/M365 sign-in logs (7-90 days available, depending on licensing) with IP, device ID, User-Agent, MFA status, and timestamp. (2) Collect user baseline behavior: map each user's typical login locations and device profiles from logs prior to February 10, 2026. (3) Capture all session cookie events from M365 audit log: 'UserLoggedIn', 'UserLoginFailed', 'MailItemsAccessed' with IP and device context. (4) Extract browser cookies from suspected compromised endpoints (Windows: `C:\Users\<username>\AppData\Local\Microsoft\Edge\User Data\Default\Cookies`, Chrome: `C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\Cookies`).
Step 4, Detection: Query email gateway and SIEM for inbound messages delivered via Amazon SES with IRS, SmartVault, or tax-related lure subjects; cross-reference sender domains against your allow list and flag any SES relay not in your approved vendor list.
Detection & Analysis
NIST 800-61r3 §3.2.1 (analysis: email-based detection)
NIST 800-53 SI-4 (Information System Monitoring)
NIST 800-53 SC-7 (Boundary Protection)
CIS 9.2 (Ensure that all email is scanned by antimalware software)
Compensating Control
Without enterprise email gateway: export raw SMTP logs from your mail server or hosting provider (Office 365 Message Trace, Google Workspace audit, or sendmail/postfix logs). Query for emails with headers: `X-Originating-IP` pointing to Amazon SES IP ranges (198.51.100.0/24, 205.251.192.0/24, or query AWS IP ranges). Search message headers for `Return-Path` or `Received: from` lines containing 'amazonses.com' or SES bounce addresses. Filter subject lines for keywords: 'IRS', 'Tax', 'Form 1040', 'SmartVault', 'Document Review', 'Urgent Action Required'. Cross-reference sender domain against your domain allow list (SMTP authentication records).
Preserve Evidence
Before querying: (1) Export complete email headers and message trace logs from your email gateway for February 1–March 31, 2026 (covers campaign window). (2) Capture original message files (EML format) for any suspected phishing emails sent via SES. (3) Collect sender domain WHOIS and DNS records (MX, SPF, DKIM) to identify spoofed or newly registered domains. (4) Document email attachment hashes and URLs from suspected messages. (5) Export recipient list and confirmation of delivery/read status.
Step 5, Assessment: Inventory all endpoints with RMM agents installed, including shadow IT deployments, and validate each against your authorized asset register; prioritize any endpoint that received a tax-themed email in February or March 2026.
Detection & Analysis
NIST 800-61r3 §3.2.4 (analysis: asset correlation and timeline)
NIST 800-53 CM-8 (Information System Component Inventory)
NIST 800-53 IR-4 (Incident Handling)
CIS 1.1 (Establish and maintain detailed asset inventory)
Compensating Control
Correlate the Step 1 RMM inventory with email receipt logs from Step 4. For shadow IT discovery: (1) Query the network ARP table and DHCP logs for devices that never registered in your asset management system. (2) Use nmap or Nessus Community (free) to scan network subnets for open RMM ports (typically 443, 5042, 5900 for remote access). (3) Check for suspicious software via WMI (`wmic product list brief | findstr /i "connect datto simple"`; findstr treats space-separated terms as alternatives). (4) Cross-reference Step 4 email recipients with Step 1 RMM-installed endpoints; any endpoint receiving a tax-themed email AND running unauthorized RMM is Tier 1 priority.
Preserve Evidence
Before prioritization: (1) Complete endpoint inventory with hostname, IP, OS, installed RMM agent type, enrollment date, and last check-in timestamp. (2) Email receipt metadata for all recipients from Step 4, linked to endpoint asset IDs. (3) Process execution timeline on each endpoint: last execution of the RMM binary with timestamp (Security log Event ID 4688 via `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object {$_.Message -match 'ScreenConnect|Datto|SimpleHelp'}`, or Sysmon Event ID 1). (4) File creation/modification dates for RMM installation directories. (5) Registry install dates for RMM agents (`reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall /s /v InstallDate`).
Step 6, Communication: Notify employees, particularly accounts payable, HR, and finance staff, that IRS-themed emails requesting document review or tax form access are active lures; include specific indicators (SmartVault branding, IRS impersonation) in the advisory.
Preparation
NIST 800-61r3 §2.3 (preparation: tools and personnel training)
NIST 800-53 AT-1 (Security Awareness and Training)
NIST 800-53 AT-2 (Security Awareness Training)
CIS 14.1 (Implement security awareness program)
Compensating Control
Use native communication channels: email advisory (signed by security team), intranet posting, or printed notices. Structure advisory with: (1) Threat summary (IRS phishing campaign, 29,000 targets, active as of Feb 10, 2026). (2) Specific IOCs: email subject keywords ('IRS', 'SmartVault', 'Form', 'Urgent'), sender domain characteristics (newly registered, spoofed tax authority), and attachment types (ZIP containing executables). (3) Action items: do not click links or open attachments from unsolicited tax-related emails; report to security team immediately; do not authenticate if prompted via email. (4) Escalation path: direct employees to report suspicious emails to security@[company] or internal IT helpdesk.
Preserve Evidence
Not applicable to communication step; however, document the advisory distribution: (1) Email delivery receipts and open/click rates. (2) Security awareness training completion records for targeted staff (AP, HR, finance). (3) Email reported-as-phishing counts post-advisory to measure awareness lift. (4) Support ticket volume for phishing report requests.
Step 7, Long-term: Implement application allowlisting or policy controls that prevent execution of unsigned or unapproved RMM binaries; consider Conditional Access policies that require compliant, managed devices for M365 authentication to reduce session hijack risk from AiTM proxying.
Recovery
NIST 800-61r3 §4.2 (post-incident activities: lessons learned and hardening)
NIST 800-53 CM-6 (Configuration Settings)
NIST 800-53 CM-10 (Software Usage Restrictions)
NIST 800-53 CA-7 (Continuous Monitoring)
CIS 2.1 (Ensure software is inventoried and only approved software is allowed to execute)
Compensating Control
Without enterprise application allowlisting (AppLocker, WDAC): use free/low-cost alternatives. (1) Windows: enable AppLocker in audit mode via Group Policy (`gpedit.msc > Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker`); export audit events (`Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL'`) to identify unapproved RMM execution. (2) Linux: use SELinux or AppArmor policies to restrict binary execution (templates available via RHEL Security Guide). (3) M365 Conditional Access (free in Azure AD Free tier): require device compliance (`Device Compliance` condition), MFA, and geolocation validation for M365 sign-in; use built-in 'Require device to be marked as compliant' policy. (4) For AiTM proxying defense: enable phishing-resistant MFA (Windows Hello, FIDO2 keys if feasible) to reduce reliance on passwords/cookies.
Preserve Evidence
Post-implementation validation: (1) AppLocker/WDAC audit logs showing all RMM binary execution attempts (approved vs. blocked) over 30-day baseline. (2) M365 Conditional Access sign-in logs showing compliance enforcement (device ID, device status, MFA method, risk assessment). (3) Baseline of approved RMM binaries with code signing certificates and publisher info (verify via `Get-AuthenticodeSignature` on Windows). (4) Correlation of any blocked RMM execution with Step 5 shadow IT discovery to validate control effectiveness. (5) Failed login counts from non-compliant devices, monitored monthly as KPI.
Recovery Guidance
Post-containment: (1) Force password reset for all users who received IRS-themed emails and re-enroll in MFA; prioritize accounts in finance, AP, and HR. (2) Revoke all active M365 sessions and refresh OAuth tokens for affected users (via Azure AD > Users > Password Reset or admin center). (3) Re-baseline network monitoring and EDR telemetry to establish new 'clean' baseline post-eradication, then continuously monitor for re-infection attempts via the same RMM vectors or similar AiTM proxying indicators. (4) Conduct 30-day post-incident review: document all compromise timelines, update incident playbooks with RMM-specific detection rules, and schedule security awareness refresher training for high-risk staff.
Key Forensic Artifacts
Windows Event Log 4688 (Process Creation with command-line arguments for RMM binary execution)
Windows Event Log 4624/4625 (Account Logon / Logon Failure, correlate with anomalous IP/device)
Azure AD Sign-in Logs (Azure Monitor / M365 audit: IP, device ID, User-Agent, MFA status, conditional access outcomes)
SMTP/Email Gateway Logs (headers, sender IP, Amazon SES relay detection, recipient list, message trace)
Firewall/Proxy Logs (outbound connections to RMM relay IPs/domains, timestamps, source endpoint IDs)
DNS Query Logs (resolution of ScreenConnect, Datto, SimpleHelp, and spoofed tax domain names)
File System Metadata (RMM agent installation paths, creation/modification timestamps, code signing certificates)
Network Connection Artifacts (netstat output with timestamps, established RMM sessions, associated process IDs)
Browser History and Cookies (user download/execution of phishing attachments, cached credentials, session tokens)
Sysmon Event Logs / EDR Telemetry (Event ID 1 for process creation, Event ID 3 for network connections, behavioral anomalies)
Detection Guidance
Microsoft 365 / Entra ID: Query sign-in logs for sessions where the IP address changed mid-session or where a valid MFA-completed session was followed immediately by access from a geographically inconsistent IP, indicative of AiTM cookie theft.
KQL example (Microsoft Sentinel; ResultType is a string column in SigninLogs): `SigninLogs | where ResultType == "0" | where AuthenticationRequirement == "multiFactorAuthentication" | summarize IPs = make_set(IPAddress) by UserPrincipalName, CorrelationId | where array_length(IPs) > 1`.
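The impossible-travel check from Step 3 and the cookie-reuse pattern described above, as an added example written for this page (not code from the advisory or from Microsoft), run in Python over an exported sign-in log. The GeoIP table, the field names and the log records are constructed assumptions; in practice substitute a GeoIP database such as MaxMind GeoLite2 and your export's column names.

```python
# Added example, not code from the advisory or from Microsoft: flag an MFA-completed
# Microsoft 365 session that is then reused from an IP too far away to be the same
# person, the pattern AiTM cookie theft leaves in sign-in logs. The GeoIP table,
# field names and records are constructed; use a GeoIP database such as MaxMind
# GeoLite2 and your export's column names in practice.
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_MILES = 500      # checklist threshold: location moved more than 500 miles ...
MAX_MINUTES = 30     # ... in under 30 minutes

# Constructed IP -> (lat, lon) table standing in for a GeoIP lookup (RFC 5737 test addresses).
GEO = {
    "203.0.113.10": (41.88, -87.63),   # Chicago
    "203.0.113.11": (41.90, -87.65),   # Chicago, a second office address
    "198.51.100.7": (52.37, 4.90),     # Amsterdam
}

def miles_between(a, b):
    """Great-circle distance in statute miles (haversine formula)."""
    (lat1, lon1), (lat2, lon2) = a, b
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    h = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 3958.8 * 2 * asin(sqrt(h))

def find_session_hijacks(events, geo=GEO):
    """events: dicts with user, session_id, ip, mfa (bool) and time (ISO 8601).
    Returns a finding for each consecutive pair of events in an MFA-completed
    session whose IPs are more than MAX_MILES apart within less than MAX_MINUTES."""
    by_session = {}
    for e in events:
        by_session.setdefault((e["user"], e["session_id"]), []).append(e)
    findings = []
    for (user, sid), evs in by_session.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["time"]))
        if not any(e["mfa"] for e in evs):
            continue                   # only sessions that passed MFA are of interest here
        for prev, cur in zip(evs, evs[1:]):
            if prev["ip"] == cur["ip"] or prev["ip"] not in geo or cur["ip"] not in geo:
                continue               # same IP, or no geolocation available: cannot judge
            delta = datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])
            minutes = delta.total_seconds() / 60
            miles = miles_between(geo[prev["ip"]], geo[cur["ip"]])
            if miles > MAX_MILES and minutes < MAX_MINUTES:
                findings.append({"user": user, "session_id": sid, "from_ip": prev["ip"],
                                 "to_ip": cur["ip"], "miles": round(miles), "minutes": round(minutes)})
    return findings

# Constructed export: alice moves between two nearby offices; bob's MFA'd session
# is replayed from Amsterdam twelve minutes after he signed in from Chicago.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "session_id": "s1", "ip": "203.0.113.10", "mfa": True,  "time": "2026-02-10T09:00:00"},
    {"user": "alice@example.com", "session_id": "s1", "ip": "203.0.113.11", "mfa": False, "time": "2026-02-10T09:20:00"},
    {"user": "bob@example.com",   "session_id": "s2", "ip": "203.0.113.10", "mfa": True,  "time": "2026-02-10T10:00:00"},
    {"user": "bob@example.com",   "session_id": "s2", "ip": "198.51.100.7", "mfa": False, "time": "2026-02-10T10:12:00"},
]

if __name__ == "__main__":
    for finding in find_session_hijacks(SAMPLE_EVENTS):
        print(finding)
```

Only bob's session is reported; a sign-in with the same session token from two distant IPs a few minutes apart is the artifact to pivot on in the M365 audit log.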
Endpoint: Alert on processes spawning ScreenConnect.ClientService.exe, DattoRMM agent binaries, or SimpleHelp java/server executables outside approved software installation paths or initiated by user-context processes (e.g., spawned from browser or email client).
Email: Flag messages with sender domains using Amazon SES relay headers (X-SES-Outgoing, DKIM domain @amazonses.com) that impersonate .gov or financial software brands. Look for SmartVault branding or IRS subject lines combined with link redirects or file attachments.
Network: Monitor for outbound connections on TCP 443 to ScreenConnect relay domains (relay.screenconnect.com and subdomains), Datto agent check-in endpoints, and SimpleHelp default ports (5850, 5900) from endpoints not enrolled in authorized RMM programs.
Behavioral: Unusual remote access sessions outside business hours, or RMM sessions originating from non-IT user accounts, warrant immediate investigation.
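The Step 4 compensating control and the email guidance above, as an added example written for this page (not from the advisory or any vendor tool): a triage routine over exported .eml files that flags the SES-relay-plus-tax-lure combination, display-name brand impersonation and attachments. The keyword list, the vendor allow list, the brand-to-domain map and both sample messages are constructed assumptions to adapt.

```python
# Added example, not from the advisory or any vendor tool: triage exported .eml
# messages for Amazon SES relay headers combined with IRS or SmartVault lures.
# Keyword list, SES allow list, brand-domain map and both messages are constructed.
import re
from email import message_from_string
from email.utils import parseaddr

LURE_RE = re.compile(r"\b(irs|tax|form 1040|smartvault|document review|urgent action required)\b", re.I)
BRAND_DOMAINS = {"irs": "irs.gov", "smartvault": "smartvault.com"}  # assumed legitimate domains
APPROVED_SES_SENDERS = {"notify.example-vendor.com"}                # assumed vendor allow list

def via_ses(msg):
    """True when X-SES-Outgoing is present or Received/Return-Path/DKIM mention amazonses.com."""
    if msg.get("X-SES-Outgoing") is not None:
        return True
    hops = msg.get_all("Received", []) + [msg.get("Return-Path", ""), msg.get("DKIM-Signature", "")]
    return any("amazonses.com" in h.lower() for h in hops)

def triage_message(raw):
    """Return sender, subject and the campaign indicators that matched."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []
    if via_ses(msg) and domain not in APPROVED_SES_SENDERS:
        reasons.append("ses-relay-not-allowlisted")
    if LURE_RE.search(msg.get("Subject") or ""):
        reasons.append("tax-lure-subject")
    for brand, legit in BRAND_DOMAINS.items():   # brand in display name, mail from elsewhere
        if brand in display.lower() and domain != legit and not domain.endswith("." + legit):
            reasons.append(brand + "-impersonation")
    if any(part.get_filename() for part in msg.walk()):
        reasons.append("attachment")
    return {"from": addr, "subject": msg.get("Subject"), "reasons": reasons}

# Constructed phishing sample: SES relay, IRS display name on an unrelated domain, ZIP attachment.
PHISH_EML = """\
Return-Path: <0100018-constructed@amazonses.com>
Received: from a1-23.smtp-out.amazonses.com (192.0.2.5) by mx.example.com
X-SES-Outgoing: 2026.02.10-192.0.2.5
From: "IRS Document Center" <noreply@taxdocs-review.example>
Subject: IRS: Urgent Action Required - Form 1040 Document Review
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/zip; name="IRS_Notice.zip"
Content-Disposition: attachment; filename="IRS_Notice.zip"

UEsDBBQ=
--b1--
"""

# Constructed benign sample: an allow-listed vendor that legitimately sends through SES.
BENIGN_EML = """\
Received: from a1-44.smtp-out.amazonses.com (192.0.2.9) by mx.example.com
From: "Vendor Billing" <billing@notify.example-vendor.com>
Subject: Your February invoice is ready
Content-Type: text/plain

Invoice is available in the portal.
"""
```

The benign vendor message passes through SES too but produces no indicators, which matches the IOC table's note that SES itself is not a block-all signal.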
Indicators of Compromise (3)
| Type | Value | Context | Confidence |
| --- | --- | --- | --- |
| DOMAIN | relay.screenconnect.com | ConnectWise ScreenConnect relay infrastructure: legitimate service abused for persistent RMM access post-compromise; flag when accessed by endpoints not enrolled in authorized RMM program | medium |
| URL | Amazon SES relay headers (X-SES-Outgoing) | Campaign used Amazon SES for phishing delivery; inbound email from SES relay impersonating IRS or SmartVault brands is a campaign indicator, not a block-all signal given legitimate SES use | medium |
| DOMAIN | SmartVault impersonation domains (exact domains not confirmed in available sources) | Attackers impersonated SmartVault branding; monitor for lookalike domains referencing SmartVault in phishing headers or link targets; specific IOC domains not published in available T1/T3 sources as of this report | low |
Compliance Framework Mappings
MITRE ATT&CK: T1588.005, T1027.006, T1550.004, T1036.005, T1219, T1566.002 (+9 more not shown)
NIST 800-53: AT-2, SC-7, SI-3, SI-4, SI-8, AC-2 (+4 more not shown)
MITRE ATT&CK Mapping
T1036.005 Match Legitimate Resource Name or Location (defense-evasion)
T1219 Remote Access Tools (command-and-control)
T1598.002 Spearphishing Attachment (reconnaissance)
T1539 Steal Web Session Cookie (credential-access)
T1566.001 Spearphishing Attachment (initial-access)
T1585.002 Email Accounts (resource-development)
T1078 Valid Accounts (defense-evasion)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53, CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided as supplemental intelligence guidance only and does not constitute professional incident response services. Organizations should adapt all recommendations to their specific environment, risk tolerance, and regulatory requirements. This material is not a substitute for your organization's official incident response plan, legal counsel, or qualified security practitioners.