ConnectWise ScreenConnect, Datto RMM, and SimpleHelp were abused as post-compromise persistence mechanisms in the IRS-themed phishing campaign documented February 10, 2026, with no new CVEs assigned to these products — the abuse exploits legitimate signed binaries rather than software vulnerabilities. The campaign’s use of adversary-in-the-middle PhaaS platforms to bypass MFA and harvest Microsoft 365 session cookies means that endpoint detection relying on credential-based signals alone will miss the intrusion vector. Organizations should immediately audit all RMM tool installations for unauthorized instances, block RMM outbound relay connections from non-enrolled endpoints, and enforce Conditional Access policies to reduce session hijack risk.