Subscribe to the Non-Human & AI Identity Journal

How should security teams respond to tax-themed phishing campaigns?

Treat them as identity-focused intrusion attempts, not just spam. Prioritise email detections for tax, payroll, and W-2 lures, then correlate those messages with sign-in anomalies, MFA prompts, and endpoint execution. If a tax-themed email leads to a download, authentication page, or RMM install, investigate it as a potential access event.

Why This Matters for Security Teams

Tax-themed phishing is rarely just a nuisance message. It is often a fast-moving identity attack designed to capture credentials, push a malicious download, or trigger a secondary workflow such as MFA fatigue, token theft, or remote access enrollment. Security teams should treat these campaigns as potential access events because the objective is usually account takeover, not simple fraud. That framing matters when deciding whether to block, triage, or escalate activity. Guidance from the NIST Cybersecurity Framework 2.0 supports correlating detection and response across identity, endpoint, and email telemetry rather than handling email in isolation. In NHIMG research, campaigns that start with a lure can quickly move into credential abuse or downstream system compromise, as seen in the CoPhish OAuth Token Theft via Copilot Studio analysis. Practitioners often miss the real risk because the first indicator looks like routine payroll spam, while the attacker is already testing the account for interactive access. In practice, many security teams encounter the compromise only after the mailbox, payroll portal, or MFA system has already been used for follow-on access.

How It Works in Practice

A solid response starts with detections tuned to the lure. Tax-season messages should be grouped with payroll, W-2, invoice, and refund themes, then enriched with sender reputation, URL behaviour, attachment type, and user interaction data. If a user clicks, the next step is not just mail quarantine. It is to check whether the click was followed by a sign-in prompt, unusual token grant, suspicious browser session, or endpoint execution. This is where identity and endpoint telemetry need to be joined.

Useful operational checks include:

  • Search for credential harvesting pages, especially lookalike Microsoft 365, payroll, or tax portals.
  • Review MFA events for prompt bombing, new device enrollment, or consent grant anomalies.
  • Look for downloads of HTML files, ZIP archives, ISO images, or scripts after the message was opened.
  • Correlate mailbox rules, forwarding changes, and abnormal login geography within the same time window.
  • Escalate any remote management tool install or browser-based session hijack as a likely intrusion path.

This is consistent with the broader identity-first posture described in the LLMjacking: How Attackers Hijack AI Using Compromised NHIs research, where compromised identities become the pivot for wider abuse, and with NIST guidance on coordinated detection and response. The practical goal is to determine whether the campaign stayed in the inbox or crossed into authenticated activity. These controls tend to break down in high-volume mail environments where telemetry is fragmented across email security, IAM, and endpoint tools because the chain of evidence is too slow to assemble during the first hour.

Common Variations and Edge Cases

Tighter email controls often increase false positives during tax season, so teams must balance aggressive blocking against business disruption for finance, HR, and payroll workflows. Current guidance suggests using context and user role to separate routine tax correspondence from malicious impersonation, but there is no universal standard for this yet.

Edge cases matter. A tax-themed email with no attachment can still be dangerous if it links to a consent screen or OAuth grant page. A seemingly harmless PDF can be used to drive the user toward a fake portal. In some environments, attackers exploit seasonal urgency to push users into bypassing normal approval paths, especially when payroll changes or document collection is time-sensitive. That is why current best practice is evolving toward content, identity, and session correlation rather than attachment-only analysis.

For organisations with hybrid identity stacks, the risk extends beyond the primary mailbox. If a user reuses passwords, syncs tokens across devices, or has weak session controls, one phishing click can lead to lateral access in HR, payroll, or document systems. The lesson is to treat the lure as the beginning of an identity incident, not the end of an email incident. This is especially important when tax campaigns overlap with broader credential theft activity like the patterns documented in DeepSeek breach, where exposed secrets and compromised access paths amplified downstream risk.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10, OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-01 Phishing often targets NHI credentials and session tokens for takeover.
OWASP Agentic AI Top 10 A-03 Phishing can initiate unauthorized tool use and session abuse in agentic workflows.
CSA MAESTRO MAESTRO-3 Covers identity and access risks in autonomous or semi-autonomous workflows.
NIST CSF 2.0 DE.AE-2 Email lures become incidents when correlated with unusual identity and endpoint activity.
NIST AI RMF Useful for governing automated detections and response decisions around phishing.

Inventory and monitor non-human and human-access paths that can be abused after phishing.