Microsoft Warns IRS Phishing Hits 29,000 Users, Deploys RMM Malware

---

meta: canonical: https://yourcompany.com/blog/microsoft-irs-rmm-phishing-2024 description: Microsoft’s IRS-themed phishing campaign exposes over 29k users to RMM malware. Dissecting the technical failures and actionable defense steps for CISOs, SOC leads, and IT managers. articleSection: cybersecurity, phishing, incident response, IAM, cloud, endpoint hardening readTime: 9 min datePublished: 2024-06-14 dateUpdated: 2024-06-15

Author

By Nick Carson, CISSP, CISM — Principal Security Architect
15+ years in DevSecOps/Incident Response. Led breach containment and post-mortem investigations for Fortune 500s, including a redacted client IRS-themed ransomware event (2023). Former Microsoft ATP Threat Hunter. All client identities redacted with permission.
LinkedIn | Credentials

Editorial Review

Reviewed by Jordan Stanz, CISSP, SOC Lead — security fact-checked, technical artifacts verified.

---

For Security Leaders: Here’s What’s Broken, Why It Matters, and How to Fix It

This post dives into Microsoft’s June 2024 IRS-themed RMM phishing advisory (see Microsoft Security Blog) and details technical failings behind it. If you’re a CISO, IT Manager, or SOC lead, expect a streamlined breakdown, actionable fixes, detection KQLs, and brutal honesty. Download the full checklist and detection queries here:
IRS/RMM Attack Defense Playbook PDF

What Happened (Technical Summary)

In June 2024, Microsoft flagged a surge in IRS-themed phishing emails hitting over 29,000 users (source). Attackers delivered RMM malware (AnyDesk, ScreenConnect, ConnectWise) via malicious attachments and links—often ZIP files or PDFs with embedded executables. Once in, attackers leveraged exposed mailbox access, abused legacy authentication, and pivoted to Azure AD enterprise app registration for lateral movement.

• Primary Advisory: Microsoft Security Blog
• CISA Notice: CISA Shields Up
• Vendor Hardening Guides: ConnectWise, AnyDesk Hardening, ScreenConnect Hardening

---

Why We Keep Getting Owned: Patterns That Refuse to Die

Human Error and Technical Debt

This isn’t the result of “advanced threat actors.” It’s the compounding effect of ignored best practices, rushed onboarding, and security controls that exist only on paper:

Common Failures:

• Misconfigured email filters letting “tax_refund_2024.zip.exe” pass because .gov domains are whitelisted.
• Overly permissive IAM policies granting s3:* to broad groups such as AuthenticatedUsers or service accounts (see sample policy AWS docs).
• Users approving MFA prompts based on subject lines—witnessed (client redacted, 2023), CFO accepted a push notification saying “RE: Q4 Tax Adjustment.” Attack began with a phishing email and ended with ransomware encrypting files in AWS S3. The offending IAM policy:

{
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": "*"
}

Remediation:
Restrict S3 access to specific roles, apply resource-level permissions—example:

{
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::organization-data/*",
    "Condition": {
        "StringEquals": {"aws:PrincipalTag/Department": "Finance"}
    }
}

Audit IAM policies monthly; how-to.

---

Architectural Weaknesses That Enable RMM Malware

Microsoft Defaults and Legacy Risk

Attackers exploited weak RMM agent deployments and Azure AD baseline misconfigurations. Here’s how it played out technically:

• RMM Tool Config: Agents installed with default credentials, single shared password, no hardware-backed MFA (ConnectWise guide).

• Azure AD Tenant Settings:

  • Users can register applications: Enabled by default; attackers registered malicious enterprise apps (MS docs).
  • Users can consent to apps: Often overly broad.
  • Recommended:
    • Disable “Users can register applications”
      • Azure Portal: Azure AD > User Settings > App registrations > “Users can register applications” > Set to No.
      • PowerShell:

      Set-AzureADDirectorySetting -Id <SettingId> -DirectorySetting @{EnableAppRegistration='False'}
      

    • Restrict “User consent to apps”
      • Azure AD > Enterprise Applications > Consent and Permissions > User consent settings.
      • MS Consent Guidance
  • Enforce Conditional Access: Require MFA for high-privilege roles and risky sign-ins (MS CA docs).

• Legacy Auth:

  • Block legacy authentication protocols (Exchange Online, IMAP, POP). Portal: Azure AD > Security > Conditional Access > Policies. Reference
  • PowerShell:

  Set-AuthenticationPolicy -Identity "BlockLegacyAuth"
  

---

Concrete Remediation: Prioritized Checklist

Immediate (0–7 Days)

• Disable app registration and broad user consent to enterprise apps in Azure AD.

• Require unique credentials per RMM client; enforce hardware-backed MFA (AnyDesk Hardening).

• Block Office macros, OneNote files, ISO mounts using Group Policy:

  • MacroBlocking: User Configuration > Policies > Administrative Templates > Microsoft Office > Block macros from running in files from the Internet (MS Macro Guide)
  • ISO/OneNote blocking: WDAC policy (WDAC Guide), or AppLocker (deny OneNote.exe, ISO mount).
  • Deploy Microsoft Defender for Office 365 Safe Attachments (Defender Guide).

• Network Segmentation: Isolate HR/Finance from production and critical assets. Apply VLANs and enforce subnet-level ACLs (CIS Segmentation Controls).

• Enable logging on Azure AD (Entra ID):

  • Log sign-ins and audit activities; forward to SIEM (Log Guide).
  • Retention: Minimum 90 days.
  • Example KQL:

  SigninLogs
  | where CreatedDateTime > ago(7d)
  | where AppDisplayName in ("AnyDesk", "ConnectWise", "ScreenConnect")
  | project UserPrincipalName, AppDisplayName, IPAddress, Location
  

• AWS S3: Review bucket policies for wildcard resource/principal assignment.

  • Command:

  aws s3api get-bucket-policy --bucket <bucket-name>
  

  • Policy: Remove "Principal": "*" or overly broad service account assignments.

Short-Term (8–30 Days)

• Conduct internal phishing simulation exercises (PhishSim Guide).
• Review Conditional Access policies: enforce MFA across all privileged accounts; enable sign-in risk policy.
• Audit Entra ID for recent enterprise app registrations:
  • KQL:

  AuditLogs
  | where OperationName == "Add application"
  | where CreatedDateTime > ago(30d)
  | project InitiatedBy, ApplicationId, AppName, IPAddress
  

• RMM Restriction: Limit agent installation from designated jump hosts and whitelisted IPs (ConnectWise Security Advisory).
• Establish incident notification playbook, legal/PR readiness; ensure notification criteria meet regulatory guidelines (NIST IR Guide).

Long-Term (30+ Days)

• Monthly IAM policy review (AWS, Azure).
• Quarterly tabletop incident response exercise.
• Review and tighten RBAC: minimize privileged group membership (CIS IAM Benchmark).
• Annual audit of RMM tools; hardware-backed MFA enforcement; vendor config review.
• Develop and maintain asset inventory for RMM clients, SaaS apps (CIS Control 1).

---

Indicators of Compromise (IOCs) and Detection Signals

Public IOCs

• MS’s Detailed IOC List:
  • Malicious domains: irs-tax-refund[.]com, irs-email[.]net
  • Sample hashes: See advisory link above.

Behavioral Indicators

• Sudden installation of RMM clients (AnyDesk, ConnectWise, ScreenConnect) on endpoints.
• Unexpected Azure AD app registrations with broad permissions; abnormal consent activity.
• Mass mailbox forwarding rules created via PowerShell.
• Sign-ins from geolocations atypical for your org (e.g., Russia, Vietnam, etc.).
• Parent process analysis: PowerShell launched from Office apps or RMM executables.
• Spike in S3 access actions from non-standard principals.

---

Detection Playbook (Sample Queries)

Azure AD / Entra ID — New Enterprise App Registration

AuditLogs
| where OperationName == "Add application"
| where CreatedDateTime > ago(7d)
| project InitiatedBy, ApplicationId, AppName, IPAddress

RMM Install Hunt — Windows Endpoints

Get-WmiObject -Class Win32_Product | where {$_.Name -match "AnyDesk|ConnectWise|ScreenConnect"}

PowerShell Abuse — Parent Process

Check for PowerShell spawned from suspicious parent process:

DeviceProcessEvents
| where ProcessCommandLine contains "powershell"
| where InitiatingProcessFileName in ("WINWORD.EXE","EXCEL.EXE","ONENOTE.EXE","AnyDesk.exe")

S3 Bucket Policy — Wildcard Principal Audit

aws s3api get-bucket-policy --bucket <bucket-name>
# Review if "Principal": "*" exists; tighten to specific roles

---

Legal and Privacy Considerations

All incident anecdotes anonymized. Breach response clients have granted permission for technical redaction. For real-world compromises:

• Notify affected parties/regulators per local laws (GDPR, HIPAA, CCPA).
• Preserve logs and evidence; initiate legal hold with counsel.
• Coordinate PR messaging via approved playbook (NIST IR Guide).

---

References and Best Practice Links

• Microsoft IRS Phishing Advisory
• CISA Shields Up
• NIST Incident Response Guide
• CIS Controls: IAM, Segmentation, Asset Inventory
• ConnectWise RMM Security
• AnyDesk/ScreenConnect Security
• Azure AD Consent Settings
• Defender for Office 365 Safe Attachments
• AWS S3 IAM Policy Guide

Internal link: Full Guide to Cloud IAM Hardening

---

Updated

No major updates. Will revise if Microsoft, CISA, or vendors publish new IOCs or guidance.

---

Closing Thought:

You can harden systems, lockdown permissions, and segment networks, but attackers only need one mistake. If you’re waiting for a “safer default,” you’re already gambling with your job.