Originally reported by Hackread
TL;DR
A phishing campaign is targeting US recipients with fake Social Security Administration emails containing fraudulent tax documents. The attack uses legitimate Datto RMM software to gain persistent remote access to compromised systems.
This is a new phishing campaign that targets US victims and gives attackers remote access, but there is no evidence of widespread deployment or critical infrastructure impact.
Threat actors are leveraging fake Social Security Administration communications to distribute remote access tools, according to research shared with Hackread. The campaign uses fraudulent 2025 and 2026 tax statement documents as lures to convince targets to install legitimate remote monitoring and management (RMM) software.
The phishing emails impersonate official SSA correspondence and reference tax documentation to establish credibility with recipients. Once victims engage with the malicious content, attackers guide them through installing Datto RMM software under false pretenses.
Datto RMM, a legitimate IT management platform, becomes the attack vector for persistent system access. The software's remote control capabilities allow threat actors to:
The campaign's timing coincides with tax season, when recipients expect to receive legitimate tax-related communications from government agencies. This social engineering approach increases the likelihood of successful compromise by exploiting seasonal expectations.
The targeting appears focused on US-based individuals, leveraging the universal recognition of Social Security Administration branding and tax document expectations.
Organizations should implement email filtering rules to detect SSA impersonation attempts and monitor for unauthorized RMM tool installations. Security teams should establish baselines for legitimate remote access tools and alert on unexpected deployments.
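The baseline-and-alert approach described above, as an added example that is not part of the original report: it checks installed-software inventory events against a list of sanctioned remote access tools and flags anything outside it. The keyword list, the baseline, the host groups and the sample events are all constructed assumptions to be replaced with your own inventory data.

```python
from dataclasses import dataclass

# Product-name keywords for remote access tools (assumed list; extend for your estate).
RMM_KEYWORDS = {"datto rmm": "Datto RMM", "anydesk": "AnyDesk",
                "screenconnect": "ScreenConnect", "teamviewer": "TeamViewer"}

# Assumed baseline: sanctioned RMM products and the host groups allowed to run them.
BASELINE = {"ScreenConnect": {"it-managed"}}

@dataclass
class InstallEvent:
    host: str
    group: str
    display_name: str
    installed_by: str

def classify(display_name):
    """Return the canonical RMM product for an installed-software name, or None."""
    name = display_name.lower()
    for keyword, product in RMM_KEYWORDS.items():
        if keyword in name:
            return product
    return None

def find_unexpected(events, baseline=BASELINE):
    """Return (event, reason) pairs for RMM installs that fall outside the baseline."""
    alerts = []
    for ev in events:
        product = classify(ev.display_name)
        if product is None:
            continue  # not a remote access tool we track
        allowed_groups = baseline.get(product)
        if allowed_groups is None:
            alerts.append((ev, f"{product} is not a sanctioned RMM tool"))
        elif ev.group not in allowed_groups:
            alerts.append((ev, f"{product} is not sanctioned for group '{ev.group}'"))
    return alerts

# Constructed sample inventory events (not taken from the reported campaign).
SAMPLE_EVENTS = [
    InstallEvent("ws-014", "it-managed", "ScreenConnect Client (a1b2c3)", "svc-deploy"),
    InstallEvent("ws-022", "finance", "Datto RMM Agent", "jdoe"),
    InstallEvent("ws-031", "finance", "ScreenConnect Client (a1b2c3)", "mlee"),
    InstallEvent("ws-040", "hr", "7-Zip (x64)", "svc-deploy"),
]
if __name__ == "__main__":
    for ev, reason in find_unexpected(SAMPLE_EVENTS):
        print(f"ALERT {ev.host} installed_by={ev.installed_by}: {reason}")
```

A sanctioned tool on the wrong host group is flagged as well as an unsanctioned product, since either can indicate an install the IT team did not perform.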
End users should verify any unexpected government communications through official channels before downloading attachments or following embedded links. Legitimate SSA communications typically arrive via postal mail rather than email for sensitive tax documentation.