    Vimeo-Themed Phishing Campaign Targeting Personal and Banking Data

    By admin | April 8, 2026

    The Center for Internet Security® (CIS®) Cyber Threat Intelligence (CTI) team has identified an ongoing phishing campaign impacting U.S. State, Local, Tribal, and Territorial (SLTT) entities in which threat actors masquerade as Vimeo video hosting platform support to harvest victims’ personal data, including banking details. Additionally, CIS CTI analysis showed very likely related threat actor infrastructure was using tax-themed phishing lures to deliver Datto remote monitoring and management (RMM) software for follow-on actions.

    This type of threat activity isn’t new. Threat actor abuse of legitimate RMM tools rose 277% between 2025 and 2026, according to Huntress. Additionally, in late March 2026, CIS CTI reported on another phishing campaign in which threat actors used tax-themed lures to trick users at U.S. SLTTs into clicking a TryCloudflare phishing link that automatically downloaded legitimate RemotePC software, another RMM technology product.

    CIS CTI was unable to observe the RMM impact directly in this newest phishing campaign, but as noted by Microsoft, RMMs like Datto grant threat actors persistent remote access to compromised devices and enable hands-on-keyboard activity, credential theft, and additional payload delivery.

    Analysis of the Vimeo-Themed Phishing Sample

    Initial analysis stemmed from a Vimeo-themed phishing sample submitted by a member of the Multi-State Information Sharing and Analysis Center® (MS-ISAC®). CIS CTI’s analysis of the member-reported phishing sample (see Figure 1) revealed the email passed Sender Policy Framework (SPF) as a designated sender for mg[.]vimeo[.]com, which is Vimeo’s Mailgun sending domain. Passing SPF for Mailgun indicates the threat actor sent the email through a legitimate Vimeo mail path, likely by abusing a Vimeo platform feature.

    The included link (https[:]//vimeo[.]verify389[.]live/255126394) was not active at the time of analysis, so CIS CTI directed its focus to the vimeo[.]verify389[.]live registered domain. VirusTotal relations for vimeo[.]verify389[.]live included a communicating file titled “Alice Support sent you a message on Vimeo – Vimeo – 2026-03-06 0844.eml” that contained nearly identical content to the original member-submitted sample. The sample pointed to the URL: https[:]//vimeo[.]verify389[.]live/253553798. The HTML contents of the URL indicated the page attempted to harvest victims’ credit card information, Social Security Number, date of birth, PayPal credentials, and other personal data.

     

    Figure 1: MS-ISAC member-submitted phishing sample
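
    Because the sample passed SPF through Vimeo's own mail path, sender authentication alone does not separate it from genuine Vimeo mail; the link host does. The following triage sketch is an added example, not CIS CTI's tooling. The message, header values and hostnames in it are constructed, and the two-label registered-domain rule is a simplifying assumption.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

BRAND = "vimeo"                # brand label the lure imitates
BRAND_DOMAINS = {"vimeo.com"}  # assumption: the brand's own registered domains

# Constructed sample message (not the member-submitted email); link host is a reserved name.
SAMPLE_EML = """\
From: Alice Support <no-reply@vimeo.com>
To: clerk@county.example
Subject: Alice Support sent you a message on Vimeo
Authentication-Results: mx.county.example; spf=pass smtp.mailfrom=bounce@mg.vimeo.com
Content-Type: text/plain

Please verify your account: https://vimeo.verify-portal.example/1234567
Help centre: https://vimeo.com/help
"""

def registered_domain(host):
    """Naive eTLD+1 (last two labels). Assumption: use a Public Suffix List in production."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def spf_pass_domain(msg):
    """Return the smtp.mailfrom domain if Authentication-Results reports spf=pass."""
    for value in msg.get_all("Authentication-Results", []):
        if re.search(r"\bspf=pass\b", value, re.I):
            m = re.search(r"smtp\.mailfrom=(?:[^\s;@]*@)?([^\s;]+)", value, re.I)
            if m:
                return m.group(1).lower()
    return None

def lookalike_links(msg):
    """Link hosts that carry the brand as a label but sit outside the brand's domains."""
    hits = []
    for url in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload()):
        host = (urlsplit(url).hostname or "").lower()
        if BRAND in host.split(".") and registered_domain(host) not in BRAND_DOMAINS:
            hits.append(host)
    return hits

def triage(raw):
    msg = message_from_string(raw)
    mailfrom = spf_pass_domain(msg)
    return {
        # True means the mail really did leave through the brand's mail path
        "spf_pass_via_brand": bool(mailfrom) and registered_domain(mailfrom) in BRAND_DOMAINS,
        "lookalike_hosts": lookalike_links(msg),
    }

print(triage(SAMPLE_EML))
```

    A message where both fields are populated matches the pattern described above: authenticated through the brand's sender, yet linking to a host that only borrows the brand name as a subdomain label.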

    Broader Infrastructure Downloaded Datto RMM

    Additional analysis revealed a broader network of domains tied to verify389[.]live and staged to engage in similar social engineering efforts, including leveraging tax-themed lures. CIS CTI pivoted on the body SHA (a VirusTotal similarity hash of a webpage’s HTML content) hosted at http[:]//www[.]verify389[.]live/ to identify additional URLs:


    The matching similarity hashes indicate these URLs were built off nearly identical HTML structure, suggesting they are all very likely part of the same threat activity cluster or built from the same template.

    Identification of Tax-Themed Phishing Lures

    This was the first point at which CIS CTI identified tax-themed lures associated with this infrastructure. Running a passive DNS query identified 24 domains using mytax-organizer as a subdomain across varying registered domains and 14 domains using variations of tax-filecenter as a subdomain.
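
    The same lure labels can be hunted in local resolver logs. The sketch below is an added example, not CIS CTI's query. The log format, client addresses and domains are constructed, and the suffix pattern used to catch "variations" is an assumption.

```python
import re
from collections import defaultdict

# Lure labels named in the report; a trailing "-suffix" is allowed to catch variations.
LURE_LABEL = re.compile(r"^(mytax-organizer|tax-filecenter)(-[a-z0-9-]+)?$")

# Constructed resolver log lines: timestamp, client, qname, qtype. Domains are reserved names.
SAMPLE_LOG = """\
2026-03-27T14:02:11Z 10.1.4.22 mytax-organizer.books.example A
2026-03-27T14:02:40Z 10.1.4.22 www.irs.gov A
2026-03-27T14:05:03Z 10.1.7.9 tax-filecenter-irs.studio.example A
2026-03-27T14:09:55Z 10.1.7.9 mytax-organizer.press.example A
2026-03-27T14:11:20Z 10.1.9.3 tax-filecenter.travel.example AAAA
2026-03-27T14:12:01Z 10.1.9.3 filecenter.tax.example A
"""

def hunt(log_text):
    """Group lure-label queries by family: registered domains seen and querying clients."""
    families = defaultdict(lambda: {"domains": set(), "clients": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed lines
        _, client, qname, _ = parts
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue                      # need a subdomain in front of a registered domain
        m = LURE_LABEL.match(labels[0])
        if m:
            fam = families[m.group(1)]
            fam["domains"].add(".".join(labels[-2:]))  # naive eTLD+1 (assumption)
            fam["clients"].add(client)
    return {k: {f: sorted(v) for f, v in d.items()} for k, d in families.items()}

print(hunt(SAMPLE_LOG))
```

    One lure label resolving under several unrelated registered domains is the pattern the passive DNS query surfaced; the client list shows which hosts to check for an unexpected RMM install.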

    The following hashes represent Datto RMM files downloaded from URLs hosted at various malicious domains, including mytax-organizer and tax-filecenter subdomains. The files are both signed as Datto RMM and contact legitimate Centrastage or Datto domains:

    • 9021c1b954334d1743eaf2b7ca3bab35227c7ac701d2c90de38713864c5792fa
    • efdb468a04e77d6cd0c55e6667ba0b370e5c0de6c6ad4f6c7507af2474d04182

    In addition to URLs containing variations of tax-filecenter and mytax-organizer subdomains, CIS CTI identified 94 URLs downloading these executables, including additional tax-themed URLs, Amazon Web Services (AWS) buckets, and Bitbucket URLs, suggesting broad malicious infrastructure abusing Datto RMM. CIS CTI has since shared these domains in the MS-ISAC Real-Time Indicator Feeds and blocked the domains in the Malicious Domain Blocking and Reporting (MDBR) service.

    The overlaps across this infrastructure and tax-themed domains delivering Datto RMM indicate this is likely a broader financially motivated social engineering campaign exploiting tax season.

    Don’t Delay Your Cyber Defenses until Next Tax Season

    To continually receive tailored mitigations and IOCs related to active cyber threats like the Vimeo-themed phishing campaign discussed above, you can join the MS-ISAC, a community dedicated to the Collective Cyber Defense of U.S. SLTTs. Members received early reporting on this phishing campaign, including over 1,000 IOCs through the CIS Indicator Sharing Program. Members also regularly receive support through services like MDBR, which at the time of publication has already blocked nearly 74,000 queries since March 26 to malicious domains associated with this campaign.

    Ready to counter tax-themed phishing lures through Collective Cyber Defense?

     


