Microsoft Exposes Large-Scale Phishing Campaign Targeting 35,000 Users in 26 Countries
- May 5
- 4 min read
Key Findings
Large-scale credential theft campaign targeted over 35,000 users across 26 countries between April 14-16, 2026
92% of targets were located in the U.S. across 13,000 organizations
Healthcare and life sciences (19%), financial services (18%), professional services (11%), and technology sectors (11%) were primary targets
Attackers used legitimate email delivery services to distribute phishing messages disguised as internal code of conduct reviews
Campaign employed adversary-in-the-middle (AiTM) phishing to bypass multi-factor authentication and steal authentication tokens in real-time
Multi-stage attack chain used CAPTCHA pages and intermediate staging sites to evade automated defenses
Background
Microsoft's Defender Security Research Team disclosed details of what they describe as one of the most sophisticated code-of-conduct-themed credential theft operations observed to date. The campaign occurred over a three-day window in mid-April 2026 and represents a significant shift in how threat actors are structuring phishing attacks. Rather than relying on obviously suspicious emails, the attackers invested considerable effort in making their messages appear legitimate and creating psychological pressure on recipients to act quickly.
Phishing Email Design and Lures
The emails used in the campaign stood out for their polish and sophistication. They leveraged enterprise-style HTML templates with structured layouts and included preemptive authenticity statements designed to make them appear as legitimate internal communications. Display names mimicked actual company departments like "Internal Regulatory COC" and "Workforce Communications," while subject lines referenced conduct policy violations and compliance issues.
Each message included a notice stating it had been "issued through an authorized internal channel" with language claiming that "links and attachments had been reviewed and approved for secure access." This combination of official-looking formatting and reassuring language about security review significantly increased the emails' credibility compared to typical phishing attempts.
Attack Methodology
The campaign employed a multi-stage attack chain designed to maximize success rates while filtering out automated security systems. Victims received PDF attachments that appeared to contain additional information about alleged conduct reviews. When clicked, these attachments directed users to attacker-controlled domains that led through multiple CAPTCHA challenges and intermediate pages.
These intermediate pages were intentionally included to reinforce the appearance of legitimacy while simultaneously keeping out automated defenses that might otherwise flag the malicious flow. The attackers used urgency and pressure tactics throughout, with time-bound action prompts that compelled victims to proceed quickly without careful verification.
The final stage of the attack presented a convincing Microsoft sign-in page, where victims unknowingly entered their credentials. At this point, the attackers deployed adversary-in-the-middle tactics to intercept authentication tokens in real-time, effectively capturing the credentials and session information. This approach allowed threat actors to bypass multi-factor authentication entirely and gain immediate access to compromised accounts.
Technical Infrastructure
The campaign leveraged legitimate email delivery services to distribute the phishing messages, making it difficult for organizations to block the emails based on sender reputation alone. Attacker-controlled domains were registered with names designed to appear credible, such as acceptable-use-policy-calendly[.]de.
The attack chain's final destination varied depending on whether victims accessed it from mobile or desktop devices, suggesting the threat actors had implemented different payload strategies for different platforms. This level of operational flexibility demonstrates significant technical sophistication and planning.
Broader Phishing Trends in 2026
The April campaign occurred within a context of rapidly evolving phishing tactics. Microsoft's analysis of the email threat landscape between January and March 2026 revealed concerning trends in threat actor capabilities.
QR code phishing emerged as the fastest-growing attack vector during the quarter, with attack volumes jumping from 7.6 million in January to 18.7 million in March, representing a 146% increase. By late March, attackers began embedding QR codes directly in email bodies, further streamlining the attack delivery process.
CAPTCHA-gated phishing also evolved rapidly across different payload types, with attackers increasingly using these security measures not for legitimate purposes but to create the appearance of security. Additionally, large HTML and ZIP files became dominant in malicious payload distribution, accounting for a huge portion of phishing emails detected during the period.
Credential Harvesting and MFA Bypass
Analysis of detected phishing threats revealed that credential harvesting remained the end goal for the vast majority of attacks. Malware delivery declined to just 5-6% by the end of the first quarter, indicating a clear shift in attacker priorities toward gaining account access rather than endpoint compromise.
The use of adversary-in-the-middle tactics specifically designed to bypass multi-factor authentication represents a significant escalation in threat actor capabilities. By intercepting authentication tokens during the login process, attackers can maintain persistent access to accounts even when MFA is enabled, effectively neutralizing this critical security control.
Phishing-as-a-Service Evolution
The Tycoon 2FA phishing-as-a-service platform demonstrated the resilience of the phishing ecosystem following disruption efforts. Following a coordinated disruption operation in March 2026, platform operators attempted to shift their infrastructure away from commonly used hosting providers like Cloudflare and distributed their domains across a variety of alternative platforms.
This migration strategy suggests that PhaaS operators are actively seeking hosting providers offering anti-analysis protections comparable to those they lost, allowing the criminal ecosystem to continue operating despite law enforcement and security industry intervention.
Business Email Compromise Activity
Business email compromise scams showed more volatility during the same period, with attack volumes crossing 4 million in March 2026, up from over 3.5 million in January and more than 3 million in February. Across the first quarter, 10.7 million BEC attacks were recorded, maintaining this fraud vector as a significant threat to organizations globally.
Recommended Defense Measures
Microsoft recommends a multi-layered approach to defend against these sophisticated attacks. Organizations should review Exchange Online Protection and Defender for Office 365 settings, with particular attention to enabling Zero-hour Auto Purge, Safe Links, and Safe Attachments features. Network protection and SmartScreen-enabled browsers provide additional layers of defense.
User awareness training and phishing simulations remain critical, as the sophistication of these attacks makes human judgment an important part of the defense strategy. Manual monitoring and rapid removal of suspicious emails can limit campaign success rates. Strong authentication methods including MFA, passwordless sign-in, and conditional access policies for privileged accounts are essential security baselines. Finally, enabling automated attack disruption in Defender XDR helps detect and contain threats quickly before they cause widespread damage.
Sources
https://thehackernews.com/2026/05/microsoft-details-phishing-campaign.html
https://securityaffairs.com/191695/security/microsoft-warns-of-global-campaign-stealing-auth-tokens-from-35k-users.html

Comments