248/69 Thursday, May 7, 2026
Microsoft has disclosed a large-scale phishing campaign targeting more than 35,000 users across 26 countries during mid-April 2026. The attackers used fraudulent emails themed around “Code of Conduct” violations, delivered through legitimate email services, to lure victims into visiting fake websites designed to steal authentication tokens and login credentials.
Microsoft stated that the attackers employed Adversary-in-the-Middle (AiTM) techniques to intercept authentication tokens in real time, even when victims had Multi-Factor Authentication (MFA) enabled. The phishing emails were crafted to resemble internal corporate documents, using subjects such as “Internal case log issued under conduct policy” to create urgency and credibility. When victims clicked links embedded in PDF attachments, they were redirected to fake CAPTCHA pages and subsequently to counterfeit Microsoft login pages designed to closely mimic legitimate authentication portals, allowing attackers to capture session tokens and account credentials.
According to Microsoft, approximately 92% of the targeted victims were located in the United States, particularly within the healthcare and financial sectors, which are considered high-value targets due to the sensitive nature of their data. Microsoft recommends that organizations strengthen defenses by enabling phishing protection features in Microsoft Defender and Exchange Online Protection, adopting phishing-resistant MFA or passwordless authentication methods, and conducting regular employee awareness training to help users identify suspicious emails and fraudulent websites.