Microsoft Exposes Massive Phishing Campaign: 35,000 Users Targeted via AiTM Credential Theft
Microsoft has disclosed details of a sophisticated large-scale credential theft campaign that leveraged polished enterprise-style templates, legitimate email services, and adversary-in-the-middle (AiTM) phishing techniques to compromise more than 35,000 users across 26 countries in just three days.
Campaign Overview: Breaking the Code
The multi-stage campaign, observed between April 14 and 16, 2026, targeted more than 35,000 users across over 13,000 organizations in 26 countries, with 92% of targets located in the United States. The attack demonstrated a level of sophistication that made it significantly more convincing than typical phishing operations.
Targeted Industries
The majority of phishing emails were directed against:
- Healthcare and Life Sciences: 19% of targets
- Financial Services: 18% of targets
- Professional Services: 11% of targets
- Technology and Software: 11% of targets
These sectors were chosen deliberately—they handle sensitive data, have high regulatory compliance requirements, and are more likely to respond urgently to messages framed as compliance or conduct-related issues.
The Lure: Code of Conduct Reviews
The campaign's defining characteristic was its use of code of conduct-themed lures, employing display names like:
- "Internal Regulatory COC"
- "Workforce Communications"
- "Team Conduct Report"
Subject lines included:
- "Internal case log issued under conduct policy"
- "Reminder: employer opened a non-compliance case log"
According to Microsoft's analysis: "The lures in this campaign used polished, enterprise-style HTML templates with structured layouts and preemptive authenticity statements, making them appear more credible than typical phishing emails and increasing their plausibility as legitimate internal communications."
Psychological Manipulation Tactics
The campaign employed several psychological pressure techniques:
- Accusations: Messages contained implications of non-compliance or policy violations
- Time-Bound Action Prompts: Recipients were pressured to act quickly or face consequences
- Legitimacy Statements: Notices at the top of each message stated it was "issued through an authorized internal channel" and that links had been "reviewed and approved for secure access"
- PDF Attachments: Emails included PDF attachments purportedly providing additional information about the conduct review, with links inside the document to initiate credential harvesting
The Attack Chain: From Email to Compromise
The attack flow was carefully designed to maximize success rates while evading automated defenses:
Stage 1: Legitimate Email Delivery
The emails were sent from a legitimate email delivery service—not compromised accounts or bulletproof hosting. This meant the messages passed SPF, DKIM, and DMARC checks, making them appear authentic to email security gateways.
Stage 2: CAPTCHA-Gated Intermediate Pages
After clicking the link, victims were directed through multiple rounds of CAPTCHA and intermediate pages designed to:
- Lend legitimacy: The presence of CAPTCHA made the flow appear more like a legitimate corporate security measure
- Evasion: Keep out automated security scanners and sandboxing tools that typically don't complete CAPTCHA challenges
- Filter targets: Ensure only human users proceed to the final phishing stage
Stage 3: Adversary-in-the-Middle (AiTM) Phishing
The final destination was a sign-in experience leveraging adversary-in-the-middle (AiTM) phishing tactics to harvest Microsoft credentials and authentication tokens in real-time. This technique effectively allows threat actors to bypass multi-factor authentication (MFA).
Here's how AiTM works:
- Victim enters credentials on the fake login page
- Attacker's server proxies those credentials to the real Microsoft login in real-time
- Microsoft sends MFA challenge to victim's device
- Victim enters MFA code on fake page
- Attacker's server proxies MFA code to Microsoft
- Microsoft authenticates and returns session token
- Attacker captures the session token—bypassing the need for credentials or MFA for future access
Once the attacker has the session token, they can access the victim's account even after the password is changed, because the token represents an authenticated session.
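The reason FIDO2/WebAuthn is not fooled by this relay is that the browser records the origin the user is actually on, and the authenticator only signs for a relying-party id matching that origin. The following is an added example (not Microsoft's or any library's code) of the relying-party checks that enforce this; RP_ID, EXPECTED_ORIGIN and the lookalike host are constructed assumptions, and signature verification is noted but not shown.

```python
import base64
import hashlib
import json

# Constructed relying-party (RP) values; assumptions for this example only.
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in WebAuthn clientData."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON: the browser writes the origin the user is really on."""
    payload = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    return json.dumps(payload).encode()


def make_auth_data(rp_id: str) -> bytes:
    """Constructed authenticatorData: rpIdHash(32) | flags(1, UP set) | signCount(4)."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")


def verify_assertion(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> bool:
    """RP-side checks that bind the assertion to our origin and rpId.
    The signature check (over auth_data || sha256(client_data_json), using the
    public key stored at registration) follows these checks and is not shown."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != b64url(challenge):  # stale or replayed challenge
        return False
    if cd.get("origin") != EXPECTED_ORIGIN:  # a login relayed from a lookalike host fails here
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():  # signed for the wrong rpId
        return False
    return True


def demo() -> tuple:
    """Legitimate sign-in vs. the same challenge relayed through an AiTM proxy."""
    challenge = b"\x01" * 32
    legit = verify_assertion(make_client_data(EXPECTED_ORIGIN, challenge),
                             make_auth_data(RP_ID), challenge)
    # The victim's browser is on the attacker's host, so clientData carries that origin
    # and the authenticator would only sign for that host's rpId (constructed lookalike).
    proxied = verify_assertion(make_client_data("https://login.example-secure.com", challenge),
                               make_auth_data("login.example-secure.com"), challenge)
    return legit, proxied
```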
Device-Specific Routing
Microsoft noted that the final destination depended on whether the malicious flow was triggered from a mobile device or a desktop system—suggesting the attackers had optimized phishing pages for different platforms to maximize success rates.
Phishing Trends in Q1 2026
The disclosure coincides with Microsoft's analysis of the email threat landscape between January and March 2026, which revealed several concerning trends:
QR Code Phishing: Fastest-Growing Vector
QR code phishing (or "quishing") emerged as the fastest-growing attack vector:
- January 2026: 7.6 million QR phishing attempts
- March 2026: 18.7 million QR phishing attempts
- Increase: 146% growth in three months
One notable development in late March was the use of QR codes embedded directly in email bodies—not just as attachments—making them harder for security tools to analyze.
CAPTCHA-Gated Phishing Evolution
CAPTCHA-gated phishing evolved "rapidly" across payload types in Q1 2026. Microsoft detected about 8.3 billion email-based phishing threats during the quarter, with:
- 80% link-based: Malicious URLs as the primary attack vector
- Large HTML and ZIP files: Accounted for a large share of malicious payloads
- Credential harvesting: End goal of the vast majority of attacks
- Malware delivery: Declined to a mere 5-6% by the end of the quarter
Tycoon 2FA Adaptation Post-Disruption
Following a coordinated disruption operation by Europol in March 2026, operators of the Tycoon 2FA phishing-as-a-service (PhaaS) platform attempted to shift hosting providers and domain registration patterns:
"Toward the end of March, we saw Tycoon 2FA moving away from Cloudflare as a hosting service and now hosts most of its domains across a variety of alternative platforms, suggesting the group is attempting to find replacement services that offer comparable anti-analysis protections."
Amazon SES Abuse: Weaponizing Trusted Infrastructure
The findings also coincide with the emergence of phishing and business email compromise (BEC) campaigns that abuse Amazon Simple Email Service (SES) as a delivery vector.
How Amazon SES Attacks Work
- Gain Access: Attackers obtain AWS access keys through leaks, breaches, or credential stuffing
- Weaponize SES: Use legitimate Amazon SES infrastructure to send phishing emails
- Bypass Defenses: Messages pass SPF, DKIM, and DMARC because they're sent from legitimate AWS infrastructure
- Evade Blocklists: Amazon SES IP addresses are unlikely to be blocklisted
- Harvest Credentials: Direct victims to phony sign-in pages that look entirely legitimate
According to Kaspersky: "The insidious nature of Amazon SES attacks lies in the fact that attackers aren't using suspicious or dangerous domains; instead, they are leveraging infrastructure that both users and security systems have grown to trust."
Notable Q1 2026 Campaigns
Microsoft highlighted two noteworthy campaigns from Q1 2026:
Campaign 1: 401(k)-Themed Attack (February 23-25, 2026)
- Scale: 1.2+ million messages
- Targets: 53,000+ organizations in 23 countries
- Lures: 401(k)-, payment-, and invoice-themed
- Payload: SVG attachment
- Flow: Open SVG → CAPTCHA check → fake sign-in page
Campaign 2: Massive HTML Attachment Blitz (March 17, 2026)
- Scale: 1.5+ million confirmed malicious messages
- Targets: 179,000+ organizations across 43 countries
- Significance: Accounted for 7% of all malicious HTML attachments observed in March
- Flow: Open HTML → initial phishing page (screening) → CAPTCHA challenge → fraudulent sign-in page
- Infrastructure: Multiple PhaaS providers (Tycoon 2FA, Kratos/Sneaky 2FA, EvilTokens)
Business Email Compromise (BEC) Trends
BEC scams exhibited fluctuations in Q1 2026:
- January: 3+ million attacks
- February: 3+ million attacks
- March: 4+ million attacks
- Q1 Total: 10.7 million BEC attacks
Protection and Mitigation
For Organizations:
- Implement FIDO2/WebAuthn: Hardware security keys or platform authenticators are resistant to AiTM attacks because they bind authentication to the legitimate domain
- Deploy Conditional Access: Restrict sign-ins based on location, device compliance, and risk signals
- Monitor for Token Theft: Use Microsoft Defender for Identity or similar tools to detect impossible travel, anomalous token usage, and other indicators of session hijacking
- Email Security: Implement advanced phishing protection that can analyze QR codes, complete CAPTCHA challenges, and detect AiTM infrastructure
- User Training: Educate users about code of conduct lures, time-pressure tactics, and the importance of verifying unexpected compliance-related communications
- AWS Credential Hygiene: Rotate AWS access keys regularly, use IAM roles instead of long-term credentials, and monitor for leaked keys
For Users:
- Verify Unexpected Communications: If you receive a compliance or conduct-related email, verify through official channels before clicking links
- Check URLs Carefully: AiTM phishing sites often use domains that look similar to legitimate ones (e.g., "micros0ft.com" or "login.microsoft0365.com")
- Use MFA Methods Resistant to AiTM: FIDO2 security keys, Windows Hello, or authenticator apps with number matching are more resistant than SMS or push notifications
- Report Suspicious Emails: Forward phishing attempts to your IT security team immediately
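As an added example of the "anomalous token usage" monitoring recommended above (not code from Microsoft or any product), the following rule flags a session that is used from a different country than the one it was issued in, within a short travel window. The log lines and field names are constructed assumptions, and the one-hour window is a tunable guess rather than a vendor default.

```python
import json
from datetime import datetime, timedelta

# Constructed sign-in activity; field names are assumptions, not a product schema.
SAMPLE_LOG = """
{"ts":"2026-04-15T13:02:11Z","user":"a.lee","session":"S1","ip":"203.0.113.10","country":"US","event":"signin"}
{"ts":"2026-04-15T13:02:40Z","user":"a.lee","session":"S1","ip":"203.0.113.10","country":"US","event":"access"}
{"ts":"2026-04-15T13:09:05Z","user":"a.lee","session":"S1","ip":"198.51.100.7","country":"NL","event":"access"}
{"ts":"2026-04-15T14:00:00Z","user":"b.kim","session":"S2","ip":"192.0.2.44","country":"US","event":"signin"}
{"ts":"2026-04-15T14:30:00Z","user":"b.kim","session":"S2","ip":"192.0.2.44","country":"US","event":"access"}
"""

# A session token cannot legitimately move between countries faster than its
# user can; a replayed token tends to appear from infrastructure the session was
# never issued to. The window is an assumed, tunable threshold.
TRAVEL_WINDOW = timedelta(hours=1)


def parse_events(log_text: str) -> list:
    """Return events as dicts with a parsed datetime, oldest first."""
    events = []
    for line in log_text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_session_anomalies(log_text: str) -> list:
    """Alert when a session is used from a different country than the one it
    was issued in, within TRAVEL_WINDOW of the original sign-in."""
    issued_at = {}  # session id -> event that created the session
    alerts = []
    for e in parse_events(log_text):
        origin = issued_at.setdefault(e["session"], e)
        if origin is e:
            continue  # first sighting of this session establishes its baseline
        elapsed = e["ts"] - origin["ts"]
        if e["country"] != origin["country"] and elapsed <= TRAVEL_WINDOW:
            alerts.append({"user": e["user"], "session": e["session"],
                           "issued_from": origin["ip"], "used_from": e["ip"],
                           "minutes": int(elapsed.total_seconds() // 60)})
    return alerts
```

In production the baseline would come from the sign-in event rather than the first sighting, and the country comparison would be replaced by a distance-over-time check against the user's known locations.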
Key Takeaways
- 35,000+ users targeted: Across 13,000+ organizations in 26 countries (92% in U.S.)
- Code of conduct lures: Polished enterprise templates with accusations and time-pressure tactics
- Legitimate email services: Campaign sent from approved email delivery infrastructure
- CAPTCHA-gated: Multiple CAPTCHA challenges to evade automated defenses
- AiTM phishing: Real-time credential and token harvesting bypasses MFA
- QR phishing surge: 146% increase in Q1 2026 (7.6M → 18.7M)
- Tycoon 2FA adaptation: Moved from Cloudflare to alternative hosting post-disruption
- Amazon SES abuse: Weaponizing trusted email infrastructure to bypass SPF/DKIM/DMARC
- 8.3 billion phishing threats: Total detected by Microsoft in Q1 2026
The Bottom Line
This campaign represents the evolution of phishing from crude, easily-detectable attacks to sophisticated, multi-stage operations that leverage legitimate infrastructure, psychological manipulation, and advanced technical capabilities to compromise even security-conscious organizations.
The combination of enterprise-grade templates, CAPTCHA-gated flows, and AiTM token harvesting creates a perfect storm that can bypass traditional email security controls and MFA protections. Organizations must adopt a defense-in-depth strategy that includes FIDO2 authentication, advanced threat detection, user education, and continuous monitoring for signs of token-based account compromise.
The attackers aren't just after passwords anymore—they're after session tokens that grant persistent access regardless of password changes. Defending against this new reality requires understanding that MFA is necessary but not sufficient, and that the next frontier of authentication security lies in phishing-resistant methods like FIDO2/WebAuthn.