Full Report
Microsoft has disclosed details of a large-scale credential theft campaign that has leveraged a combination of code of conduct-themed lures and legitimate email services to direct users to attacker-controlled domains and steal authentication tokens. The multi-stage campaign, observed between April 14 and 16, 2026, targeted more than 35,000 users across over 13,000 organizations in 26 countries,
Analysis Summary
# Incident Report: Large-Scale AiTM Phishing Campaign (April 2026)
## Executive Summary
Between April 14 and 16, 2026, a massive phishing campaign targeted over 35,000 users across 13,000 organizations globally. The attack utilized sophisticated "Code of Conduct" lures and Adversary-in-the-Middle (AiTM) techniques to bypass Multi-Factor Authentication (MFA) and steal authentication tokens. The campaign was highly effective due to its use of legitimate email delivery services and polished, high-pressure enterprise templates.
## Incident Details
- **Disclosure Date:** Publicly reported by Microsoft in May 2026 (the campaign itself was observed April 14–16, 2026)
- **Incident Date:** April 14 – April 16, 2026
- **Affected Organizations:** 13,000+ organizations
- **Most-Targeted Sectors:** Healthcare/Life Sciences (19%), Financial Services (18%), Professional Services (11%), Tech/Software (11%)
- **Geography:** Global (26 countries); 92% of targets located in the United States
## Timeline of Events
### Initial Access
- **Date/Time:** April 14, 2026
- **Vector:** Phishing via legitimate email delivery services.
- **Details:** Attackers sent emails with "Code of Conduct" violation lures (e.g., "Internal case log issued under conduct policy"). Messages featured polished HTML templates and "authenticity statements" to appear as official internal communications.
### Lateral Movement
- **Details:** The report focuses on token theft and does not describe post-compromise activity. A stolen session token lets the attacker act as the compromised user inside the cloud tenant without triggering a fresh sign-in, so lateral movement within the tenant is the expected follow-on rather than an observed one.
### Data Exfiltration/Impact
- **Details:** Real-time theft of Microsoft credentials and authentication tokens. Because the user completes MFA against the real Microsoft sign-in page through the attacker's proxy, the resulting session token is issued with MFA already satisfied; replaying that token gives the attacker full access to the user's account and the corporate data it can reach, with no further MFA prompt.
### Detection & Response
- **How it was discovered:** Monitored and disclosed by Microsoft Defender Security Research and Microsoft Threat Intelligence.
- **Response actions taken:** Microsoft blocked the infrastructure and published the campaign details to alert affected organizations.
## Attack Methodology
- **Initial Access:** Phishing emails leveraging high-pressure HR-themed lures and PDF attachments.
- **Persistence:** Replay of stolen session tokens keeps the attacker signed in without re-authenticating, until the token expires or is revoked.
- **Defense Evasion:** Use of legitimate email services to bypass spam filters; CAPTCHA gates used to block automated security scanners and "sandboxes."
- **Credential Access:** Adversary-in-the-Middle (AiTM) proxying to intercept credentials and MFA responses in real time as the user submits them.
- **Social Engineering (lure design):** Phishing templates included "preemptive authenticity statements" asserting that the message was a genuine internal notice, to defuse recipient suspicion before the user reached the credential prompt.
- **Impact:** Unauthorized access to cloud-based enterprise resources.
## Impact Assessment
- **Financial:** High potential risk due to the targeting of 13,000+ organizations, though specific dollar amounts were not disclosed.
- **Data Breach:** Microsoft 365/Azure authentication tokens at risk for the 35,000+ targeted users; the number of accounts actually compromised was not disclosed.
- **Operational:** Disruption caused by remediation (password resets, session revocations) and potential follow-on attacks.
- **Reputational:** High risk for organizations in the healthcare and financial sectors due to the sensitive nature of their data.
## Indicators of Compromise
- **Network indicators:**
- Attacker-controlled domains (Specific URLs defanged in Microsoft's full technical report).
- Traffic to legitimate email delivery services used maliciously.
- **Behavioral indicators:**
- Sign-ins from unusual locations or "impossible travel" scenarios.
- User interaction with "Internal Regulatory COC" or "Workforce Communications" display names.
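The behavioral indicators above can be turned into a simple detection pass over sign-in logs. The script below is an added illustration, not Microsoft's code; the events are constructed for the example, and the field names are only loosely modelled on Entra ID sign-in log columns (an assumption, not the real schema). It flags two patterns typical of AiTM token replay: the same session ID used from a different IP and country than the one that established it, and "impossible travel" between two successful sign-ins for one user.

```python
"""Flag AiTM-style session replay and impossible travel in sign-in logs.

Added example: constructed events and an assumed schema, not a real log format.
"""
from __future__ import annotations

import json
import math
from datetime import datetime

# Constructed sample events (NDJSON). Coordinates are approximate city centres.
# alice: interactive sign-in from New York, then the same session replayed from
#        the Netherlands seven minutes later (AiTM-style token replay).
# bob:   two ordinary sign-ins from Los Angeles and San Francisco 2.5 h apart.
SAMPLE_LOG = """\
{"user": "alice@example.com", "time": "2026-04-14T13:02:10Z", "ip": "198.51.100.23", "country": "US", "lat": 40.71, "lon": -74.01, "sessionId": "s-1", "interactive": true, "result": "success"}
{"user": "alice@example.com", "time": "2026-04-14T13:09:44Z", "ip": "203.0.113.77", "country": "NL", "lat": 52.37, "lon": 4.90, "sessionId": "s-1", "interactive": false, "result": "success"}
{"user": "bob@example.com", "time": "2026-04-14T14:00:00Z", "ip": "198.51.100.40", "country": "US", "lat": 34.05, "lon": -118.24, "sessionId": "s-2", "interactive": true, "result": "success"}
{"user": "bob@example.com", "time": "2026-04-14T16:30:00Z", "ip": "198.51.100.41", "country": "US", "lat": 37.77, "lon": -122.42, "sessionId": "s-3", "interactive": true, "result": "success"}
"""


def parse_events(ndjson: str) -> list[dict]:
    """Parse NDJSON sign-ins, convert timestamps, and sort chronologically."""
    events = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def find_impossible_travel(events: list[dict], max_kmh: float = 900.0) -> list[dict]:
    """Consecutive successful sign-ins per user whose implied speed exceeds max_kmh."""
    findings = []
    last_by_user: dict[str, dict] = {}
    for ev in events:
        if ev["result"] != "success":
            continue
        prev = last_by_user.get(ev["user"])
        if prev is not None:
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600.0
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            speed = km / hours if hours > 0 else float("inf")
            if km > 0 and speed > max_kmh:
                findings.append({"user": ev["user"], "from_ip": prev["ip"],
                                 "to_ip": ev["ip"], "km": round(km), "kmh": round(speed)})
        last_by_user[ev["user"]] = ev
    return findings


def find_session_replay(events: list[dict]) -> list[dict]:
    """A session ID reused from a different IP/country than the sign-in that created it.

    Caveat: under AiTM the interactive sign-in itself often comes from the proxy's
    IP rather than the victim's, so in production also compare against the user's
    historical sign-in locations, not just the first event of the session."""
    findings = []
    origin: dict[str, dict] = {}
    for ev in events:
        sid = ev["sessionId"]
        if sid not in origin:
            origin[sid] = ev
            continue
        first = origin[sid]
        if ev["ip"] != first["ip"] or ev["country"] != first["country"]:
            findings.append({"user": ev["user"], "sessionId": sid,
                             "established_from": f"{first['ip']} ({first['country']})",
                             "reused_from": f"{ev['ip']} ({ev['country']})",
                             "interactive": ev["interactive"]})
    return findings


def analyze(ndjson: str) -> dict:
    events = parse_events(ndjson)
    return {"impossible_travel": find_impossible_travel(events),
            "session_replay": find_session_replay(events)}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

Running it reports alice once under each detector (New York to the Netherlands in seven minutes, and session `s-1` reused from a second IP) and nothing for bob, whose Los Angeles to San Francisco gap implies a speed well under the threshold.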
## Response Actions
- **Containment:** Revocation of compromised session tokens and forced password resets for affected users.
- **Eradication:** Blocking of malicious domains and IP addresses at the DNS/Firewall level.
- **Recovery:** Restoration of secure access and audits of account activity during the compromise window.
## Lessons Learned
- **MFA is not a Silver Bullet:** OTP and push-based MFA can be relayed through an AiTM proxy because the user's response is not bound to the site that asked for it; organizations need to move toward phishing-resistant MFA (FIDO2/Passkeys), where the credential is scoped to the legitimate origin.
- **Abuse of Trust:** Attackers are successfully using legitimate delivery services and "Code of Conduct" themes to bypass both technical filters and human suspicion.
- **Urgency as a Weapon:** The "sense of urgency" created by HR-themed accusations remains a highly successful social engineering tactic.
## Recommendations
- **Implement Phishing-Resistant MFA:** Transition to FIDO2-based or certificate-based authentication. These bind the credential to the legitimate origin, so a proxy on a look-alike domain cannot complete the sign-in and no token is issued for the attacker to steal.
- **Security Awareness Training:** Update training to include "AiTM" awareness and the danger of CAPTCHA-gated phishing sites.
- **Conditional Access:** Implement strict Conditional Access policies (e.g., requiring compliant/managed devices) to limit the utility of stolen tokens used on unmanaged attacker systems.
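To make the difference between relayable and phishing-resistant MFA concrete, the following added example (not Microsoft's or any vendor's code) models both ceremonies under an AiTM proxy. It implements RFC 6238 TOTP and a simplified WebAuthn assertion check. Assumptions: the authenticator "signature" is an HMAC over the same data a real authenticator signs, so the relying party holds the credential secret rather than a public key; the origins, rpId and challenge are made up; and the real protocol's CBOR encoding and attestation are omitted because they do not affect the origin check being demonstrated.

```python
"""Relayed TOTP passes an AiTM proxy; a WebAuthn assertion does not.

Added illustration with constructed secrets and origins. The HMAC stands in
for the authenticator's asymmetric signature (a simplification)."""
import hashlib
import hmac
import json
import struct

# ---- TOTP (RFC 6238, HMAC-SHA1, 30 s step): the relayable case ----
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def relay_totp_through_proxy(secret: bytes, unix_time: int) -> bool:
    """The user types the code into the phishing page; the proxy forwards it
    verbatim to the real site. Nothing in the code identifies which site the
    user was looking at, so the real site accepts it."""
    code_typed_on_phishing_page = totp(secret, unix_time)
    code_received_by_real_site = code_typed_on_phishing_page
    return hmac.compare_digest(code_received_by_real_site, totp(secret, unix_time))


# ---- WebAuthn-style assertion: the phishing-resistant case ----
REAL_ORIGIN = "https://login.example.com"          # assumed relying-party origin
REAL_RP_ID = "login.example.com"
PHISH_ORIGIN = "https://login.example-com.test"    # assumed proxy origin
PHISH_RP_ID = "login.example-com.test"


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def make_client_data(challenge: str, origin: str) -> bytes:
    # The browser, not the page, fills in 'origin' from the URL it is showing.
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()


def authenticator_sign(cred_secret: bytes, rp_id: str, client_data: bytes) -> bytes:
    # Real authenticators sign authenticatorData || SHA-256(clientDataJSON).
    authenticator_data = rp_id_hash(rp_id) + b"\x01"   # flags: user present
    return hmac.new(cred_secret, authenticator_data + hashlib.sha256(client_data).digest(),
                    hashlib.sha256).digest()


def verify_assertion(cred_secret: bytes, expected_challenge: str, client_data: bytes,
                     rp_id_used: str, signature: bytes) -> tuple[bool, str]:
    """Relying-party checks: challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != REAL_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if rp_id_hash(rp_id_used) != rp_id_hash(REAL_RP_ID):
        return False, "rpIdHash mismatch"
    if not hmac.compare_digest(authenticator_sign(cred_secret, rp_id_used, client_data), signature):
        return False, "bad signature"
    return True, "ok"


def webauthn_login(cred_secret: bytes, page_origin: str, rp_id_for_page: str,
                   challenge: str) -> tuple[bool, str]:
    """Simulate a sign-in from a page served at page_origin (real or proxied).
    A real authenticator would find no credential for the proxy's rpId at all;
    here we let it sign anyway to show the relying party still rejects it."""
    client_data = make_client_data(challenge, page_origin)
    sig = authenticator_sign(cred_secret, rp_id_for_page, client_data)
    return verify_assertion(cred_secret, challenge, client_data, rp_id_for_page, sig)


def demo() -> dict:
    totp_secret = b"constructed-totp-seed"
    cred_secret = b"constructed-credential-secret"
    challenge = "c0ffee"          # would be random per ceremony
    unix_time = 1_776_000_000     # fixed so the run is deterministic
    return {
        "totp_relay_accepted": relay_totp_through_proxy(totp_secret, unix_time),
        "webauthn_direct": webauthn_login(cred_secret, REAL_ORIGIN, REAL_RP_ID, challenge),
        "webauthn_relayed": webauthn_login(cred_secret, PHISH_ORIGIN, PHISH_RP_ID, challenge),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The TOTP relay is accepted, the direct WebAuthn sign-in verifies, and the proxied WebAuthn sign-in fails at the origin check before the signature is even examined. That origin (and the rpId scoping that would stop the authenticator from answering at all) is what "phishing-resistant" means in practice; the Conditional Access device requirement above is the complementary control for tokens that have already been stolen.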