Microsoft Uncovers Sophisticated Phishing Campaign Hitting 35,000 Users Globally

Executive Summary

The Microsoft Threat Intelligence team has published a detailed report on a large-scale credential theft campaign that targeted over 35,000 users across 13,000 organizations. The attack, which occurred in waves from April 14-16, 2026, employed sophisticated social engineering lures themed around corporate 'code of conduct' policies. The attackers utilized an adversary-in-the-middle (AiTM) phishing architecture to proxy user authentication sessions in real-time, allowing them to steal valid session cookies and bypass even non-phishing-resistant multi-factor authentication (MFA). The campaign was highly targeted, with 92% of victims in the United States, and a focus on the healthcare, financial services, and professional services industries. This report serves as a critical reminder of the evolving nature of phishing attacks and the limitations of certain types of MFA.

Threat Overview

The attack chain was multi-staged and designed to evade both automated security tools and user suspicion.

1. Initial Lure: The campaign began with phishing emails sent from attacker-controlled domains using a legitimate email delivery service. The emails impersonated internal HR or compliance departments and contained urgent 'code of conduct' notifications.
2. Evasion: The emails contained PDF attachments with links, rather than links in the email body, to bypass some scanners. The attack flow also incorporated CAPTCHA challenges to hinder automated analysis.
3. Redirection: The link directed the user through a series of redirects, which varied the final landing page based on whether the user was on a desktop or mobile device.
4. AiTM Phishing: The victim was ultimately presented with a convincing, pixel-perfect replica of their organization's sign-in page. This page was not a simple credential harvester; it was an AiTM proxy. When the user entered their credentials and satisfied the MFA prompt, the AiTM server intercepted the authentication flow in real-time, captured the resulting session token (cookie), and forwarded it to the attacker.
5. Account Takeover: With the stolen session token, the attacker could gain immediate access to the user's account (e.g., Office 365, Outlook) without needing the password or to re-authenticate, effectively bypassing the MFA.

Technical Analysis

The use of an AiTM setup is the most critical technical aspect of this campaign. Unlike traditional phishing that just steals passwords, AiTM phishing defeats most forms of MFA, including SMS and authenticator app OTPs. It works by acting as a proxy between the victim and the real login service. The only forms of MFA that are resistant to this are phishing-resistant methods like FIDO2.

• Targeting: 92% of targets were in the United States.
• Top Affected Industries: Healthcare and life sciences (19%), financial services (18%), and professional services (11%).
• Trending Threat: Microsoft's report also noted a 146% increase in QR code phishing (quishing) attacks from January to March 2026, indicating another rapidly growing vector for credential theft.

MITRE ATT&CK Mapping

• T1566.002 - Phishing: Spearphishing Link: The core of the attack relies on tricking users into clicking a malicious link.
• T1566.001 - Phishing: Spearphishing Attachment: The use of PDF attachments to deliver the link.
• T1189 - Drive-by Compromise: The user is led to a malicious site that facilitates the attack.
• T1539 - Steal Web Session Cookie: This is the primary technical goal of the AiTM attack, stealing the session token after a successful login.
• T1078 - Valid Accounts: The stolen session token provides the attacker with access to a valid, authenticated session.

Impact Assessment

• Account Compromise: Successful attacks lead to full account takeover, giving attackers access to sensitive emails, files, and corporate resources.
• Data Exfiltration: Attackers can exfiltrate sensitive data from compromised mailboxes and cloud storage (e.g., SharePoint, OneDrive).
• Business Email Compromise (BEC): A compromised account is often used as a launchpad for internal phishing or BEC attacks, abusing the trust associated with the legitimate account.
• Lateral Movement: Attackers can use the access to search for information or credentials that allow them to move to other systems within the network.

IOCs — Directly from Articles

No specific Indicators of Compromise (IOCs) such as domains or IP addresses were provided in the source articles.

Cyber Observables — Hunting Hints

Security teams can hunt for AiTM activity by looking for suspicious sign-in patterns.

Detection & Response

1. Analyze Sign-in Logs: Regularly audit Azure AD (Entra ID) sign-in logs for anomalies. Look for successful sign-ins from geographically impossible locations (e.g., a user logging in from the US and then 10 minutes later from a different continent). Reference D3FEND's User Geolocation Logon Pattern Analysis.
2. Conditional Access Policies: Implement strict Conditional Access policies in Azure AD that block sign-ins from non-compliant devices, untrusted locations, or those that exhibit signs of risk.
3. Token Theft Detection: Leverage Microsoft 365 Defender and Defender for Cloud Apps, which have built-in detections for suspicious session cookie activity and AiTM phishing.

Mitigation

1. Phishing-Resistant MFA: This is the most important mitigation. Mandate the use of phishing-resistant MFA, such as FIDO2 security keys or certificate-based authentication. These methods cryptographically bind the authentication session to the user's device, which AiTM attacks cannot proxy.
2. User Training: Continuously train users to be suspicious of unexpected emails, especially those creating a sense of urgency or related to HR/compliance. Teach them to verify such requests through a separate communication channel.
3. Email Security: Implement advanced email security solutions that can analyze links and attachments in real-time and block known phishing infrastructure.
4. Limit Session Lifetimes: Reduce the lifetime of session tokens. While this doesn't prevent theft, it reduces the window of opportunity for an attacker to use a stolen token.