MICROSOFT disclosed a major phishing campaign that targeted over 35,000 users across 26 countries in mid-April 2026, stealing authentication tokens via fake code-of-conduct emails and legitimate services. According to the report published by Microsoft, attackers used multi-stage, AiTM-style phishing flows to intercept tokens in real time, bypassing weak MFA. Most victims (92%) were in the United States, with the majority centred in healthcare and finance sectors.
The operation involved presenters that mirrored enterprise communications, using polished HTML templates and urgency to direct users to attacker-controlled domains, culminating in a final stage that proxied authentication and captured tokens for immediate account access.
Microsoft urges organisations to implement a layered defence, including Defender for Office 365 protections, Safe Links, Safe Attachments, and automated attack disruption in Defender XDR, alongside user awareness training and robust MFA or passwordless methods.