thehackernews.com 5/5/2026, 8:11:41 AM · via preferred

Microsoft Details Phishing Campaign Targeting 35,000 Users Across 26 Countries

Primary Source microsoft.com

Microsoft has disclosed a large-scale credential theft campaign, observed between 14 April and 16 April 2026, that targeted more than 35,000 users across 26 countries, with 92% of targets in the United States. The majority of phishing emails focused on healthcare and life sciences (19%), financial services (18%), professional services (11%), and technology and software (11%).

According to Microsoft, the lures used polished enterprise-style HTML templates with code-of-conduct themes such as “Internal Regulatory COC” and “Team Conduct Report,” and subject lines like “Internal case log issued under conduct policy.” Notices at the top of the messages claimed that they were issued through an authorized internal channel and that links and attachments had been reviewed for secure access.

The attack chain guided victims through CAPTCHA checks and intermediate pages before presenting a sign-in experience that leveraged adversary-in-the-middle (AiTM) phishing to harvest Microsoft credentials and tokens in real time, effectively bypassing MFA, according to the Microsoft Defender Security Research Team and Microsoft Threat Intelligence. Microsoft also notes that the final destination depended on whether the flow originated from a mobile device or a desktop system.


Article by CyberSIXT