A mass phishing campaign identified by the Microsoft Defender Research team targeted more than 35,000 users across 13,000 organisations, using fake internal compliance or regulatory communications as lures. The lures used polished, enterprise-style HTML templates with pre-emptive authenticity statements to boost credibility. The campaign ran on 15 and 16 April 2026 and was detected in organisations across 26 countries, though it was aimed primarily at US firms.
According to Microsoft’s findings, the messages contained urgent, time-bound prompts and referred to a “code of conduct review”, with organisation-specific names embedded in the text to persuade recipients to open a personalised attachment. The attached PDF urged users to click a “Review Case Materials” link, which started the credential-harvesting flow, while the message claimed to come from an authorised internal channel and stated that all links had been securely reviewed.
Victims were redirected through several staged pages, with CAPTCHAs and status messages, before arriving at a final site that asked them to sign in with Microsoft under the guise of a compliance review. That final page performed an adversary-in-the-middle (AiTM) session hijack: in an AiTM phish the page is a reverse proxy that relays the victim’s credentials and MFA response to the legitimate Microsoft sign-in and captures the resulting session cookie, so the attacker obtains an authenticated session without having to defeat MFA directly.
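Because the attacker ends up holding a valid session cookie, the sign-in itself looks legitimate; what stands out afterwards is the same session being used from a client context unrelated to the one that completed the interactive sign-in. The script below is an added illustration of that detection idea and is not Microsoft's detection logic or any code from the campaign. It parses a small set of constructed sign-in records (the log format, field names, IP addresses, user agents and session identifiers are all assumed for the example) and flags any session id that was established interactively and then reused non-interactively from a different /24 network or a different user agent within a short window.

```python
"""Heuristic for AiTM-style session token replay over sign-in records.

Added example, not the page's or Microsoft's code. The log format below is
constructed for the example: one record per line,
    timestamp|user|session_id|source_ip|user_agent|kind
where kind is "interactive" (credentials/MFA entered) or "token"
(the session cookie or refresh token was used without a fresh sign-in).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records. alice and carol have their session reused from a
# different network shortly after the interactive sign-in; bob's reuse comes
# from the same /24 with the same browser (e.g. DHCP churn) and is benign.
SAMPLE_LOG = """\
2026-04-15T09:12:04Z|alice@example.com|sess-a1|203.0.113.10|Mozilla/5.0 (Windows NT 10.0) Chrome/124|interactive
2026-04-15T09:41:30Z|alice@example.com|sess-a1|198.51.100.77|python-requests/2.31|token
2026-04-15T10:05:00Z|bob@example.com|sess-b2|192.0.2.40|Mozilla/5.0 (Windows NT 10.0) Edge/124|interactive
2026-04-15T10:20:00Z|bob@example.com|sess-b2|192.0.2.41|Mozilla/5.0 (Windows NT 10.0) Edge/124|token
2026-04-15T11:00:00Z|carol@example.com|sess-c3|203.0.113.55|Mozilla/5.0 (Macintosh) Safari/17|interactive
2026-04-15T11:35:00Z|carol@example.com|sess-c3|198.51.100.9|Mozilla/5.0 (Macintosh) Safari/17|token
"""


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    session_id: str
    ip: str
    user_agent: str
    interactive: bool


def parse_log(text):
    """Parse the constructed pipe-separated format into SignIn records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, sid, ip, ua, kind = line.split("|")
        events.append(SignIn(
            ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            user=user, session_id=sid, ip=ip, user_agent=ua,
            interactive=(kind == "interactive"),
        ))
    return events


def ipv4_net24(ip):
    """Coarse network key: the first three octets of an IPv4 address."""
    return ".".join(ip.split(".")[:3])


def find_session_replays(events, window=timedelta(hours=2)):
    """Return (user, session_id, origin_ip, replay_ip) for each session that was
    established interactively and then used non-interactively, inside `window`,
    from a different /24 or a different user agent. One finding per session."""
    by_session = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_session.setdefault(e.session_id, []).append(e)

    findings = []
    for sid, evs in by_session.items():
        origin = next((e for e in evs if e.interactive), None)
        if origin is None:          # no interactive sign-in seen for this session
            continue
        for e in evs:
            if e.interactive or e.ts <= origin.ts or e.ts - origin.ts > window:
                continue
            if (ipv4_net24(e.ip) != ipv4_net24(origin.ip)
                    or e.user_agent != origin.user_agent):
                findings.append((e.user, sid, origin.ip, e.ip))
                break
    return findings


def detect_aitm_replays(log_text, window=timedelta(hours=2)):
    """Convenience wrapper: parse the constructed log and run the heuristic."""
    return find_session_replays(parse_log(log_text), window)


if __name__ == "__main__":
    for user, sid, origin_ip, replay_ip in detect_aitm_replays(SAMPLE_LOG):
        print(f"possible session replay: {user} {sid} "
              f"signed in from {origin_ip}, token reused from {replay_ip}")
```

The comparison is deliberately loose on user agent: carol's record is flagged on network alone because an attacker replaying a cookie can copy the victim's user agent, so the agent string should corroborate, not gate, the finding. The window and the /24 granularity are the tuning knobs; a short window suppresses ordinary roaming but lets a patient attacker through, which is why this heuristic is best combined with revoking sessions when a token is reused from infrastructure the organisation does not recognise.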