www.microsoft.com 5/4/2026, 3:31:45 PM

Fake code of conduct phishing steals tokens via Microsoft AiTM


According to the Microsoft Defender Security Research Team and Microsoft Threat Intelligence, a phishing campaign themed around a corporate code of conduct used a multi-stage AiTM (adversary-in-the-middle) flow to harvest credentials and session tokens, affecting tens of thousands of users across 13,000 organisations in 26 countries, with 92% of targets in the United States.

Between 14 and 16 April 2026, the attackers sent waves of messages posing as internal regulatory communications. Recipients were routed through CAPTCHA gates and intermediate pages before reaching a sign-in prompt that placed them in an AiTM session, where the attackers' proxy relayed the sign-in and captured the resulting tokens in real time. The lures used enterprise-style templates and language suggesting a confidential, time-bound review, with attachments and links designed to look legitimate and encrypted.

The chain ended in a redirect to a Microsoft sign-in page, which began the AiTM session hijack: because the proxy relays the genuine sign-in, the victim completes MFA as normal and the attacker keeps the session token issued at the end, so MFA methods that are not phishing-resistant (one-time codes, push approvals) do not stop the account takeover. A stolen token also lets the attacker in without re-authenticating, so a password reset alone is not enough; the user's sessions and refresh tokens need to be revoked as well. Microsoft recommends mitigations such as enhanced Defender for Office 365 settings, user awareness and phishing simulations, Safe Links and Safe Attachments, network protection, and using passwordless authentication where possible.
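To make the difference concrete, the following is an added model of the AiTM flow described above. It is illustration written for this page, not Microsoft's code or detection logic: the origins, user, password and keys are made up, an HMAC over the challenge and origin stands in for the FIDO2 signature, and the class and function names (IdentityProvider, Browser, AitmProxy, aitm_vs_password_otp, aitm_vs_webauthn) are assumptions. It shows the proxy relaying a password plus a TOTP-style app code and walking away with a valid session cookie, and the same proxy failing against an origin-bound (WebAuthn-style) credential, both with the browser's rpId scoping in place and, to isolate the cryptographic binding, with that scoping switched off.

```python
"""Constructed model of an AiTM phishing proxy versus two kinds of MFA.
Illustration only, not Microsoft's code; origins, user and keys are made up,
and HMAC stands in for the FIDO2 signature over (challenge, origin)."""
import hashlib
import hmac
import secrets

LEGIT_ORIGIN = "https://login.microsoftonline.com"    # real identity provider
PHISH_ORIGIN = "https://login-review.contoso-hr.test"  # hypothetical lookalike hosting the proxy
CLOCK = 1_776_000_000                                  # fixed "now" so the OTP is deterministic


def totp_code(secret, now=CLOCK):
    """RFC 6238-style 30-second code: a second factor that is not phishing-resistant."""
    mac = hmac.new(secret, (now // 30).to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return "%06d" % ((int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % 1_000_000)


class IdentityProvider:
    """Minimal relying party that issues a bearer session cookie after a successful sign-in."""

    def __init__(self, origin):
        self.origin, self.rp_id = origin, origin.split("://", 1)[1]
        self.users, self.sessions = {}, set()

    def enroll(self, user, password, otp_secret, cred_key):
        self.users[user] = {"pw": hashlib.sha256(password.encode()).hexdigest(),
                            "otp": otp_secret, "cred_key": cred_key}

    def _issue_session(self):
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return cookie

    def login_password_otp(self, user, password, otp):
        u = self.users[user]
        pw_ok = hmac.compare_digest(u["pw"], hashlib.sha256(password.encode()).hexdigest())
        return self._issue_session() if pw_ok and otp == totp_code(u["otp"]) else None

    def webauthn_challenge(self):
        return secrets.token_bytes(32)

    def login_webauthn(self, user, challenge, client_origin, signature):
        """The signed data covers the origin the browser really talked to: a relayed
        assertion carries the phishing origin and is rejected; a rewritten origin breaks the signature."""
        expected = hmac.new(self.users[user]["cred_key"], challenge + client_origin.encode(),
                            hashlib.sha256).digest()
        if client_origin == self.origin and hmac.compare_digest(signature, expected):
            return self._issue_session()
        return None


class Browser:
    """Victim's browser plus authenticator. It knows only which origin it is on."""

    def __init__(self, origin, cred_key, rp_id, enforce_rp_scope=True):
        self.origin, self.cred_key, self.rp_id, self.enforce = origin, cred_key, rp_id, enforce_rp_scope

    def webauthn_sign(self, challenge):
        host = self.origin.split("://", 1)[1]
        if self.enforce and host != self.rp_id and not host.endswith("." + self.rp_id):
            return None  # credential is scoped to rp_id and is never released to the phish origin
        sig = hmac.new(self.cred_key, challenge + self.origin.encode(), hashlib.sha256).digest()
        return self.origin, sig


class AitmProxy:
    """Reverse proxy on PHISH_ORIGIN: relays each step to the real IdP and keeps the cookie."""

    def __init__(self, idp):
        self.idp, self.stolen = idp, None

    def relay_password_otp(self, user, password, otp):
        self.stolen = self.idp.login_password_otp(user, password, otp)
        return self.stolen  # the victim is signed in and sees nothing unusual

    def relay_webauthn(self, user, browser, lie_about_origin=False):
        challenge = self.idp.webauthn_challenge()  # the real challenge, forwarded unchanged
        assertion = browser.webauthn_sign(challenge)
        if assertion is None:
            return None
        origin, sig = assertion
        if lie_about_origin:
            origin = self.idp.origin  # rewrite the origin field in transit
        self.stolen = self.idp.login_webauthn(user, challenge, origin, sig)
        return self.stolen


def _setup():
    idp = IdentityProvider(LEGIT_ORIGIN)
    otp_secret, cred_key = secrets.token_bytes(20), secrets.token_bytes(32)
    idp.enroll("alice@contoso.example", "Winter2026!", otp_secret, cred_key)  # constructed user
    return idp, otp_secret, cred_key


def aitm_vs_password_otp():
    """True if the attacker ends up holding a cookie the IdP accepts (password + app code)."""
    idp, otp_secret, _ = _setup()
    proxy = AitmProxy(idp)
    proxy.relay_password_otp("alice@contoso.example", "Winter2026!", totp_code(otp_secret))
    return proxy.stolen in idp.sessions


def aitm_vs_webauthn(enforce_rp_scope=True, lie_about_origin=False):
    """Same attack against an origin-bound credential, with the browser's rpId check on or off."""
    idp, _, cred_key = _setup()
    browser = Browser(PHISH_ORIGIN, cred_key, idp.rp_id, enforce_rp_scope)
    proxy = AitmProxy(idp)
    proxy.relay_webauthn("alice@contoso.example", browser, lie_about_origin)
    return proxy.stolen is not None and proxy.stolen in idp.sessions


if __name__ == "__main__":
    print("password+OTP through AiTM, attacker holds a valid session:", aitm_vs_password_otp())
    print("WebAuthn through AiTM, browser scoping on:", aitm_vs_webauthn())
    print("WebAuthn, scoping off, honest relay:", aitm_vs_webauthn(False))
    print("WebAuthn, scoping off, origin rewritten:", aitm_vs_webauthn(False, True))
```

The point the model makes is that the proxy never has to break MFA: with a password and app code it simply forwards what the victim types and collects the cookie the real service hands back. Origin-bound credentials close that gap twice over, first because the browser will not present the credential to a domain outside the credential's rpId, and second because even a released assertion is signed over the origin the browser was actually on, so the relying party can tell it was relayed and the proxy cannot rewrite the origin without invalidating the signature.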


Article by CyberSIXT