Microsoft Exposes AiTM Phishing Campaign Targeting 35,000 Users Across 26 Countries With Code of Conduct Lures and Real-Time Token Theft
Microsoft has disclosed a large-scale credential theft campaign that targeted more than 35,000 users across 13,000 organizations in 26 countries over a three-day window between April 14 and 16, 2026. The campaign combined polished enterprise-style lures with adversary-in-the-middle (AiTM) phishing to harvest Microsoft credentials and authentication tokens in real time. This sidesteps multi-factor authentication rather than breaking it: the victim completes the MFA challenge themselves, and the attacker keeps the session that results.
Some 92% of targets were located in the United States, with the heaviest concentration in healthcare and life sciences (19%), financial services (18%), professional services (11%), and technology (11%). The emails used code-of-conduct review themes, with sender display names such as "Internal Regulatory COC," "Workforce Communications," and "Team Conduct Report." Subject lines included variations of "Internal case log issued under conduct policy" and "Reminder: employer opened a non-compliance case log."
The lures were unusually refined. Each message used a structured HTML template with preemptive authenticity statements: headers declaring the message had been "issued through an authorized internal channel," with links and attachments "reviewed and approved for secure access." Combined with accusations of non-compliance and repeated time-bound action prompts, the campaign manufactured urgency designed to override normal caution.
The emails were sent through a legitimate email delivery service and carried PDF attachments purporting to contain additional conduct review details. Clicking the link inside the PDF started a multi-stage credential harvesting flow that routed victims through multiple CAPTCHA challenges and intermediate pages, which both lent legitimacy to the process and screened out automated analysis tools and URL scanners. The final stage presented a sign-in experience built on AiTM techniques: the phishing page sits as a reverse proxy in front of the real Microsoft sign-in, relaying the victim's password and MFA response to Microsoft while the operator captures the credentials and the session cookie issued for the completed sign-in. The phishing endpoint also adapted its behavior depending on whether the victim was on a mobile or desktop device.
Microsoft's broader Q1 2026 email threat analysis adds context to the scale of the problem. The company detected approximately 8.3 billion email-based phishing threats in the first quarter, with nearly 80% being link-based attacks. QR code phishing emerged as the fastest-growing vector, surging 146% from 7.6 million attacks in January to 18.7 million in March. Business email compromise attacks crossed 10.7 million for the quarter.
Two additional campaigns stood out during the period: a 1.2-million-message campaign in late February using 401(k) and payment-themed lures with SVG attachments, targeting 53,000 organizations across 23 countries, and a 1.5-million-message campaign on March 17 that accounted for 7% of all malicious HTML attachments observed that month. Infrastructure analysis linked the phishing endpoints to multiple phishing-as-a-service (PhaaS) providers, including Tycoon 2FA, Kratos (formerly Sneaky 2FA), and EvilTokens.
Microsoft also noted that Tycoon 2FA operators have begun migrating away from Cloudflare following a coordinated disruption operation in March 2026, redistributing their infrastructure across alternative hosting platforms that offer comparable anti-analysis protections.
Defensive Guidance:
The code-of-conduct theme is particularly effective because it triggers anxiety and urgency; employees are conditioned to take HR-related communications seriously. Security awareness training should specifically address this lure category, including the "authorized internal channel" authenticity banners these messages carried.
Because AiTM relays the victim's own MFA response, MFA methods based on one-time codes or push approval do not stop it. Where possible, move users (starting with administrators and finance, HR and executive roles) to phishing-resistant methods such as FIDO2 security keys, passkeys or Windows Hello for Business, whose credentials are bound to the legitimate sign-in origin and cannot be relayed through a proxy on another domain. Deploy conditional access policies that evaluate sign-in risk signals beyond MFA, including device compliance, location anomalies and token replay detection.
Monitor for AiTM indicators: interactive authentications that originate from proxy or hosting infrastructure rather than the user's usual network, and session tokens being used from different IP addresses than the one where the initial authentication occurred, particularly when the user agent changes at the same time. When a compromise is confirmed, resetting the password is not enough: revoke the user's sessions and refresh tokens, since a stolen session cookie stays valid until it is revoked or expires.
Block known PhaaS infrastructure associated with Tycoon 2FA, Kratos and EvilTokens at the network and email gateway level, bearing in mind that Tycoon 2FA operators have already shifted hosting once and blocklists need continuous refresh. The surge in QR code phishing, now embedded directly in email bodies, requires detection capabilities that can decode QR images inline and evaluate their destination URLs the same way link-based mail is evaluated.
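As an added example, not code from Microsoft's report or from this page's author: a small Python detector that applies the two monitoring indicators above (an interactive authentication from known proxy infrastructure, and a session token reused from a different IP than the one the authentication came from) to constructed sign-in records. The record fields, the proxy IP list and the sample events are assumptions made for the example; real Entra ID sign-in logs expose equivalent data (a session identifier, the source IP, whether the sign-in was interactive, the user agent) under their own schema, so a production version would map those fields in.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample sign-in events for this example (not real telemetry).
# Field names are assumptions chosen for readability, loosely modelled on the
# kind of data present in Entra ID sign-in logs, not an official schema.
SAMPLE_SIGNINS = [
    # alice: legitimate. Interactive MFA sign-in, then a silent token refresh
    # from the same IP and browser.
    {"time": "2026-04-15T09:02:11Z", "user": "alice@example.com", "session_id": "s-1001",
     "ip": "203.0.113.10", "interactive": True, "mfa": True,
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124"},
    {"time": "2026-04-15T09:40:00Z", "user": "alice@example.com", "session_id": "s-1001",
     "ip": "203.0.113.10", "interactive": False, "mfa": False,
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124"},
    # bob: AiTM pattern. The interactive MFA sign-in arrives from the proxy's
    # egress IP (the proxy relayed bob's credentials), and minutes later the
    # same session is used from a different IP with a scripted user agent.
    {"time": "2026-04-15T10:15:30Z", "user": "bob@example.com", "session_id": "s-2002",
     "ip": "198.51.100.200", "interactive": True, "mfa": True,
     "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4) Safari/604.1"},
    {"time": "2026-04-15T10:19:02Z", "user": "bob@example.com", "session_id": "s-2002",
     "ip": "192.0.2.77", "interactive": False, "mfa": False,
     "ua": "python-requests/2.31"},
    # carol: a session with no interactive MFA sign-in in the data; there is
    # nothing to anchor on, so it is skipped rather than guessed about.
    {"time": "2026-04-15T11:00:00Z", "user": "carol@example.com", "session_id": "s-3003",
     "ip": "203.0.113.55", "interactive": False, "mfa": False,
     "ua": "Mozilla/5.0 (Macintosh) Safari/605.1"},
]

# Constructed stand-in for a threat-intel feed of AiTM proxy egress addresses.
KNOWN_PROXY_IPS = {"198.51.100.200"}


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_aitm_indicators(events, known_proxy_ips=KNOWN_PROXY_IPS):
    """Return (session_id, user, reason) alerts for two AiTM indicators.

    1. The interactive, MFA-satisfied sign-in that created a session came
       from known AiTM proxy infrastructure.
    2. The same session was later used from an IP address that differs from
       the one the interactive sign-in came from (token replay), with a note
       when the user agent changed as well.
    Sessions without an interactive MFA sign-in are skipped: there is no
    trustworthy origin to compare against.
    """
    by_session = defaultdict(list)
    for event in sorted(events, key=lambda e: _ts(e["time"])):
        by_session[event["session_id"]].append(event)

    alerts = []
    for sid, session_events in by_session.items():
        anchor = next((e for e in session_events if e["interactive"] and e["mfa"]), None)
        if anchor is None:
            continue
        if anchor["ip"] in known_proxy_ips:
            alerts.append((sid, anchor["user"],
                           f"interactive MFA sign-in from known AiTM proxy {anchor['ip']}"))
        for event in session_events:
            if event is anchor or event["ip"] == anchor["ip"]:
                continue
            reason = f"token reuse from {event['ip']} (authentication was from {anchor['ip']})"
            if event["ua"] != anchor["ua"]:
                reason += f", user agent changed to {event['ua']!r}"
            alerts.append((sid, event["user"], reason))
    return alerts


if __name__ == "__main__":
    for sid, user, reason in detect_aitm_indicators(SAMPLE_SIGNINS):
        print(f"[{sid}] {user}: {reason}")
```

Running the block flags only bob's session, twice: once for the proxy-origin sign-in and once for the replay from 192.0.2.77 with a changed user agent. An exact-IP comparison is the simplest form of the check and will fire on mobile users roaming between networks or behind carrier-grade NAT; in production, compare the ASN or country of the two addresses instead of the literal IP, weight the alert by the user-agent change, and feed known proxy ranges from a maintained list rather than the one-entry set used here.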