Microsoft Defender Research has tracked a phishing operation that hit more than 35,000 users at over 13,000 organizations across 26 countries.
The activity ran between April 14 and 16, 2026, with code of conduct-themed lures and an attack chain ending in Adversary-in-the-Middle (AiTM) credential theft.
Roughly 92% of the emails landed in US inboxes. Healthcare and life sciences took the biggest hit, accounting for 19% of total volume. Subject lines played on internal case logs and supposed conduct breaches, pushing potential victims to respond to what looked like a real disciplinary matter.

Each message was sent from domains that appear to be attacker-controlled, relayed through a legitimate email delivery service, with the sending infrastructure probably a cloud-hosted Windows VM. Attached PDFs, with filenames referencing disciplinary action or case logs, told users to open a “Review Case Materials” link.
Clicking the link triggered a chain of attacker-controlled landing pages, starting with a Cloudflare CAPTCHA presented as a session validation step.
Microsoft Defender Research said the CAPTCHA likely served to “impede automated analysis and sandbox detonation.” The lures themselves used polished, enterprise-style HTML layouts and preemptive authenticity claims, all built to look more credible than a typical phishing email.
AiTM Flow Captures Sign-In Tokens, Sidestepping MFA
After two CAPTCHA challenges and several intermediate staging pages, users landed on a page presenting a fake Microsoft sign-in prompt. Microsoft confirmed the final stage was an AiTM phishing flow that proxied the authentication session and grabbed tokens for immediate account access.
For context, older credential phishing harvested static usernames and passwords for later use. An AiTM page instead sits as a reverse proxy between the victim and the real identity provider: it relays the password and the MFA challenge to Microsoft in real time and captures the session cookie or token issued once MFA succeeds, which is why push approvals, SMS codes and authenticator one-time codes do not stop it. Only phishing-resistant methods, where the credential is bound to the legitimate origin (FIDO2 keys, Windows Hello for Business), break the proxy, because the authenticator refuses to respond to the attacker's domain. Microsoft also flagged signs of device code phishing earlier in the chain, though only the AiTM portion was confirmed.
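The practical consequence of the proxy design is that the stolen token is used from the attacker's infrastructure, not the victim's, shortly after the interactive sign-in that minted it. The following detection sketch is an added example, not code from the Microsoft write-up or its hunting queries: it runs over constructed sign-in records (the field names, ASNs and thresholds are assumptions chosen for illustration; real Entra ID sign-in logs have a different schema) and flags sessions whose token is used from a different network than the sign-in, rating the alert higher when the original MFA method was one an AiTM page can relay.

```python
"""Flag likely AiTM session-token replay in sign-in telemetry.

Added example, not from the Microsoft analysis. Records, field names and
the replay window are constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Methods an AiTM proxy cannot relay: the credential is bound to the real
# origin, so the authenticator will not answer the attacker's page.
PHISHING_RESISTANT = {"fido2", "windowsHelloForBusiness", "certificate"}

# Constructed sample records (assumed schema). Each interactive sign-in
# mints a session; later non-interactive records reuse that session token.
SAMPLE_EVENTS = [
    # alice: push MFA, token then used from another ASN 95 s later -> high
    {"ts": "2026-04-15T09:02:10", "user": "alice@corp.example", "ip": "203.0.113.10",
     "asn": 64500, "session": "s-111", "interactive": True, "mfa_method": "push"},
    {"ts": "2026-04-15T09:03:45", "user": "alice@corp.example", "ip": "198.51.100.77",
     "asn": 64511, "session": "s-111", "interactive": False, "mfa_method": None},
    # bob: FIDO2, token reused from a second IP in the same ASN -> not flagged
    {"ts": "2026-04-15T10:00:00", "user": "bob@corp.example", "ip": "203.0.113.20",
     "asn": 64500, "session": "s-222", "interactive": True, "mfa_method": "fido2"},
    {"ts": "2026-04-15T10:01:00", "user": "bob@corp.example", "ip": "203.0.113.21",
     "asn": 64500, "session": "s-222", "interactive": False, "mfa_method": None},
    # carol: FIDO2 but token used from another ASN 30 s later -> low (not AiTM)
    {"ts": "2026-04-15T11:00:00", "user": "carol@corp.example", "ip": "203.0.113.30",
     "asn": 64500, "session": "s-333", "interactive": True, "mfa_method": "fido2"},
    {"ts": "2026-04-15T11:00:30", "user": "carol@corp.example", "ip": "192.0.2.9",
     "asn": 64520, "session": "s-333", "interactive": False, "mfa_method": None},
]


def find_token_replay(events, window=timedelta(minutes=30)):
    """Return alerts for sessions whose token is used from a different ASN
    than the interactive sign-in that created it, within `window`.

    Severity is "high" when the sign-in used MFA an AiTM proxy can relay
    (push, SMS, TOTP), "low" when it used a phishing-resistant method,
    since the token must then have been taken some other way.
    """
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)

    alerts = []
    for session, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        origin = next((e for e in evs if e["interactive"]), None)
        if origin is None:
            continue  # no minting sign-in seen; nothing to compare against
        t0 = datetime.fromisoformat(origin["ts"])
        resistant = origin["mfa_method"] in PHISHING_RESISTANT
        for e in evs:
            if e["interactive"]:
                continue
            delta = datetime.fromisoformat(e["ts"]) - t0
            if delta <= window and e["asn"] != origin["asn"]:
                alerts.append({
                    "user": origin["user"],
                    "session": session,
                    "signin_ip": origin["ip"],
                    "replay_ip": e["ip"],
                    "seconds_after_signin": int(delta.total_seconds()),
                    "mfa_method": origin["mfa_method"],
                    "severity": "low" if resistant else "high",
                })
    return alerts


if __name__ == "__main__":
    for alert in find_token_replay(SAMPLE_EVENTS):
        print(alert)
```

Keying on ASN rather than raw IP avoids noise from users whose address changes within one carrier, and the "low" tier keeps a replay of a FIDO2-backed session visible without attributing it to this campaign's technique.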
To reduce exposure, Microsoft recommends enabling zero-hour auto purge in Defender for Office 365, rolling out phishing-resistant MFA such as FIDO2 security keys or Windows Hello for Business, and turning on Safe Links and Safe Attachments. Conditional Access policies that tie sessions to managed, compliant devices, applied at minimum to privileged accounts, limit what a stolen token can do when replayed from an attacker's host.
The full analysis, with hunting queries and Defender detections, is available on the Microsoft Security blog.