Code of conduct-themed Microsoft AiTM phishing campaign
Campaign
Summary
A large-scale phishing campaign used code of conduct-themed lures and legitimate email services to push victims to attacker-controlled domains and steal authentication tokens, raising the risk of MFA bypass. The operation ran from April 14 to 16, 2026 and targeted more than 35,000 users across over 13,000 organizations in 26 countries. Microsoft said 92% of targets were in the U.S., with heavy targeting of healthcare and life sciences, financial services, professional services, and technology and software. The attack chain used PDF attachments, multiple CAPTCHA pages, and adversary-in-the-middle (AiTM) phishing to harvest Microsoft credentials in real time.
Related Happenings
KongTuke Microsoft Teams initial access campaign
Campaign
First: 14.05.2026 15:12
Last: 14.05.2026 15:12
Sources 1
About this happening:
The **KongTuke** campaign now uses **Microsoft Teams** social engineering to gain persistent access to **corporate networks**, shortening initial compromise to **under five minute...
QR code phishing surged across email threats in Q1 2026
Target Trend
First: 05.05.2026 09:35
Last: 05.05.2026 09:35
Sources 1
How related:
Data from Microsoft shows a massive surge in QR code phishing during the three-month time period, as attack volumes jumped from 7.6 million in January to 18.7 million in March, representing a 146% increase.
About this happening:
**Q1 2026** email-threat telemetry shows **QR code phishing** and **CAPTCHA-gated phishing** rising quickly, increasing the risk of **credential theft** across **organizations**....
Silk Typhoon / Hafnium coordinated intelligence-gathering campaign
Campaign
First: 27.04.2026 22:56
Last: 27.04.2026 22:56
Sources 1
About this happening:
The **Silk Typhoon / Hafnium** operation is tied to a **coordinated intelligence-gathering campaign** spanning **February 2020 to June 2021**, underscoring a sustained espionage e...
Latest development: 28.04.2026 15:30
US officials described Silk Typhoon/Hafnium activity from February 2020 to June 2021 as a coordinated intelligence-gathering campaign that targeted US universities and COVID-19 researchers, including a Texas university network, and later expanded into Microsoft Exchange Server vulnerability exploitation. The operation reportedly used stolen mailbox access to search for vaccines, treatments, and testing research, and the FBI said the campaign affected more than 12,700 US organizations.
UNC6692 email bombing and Microsoft Teams impersonation campaign
Campaign
First: 25.04.2026 18:07
Last: 25.04.2026 18:07
Sources 1
About this happening:
UNC6692 is running a **social-engineering campaign** that uses **email bombing** and **Microsoft Teams impersonation** to push targets toward remote access and initial compromise....
Silent subject/null subject phishing campaign targeting executives and privileged users
Campaign
First: 22.04.2026 16:00
Last: 22.04.2026 16:00
Sources 1
About this happening:
A **widespread silent subject/null subject phishing campaign** is sending subject-less emails to **high-value users**, raising the risk of **credential theft** and follow-on **lat...
Timeline
05.05.2026 09:35 · 2 articles
Microsoft discloses code of conduct-themed AiTM phishing campaign
Initial Disclosure: Microsoft disclosed a large-scale credential theft campaign that used code of conduct-themed lures, legitimate email services, PDF attachments, multiple CAPTCHA gates, and adversary-in-the-middle phishing to steal Microsoft credentials and authentication tokens and bypass multi-factor authentication. The campaign was observed between April 14 and 16, 2026 and targeted more than 35,000 users across over 13,000 organizations in 26 countries, with 92% of targets in the U.S. and heavy targeting of healthcare and life sciences, financial services, professional services, and technology and software.
Sources:
- Microsoft Details Phishing Campaign Targeting 35,000 Users Across 26 Countries — thehackernews.com — 05.05.2026 09:35
- Microsoft Flags Mass Phishing Campaign Using Fake Compliance Emails — www.infosecurity-magazine.com — 05.05.2026 19:00