Code of conduct-themed Microsoft AiTM phishing campaign
Campaign
Summary
Hide ▲
Show ▼
A large-scale phishing campaign used code of conduct-themed lures and legitimate email services to push victims to attacker-controlled domains and steal authentication tokens, raising the risk of MFA bypass. The operation ran from April 14 to 16, 2026 and targeted more than 35,000 users across over 13,000 organizations in 26 countries. Microsoft said 92% of targets were in the U.S., with heavy targeting of healthcare and life sciences, financial services, professional services, and technology and software. The attack chain used PDF attachments, multiple CAPTCHA pages, and adversary-in-the-middle (AiTM) phishing to harvest Microsoft credentials in real time.
Related Happenings
O-UNC-066 / Pink Microsoft Entra passkey vishing campaign
Campaign
H score37
First: 08.07.2026 19:47
Last: 08.07.2026 19:47
Sources 1
About this happening:
The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...
O-UNC-066 / Pink Microsoft Entra passkey vishing campaign
CampaignAbout this happening: The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...
TA4922 expanded European phishing-and-malware campaign
Campaign
H score40
First: 04.06.2026 00:45
Last: 04.06.2026 00:45
Sources 1
About this happening:
**TA4922** is a **China-linked** cybercrime campaign that has expanded from **East Asia** into **Europe and Africa**, including **the U.K., Germany, Italy, and South Africa**. The...
TA4922 expanded European phishing-and-malware campaign
CampaignAbout this happening: **TA4922** is a **China-linked** cybercrime campaign that has expanded from **East Asia** into **Europe and Africa**, including **the U.K., Germany, Italy, and South Africa**. The...
KongTuke Microsoft Teams initial access campaign
Campaign
H score42
First: 14.05.2026 15:12
Last: 14.05.2026 15:12
Sources 1
About this happening:
The **KongTuke** campaign now uses **Microsoft Teams** social engineering to gain persistent access to **corporate networks**, shortening initial compromise to **under five minute...
KongTuke Microsoft Teams initial access campaign
CampaignAbout this happening: The **KongTuke** campaign now uses **Microsoft Teams** social engineering to gain persistent access to **corporate networks**, shortening initial compromise to **under five minute...
QR code phishing surged across email threats in Q1 2026
Trend
H score73
First: 05.05.2026 09:35
Last: 05.05.2026 09:35
Sources 1
How related:
Data from Microsoft shows a massive surge in QR code phishing during the three-month time period, as attack volumes jumped from 7.6 million in January to 18.7 million in March, representing a 146% increase.
About this happening:
**Q1 2026** email-threat telemetry shows **QR code phishing** and **CAPTCHA-gated phishing** rising quickly, increasing the risk of **credential theft** across **organizations**....
QR code phishing surged across email threats in Q1 2026
TrendHow related: Data from Microsoft shows a massive surge in QR code phishing during the three-month time period, as attack volumes jumped from 7.6 million in January to 18.7 million in March, representing a 146% increase.
About this happening: **Q1 2026** email-threat telemetry shows **QR code phishing** and **CAPTCHA-gated phishing** rising quickly, increasing the risk of **credential theft** across **organizations**....
Silk Typhoon / Hafnium coordinated intelligence-gathering campaign
Campaign
H score59
First: 27.04.2026 22:56
Last: 27.04.2026 22:56
Sources 1
About this happening:
The **Silk Typhoon / Hafnium** operation is tied to a **coordinated intelligence-gathering campaign** spanning **February 2020 to June 2021**, underscoring a sustained espionage e...
Silk Typhoon / Hafnium coordinated intelligence-gathering campaign
CampaignAbout this happening: The **Silk Typhoon / Hafnium** operation is tied to a **coordinated intelligence-gathering campaign** spanning **February 2020 to June 2021**, underscoring a sustained espionage e...
Latest development: 28.04.2026 15:30
US officials described Silk Typhoon/Hafnium activity from February 2020 to June 2021 as a coordinated intelligence-gathering campaign that targeted US universities and COVID-19 researchers, including a Texas university network, and later expanded into Microsoft Exchange Server vulnerability exploitation. The operation reportedly used stolen mailbox access to search for vaccines, treatments, and testing research, and the FBI said the campaign affected more than 12,700 US organizations.
Timeline
-
05.05.2026 09:35 2 articles · 2mo ago
Microsoft discloses code of conduct-themed AiTM phishing campaign
Initial DisclosureMicrosoft disclosed a large-scale credential theft campaign that used code of conduct-themed lures, legitimate email services, PDF attachments, multiple CAPTCHA gates, and adversary-in-the-middle phishing to steal Microsoft credentials and authentication tokens and bypass multi-factor authentication. The campaign was observed between April 14 and 16, 2026 and targeted more than 35,000 users across over 13,000 organizations in 26 countries, with 92% of targets in the U.S. and heavy targeting of healthcare and life sciences, financial services, professional services, and technology and software.
Show sources
- Microsoft Details Phishing Campaign Targeting 35,000 Users Across 26 Countries — thehackernews.com — 05.05.2026 09:35
- Microsoft Flags Mass Phishing Campaign Using Fake Compliance Emails — www.infosecurity-magazine.com — 05.05.2026 19:00