Large-scale AiTM phishing campaign abuses code-of-conduct lures and CAPTCHA gates to harvest credentials
Summary
A credential theft campaign spanning April 14–16, 2026, leveraged polished code-of-conduct-themed HTML phishing emails to trick recipients into visiting attacker-controlled domains and surrendering authentication tokens. The operation targeted more than 35,000 users across 13,000 organizations in 26 countries, with 92% of targets in the U.S. The emails impersonated internal communications about conduct reviews, incorporating fake authenticity statements, urgency cues, and PDF attachments pointing to CAPTCHA-gated phishing pages. Victims were ultimately routed through adversary-in-the-middle (AiTM) phishing infrastructure to harvest Microsoft credentials and session tokens in real time, effectively bypassing multi-factor authentication (MFA). The final landing experience varied based on whether the flow originated from mobile or desktop environments.
Timeline
- 05.05.2026 09:35 · 1 article
AiTM phishing campaign abuses code-of-conduct lures and CAPTCHA gates to harvest credentials
A credential theft campaign spanning April 14–16, 2026, used enterprise-style phishing emails themed around code-of-conduct reviews to direct victims through CAPTCHA-gated pages to adversary-in-the-middle sign-in flows. The operation targeted 35,000+ users across 26 countries and harvested Microsoft credentials and tokens in real time, effectively bypassing MFA. The campaign employed PDF attachments, polished HTML lures with fake authenticity statements, and legitimate email delivery services to enhance credibility and evade detection.
- Microsoft Details Phishing Campaign Targeting 35,000 Users Across 26 Countries — thehackernews.com — 05.05.2026 09:35
Information Snippets
- Campaign activity occurred between April 14 and 16, 2026, targeting 35,000+ users across 13,000+ organizations in 26 countries.
  First reported: 05.05.2026 09:35 (1 source, 1 article)
- 92% of targeted users were located in the U.S., with highest concentration in healthcare and life sciences (19%), financial services (18%), professional services (11%), and technology/software (11%).
  First reported: 05.05.2026 09:35 (1 source, 1 article)
- Emails used enterprise-style HTML templates, preemptive authenticity statements, and urgency-driven action prompts to appear legitimate.
  First reported: 05.05.2026 09:35 (1 source, 1 article)
- Lures referenced "code of conduct" reviews with display names such as "Internal Regulatory COC," "Workforce Communications," and "Team Conduct Report."
  First reported: 05.05.2026 09:35 (1 source, 1 article)
- Messages included a PDF attachment and a link that redirected victims through multiple CAPTCHA and intermediate pages to evade detection and filter automated defenses.
  First reported: 05.05.2026 09:35 (1 source, 1 article)
- The final sign-in flow employed adversary-in-the-middle techniques to harvest Microsoft credentials and tokens in real time, bypassing MFA protections.
  First reported: 05.05.2026 09:35 (1 source, 1 article)
- QR code phishing grew 146% from January to March 2026, rising from 7.6 million to 18.7 million attacks, with email-embedded QR codes observed in late March.
  First reported: 05.05.2026 09:35 (1 source, 1 article)
- Between January and March 2026, Microsoft detected approximately 8.3 billion email-based phishing threats, with 80% being link-based and the majority aimed at credential harvesting.
  First reported: 05.05.2026 09:35 (1 source, 1 article)
- Following a coordinated disruption in March 2026, Tycoon 2FA PhaaS operators shifted hosting from Cloudflare to alternative platforms to regain anti-analysis protections.
  First reported: 05.05.2026 09:35 (1 source, 1 article)