Mass phishing campaign abuses fake compliance notifications to harvest Microsoft credentials via AiTM
Summary
A large-scale phishing campaign targeted over 35,000 users across 13,000 organizations on April 15–16, 2026, using forged internal compliance emails to harvest Microsoft credentials via adversary-in-the-middle (AiTM) techniques. The attack leveraged polished, enterprise-style HTML templates that mimicked legitimate internal communications, including preemptive authenticity claims and organization-specific references to increase credibility. Targets in 26 countries were affected, with a primary focus on US firms. The campaign employed urgent, time-bound prompts and fake PDF attachments with links to phishing pages protected by Cloudflare CAPTCHAs to evade detection and sandboxing.
Timeline
- 05.05.2026 19:00 · 1 article
Fake compliance phishing campaign compromises credentials via AiTM in 26 countries
On April 15–16, 2026, a large-scale phishing operation sent enterprise-styled compliance emails to over 35,000 users across 13,000 organizations in 26 countries, primarily targeting US firms. Recipients were directed to open a PDF attachment that linked to a CAPTCHA-protected landing page, which then staged a multi-step Microsoft login flow to harvest credentials via AiTM session hijacking. The campaign employed urgency-based themes, organization-specific references, and false encryption banners to enhance legitimacy.
Sources:
- Microsoft Flags Mass Phishing Campaign Using Fake Compliance Emails — www.infosecurity-magazine.com — 05.05.2026 19:00
Information Snippets
- Campaign duration: April 15–16, 2026.
  First reported: 05.05.2026 19:00 (1 source, 1 article)
- Targets: Over 35,000 users across 13,000 organizations in 26 countries; primarily US firms.
  First reported: 05.05.2026 19:00 (1 source, 1 article)
- Initial access vector: Fake compliance emails with embedded PDF attachments containing links to phishing pages.
  First reported: 05.05.2026 19:00 (1 source, 1 article)
- Social engineering themes: Claims of internal conduct reviews and code of conduct investigations to create urgency.
  First reported: 05.05.2026 19:00 (1 source, 1 article)
- Landing page defenses: Cloudflare CAPTCHA to deter automated analysis and sandboxes, followed by staged authentication prompts.
  First reported: 05.05.2026 19:00 (1 source, 1 article)
- Credential theft mechanism: Adversary-in-the-middle (AiTM) session hijacking via staged Microsoft login prompts to steal authentication tokens.
  First reported: 05.05.2026 19:00 (1 source, 1 article)
- Defensive claims in lure: Fake Paubox encryption banner to simulate secure, HIPAA-compliant internal communications.
  First reported: 05.05.2026 19:00 (1 source, 1 article)