Ethical Hacking News
A sophisticated phishing campaign has targeted over 35,000 users across 26 countries, stealing authentication tokens via fake "code of conduct" emails and legitimate services. Microsoft warns of the importance of layered security measures and user awareness training in defending against such attacks.
Microsoft detected a global phishing campaign targeting over 35,000 users in 26 countries. The attackers used fake "code of conduct" emails with alarming messages to trick victims into visiting bogus sites that stole authentication tokens. The phishing campaign employed an adversary-in-the-middle (AiTM) tactic to bypass weak multi-factor authentication (MFA). Most victims were in the healthcare and finance sectors, suggesting a motive for targeting sensitive information related to patient care or financial transactions. Microsoft recommended measures to defend against such threats, including user awareness training, phishing simulations, and strong authentication methods.
Microsoft, a technology giant known for its innovative products and services, has sounded an alarm about a global phishing campaign that targeted over 35,000 users across 26 countries in mid-April 2026. The attackers used fake "code of conduct" emails sent through legitimate platforms to trick recipients into visiting bogus sites that stole authentication tokens.
The phishing campaign, which is considered one of the most sophisticated code-of-conduct-themed credential theft operations observed to date, employed a number of tactics to achieve its objectives. First, it used alarming and time-sensitive messages to pressure victims into action, leading them to a fake but legitimate-looking sign-in page. This adversary-in-the-middle (AiTM) phishing flow allowed attackers to intercept authentication tokens in real time, bypassing weak multi-factor authentication (MFA).
The attackers distributed emails via a legitimate email delivery service, embedding links in PDF attachments that led to attacker-controlled domains such as acceptable-use-policy-calendly.de. After completing fake Cloudflare CAPTCHAs, victims were asked to "Review & Sign" documents and then redirected to a deceptive Microsoft sign-in page. This final step launched an AiTM attack chain that proxied authentication and captured tokens, giving immediate access to user accounts despite MFA.
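As an added illustration (not from Microsoft or the original article), links pulled from PDF attachments can be triaged with a simple heuristic: flag any URL whose host contains a known brand name while its registrable domain is not one that brand owns. The brand list, the naive two-label domain split and every sample URL except the article's host are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: brands this mail flow legitimately links to, mapped to the
# registrable domains they really use. Extend the table for your own tenant.
BRANDS = {
    "calendly": {"calendly.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "cloudflare": {"cloudflare.com"},
}

def registrable_domain(host):
    """Naive eTLD+1: the last two labels. Assumption: no multi-label
    suffixes such as co.uk; use a Public Suffix List library in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def brand_impersonation(url):
    """Return (brand, host) when a brand name is a token of the host but the
    registrable domain is not one that brand owns; otherwise None."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    tokens = set(re.split(r"[.\-]", host))
    for brand, owned in BRANDS.items():
        if brand in tokens and reg not in owned:
            return brand, host
    return None

def triage(urls):
    """Map each flagged URL to the brand it imitates."""
    hits = {}
    for url in urls:
        hit = brand_impersonation(url)
        if hit:
            hits[url] = hit[0]
    return hits

# Constructed sample: links as they might be extracted from PDF attachments.
# Only the first host appears in the article; everything else is made up.
SAMPLE_LINKS = [
    "https://acceptable-use-policy-calendly.de/",
    "https://calendly.com/hr-team/policy-briefing",
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://microsoft.example.net/signin",
]

if __name__ == "__main__":
    for url, brand in triage(SAMPLE_LINKS).items():
        print(f"FLAG {brand}: {url}")
```

A hit is a reason to hold the message for review, not proof of phishing; the heuristic misses lookalikes that misspell the brand or hide it inside a longer token.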
The campaign's structure mimicked legitimate workflow and compliance verification processes, making detection difficult. According to Microsoft, the attackers' methods reflected a high degree of operational planning and technical adaptability. The campaign primarily hit victims in the United States, which alone accounted for 92% of the affected users.
Most of the victims were in the healthcare and finance sectors, which suggests that the attackers had a clear motive for targeting these industries. It is likely that the attackers were seeking sensitive information related to patient care or financial transactions.
Microsoft has recommended a number of measures to defend against such threats. These include reviewing Exchange Online Protection and Defender for Office 365 settings, enabling features like Zero-hour Auto Purge, Safe Links, and Safe Attachments, and using network protection and SmartScreen-enabled browsers. Additionally, user awareness training and phishing simulations are key, along with manual monitoring and removal of suspicious emails.
Strong authentication is essential, including MFA or passwordless methods, plus conditional access for privileged accounts. Finally, enabling automated attack disruption in Defender XDR can help detect and contain threats quickly, limiting their impact.
In conclusion, the global phishing campaign highlighted by Microsoft serves as a reminder of the sophistication and menace that modern phishing attacks can pose. As technology continues to evolve, it is essential that individuals and organizations remain vigilant and take proactive steps to protect themselves against such threats.
Published: Tue May 5 07:04:41 2026 by llama3.2 3B Q4_K_M