Ethical Hacking News
A massive credential theft campaign has targeted 35,000 users across 26 countries in an attempt to harvest their Microsoft credentials and tokens. The attack used legitimate email services, polished HTML templates, and adversary-in-the-middle phishing tactics to trick victims into divulging sensitive information.
Microsoft detected a massive phishing campaign targeting over 35,000 users in 26 countries.
The attackers used legitimate email services and polished HTML templates to appear credible.
The campaign aimed to harvest Microsoft credentials and tokens using adversary-in-the-middle (AiTM) phishing tactics.
92% of targets were located in the US, with healthcare and life sciences being the most affected sector.
The use of PhaaS platforms and QR code phishing attacks increased significantly between January and March 2026.
BEC scams saw a surge in attack volume, crossing over 4 million in March 2026.
Microsoft has revealed details of a massive phishing campaign that targeted over 35,000 users across 26 countries in April and May 2026. The attackers employed a multi-stage strategy to trick victims into divulging their authentication tokens. This campaign was notable for its use of legitimate email services and polished HTML templates designed to appear more credible than typical phishing emails.
According to the Microsoft Defender Security Research Team, the attackers used code-of-conduct-themed lures to create a sense of urgency and put pressure on recipients. The messages contained accusations and time-bound action prompts that made them appear to be legitimate internal communications. These emails were sent from email delivery services that appeared to be authorized channels.
The campaign was designed to harvest Microsoft credentials and tokens by using adversary-in-the-middle (AiTM) phishing tactics. This resulted in real-time credential theft, bypassing multi-factor authentication (MFA). The attackers used CAPTCHA and intermediate pages to create a veneer of legitimacy while keeping out automated defenses.
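The following is an added example, not code from Microsoft's report or from this article: a minimal detection for the token theft described above, flagging a session that completed MFA and is then used from a different IP address and a different client within a short window. The log records, field names and the 30-minute window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records; the field names are hypothetical, not a vendor log schema.
SIGNINS = [
    {"time": "2026-04-20T14:02:11", "user": "a.lee@example.org", "session": "s-1001",
     "ip": "198.51.100.7", "agent": "Edge/Windows", "mfa": True},
    {"time": "2026-04-20T14:09:40", "user": "a.lee@example.org", "session": "s-1001",
     "ip": "203.0.113.45", "agent": "python-requests", "mfa": False},
    # Same client, new IP: a user roaming between networks, not flagged.
    {"time": "2026-04-20T09:15:00", "user": "b.ortiz@example.org", "session": "s-1002",
     "ip": "192.0.2.10", "agent": "Chrome/macOS", "mfa": True},
    {"time": "2026-04-20T09:40:00", "user": "b.ortiz@example.org", "session": "s-1002",
     "ip": "192.0.2.99", "agent": "Chrome/macOS", "mfa": False},
]


def find_session_replay(records, window=timedelta(minutes=30)):
    """Return sessions reused from a new IP and a new client soon after MFA."""
    by_session = defaultdict(list)
    for rec in records:
        by_session[rec["session"]].append(rec)

    alerts = []
    for session, events in by_session.items():
        events.sort(key=lambda e: e["time"])  # ISO 8601 strings sort chronologically
        origin = next((e for e in events if e["mfa"]), None)
        if origin is None:
            continue  # no MFA-completed sign-in to compare against
        t0 = datetime.fromisoformat(origin["time"])
        for ev in events:
            delay = datetime.fromisoformat(ev["time"]) - t0
            moved = ev["ip"] != origin["ip"] and ev["agent"] != origin["agent"]
            if moved and timedelta(0) <= delay <= window:
                alerts.append({"user": ev["user"], "session": session,
                               "first_ip": origin["ip"], "replay_ip": ev["ip"],
                               "delay_s": int(delay.total_seconds())})
                break  # one alert per session is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_session_replay(SIGNINS):
        print(alert)
```

Requiring both the IP address and the client to change keeps ordinary network roaming out of the alert queue, at the cost of missing a replay that copies the victim's user agent.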
An analysis conducted by the team revealed that 92% of targets were located in the United States. The majority of victims belonged to healthcare and life sciences (19%), financial services (18%), professional services (11%), and technology and software sectors (11%).
The attackers employed PhaaS platforms such as Tycoon 2FA, Kratos, and EvilTokens, which linked the phishing endpoints to various domains. Microsoft found that QR code phishing attacks increased by 146% between January and March 2026. One notable development was the use of QR codes embedded directly in email bodies.
Business email compromise (BEC) scams fluctuated, with a surge in March 2026 when attack volume crossed 4 million. The attacks involved messages sent to users at more than 53,000 organizations in 23 countries using 401(k)-, payment-, and invoice-themed lures.
In conclusion, the recent phishing campaign highlights the cunning tactics employed by attackers to target victims. By utilizing legitimate email services, polished HTML templates, and a multi-stage strategy, the attackers successfully harvested thousands of Microsoft credentials and tokens.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Massive-Credential-Theft-Campaign-How-Phishing-Emails-Utilized-Legitimate-Email-Services-to-Target-35000-Users-Across-26-Countries-ehn.shtml
https://thehackernews.com/2026/05/microsoft-details-phishing-campaign.html
https://www.microsoft.com/en-us/security/blog/2026/04/06/ai-enabled-device-code-phishing-campaign-april-2026/
Published: Tue May 5 04:21:34 2026 by llama3.2 3B Q4_K_M