Microsoft Reveals Large Scale Phishing Campaign Targeting 35000 Users Across 26 Countries

Microsoft has disclosed details of a large-scale phishing campaign that targeted more than 35,000 users across over 13,000 organizations in 26 countries, a coordinated effort to steal credentials using social engineering and technical evasion. The activity, observed between April 14 and April 16, 2026, primarily affected users in the United States, who accounted for 92 percent of the targets. The campaign hit multiple sectors, including healthcare and life sciences, financial services, professional services, and technology and software, reflecting broad targeting of organizations with access to sensitive data and operational systems.

According to findings shared by the Microsoft Defender Security Research Team and Microsoft Threat Intelligence, the attackers used code-of-conduct-themed lures designed to look like legitimate internal communications. The phishing emails used polished HTML templates with structured layouts and authenticity statements that reinforced credibility. Subject lines often referenced internal compliance cases or conduct policy violations, creating urgency and prompting recipients to act immediately. Display names such as "Internal Regulatory COC", "Workforce Communications", and "Team Conduct Report" mimicked organizational communication channels. Each email included a notice claiming that the message had been issued through an authorized internal system and that all links and attachments had been reviewed for secure access, increasing the likelihood that users would interact with it.

The phishing emails were delivered through legitimate email services, which helped them bypass traditional security filters and reduced suspicion among recipients. Each message carried a PDF attachment that directed users to click a link for further details about the alleged conduct review. Once a victim engaged, they were guided through multiple layers of CAPTCHA challenges and intermediary pages designed to simulate legitimate verification while keeping automated analysis systems from reaching the malicious content. The chain ended at a fraudulent sign-in page built on adversary-in-the-middle (AiTM) phishing techniques, which let the attackers capture user credentials and authentication tokens in real time, effectively bypassing multi-factor authentication. Microsoft noted that the final stage of the attack flow varied depending on whether the victim opened the link on a mobile device or a desktop system.
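As an added example (not code from Microsoft's report or from this article), the following Python heuristic scores mail against the lure traits described above: the impersonated display names, compliance-themed subjects, the "authorized internal system" notice, and a PDF attachment carrying a link. The one-point-per-trait weighting, the threshold, and the sample messages are assumptions.

```python
import re
from dataclasses import dataclass, field

# Lure traits are taken from the campaign description above; the weights
# (one point per trait), the threshold, and the sample messages are assumptions.
LURE_DISPLAY_NAMES = {"internal regulatory coc", "workforce communications",
                      "team conduct report"}
SUBJECT_TERMS = re.compile(r"compliance case|conduct policy violation|code of conduct", re.I)
NOTICE_TERMS = re.compile(r"authorized internal system|reviewed for secure access", re.I)


@dataclass
class Message:
    display_name: str
    subject: str
    body: str
    # (filename, attachment contains a clickable link); assumed pre-parsed
    attachments: list[tuple[str, bool]] = field(default_factory=list)


def score_message(msg: Message) -> tuple[int, list[str]]:
    """Return (score, matched traits) for one message."""
    hits = []
    if msg.display_name.strip().lower() in LURE_DISPLAY_NAMES:
        hits.append("display-name")
    if SUBJECT_TERMS.search(msg.subject):
        hits.append("subject")
    if NOTICE_TERMS.search(msg.body):
        hits.append("authenticity-notice")
    if any(n.lower().endswith(".pdf") and link for n, link in msg.attachments):
        hits.append("pdf-with-link")
    return len(hits), hits


def is_suspicious(msg: Message, threshold: int = 2) -> bool:
    """Flag messages matching at least `threshold` lure traits (assumed value)."""
    return score_message(msg)[0] >= threshold


# Constructed sample messages, not real captured mail.
SAMPLES = {
    "lure": Message(
        "Internal Regulatory COC", "Compliance Case 4471: Conduct Policy Violation",
        "This message was issued through an authorized internal system. "
        "All links and attachments have been reviewed for secure access.",
        [("Conduct_Review.pdf", True)]),
    "benign": Message(
        "HR Team", "Reminder: annual code of conduct training",
        "Please complete the training module by the end of the month.",
        [("agenda.pdf", False)]),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, score_message(msg), is_suspicious(msg))
```

A single trait (a benign HR mail mentioning the code of conduct) scores 1 and is not flagged; the constructed lure matches all four and is.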

The disclosure also aligns with broader phishing trends Microsoft identified between January and March 2026, when email-based threats reached approximately 8.3 billion incidents. The analysis found that nearly 80 percent of phishing attacks were link-based, often using large HTML and ZIP file attachments as delivery mechanisms. Credential harvesting remained the primary objective of these campaigns, while malware distribution declined to a smaller share. QR-code phishing rose sharply, with volumes increasing from 7.6 million in January to 18.7 million in March. Business email compromise activity also fluctuated, exceeding 4 million incidents in March alone. Other campaigns identified during the same period involved millions of phishing messages targeting organizations across multiple countries using CAPTCHA-gated pages and fake sign-in portals to capture credentials.

Microsoft further noted that phishing-as-a-service platforms such as Tycoon 2FA have adapted their infrastructure following disruption efforts, moving away from certain hosting providers and diversifying their operational setup to remain effective. Other infrastructure linked to phishing campaigns included platforms such as Kratos and EvilTokens, indicating a distributed ecosystem of threat actors and service providers supporting credential theft. The findings also highlight the abuse of trusted platforms such as Amazon Simple Email Service, where attackers use compromised access keys to send large volumes of phishing emails that pass authentication checks. Because such messages originate from trusted infrastructure, they are harder for both users and security systems to detect, enabling large-scale credential harvesting.
