Vypr Research · Published May 5, 2026 · Updated May 17, 2026 · 1 source

Microsoft Exposes Large-Scale Phishing Campaign Targeting 35,000 Users Globally

Microsoft has uncovered a massive, multi-stage phishing campaign that leveraged enterprise-themed lures and adversary-in-the-middle tactics to bypass multi-factor authentication for over 35,000 users.

Microsoft has disclosed a sophisticated, large-scale credential theft campaign that targeted over 35,000 users across 13,000 organizations in 26 countries between April 14 and 16, 2026 (The Hacker News). The campaign primarily focused on the United States, which accounted for 92% of the targeted users, with significant activity directed at the healthcare, financial services, professional services, and technology sectors (The Hacker News).

The attack utilizes highly polished, enterprise-style HTML email templates designed to mimic legitimate internal corporate communications. These emails often use themes related to "code of conduct" reviews, employing subject lines such as "Internal case log issued under conduct policy" and "Reminder: employer opened a non-compliance case log" (The Hacker News). To further enhance credibility, the messages include preemptive authenticity statements claiming the content was reviewed and approved for secure access, creating a sense of urgency that pressures victims to act (The Hacker News).

The technical execution of the attack involves a multi-stage process. Victims are prompted to open a PDF attachment, which contains a link that initiates the credential harvesting flow. This flow directs users through multiple rounds of CAPTCHA and intermediate pages, a technique used to evade automated security defenses and provide a veneer of legitimacy (The Hacker News). Ultimately, the campaign employs adversary-in-the-middle (AiTM) phishing tactics to capture Microsoft credentials and authentication tokens in real time, allowing attackers to bypass multi-factor authentication (MFA) (The Hacker News).

The impact of this campaign is significant, reflecting broader trends in the current threat landscape. Microsoft reported that between January and March 2026, it detected approximately 8.3 billion email-based phishing threats (The Hacker News). While credential harvesting remains the primary goal of these attacks, accounting for the vast majority of malicious activity, the methods are evolving rapidly. Specifically, CAPTCHA-gated phishing has seen significant growth, and QR code phishing has emerged as the fastest-growing attack vector (The Hacker News).

The disclosure also highlights the resilience of phishing-as-a-service (PhaaS) operations. Following a coordinated disruption in March 2026, operators of the Tycoon 2FA platform have been observed shifting their infrastructure, moving away from Cloudflare to alternative hosting providers in an attempt to maintain their anti-analysis protections (The Hacker News).

This campaign underscores the ongoing shift toward highly targeted, socially engineered phishing that exploits trust in internal corporate processes. As attackers continue to refine their ability to bypass MFA through AiTM techniques and evade automated detection via CAPTCHA-gating, organizations face an increasingly complex environment. Security teams are encouraged to remain vigilant against these sophisticated lures and to prioritize defenses that can detect real-time token theft and anomalous sign-in behavior (The Hacker News).
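A defender-side illustration of the detection recommended above, added here as an example that is not code from Microsoft, The Hacker News or the campaign itself: it scans constructed sign-in records for a session token that is used from a different network shortly after the interactive MFA sign-in, which is the trace the AiTM flow described earlier (credentials and tokens captured in real time, then reused) leaves in sign-in telemetry. The pipe-separated record format, the ASN values and the two-hour window are assumptions for the example; real sign-in logs carry more fields and the window should be tuned to the environment.

```python
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample sign-in records (not real telemetry). Fields:
# timestamp | user | session id | source IP | source ASN | interactive? | mfa?
SAMPLE_LOG = """\
2026-04-15T09:02:11 | alice@example.test | s-1001 | 203.0.113.7   | AS64500 | interactive    | mfa
2026-04-15T09:03:40 | alice@example.test | s-1001 | 198.51.100.23 | AS64501 | noninteractive | none
2026-04-15T09:10:05 | bob@example.test   | s-2002 | 192.0.2.14    | AS64502 | interactive    | mfa
2026-04-15T09:30:00 | bob@example.test   | s-2002 | 192.0.2.14    | AS64502 | noninteractive | none
2026-04-15T12:00:00 | carol@example.test | s-3003 | 192.0.2.77    | AS64503 | interactive    | mfa
2026-04-15T16:00:00 | carol@example.test | s-3003 | 198.51.100.9  | AS64501 | noninteractive | none
"""

class SignIn(NamedTuple):
    ts: datetime
    user: str
    session_id: str    # identifier tied to the issued session token/cookie
    ip: str
    asn: str           # network the request came from
    interactive: bool  # True for the browser sign-in, False for later token use
    mfa: bool          # True when the sign-in satisfied MFA

def parse_event(line: str) -> SignIn:
    """Parse one pipe-separated record into a SignIn."""
    ts, user, sid, ip, asn, kind, mfa = [f.strip() for f in line.split("|")]
    return SignIn(datetime.fromisoformat(ts), user, sid, ip, asn,
                  kind == "interactive", mfa == "mfa")

def find_token_replay(events, window_hours: float = 2.0):
    """Flag sessions whose token is used from a different network shortly after
    the interactive MFA sign-in: the trace an AiTM-captured session leaves."""
    window = timedelta(hours=window_hours)
    by_session: dict[str, list[SignIn]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_session.setdefault(e.session_id, []).append(e)
    alerts = []
    for sid, evs in by_session.items():
        anchor = next((e for e in evs if e.interactive and e.mfa), None)  # victim's own sign-in
        if anchor is None:
            continue
        for e in evs:
            if e.interactive or e.asn == anchor.asn:
                continue  # same network as the MFA sign-in: ordinary session use
            if timedelta(0) < e.ts - anchor.ts <= window:
                minutes = int((e.ts - anchor.ts).total_seconds() // 60)
                alerts.append({"user": anchor.user, "session": sid, "auth_ip": anchor.ip,
                               "reuse_ip": e.ip, "minutes_after_mfa": minutes})
                break  # one alert per session is enough for triage
    return alerts
```

On the sample data only alice's session is flagged: bob's token stays on the network that completed MFA, and carol's cross-network use falls outside the default window, which is the tuning trade-off a rule like this carries.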

Synthesized by Vypr AI