Microsoft Warns of Compliance-Themed Phishing Campaign Targeting 13,000 Organizations
A sophisticated phishing campaign impersonating internal compliance notices targeted over 35,000 users with adversary-in-the-middle (AiTM) attacks designed to capture session tokens.

A sophisticated phishing campaign recently targeted over 35,000 users across 13,000 organizations, using compliance-themed lures to funnel victims into adversary-in-the-middle (AiTM) attacks. According to Microsoft's Defender Research team, as reported by Help Net Security, the campaign ran in waves between April 14 and April 16, 2026, and primarily targeted organizations in the United States.
The attack chain began with emails impersonating internal HR and compliance departments, with subject lines such as "Internal case log issued under conduct policy" and "Reminder: employer opened a non-compliance case log". To add credibility, the senders used display names such as "Internal Regulatory COC" and included a fake green banner claiming the message had been encrypted via Paubox, a legitimate HIPAA-compliant email encryption service.
Opening the attached PDF and clicking its "Review Case Materials" link sent victims through a multi-stage redirect chain: first a Cloudflare CAPTCHA, which keeps automated crawlers and sandboxes from reaching the final page, then a fake Microsoft sign-in portal. When a victim signed in, the AiTM infrastructure proxied the username, password and MFA code to the real Microsoft sign-in page in real time, so the legitimate service authenticated the session. The attackers captured the resulting session cookie and could replay it to access the account without re-entering the password or triggering another MFA prompt.
The campaign showed considerable operational care: the mail was sent through legitimate email delivery services, and the final landing page varied depending on whether the victim was on a mobile or desktop device. The lures also set a deadline, pressing users to sign in within five minutes to create a sense of urgency.
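The lure characteristics described above (compliance-case subject lines, an "internal" display name on mail from an external domain, the Paubox encryption banner, a PDF carrying a "Review Case Materials" link, and a short deadline) are enough to build a triage rule. The following is an added example, not code from Microsoft or Help Net Security; the `Message` fields, the sample messages, the regular expressions and the scoring thresholds are all constructed for illustration and would need tuning against a real mail feed.

```python
import re
from dataclasses import dataclass, field

# Indicators drawn from the campaign description; patterns and weights are
# this example's own choices, not Microsoft's published detection logic.
SUBJECT_PATTERNS = [
    re.compile(r"\b(case log|non-compliance case)\b", re.I),
    re.compile(r"\bconduct policy\b", re.I),
]
DISPLAY_NAME_PATTERN = re.compile(r"internal regulatory|\bCOC\b", re.I)
BANNER_PATTERN = re.compile(r"encrypted (by|via|with) paubox", re.I)
LINK_TEXT_PATTERN = re.compile(r"review case materials", re.I)
URGENCY_PATTERN = re.compile(r"within (\d+) minutes", re.I)


@dataclass
class Message:
    """Constructed message metadata, as a mail gateway or SIEM might expose it."""
    sender_display: str
    sender_domain: str
    subject: str
    body: str
    attachment_names: list[str] = field(default_factory=list)
    link_texts: list[str] = field(default_factory=list)   # includes links found in attachments


def score(msg: Message, internal_domains: set[str]) -> list[str]:
    """Return the list of indicator names that fire for this message."""
    hits = []
    if any(p.search(msg.subject) for p in SUBJECT_PATTERNS):
        hits.append("subject:compliance-case-lure")
    if DISPLAY_NAME_PATTERN.search(msg.sender_display):
        hits.append("display:internal-regulatory-coc")
    # A display name claiming to be "internal" on mail from a domain we do not own
    # is the classic impersonation tell; the campaign sent via third-party delivery services.
    if "internal" in msg.sender_display.lower() and msg.sender_domain.lower() not in internal_domains:
        hits.append("display:internal-name-external-domain")
    # The campaign painted a green "encrypted via Paubox" banner into the HTML body.
    # A banner is a claim, not evidence of encryption, so it is treated as a lure indicator.
    if BANNER_PATTERN.search(msg.body):
        hits.append("body:paubox-encryption-banner")
    if any(n.lower().endswith(".pdf") for n in msg.attachment_names):
        hits.append("attachment:pdf")
    if any(LINK_TEXT_PATTERN.search(t) for t in msg.link_texts):
        hits.append("link:review-case-materials")
    m = URGENCY_PATTERN.search(msg.body)
    if m and int(m.group(1)) <= 15:
        hits.append("body:short-deadline")
    return hits


def verdict(msg: Message, internal_domains: set[str]) -> str:
    """Simple tiering: three or more indicators quarantines, two flags for review."""
    n = len(score(msg, internal_domains))
    if n >= 3:
        return "quarantine"
    if n == 2:
        return "flag"
    return "deliver"


INTERNAL_DOMAINS = {"corp.example"}   # constructed tenant domain

# Constructed sample resembling the campaign's lure.
PHISH = Message(
    sender_display="Internal Regulatory COC",
    sender_domain="notify.example-mailer.net",
    subject="Reminder: employer opened a non-compliance case log",
    body="<div style='background:green'>This message was encrypted via Paubox</div>"
         " Please sign in within 5 minutes to review your case.",
    attachment_names=["Case_Log.pdf"],
    link_texts=["Review Case Materials"],
)

# Constructed benign HR notice that shares only the policy wording.
BENIGN = Message(
    sender_display="HR Team",
    sender_domain="corp.example",
    subject="Updated conduct policy acknowledgement",
    body="Please acknowledge the updated conduct policy by the end of the month.",
    link_texts=["Open policy page"],
)

if __name__ == "__main__":
    for label, msg in (("phish", PHISH), ("benign", BENIGN)):
        print(label, verdict(msg, INTERNAL_DOMAINS), score(msg, INTERNAL_DOMAINS))
```

The benign notice fires one indicator (the "conduct policy" subject) and is still delivered; it takes the combination of lure subject, impersonating display name, external sending domain, banner, PDF, link text and deadline to reach the quarantine tier, which is what keeps a rule like this from tripping on ordinary HR mail.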
In response, Microsoft urged organizations to move to phishing-resistant authentication, specifically FIDO security keys or Windows Hello. These credentials are bound to the sign-in origin and the relying party identifier, so a proxied lookalike page cannot complete the authentication and no session token is ever issued to the attacker. Microsoft also recommended enabling Safe Links and Safe Attachments in Microsoft Defender for Office 365, using Zero-hour auto purge (ZAP) to remove already-delivered malicious messages, and running regular phishing simulation training.
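Why FIDO-style credentials defeat an AiTM proxy where a one-time code does not comes down to origin binding in WebAuthn: the browser, not the page, fills in the `origin` field of clientDataJSON, and the authenticator signs over authenticatorData concatenated with the hash of that clientDataJSON, so the relying party can refuse any assertion produced on a different origin. The simulation below is an added example written for this article, not Microsoft's sign-in code; the RP ID, the lookalike attacker hostname and the simplified verifier are assumptions, and the final public-key signature check over `authenticatorData || SHA-256(clientDataJSON)` is omitted.

```python
import base64
import hashlib
import json
import os

RP_ID = "login.microsoftonline.com"                       # relying party identifier (assumed)
EXPECTED_ORIGIN = "https://login.microsoftonline.com"
ATTACKER_ORIGIN = "https://review-case-materials.example"  # constructed AiTM lookalike host


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def browser_client_data(page_origin: str, challenge: bytes) -> bytes:
    """clientDataJSON as the browser builds it for navigator.credentials.get().
    The page script supplies the challenge, but the browser fills in 'origin'
    from the document's real origin; a phishing page cannot spoof it."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": page_origin,
        "crossOrigin": False,
    }).encode()


def authenticator_data(rp_id: str) -> bytes:
    """rpIdHash (32 bytes) || flags (UP|UV = 0x05) || signCount (4 bytes)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (1).to_bytes(4, "big")


def rp_verify(client_data: bytes, auth_data: bytes, issued_challenge: bytes):
    """Relying-party checks mandated by WebAuthn before the signature is verified."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(issued_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {cd.get('origin')} != {EXPECTED_ORIGIN}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    # Signature over auth_data + sha256(client_data) with the registered public key would go here.
    return True, "ok"


def legitimate_sign_in():
    challenge = os.urandom(32)
    client_data = browser_client_data(EXPECTED_ORIGIN, challenge)
    return rp_verify(client_data, authenticator_data(RP_ID), challenge)


def aitm_sign_in():
    """The proxy fetches a genuine challenge from the real service and relays it
    to the victim's browser, which is rendering the attacker's lookalike page.
    In practice the browser would not even offer a credential scoped to RP_ID
    on the attacker's domain; this models the best case for the attacker, where
    an assertion is somehow produced, and shows the RP still rejects it."""
    challenge = os.urandom(32)
    client_data = browser_client_data(ATTACKER_ORIGIN, challenge)
    return rp_verify(client_data, authenticator_data(RP_ID), challenge)


if __name__ == "__main__":
    print("legitimate:", legitimate_sign_in())
    print("through AiTM proxy:", aitm_sign_in())
```

Contrast this with a TOTP or push prompt: the code the victim types on the lookalike page is exactly as valid on the real page, because nothing in it names the origin. With a FIDO credential the proxy can relay the challenge but never obtain an assertion that names the real origin, so the real service never mints the session cookie the attacker was after.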
The incident illustrates a broader shift from simple credential harvesting toward session token theft, which defeats MFA methods based on one-time codes or push approvals because the attacker never has to pass the second factor themselves; the victim does it for them through the proxy. As phishing lures grow more elaborate and more closely mimic internal corporate communications, organizations should prioritize phishing-resistant, hardware-backed authentication over code-based MFA to defend against these AiTM operations.