VYPR
Breach · Published May 5, 2026 · Updated May 18, 2026 · 1 source

Microsoft Warns of Mass Phishing Campaign Using Fake Compliance Emails and AiTM Hijacking

Microsoft Defender Research has uncovered a large-scale phishing campaign that targeted over 35,000 users across 13,000 organizations with fake compliance emails, using adversary-in-the-middle session hijacking to steal Microsoft authentication tokens.

Microsoft Defender Research has identified a large-scale phishing campaign that targeted more than 35,000 users across 13,000 organizations between April 15 and 16, 2026. The campaign, detailed in a report published on May 5, 2026, used fake internal compliance or regulatory communications as lures, primarily targeting US firms but observed across 26 countries.

The phishing emails were crafted with polished, enterprise-style HTML templates featuring structured layouts and statements asserting the message's own authenticity, making them appear more credible than typical phishing attempts. Subject lines included phrases like "Internal case log issued under conduct policy" and claimed a "code of conduct review" had been initiated, often referencing organization-specific names embedded within the text. The messages instructed recipients to open a personalized PDF attachment to review case materials, creating a sense of urgency with time-bound action prompts.

The attached PDF contained a link labeled "Review Case Materials" that initiated the credential harvesting flow. When clicked, victims were redirected to a landing page displaying a Cloudflare CAPTCHA, presented as a mechanism to validate that the user was coming from a valid session. Microsoft noted that this was likely intended to deter automated analysis and sandboxes; a CAPTCHA gate also stops link-scanning services from reaching the pages behind it, so a product that only inspects the first hop sees nothing more than a harmless challenge page. After passing the CAPTCHA, victims were redirected to another site claiming the documents were encrypted and required account authentication to proceed.

Microsoft observed an attack chain resembling device code phishing but confirmed only the adversary-in-the-middle (AiTM) component. Victims were led through multiple staged pages with email entry fields, CAPTCHAs, and reassuring status messages before being redirected, based on device type, to a final phishing site. There, users were prompted to sign in with Microsoft under the guise of a compliance review. The AiTM site acts as a reverse proxy in front of the genuine Microsoft sign-in: the victim's password and MFA response are forwarded to Microsoft and succeed, while the attacker captures the session cookie and tokens Microsoft issues in return, leaving them with an already-authenticated session and no need to repeat MFA.
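The practical consequence of the proxy design is that the MFA-backed interactive sign-in is logged from the attacker's infrastructure, and the stolen session is then used from somewhere else shortly afterwards. The following is an added example, not code from the Microsoft report or any Microsoft product: a small detector that runs over sign-in events and flags a session that was established interactively with MFA and then used from a different IP in a different network within a short window. The record schema, field names and log lines are constructed for the example, and the ASN field is assumed to have been enriched upstream by a GeoIP/ASN lookup.

```python
"""Detector for the AiTM session-replay pattern over sign-in events.

Added example, not code from the Microsoft report. In an AiTM attack the
victim completes the genuine sign-in, including MFA, through the attacker's
reverse proxy, so the MFA-satisfied interactive sign-in is logged from the
proxy's IP. The captured session cookie is then replayed from attacker
infrastructure. Signal used here: within one session, an interactive MFA
sign-in followed shortly by activity from a different IP in a different
network (ASN). Field names and log lines are constructed for the example.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    ip: str
    asn: str          # assumed enriched upstream (GeoIP/ASN lookup)
    session_id: str
    interactive: bool
    mfa_satisfied: bool


def parse_event(line: str) -> SignIn:
    """Parse one NDJSON sign-in record (constructed schema)."""
    d = json.loads(line)
    return SignIn(
        ts=datetime.fromisoformat(d["ts"].replace("Z", "+00:00")),
        user=d["user"].lower(),
        ip=d["ip"],
        asn=d["asn"],
        session_id=d["sessionId"],
        interactive=bool(d["interactive"]),
        mfa_satisfied=bool(d["mfa"]),
    )


def find_session_replay(events, window_minutes: int = 30):
    """Return one finding per (session, replay IP) where a session established
    interactively with MFA is later used from a different IP *and* a different
    ASN within `window_minutes`. Requiring both to differ keeps ordinary mobile
    roaming inside one carrier's network from firing the rule."""
    window = timedelta(minutes=window_minutes)
    by_session = {}
    for e in events:
        by_session.setdefault(e.session_id, []).append(e)

    findings = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e.ts)
        # The anchor is the first MFA-backed interactive sign-in of the session.
        anchor = next((e for e in evs if e.interactive and e.mfa_satisfied), None)
        if anchor is None:
            continue
        seen_ips = set()
        for e in evs:
            if e.ts <= anchor.ts or e.ts - anchor.ts > window:
                continue
            if e.ip != anchor.ip and e.asn != anchor.asn and e.ip not in seen_ips:
                seen_ips.add(e.ip)
                findings.append({
                    "user": anchor.user,
                    "session_id": sid,
                    "signin_ip": anchor.ip,
                    "replay_ip": e.ip,
                    "minutes_after_mfa": round((e.ts - anchor.ts).total_seconds() / 60, 1),
                })
    return findings


# Constructed sample: four sessions. s-1 shows the replay pattern; s-2 is the
# same IP throughout; s-3 changes IP inside one ASN (roaming); s-4 changes
# IP and ASN but two hours later, outside the default window.
SAMPLE_LOG = """\
{"ts":"2026-04-15T09:00:12Z","user":"alice@example.com","ip":"203.0.113.10","asn":"AS64496","sessionId":"s-1","interactive":true,"mfa":true}
{"ts":"2026-04-15T09:04:40Z","user":"alice@example.com","ip":"198.51.100.7","asn":"AS64500","sessionId":"s-1","interactive":false,"mfa":false}
{"ts":"2026-04-15T09:10:00Z","user":"bob@example.com","ip":"192.0.2.5","asn":"AS64496","sessionId":"s-2","interactive":true,"mfa":true}
{"ts":"2026-04-15T09:15:00Z","user":"bob@example.com","ip":"192.0.2.5","asn":"AS64496","sessionId":"s-2","interactive":false,"mfa":false}
{"ts":"2026-04-15T09:20:00Z","user":"carol@example.com","ip":"192.0.2.50","asn":"AS64496","sessionId":"s-3","interactive":true,"mfa":true}
{"ts":"2026-04-15T09:25:00Z","user":"carol@example.com","ip":"192.0.2.51","asn":"AS64496","sessionId":"s-3","interactive":false,"mfa":false}
{"ts":"2026-04-15T09:30:00Z","user":"dave@example.com","ip":"203.0.113.20","asn":"AS64496","sessionId":"s-4","interactive":true,"mfa":true}
{"ts":"2026-04-15T11:30:00Z","user":"dave@example.com","ip":"198.51.100.9","asn":"AS64500","sessionId":"s-4","interactive":false,"mfa":false}
"""


def load_sample():
    return [parse_event(l) for l in SAMPLE_LOG.splitlines() if l.strip()]


if __name__ == "__main__":
    for finding in find_session_replay(load_sample()):
        print(finding)
```

With the default 30-minute window only the s-1 session is reported; widening the window to three hours also catches s-4, which is the trade-off to tune: attackers often replay within minutes of the phish, but a token that is held for later use will only show up with a longer window or with a separate rule keyed on first-seen ASN per user.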

The attackers further reinforced the email's credibility by including a green banner claiming the message had been encrypted using Paubox, a legitimate service associated with HIPAA-compliant communications. This tactic, combined with the polished templates and organization-specific references, made the phishing emails highly plausible as legitimate internal communications.

Microsoft has recommended several mitigations to reduce the impact of this threat, including reviewing recommended settings for Exchange Online Protection and Microsoft Defender for Office 365, running realistic attack scenarios during awareness training, enabling password-less authentication methods (the phishing-resistant variants, such as FIDO2 security keys, passkeys and Windows Hello for Business, are the ones that matter here, because the credential is bound to the legitimate sign-in origin and cannot be relayed through an attacker's proxy), turning on Safe Links and Safe Attachments in Microsoft Defender for Office 365, and configuring automatic attack disruption in Microsoft Defender XDR.

This campaign illustrates how phishing that borrows legitimate services and polished templates can slip past reputation- and content-based email filtering. AiTM session hijacking does not break MFA; it lets the victim complete MFA through the attacker's proxy and then steals the resulting session token, so any MFA method that can be completed from a proxied page (SMS codes, authenticator push, TOTP) offers no protection against it. Organizations that rely on such methods alone remain exposed; phishing-resistant credentials and Conditional Access policies that require compliant or managed devices close the gap, and suspected victims need their sessions revoked rather than only a password reset, since tokens already issued stay valid until they expire.

Synthesized by Vypr AI