VYPR
Category: breach · Published May 5, 2026 · Updated May 17, 2026 · 1 source

Microsoft Warns of Large-Scale AitM Phishing Campaign Targeting US Organizations

A sophisticated phishing campaign targeting 13,000 organizations has been identified, utilizing adversary-in-the-middle techniques to bypass multifactor authentication.

Microsoft has issued a warning regarding a sophisticated, large-scale phishing campaign that has targeted approximately 13,000 organizations across 26 countries. The campaign, which was most active between April 14 and 16, saw over 35,000 individual phishing attempts. While the activity was global, 92% of the targeted organizations are based in the United States, with a particular focus on the healthcare, life sciences, financial services, professional services, and technology sectors (SecurityWeek).

The attackers utilize a "code of conduct review" theme to deceive employees, employing email display names such as "Team Conduct Report," "Workforce Communications," and "Internal Regulatory COC." The messages use urgent subject lines like "Reminder: employer opened a non-compliance case log" to prompt action. According to SecurityWeek, the emails are sent via legitimate delivery services, likely originating from cloud-hosted Windows virtual machines, using attacker-controlled domains.

The attack chain begins when a victim opens a PDF attachment titled "Awareness Case Log File" or "Disciplinary Action." These documents contain a link labeled "Review Case Materials." Once clicked, the user is directed to a Cloudflare CAPTCHA page, which Microsoft identifies as a gating mechanism designed to prevent automated security analysis. The victim is then guided through a series of verification steps, including entering their email address and completing a second CAPTCHA, before being prompted to sign in to their Microsoft account (SecurityWeek).
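The lure details reported above (the HR-style display names, the urgency subject line, and the two PDF attachment titles) are enough to build a simple mail-triage rule. The following is an added example, not code from the article or from Microsoft's advisory: it scores constructed message metadata against those traits and flags the combination rather than any single signal, so that a genuine internal "Workforce Communications" mailing from the organization's own domain is not flagged. The sender addresses, the `corp.example` internal domain, and the sample messages are all invented for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of message metadata shaped like the lures the article
# describes. Display names, subject wording and attachment names follow the
# article; sender addresses and domains are invented for this example and are
# not indicators from Microsoft's advisory.
SAMPLE_MESSAGES: List[Dict] = [
    {"from_name": "Team Conduct Report", "from_addr": "notice@relay-one.test",
     "subject": "Reminder: employer opened a non-compliance case log",
     "attachments": ["Awareness Case Log File.pdf"]},
    {"from_name": "Jane Doe", "from_addr": "jane.doe@corp.example",
     "subject": "Q2 planning notes", "attachments": ["agenda.pdf"]},
    {"from_name": "Internal Regulatory COC", "from_addr": "hr-alerts@relay-two.test",
     "subject": "Disciplinary action pending your review",
     "attachments": ["Disciplinary Action.pdf"]},
    {"from_name": "Workforce Communications", "from_addr": "comms@corp.example",
     "subject": "Town hall recording now available", "attachments": []},
]

# Assumption: the organization's own sending domains. A themed display name
# arriving from one of these is treated as ordinary internal mail.
INTERNAL_DOMAINS = {"corp.example"}

LURE_DISPLAY_NAMES = {
    "team conduct report",
    "workforce communications",
    "internal regulatory coc",
}
LURE_SUBJECT_RE = re.compile(r"non-compliance|case log|disciplinary|code of conduct", re.I)
LURE_ATTACHMENT_RE = re.compile(r"awareness case log|disciplinary action", re.I)


def score_message(msg: Dict) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one message.

    Each signal is weak on its own; the combination of an HR-style display
    name sent from outside the organization, a conduct/compliance urgency
    subject and a themed attachment name is what makes the lure distinctive.
    """
    score, reasons = 0, []
    sender_domain = msg["from_addr"].rsplit("@", 1)[-1].lower()
    external = sender_domain not in INTERNAL_DOMAINS

    if msg["from_name"].strip().lower() in LURE_DISPLAY_NAMES:
        score += 1
        reasons.append("themed display name")
        if external:
            score += 1
            reasons.append("internal-sounding name from external domain")
    if LURE_SUBJECT_RE.search(msg["subject"]):
        score += 1
        reasons.append("conduct/compliance urgency subject")
    if any(LURE_ATTACHMENT_RE.search(name) for name in msg["attachments"]):
        score += 2
        reasons.append("themed PDF attachment name")
    return score, reasons


def triage(messages: List[Dict], threshold: int = 3) -> List[Tuple[int, int, List[str]]]:
    """Return (index, score, reasons) for every message scoring at or above threshold."""
    flagged = []
    for i, msg in enumerate(messages):
        score, reasons = score_message(msg)
        if score >= threshold:
            flagged.append((i, score, reasons))
    return flagged


if __name__ == "__main__":
    for idx, score, reasons in triage(SAMPLE_MESSAGES):
        print(f"message {idx}: score {score} -> {', '.join(reasons)}")
```

Run against the constructed sample, messages 0 and 2 are flagged and the legitimate internal mailing scores only 1. In a real deployment the display-name and attachment patterns would be replaced by the IoCs Microsoft distributed, and the internal-domain set by the organization's actual accepted sender domains.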

The final stage of the attack employs adversary-in-the-middle (AitM) techniques. By proxying the authentication session in real time, the attackers can capture session tokens, effectively bypassing non-phishing-resistant multifactor authentication (MFA). This allows the threat actors to gain immediate, unauthorized access to the targeted accounts (SecurityWeek).

In response to the campaign, Microsoft has provided affected enterprises with specific mitigation recommendations, threat-hunting queries, and indicators of compromise (IoCs) to help identify and block the malicious activity. Organizations are encouraged to review these materials to harden their defenses against AitM-style credential harvesting (SecurityWeek).

This campaign highlights a growing trend in the threat landscape where attackers leverage legitimate infrastructure and sophisticated gating mechanisms to bypass security controls. The use of AitM techniques to circumvent traditional MFA remains a significant challenge for enterprise security, emphasizing the need for phishing-resistant authentication methods. Security teams should remain vigilant for themed phishing lures that mimic internal corporate communications.
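The two paragraphs above make a claim that is easier to see in code than in prose: a real-time proxy defeats a one-time code because the code is valid wherever it is typed, but it does not defeat an origin-bound factor because the signed assertion names the page the browser was actually on. The following is an added example, not code from the article or from Microsoft: a toy identity provider with no networking, a TOTP factor, and an origin-bound factor modelled on WebAuthn. The signature is an HMAC with a per-credential shared key, a deliberate simplification of WebAuthn's public-key signature; the origin names (`login.example`, `login-proxy.test`), the user, and the password are constructed.

```python
import hashlib
import hmac
import json
import secrets
import struct
from typing import Optional, Tuple

LEGIT_ORIGIN = "https://login.example"      # constructed: the genuine sign-in page
PHISH_ORIGIN = "https://login-proxy.test"   # constructed: the AitM proxy's page


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; the 'non-phishing-resistant' factor here."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def _client_data_digest(client_data: dict) -> bytes:
    return hashlib.sha256(json.dumps(client_data, sort_keys=True).encode()).digest()


class IdentityProvider:
    """Toy IdP. HMAC stands in for WebAuthn's asymmetric signature; the origin
    check in login_origin_bound is the behaviour this example demonstrates."""

    def __init__(self, origin: str):
        self.origin = origin
        self.users = {}
        self.sessions = set()

    def register(self, user: str, password: str, totp_secret: bytes, cred_key: bytes):
        self.users[user] = (password, totp_secret, cred_key)

    def challenge(self) -> str:
        return secrets.token_hex(16)

    def login_totp(self, user: str, password: str, otp: str, now: int) -> Optional[str]:
        pw, secret, _ = self.users[user]
        if password != pw or not hmac.compare_digest(otp, totp(secret, now)):
            return None
        return self._issue()

    def login_origin_bound(self, user: str, password: str,
                           client_data: dict, signature: bytes) -> Optional[str]:
        pw, _, cred_key = self.users[user]
        if password != pw:
            return None
        # The browser recorded the origin it was really on and the authenticator
        # signed it; a proxy cannot rewrite it without invalidating the signature.
        if client_data.get("origin") != self.origin:
            return None
        expected = hmac.new(cred_key, _client_data_digest(client_data), hashlib.sha256).digest()
        if not hmac.compare_digest(signature, expected):
            return None
        return self._issue()

    def _issue(self) -> str:
        token = secrets.token_hex(16)   # the session token an AitM proxy is after
        self.sessions.add(token)
        return token


def authenticator_sign(cred_key: bytes, challenge: str, browser_origin: str) -> Tuple[dict, bytes]:
    """What the victim's browser and authenticator produce: the origin is the page
    the browser is on, not what that page claims to be."""
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin}
    return client_data, hmac.new(cred_key, _client_data_digest(client_data), hashlib.sha256).digest()


def setup() -> Tuple[IdentityProvider, bytes, bytes]:
    idp = IdentityProvider(LEGIT_ORIGIN)
    totp_secret, cred_key = secrets.token_bytes(20), secrets.token_bytes(32)
    idp.register("victim@corp.example", "correct horse", totp_secret, cred_key)
    return idp, totp_secret, cred_key


def aitm_against_totp(now: int = 1_700_000_000) -> bool:
    """Victim types password and OTP into the proxy page; the proxy relays both to
    the real IdP within the validity window. True if the attacker holds a token."""
    idp, totp_secret, _ = setup()
    relayed_password, relayed_otp = "correct horse", totp(totp_secret, now)
    token = idp.login_totp("victim@corp.example", relayed_password, relayed_otp, now)
    return token is not None and token in idp.sessions


def aitm_against_origin_bound() -> bool:
    """Same relay, but the browser is on PHISH_ORIGIN, so the signed client data
    names that origin and the IdP refuses it. True only if the attacker gets a token."""
    idp, _, cred_key = setup()
    client_data, sig = authenticator_sign(cred_key, idp.challenge(), PHISH_ORIGIN)
    return idp.login_origin_bound("victim@corp.example", "correct horse", client_data, sig) is not None


def legit_origin_bound() -> bool:
    """Control: the same credential used from the genuine origin succeeds."""
    idp, _, cred_key = setup()
    client_data, sig = authenticator_sign(cred_key, idp.challenge(), LEGIT_ORIGIN)
    return idp.login_origin_bound("victim@corp.example", "correct horse", client_data, sig) is not None


if __name__ == "__main__":
    print("TOTP relayed through proxy -> attacker gets session:", aitm_against_totp())
    print("Origin-bound factor through proxy -> attacker gets session:", aitm_against_origin_bound())
    print("Origin-bound factor from real origin -> user gets session:", legit_origin_bound())
```

The model leaves out parts of real WebAuthn that make the defence even stronger (the browser will not exercise a credential at all when the RP ID does not match the page's domain, and the signature is asymmetric), but the origin field alone already shows why Microsoft's advice to move to phishing-resistant MFA addresses this campaign where a one-time code does not.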

Synthesized by Vypr AI