Cyberwire Daily
Microsoft Flags Mass Phishing Campaign Using Fake Compliance Emails

By Team-CWD, May 5, 2026


A phishing campaign targeting more than 35,000 users across 13,000 organizations has been identified by the Microsoft Defender Research team.

The large-scale credential theft campaign used fake internal compliance or regulatory communications as lures.

The lures in this campaign used polished, enterprise-style HTML templates with structured layouts and preemptive authenticity statements, making them appear more credible than typical phishing emails and increasing their plausibility as legitimate internal communications. 

The campaign ran between April 15 and 16, 2026, and primarily targeted US firms, but was identified in organizations across 26 countries in total.

Urgent Compliance Phishing Lure

According to Microsoft’s findings, the messages contained concerning accusations and repeated time-bound action prompts. This gave the campaign a sense of urgency and pressure for victims to act.

For example, subject lines included “Internal case log issued under conduct policy”. The messages claimed that a “code of conduct review” had been initiated and referenced organization-specific names embedded within the text.

The emails instructed recipients to “open the personalized attachment” to review case materials.

The attached PDF encouraged recipients to click the “Review Case Materials” link, which initiated the credential harvesting flow.

The attackers designed the message to appear legitimate by claiming it came from an authorized internal channel and that all links and attachments had been securely reviewed.

A green banner claiming the message had been encrypted using Paubox, a legitimate service associated with HIPAA-compliant communications, further reinforced credibility.
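The lure traits described above can be turned into a triage heuristic for reported or quarantined mail. The following is an added example, not Microsoft's detection logic or code from the original article; the weights, the threshold, the `example.com` addresses and both sample messages are constructed assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Lure traits quoted in the article; the weights and threshold are assumptions.
SUBJECT_RE = re.compile(r"case log|conduct (policy|review)", re.I)
OPEN_ATTACHMENT_RE = re.compile(r"open the (personali[sz]ed )?attachment", re.I)
BODY_CHECKS = {
    "conduct_review": (re.compile(r"code of conduct review", re.I), 1),
    "authenticity_claim": (re.compile(r"authori[sz]ed internal channel|securely reviewed", re.I), 2),
    "paubox_banner": (re.compile(r"encrypted (using|with|by) paubox", re.I), 1),
}
THRESHOLD = 5  # assumed cut-off for sending a message to analyst review

def score_message(raw: bytes):
    """Return (score, sorted indicator names) for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    text = re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", body))  # drop tags, collapse spaces
    has_pdf = any(a.get_content_type() == "application/pdf" for a in msg.iter_attachments())
    hits = {}
    if SUBJECT_RE.search(str(msg["Subject"] or "")):
        hits["conduct_subject"] = 2
    # The attachment prompt only counts when a PDF is actually attached.
    if has_pdf and OPEN_ATTACHMENT_RE.search(text):
        hits["pdf_prompt"] = 2
    for name, (rx, weight) in BODY_CHECKS.items():
        if rx.search(text):
            hits[name] = weight
    return sum(hits.values()), sorted(hits)

def build_sample(subject: str, html: str, with_pdf: bool) -> bytes:
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "hr@example.com", "user@example.com", subject
    m.set_content(html, subtype="html")
    if with_pdf:
        m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                         subtype="pdf", filename="case.pdf")
    return m.as_bytes()

LURE = build_sample(
    "Internal case log issued under conduct policy",
    "<p>A code of conduct review has been initiated. Please open the personalized "
    "attachment to review case materials.</p><p>Sent from an authorized internal channel. "
    "All links and attachments were securely reviewed.</p><div>Encrypted using Paubox</div>",
    with_pdf=True)
BENIGN = build_sample("Annual code of conduct policy update",
                      "<p>The code of conduct training is now on the intranet.</p>", with_pdf=False)
```

A conduct-themed subject on its own stays below the threshold; the score only crosses it when the attachment prompt and the preemptive authenticity statements appear together.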

When the recipient clicked on the link within the PDF, they were redirected to a landing page which displayed a Cloudflare CAPTCHA, presented as a mechanism to validate that the user was coming “from a valid session”. This was likely intended to deter automated analysis and sandboxes, according to Microsoft.

After passing the CAPTCHA, victims were redirected to another site claiming the documents were encrypted and required account authentication to proceed.

Microsoft observed an attack chain resembling device code phishing but confirmed only the adversary-in-the-middle (AiTM) component.

Victims were led through multiple staged pages with email entries, CAPTCHAs and reassuring status messages before being redirected, based on device type, to a final phishing site.

There, users were prompted to sign in with Microsoft under the guise of a compliance review, triggering an AiTM session hijack to steal authentication tokens and compromise accounts.

Protection Guidance From Microsoft

Microsoft recommended several mitigations to reduce the impact of this threat, including, but not limited to:

  • Review the recommended settings for Exchange Online Protection and Microsoft Defender for Office 365 to ensure your organization has established essential defenses and knows how to monitor and respond to threat activity
  • Run realistic attack scenarios during awareness training so employees are prepared to spot such phishing attempts
  • Enable password-less authentication methods for accounts that support them. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for multifactor authentication (MFA)
  • Turn on Safe Links and Safe Attachments in Microsoft Defender for Office 365
  • Configure automatic attack disruption in Microsoft Defender XDR


