Microsoft has revealed details of a large-scale phishing campaign that tricked tens of thousands of users into handing over their login credentials by using convincing internal-style emails and advanced evasion tactics.
The attack, observed between April 14 and April 16, 2026, impacted more than 35,000 users across 13,000 organizations in 26 countries, with the majority of victims based in the United States.
Highly Convincing Email Lures
Unlike typical phishing emails, this campaign used polished, corporate-style templates designed to look like official internal communications.
The messages claimed to relate to workplace conduct investigations, using names such as:
- “Internal Regulatory COC”
- “Workforce Communications”
- “Team Conduct Report”
Subject lines suggested urgent compliance issues, pushing recipients to act quickly. Some emails even included statements claiming the message was sent through an “authorized internal channel” to build trust.
Multi-Step Attack Chain
Victims received emails that often included a PDF attachment. The document directed them to click a link, which triggered a multi-stage phishing process.
The attack flow included:
- Redirecting users through several intermediate pages
- Displaying CAPTCHA challenges to appear legitimate
- Blocking automated security tools
- Delivering a fake login page
This layered approach made the attack harder to detect and more convincing to users.
MFA Bypass With Token Theft
At the final stage, attackers used adversary-in-the-middle (AiTM) techniques to capture login credentials and authentication tokens in real time.
This method allows attackers to bypass multi-factor authentication (MFA): the session token they intercept is already valid, so they do not need to rely on stolen passwords alone.
Industries Most Affected
The campaign heavily targeted sectors that handle sensitive data, including:
- Healthcare and life sciences
- Financial services
- Professional services
- Technology and software
Growing Phishing Trends in 2026
Microsoft’s broader analysis of email threats shows phishing is evolving rapidly:
- Over 8.3 billion phishing emails were detected in early 2026
- Nearly 80% were link-based attacks
- Credential theft remains the main objective, while malware delivery is declining
A major trend is the rise of QR code phishing, which saw a sharp increase in activity during the first quarter of the year.
Attackers Adapting Quickly
Phishing groups are also changing tactics to avoid detection. For example, operators behind the Tycoon 2FA phishing platform have shifted hosting providers after recent disruptions.
Other campaigns have abused trusted services like Amazon SES to send phishing emails that pass standard security checks such as SPF, DKIM, and DMARC. This makes malicious messages appear legitimate and harder to block.
Why This Matters
This campaign highlights how phishing attacks are becoming more sophisticated and harder to detect. By combining realistic messaging, trusted infrastructure, and MFA bypass techniques, attackers can gain access to accounts even in well-secured environments.
Recommended Action
Organizations should:
- Train employees to recognize high-pressure phishing tactics
- Monitor for unusual login activity and session behavior
- Use advanced email filtering and token protection tools
Users should avoid clicking links in unexpected emails and verify requests through official channels before taking action.
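One way to act on the session-monitoring recommendation above, and to surface the token reuse that AiTM theft enables, is to compare every use of a session against the client that first signed in. The Python below is an added example, not Microsoft's detection logic or code from the original report; the field names, the /24 grouping, the one-hour window and the sample events are assumptions constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed session events (hypothetical field names, documentation IP ranges).
FIELDS = ("ts", "user", "session_id", "ip", "user_agent")
EVENTS = [dict(zip(FIELDS, row)) for row in [
    ("2026-04-15T09:00:05", "alice@example.com", "s-1001", "192.0.2.10", "Edge/124 Windows"),
    ("2026-04-15T09:02:40", "alice@example.com", "s-1001", "192.0.2.10", "Edge/124 Windows"),
    ("2026-04-15T09:04:12", "alice@example.com", "s-1001", "203.0.113.77", "Chrome/123 Linux"),
    ("2026-04-15T10:00:00", "bob@example.com", "s-2002", "198.51.100.5", "Safari/17 macOS"),
    ("2026-04-15T10:30:00", "bob@example.com", "s-2002", "198.51.100.9", "Safari/17 macOS"),
    ("2026-04-15T11:00:00", "carol@example.com", "s-3003", "192.0.2.50", "Chrome/124 Windows"),
    ("2026-04-15T15:00:00", "carol@example.com", "s-3003", "198.51.100.200", "Chrome/124 Windows"),
]]


def network(ip, prefix=24):
    """Collapse an IPv4 address to its /24 so address churn on one network is ignored."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def find_token_replay(events, window=timedelta(hours=1)):
    """Flag sessions reused from a network or client other than the one that signed in."""
    baseline, seen, findings = {}, set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session_id"]
        first = baseline.setdefault(sid, ev)  # first use of a session is its baseline
        new_net = network(ev["ip"]) != network(first["ip"])
        new_ua = ev["user_agent"] != first["user_agent"]
        key = (sid, network(ev["ip"]), ev["user_agent"])
        if not (new_net or new_ua) or key in seen:
            continue  # same client as sign-in, or this client was already reported
        seen.add(key)
        age = datetime.fromisoformat(ev["ts"]) - datetime.fromisoformat(first["ts"])
        # New network AND new client soon after sign-in fits a stolen token being
        # reused; a single change (roaming laptop, browser update) only merits review.
        severity = "high" if new_net and new_ua and age <= window else "review"
        findings.append({"session_id": sid, "user": ev["user"], "ip": ev["ip"],
                         "severity": severity,
                         "minutes_after_signin": int(age.total_seconds() // 60)})
    return findings


if __name__ == "__main__":
    for finding in find_token_replay(EVENTS):
        print(finding)
```

In the sample data, only alice's session is rated high; bob's address change stays inside one /24 and is ignored, and carol's network-only change hours later is left for review.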

