Microsoft has revealed a comprehensive credential theft operation that exploited themes related to code of conduct, utilizing legitimate email services to redirect users to domains controlled by attackers and extract authentication tokens. This multi-faceted campaign occurred between April 14 and April 16, 2026, affecting over 35,000 users from more than 13,000 organizations across 26 countries, predominantly in the United States, where 92% of the targets were located. The primary sectors impacted included healthcare and life sciences, financial services, professional services, and technology, with percentages of 19%, 18%, 11%, and 11%, respectively.
The Microsoft Defender Security Research Team noted that the phishing lures were built on polished, enterprise-style HTML templates with structured layouts and credential-style details intended to make them look authentic. As a result, the emails closely resembled legitimate internal communications, raising the odds that recipients would engage. The campaign also relied on urgent wording that pressured recipients to act immediately.
Emails in this operation used conduct-review terminology and appeared under display names such as “Internal Regulatory COC,” “Workforce Communications,” and “Team Conduct Report.” Subject lines included phrases like “Internal case log issued under conduct policy” and “Reminder: employer opened a non-compliance case log,” giving the messages a deceptive resemblance to routine corporate communications. Microsoft noted that a prominent statement at the top of each email asserted that the message was “issued through an authorized internal channel,” further reinforcing the illusion of legitimacy.
Investigations indicated that these deceptive emails likely originated from a legitimate email delivery service and contained PDF attachments purportedly providing additional insight regarding the conduct review. This mechanism ensnared victims by enticing them to click links embedded within these documents, triggering a sequence leading to credential harvesting.
The attack chain included multiple rounds of CAPTCHA challenges and interstitial pages designed to project a facade of authenticity while deterring automated security scanners. The final stage used adversary-in-the-middle (AiTM) phishing techniques to harvest Microsoft credentials and session tokens in real time, effectively bypassing multi-factor authentication. Microsoft’s analysis noted that the final destination in the phishing flow varied depending on whether the initial engagement came from a mobile device or a desktop system.
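The lure indicators described above (the display names, subject-line phrases, the “authorized internal channel” banner, an external delivery service as the true sender, and a PDF attachment carrying the link) can be turned into a simple mail-gateway triage rule. The following is an added example, not Microsoft’s detection logic and not code from the report; the sample messages, the sender domains, the scoring weights and the `INTERNAL_DOMAINS` set are all constructed assumptions. It scores each message against the reported indicators and gives extra weight when an internal-sounding display name arrives from a domain the organization does not own, which is the combination the campaign relied on.

```python
import re
from dataclasses import dataclass

# Display names and subject phrases reported for the campaign (quoted from the article).
LURE_DISPLAY_NAMES = {
    "internal regulatory coc",
    "workforce communications",
    "team conduct report",
}
LURE_SUBJECT_PATTERNS = [
    re.compile(r"\bconduct policy\b", re.I),
    re.compile(r"\bnon-compliance case log\b", re.I),
    re.compile(r"\bcase log\b", re.I),
    re.compile(r"\bconduct (?:review|report)\b", re.I),
]
# Banner text the report says appeared at the top of each lure.
LURE_BODY_PHRASES = ["issued through an authorized internal channel"]

# Assumption: domains from which this organization's own HR/compliance mail legitimately originates.
INTERNAL_DOMAINS = {"corp.example"}


@dataclass
class EmailMeta:
    """Minimal message metadata a gateway or SIEM would expose (constructed for this example)."""
    display_name: str
    from_addr: str
    subject: str
    body_snippet: str
    has_pdf_attachment: bool


def score_conduct_lure(msg: EmailMeta, internal_domains: set[str]) -> tuple[int, list[str]]:
    """Score a message against the conduct-review lure indicators; higher means more suspicious."""
    score, reasons = 0, []
    name_hit = msg.display_name.strip().lower() in LURE_DISPLAY_NAMES
    if name_hit:
        score += 3
        reasons.append("display name matches known lure")
    if any(p.search(msg.subject) for p in LURE_SUBJECT_PATTERNS):
        score += 2
        reasons.append("subject uses conduct-review wording")
    if any(phrase in msg.body_snippet.lower() for phrase in LURE_BODY_PHRASES):
        score += 2
        reasons.append("body carries 'authorized internal channel' banner")
    sender_domain = msg.from_addr.rsplit("@", 1)[-1].lower()
    # The campaign used a legitimate third-party delivery service: an internal-sounding
    # display name arriving from a non-corporate domain is the strongest single signal here.
    if name_hit and sender_domain not in internal_domains:
        score += 3
        reasons.append(f"internal-sounding sender from external domain {sender_domain}")
    if msg.has_pdf_attachment and score:
        score += 1
        reasons.append("PDF attachment on an already-suspicious message")
    return score, reasons


def triage(messages: list[EmailMeta], internal_domains: set[str], threshold: int = 5):
    """Return (subject, score, reasons) for every message at or above the threshold."""
    flagged = []
    for m in messages:
        score, reasons = score_conduct_lure(m, internal_domains)
        if score >= threshold:
            flagged.append((m.subject, score, reasons))
    return flagged


# Constructed sample messages: one campaign-style lure, one benign internal HR mail,
# and one external message that only partially overlaps with the lure wording.
SAMPLE_MESSAGES = [
    EmailMeta("Internal Regulatory COC", "notify@mail.delivery-service.test",
              "Internal case log issued under conduct policy",
              "This message is issued through an authorized internal channel. See the attached PDF.", True),
    EmailMeta("HR Team", "hr@corp.example", "Quarterly performance review reminder",
              "Please complete your self-assessment in the HR portal by Friday.", False),
    EmailMeta("Facilities", "ops@vendor.test", "Parking case log update",
              "Your parking permit renewal has been processed.", True),
]

if __name__ == "__main__":
    for subject, score, reasons in triage(SAMPLE_MESSAGES, INTERNAL_DOMAINS):
        print(f"[{score}] {subject}: {'; '.join(reasons)}")
```

In production the weights would be tuned against the organization’s own mail, and the display-name list would be fed from threat intelligence rather than hard-coded; the point of the example is that each reported indicator is weak alone, and it is the combination (lure wording plus an external true sender plus a PDF carrier) that separates the campaign from routine HR traffic.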
Phishing Landscape Insights for 2026
This disclosure follows Microsoft’s review of email threats between January and March 2026, in which QR code phishing emerged as the fastest-growing attack vector and CAPTCHA-protected phishing evolved rapidly. The company reported detecting around 8.3 billion email-based phishing threats, with nearly 80% categorized as link-based. Large HTML and ZIP file attachments made up a substantial share of the malicious payloads delivered through these emails. Credential harvesting remains the main goal of these attacks, while malware delivery declined sharply to about 5-6% by the end of the quarter.
Palo Alto Networks Unit 42 previously elucidated the exploitation of QR codes as URL shorteners by threat actors, further affirming the versatility of online attack methodologies. Data from Microsoft indicates an extraordinary 146% increase in QR code phishing attacks within the same timeframe.
Business email compromise (BEC) scams likewise showed notable fluctuations, crossing four million incidents in March 2026. Two significant campaigns were observed in the first quarter: one targeted users with 401(k)- and payment-related themes, and another exceeded 1.5 million confirmed malicious emails sent globally.
Microsoft’s findings illustrate the multifaceted nature of current email threats and underline the importance of vigilance and layered defenses in protecting sensitive organizational data. By mapping the adversaries’ evolving tactics to the MITRE ATT&CK framework, particularly initial access, credential dumping, and user execution, the report reminds business owners of the need for a robust security posture and for employee training in recognizing phishing attempts.