Microsoft has revealed a large-scale credential theft campaign that used convincing code of conduct-themed lures and a legitimate email delivery service to trick over 35,000 users across 13,000 organizations into visiting malicious sites and exposing their credentials and authentication tokens. The operation illustrates how phishing crews now combine trusted infrastructure, anti-analysis gating and real-time credential relay to get past both users and automated defenses.
The campaign, which ran from April 14 to April 16, 2026, predominantly targeted organizations in the United States, with 92% of affected users located there. Key sectors that fell victim included healthcare and life sciences (19%), financial services (18%), professional services (11%), and technology and software (11%). The emails were meticulously crafted to appear as genuine internal communications, leveraging structured HTML templates and preemptive authenticity statements to enhance their credibility.
Evolving Phishing Tactics Employed by Cybercriminals
Threat actors utilized messages with subject lines like “Internal case log issued under conduct policy” and “Reminder: employer opened a non-compliance case log,” creating a sense of urgency. Microsoft noted that these messages included notices claiming they were “issued through an authorized internal channel” and that links and attachments had been “reviewed and approved for secure access,” further solidifying the illusion of legitimacy.
The emails were likely sent from a legitimate email delivery service and carried a PDF attachment that purported to offer further details on the conduct review. The document contained a link that started the credential harvesting flow. The chain was engineered to defeat automated analysis: the link led through several intermediate pages and multiple rounds of CAPTCHA challenges, which stop URL scanners and sandboxes from ever reaching the final page while looking to the victim like an ordinary security step.
Ultimately, the attack culminated in an adversary-in-the-middle (AiTM) phishing page. Rather than showing a static fake login form, the page proxies the victim's sign-in to the real Microsoft login, relays the MFA prompt, and captures the credentials and the resulting session token as they pass through, so the victim completes MFA but the authenticated session is controlled by the attacker. The final destination for the captured data varied depending on whether the flow was initiated from a mobile device or a desktop system.
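Because the victim completes MFA, an AiTM theft does not show up as a failed or suspicious authentication. What it does leave is a session that was established from one network (the proxy's) and is then used from another (the attacker's). The following detection sketch, written for this article as an added example and not taken from Microsoft's report or tooling, runs that check over a handful of constructed sign-in events. The `SignIn` field names and the sample data are this example's own assumptions, loosely modelled on what an identity provider's sign-in log records.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    """One sign-in or token-use event (field names are assumptions for this example)."""
    time: datetime
    user: str
    session_id: str      # correlation id of the browser session / refresh token
    ip: str
    asn: str             # autonomous system of ip, as resolved by the log pipeline
    interactive: bool    # True for a password/MFA prompt, False for silent token use
    mfa_satisfied: bool


T0 = datetime(2026, 4, 15, 9, 0, 0)

# Constructed sample events, not real telemetry.
# alice: AiTM pattern - interactive MFA sign-in arrives from a hosting-provider IP
#        (the proxy), then the same session is used minutes later from another network.
# bob:   normal pattern - sign-in and later token use from the same corporate ASN.
SAMPLE_EVENTS = [
    SignIn(T0, "alice@victim-corp.example", "sess-A1",
           "203.0.113.10", "AS64500-hosting", True, True),
    SignIn(T0 + timedelta(minutes=7), "alice@victim-corp.example", "sess-A1",
           "198.51.100.22", "AS64501-hosting", False, False),
    SignIn(T0 + timedelta(minutes=30), "alice@victim-corp.example", "sess-A1",
           "198.51.100.22", "AS64501-hosting", False, False),
    SignIn(T0, "bob@victim-corp.example", "sess-B1",
           "192.0.2.5", "AS64496-corp", True, True),
    SignIn(T0 + timedelta(minutes=45), "bob@victim-corp.example", "sess-B1",
           "192.0.2.5", "AS64496-corp", False, False),
]


def find_session_replay(events, window=timedelta(hours=1)):
    """Flag sessions whose MFA-satisfied interactive sign-in is followed, within
    `window`, by use of the same session from a different ASN."""
    by_session = defaultdict(list)
    for e in events:
        by_session[(e.user, e.session_id)].append(e)

    findings = []
    for (user, sid), evs in by_session.items():
        evs.sort(key=lambda e: e.time)
        # The event that minted the session: an interactive sign-in with MFA satisfied.
        origin = next((e for e in evs if e.interactive and e.mfa_satisfied), None)
        if origin is None:
            continue
        foreign = [
            e for e in evs
            if origin.time < e.time <= origin.time + window and e.asn != origin.asn
        ]
        if foreign:
            findings.append({
                "user": user,
                "session_id": sid,
                "auth_ip": origin.ip,
                "auth_asn": origin.asn,
                "replay_ips": sorted({e.ip for e in foreign}),
                "first_replay_after": foreign[0].time - origin.time,
            })
    return findings


if __name__ == "__main__":
    for finding in find_session_replay(SAMPLE_EVENTS):
        print(finding)
```

Keying on ASN rather than raw IP keeps a user who moves between two addresses on the same network quiet, but mobile devices that hop between Wi-Fi and cellular will still trip the rule, so in practice the hit is an enrichment signal (is the authenticating ASN a hosting provider the user has never come from before?) rather than a standalone alert.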
Phishing Trends and Evolving Threat Landscape in 2026
This disclosure arrives amidst Microsoft’s broader analysis of the email threat landscape in early 2026, which highlights several alarming trends. QR code phishing has emerged as the fastest-growing attack vector, while CAPTCHA-gated phishing has seen rapid evolution across various payload types. In total, Microsoft detected approximately 8.3 billion email-based phishing threats during the first quarter of 2026.
Of these threats, nearly 80% were link-based, with large HTML and ZIP files serving as common distributors of malicious payloads. The primary objective for the vast majority of these attacks was credential harvesting, with malware delivery declining to a mere 5-6% by the end of the quarter. This shift underscores a strategic move by threat actors towards data theft over immediate system compromise.
Additionally, the operators of the Tycoon 2FA phishing-as-a-service (PhaaS) platform have reportedly attempted to alter their hosting providers and domain registration patterns following a coordinated disruption operation in March 2026. Microsoft observed Tycoon 2FA moving away from Cloudflare and distributing its domains across various alternative platforms, indicating an effort to secure services offering comparable anti-analysis protections.
Palo Alto Networks Unit 42 also reported in February 2026 on threat actors abusing QR codes as URL shorteners, as deep links that lead to credential theft, and as a way around app store controls by pointing victims at direct downloads of malicious applications. Microsoft's data supports this, showing a 146% increase in QR code phishing volume from January to March 2026. A notable development late in March was the embedding of QR codes directly within email bodies rather than in attachments.
Business email compromise (BEC) scams have also shown fluctuations, with attack volumes crossing 4 million in March 2026. Two particularly noteworthy campaigns in Q1 2026 involved large-scale attacks distributing SVG attachments or HTML files that led victims through CAPTCHA challenges to fake sign-in pages. Interestingly, these campaigns, while sharing common tooling and structure, originated from multiple different PhaaS providers, including Tycoon 2FA, Kratos, and EvilTokens infrastructure.
The findings align with the emergence of phishing and BEC campaigns that send through Amazon Simple Email Service (SES) so that their messages pass, rather than have to evade, authentication checks like SPF, DKIM, and DMARC. Attackers gain access to SES through leaked AWS access keys, and can then send a high volume of phishing emails that are authenticated by, and genuinely originate from, trusted infrastructure. This spares them the cost and effort of standing up their own domains and mail servers, and it removes a signal that receivers normally rely on, making detection more challenging.
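To see why mail relayed through a compromised SES account passes DMARC while a conventional spoof from attacker-run infrastructure fails, the following evaluator, added here as an example and not part of the original article or of any AWS tooling, applies the DMARC alignment rules to two constructed sets of authentication results. The sample domains and the `Return-Path` value are assumptions; the organizational-domain logic is simplified to the last two labels (a real implementation consults the Public Suffix List).

```python
from dataclasses import dataclass


@dataclass
class AuthResults:
    """Authentication results for one message, as a receiving MTA would record
    them in an Authentication-Results header. Constructed for this example."""
    from_domain: str        # RFC 5322 From domain, the domain DMARC protects
    spf_result: str         # "pass" / "fail" / "none"
    mail_from_domain: str   # RFC 5321 MAIL FROM (Return-Path) domain SPF was checked for
    dkim_result: str
    dkim_d: str             # d= tag of the DKIM signature that verified


@dataclass
class DmarcRecord:
    policy: str = "reject"  # p= tag
    adkim: str = "r"        # DKIM alignment: r (relaxed) or s (strict)
    aspf: str = "r"         # SPF alignment: r or s


def org_domain(domain):
    # Simplified organizational domain: last two labels. Real code uses the PSL.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict alignment requires an exact match; relaxed accepts the same org domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate_dmarc(r, rec):
    """DMARC passes if at least one of SPF or DKIM both passes AND aligns with From."""
    spf_aligned = r.spf_result == "pass" and aligned(r.mail_from_domain, r.from_domain, rec.aspf)
    dkim_aligned = r.dkim_result == "pass" and aligned(r.dkim_d, r.from_domain, rec.adkim)
    passed = spf_aligned or dkim_aligned
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "disposition": "none" if passed else rec.policy,
    }


VICTIM_POLICY = DmarcRecord(policy="reject")

# Case 1 (assumed): attacker sends via the compromised tenant's SES account, whose
# sending domain has DKIM enabled. SES signs with d=victim-corp.example, while the
# Return-Path is an amazonses.com bounce address, so SPF passes but does not align.
SES_COMPROMISED = AuthResults(
    from_domain="victim-corp.example",
    spf_result="pass", mail_from_domain="us-east-1.amazonses.com",
    dkim_result="pass", dkim_d="victim-corp.example",
)

# Case 2 (assumed): the same From address spoofed from attacker-run infrastructure.
# SPF and DKIM both "pass" for the attacker's own domain, but neither aligns.
SPOOFED = AuthResults(
    from_domain="victim-corp.example",
    spf_result="pass", mail_from_domain="attacker-lures.example",
    dkim_result="pass", dkim_d="attacker-lures.example",
)

if __name__ == "__main__":
    print("via compromised SES:", evaluate_dmarc(SES_COMPROMISED, VICTIM_POLICY))
    print("spoofed from own infra:", evaluate_dmarc(SPOOFED, VICTIM_POLICY))
```

The first case passes DMARC on DKIM alignment alone, which is exactly why a `p=reject` policy offers no protection against it: the message is not a spoof but legitimately signed mail from a hijacked sender. Receivers therefore have to fall back on content and behavioural signals, and the owning AWS account has to watch for sending activity from access keys or identities that have never sent before.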
Looking ahead, the continued evolution of phishing tactics, including the creative use of legitimate services and advanced persuasion techniques, suggests that organizations must remain vigilant. The ongoing cat-and-mouse game between security researchers and threat actors highlights the need for continuous adaptation of defenses and increased user awareness to counter sophisticated credential theft campaigns and protect sensitive organizational data.