AiTM ‘conduct review’ phishing hit 35,000 users in 26 countries

Microsoft reports AiTM phishing using conduct-review lures targeted more than 35,000 users at over 13,000 organizations in 26 countries April 14-16, harvesting credentials and bypassing MFA.

Microsoft’s Defender Security Research Team and Microsoft Threat Intelligence reported a large-scale adversary-in-the-middle (AiTM) phishing campaign that ran April 14-16, 2026 and targeted more than 35,000 users at over 13,000 organizations across 26 countries. The campaign harvested user credentials and captured real-time authentication tokens to bypass multi-factor authentication.

The emails used code-of-conduct review themes and enterprise-style HTML templates with display names such as “Internal Regulatory COC,” “Workforce Communications,” and “Team Conduct Report.” Subject lines included “Internal case log issued under conduct policy,” and the messages carried PDF attachments whose links directed recipients to attacker-controlled domains.

Researchers observed that the messages contained preemptive authenticity claims and structured layouts designed to resemble internal communications. The report assessed that the emails were delivered through a legitimate email delivery service and that they combined accusations with time-bound action prompts to create urgency.

Recipients who opened the PDF were routed through multiple intermediate pages and repeated CAPTCHA checks before reaching a fraudulent sign-in page. The final page operated as an AiTM proxy: it relayed the victim’s credentials and MFA response to the legitimate identity provider in real time and captured the session token the provider issued in return. Because the victim completes MFA themselves, one-time codes and push approvals do not stop the attack; the attacker replays the captured session cookie and is never prompted. Authenticators that bind the assertion to the site origin (FIDO2/WebAuthn passkeys) resist this, since an assertion signed for the proxy’s domain is not valid at the real provider. The landing page varied depending on whether the link was opened on a mobile device or a desktop system.
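As an added illustration (not code from Microsoft’s report or from any kit it names), the toy model below shows why the flow above defeats one-time codes and push approvals but not origin-bound credentials. The identity provider, the victim’s browser, the user `alice`, the proxy domain `login-example-com.attacker.invalid` and the HMAC-based stand-ins for a TOTP app and a WebAuthn assertion are all constructed for this example; a real passkey uses a public-key signature, but the property that matters here, the origin being part of the signed data, is the same.

```python
import hashlib
import hmac
import secrets


def derive_otp(otp_secret: bytes) -> str:
    # Stand-in for a TOTP app: user and IdP derive the same short code.
    return hmac.new(otp_secret, b"current-window", hashlib.sha256).hexdigest()[:6]


def sign_assertion(passkey: bytes, challenge: str, origin: str) -> str:
    # Stand-in for a WebAuthn assertion: the origin the browser is on is part of
    # the signed data (HMAC here; a real passkey uses a public-key signature).
    return hmac.new(passkey, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


class IdentityProvider:
    """Hypothetical IdP: either factor flow ends in a bearer session cookie."""

    def __init__(self, origin: str):
        self.origin, self.users, self.sessions = origin, {}, {}

    def register(self, user, password, otp_secret, passkey):
        self.users[user] = {"pw": password, "otp": otp_secret, "passkey": passkey}

    def new_challenge(self) -> str:
        return secrets.token_hex(8)

    def login_otp(self, user, password, otp_code):
        rec = self.users.get(user)
        if not rec or rec["pw"] != password or otp_code != derive_otp(rec["otp"]):
            return None
        return self._issue(user)

    def login_passkey(self, user, challenge, origin, signature):
        rec = self.users.get(user)
        if not rec or origin != self.origin:
            return None  # assertion was made for some other origin
        expected = sign_assertion(rec["passkey"], challenge, self.origin)
        return self._issue(user) if hmac.compare_digest(signature, expected) else None

    def _issue(self, user) -> str:
        cookie = secrets.token_hex(16)  # bearer token: whoever holds it is `user`
        self.sessions[cookie] = user
        return cookie

    def whoami(self, cookie):
        return self.sessions.get(cookie)


class Browser:
    """Victim's browser: supplies whichever factor the page it is on asks for."""

    def __init__(self, user, password, otp_secret, passkey):
        self.user, self.password, self.otp_secret, self.passkey = user, password, otp_secret, passkey

    def otp_login(self, site):
        return site.login_otp(self.user, self.password, derive_otp(self.otp_secret))

    def passkey_login(self, site):
        challenge = site.new_challenge()
        sig = sign_assertion(self.passkey, challenge, site.origin)  # signs the origin it is really on
        return site.login_passkey(self.user, challenge, site.origin, sig)


class AitmProxy:
    """Attacker's reverse proxy on a look-alike domain: relays every request to the
    real IdP and keeps a copy of what passes through."""

    def __init__(self, idp: IdentityProvider, origin: str):
        self.idp, self.origin, self.captured = idp, origin, []

    def new_challenge(self):
        return self.idp.new_challenge()

    def login_otp(self, user, password, otp_code):
        cookie = self.idp.login_otp(user, password, otp_code)
        self.captured.append({"user": user, "password": password, "cookie": cookie})
        return cookie  # the victim lands in a genuine session and notices nothing

    def login_passkey(self, user, challenge, origin, signature):
        cookie = self.idp.login_passkey(user, challenge, origin, signature)
        self.captured.append({"user": user, "cookie": cookie})
        return cookie


def run_demo() -> dict:
    idp = IdentityProvider("https://login.example.com")  # hypothetical
    otp_secret, passkey = secrets.token_bytes(16), secrets.token_bytes(32)
    idp.register("alice", "hunter2", otp_secret, passkey)
    victim = Browser("alice", "hunter2", otp_secret, passkey)
    proxy = AitmProxy(idp, "https://login-example-com.attacker.invalid")  # hypothetical

    victim.otp_login(proxy)  # MFA is completed, just through the proxy
    stolen = proxy.captured[-1]["cookie"]
    return {
        "otp_session_hijacked": idp.whoami(stolen) == "alice",  # replayed, no MFA prompt
        "passkey_via_proxy": victim.passkey_login(proxy),        # None: foreign origin
        "passkey_direct_ok": idp.whoami(victim.passkey_login(idp)) == "alice",
    }


if __name__ == "__main__":
    print(run_demo())
```

`run_demo()` returns `otp_session_hijacked` true, `passkey_via_proxy` None and `passkey_direct_ok` true: the cookie captured from the OTP flow is a bearer token the attacker replays with no further prompt, while the passkey assertion made on the proxy’s origin is rejected by the real provider even though the same key works when the browser talks to the provider directly.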

Geographically, about 92% of targeted accounts were in the United States. The sectors most heavily targeted were healthcare and life sciences (19%), financial services (18%), professional services (11%), and technology and software (11%).

Microsoft placed this incident in the context of broader email-threat trends for January through March 2026. The company recorded roughly 8.3 billion email-based phishing threats in that period; nearly 80% of attacks used links, and large HTML and ZIP files accounted for a significant share of malicious payloads.

The analysis highlighted a sharp increase in QR code phishing, which rose from 7.6 million incidents in January to 18.7 million in March. CAPTCHA-gated phishing flows also evolved rapidly across payload types. By the end of the quarter, malware delivery accounted for about 5-6% of email threats, while credential harvesting remained the primary objective.

Microsoft linked most observed phishing endpoints to operators using phishing-as-a-service platforms, naming Tycoon 2FA as the most common, with additional activity tied to Kratos and EvilTokens infrastructure. The report noted that Tycoon 2FA operators shifted hosting away from Cloudflare after a coordinated disruption in March and began using a wider range of hosting platforms.

Earlier large campaigns cited by Microsoft used similar techniques. A February 23-25 operation sent more than 1.2 million messages to users at over 53,000 organizations using 401(k), payment and invoice lures and SVG attachments that led to CAPTCHA checks and fake sign-in pages. A March 17 campaign involved more than 1.5 million confirmed malicious messages sent to over 179,000 organizations; those messages funneled victims through screening pages and CAPTCHA challenges to final phishing sign-in forms.

Microsoft’s report warned that attackers were abusing legitimate email infrastructure to improve delivery and evade filters. The company observed threat actors sending through services like Amazon Simple Email Service using leaked access keys, so that phishing emails pass SPF, DKIM and DMARC checks for the sending domain and originate from trusted IP addresses. Passing authentication therefore establishes only that a message came from infrastructure authorized for that domain, not that the message is legitimate.
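As an added example (not code from Microsoft’s report), the triage below runs the indicators this article describes over two constructed messages: it records whether DMARC passed but does not let that clear the mail, and flags an internal-sounding display name on an external From domain, a conduct/policy subject paired with a deadline, and a PDF attachment. The defending domain `example.com`, the sender domain `notifyhub.invalid`, the Authentication-Results strings and the message bodies are all constructed; the display names and subject line are those the report quotes.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # hypothetical defending organization

# Display-name fragments modelled on the lures the report names, plus common ones.
INTERNAL_STYLE = ("regulatory", "conduct", "workforce", "compliance", "security team")
LURE = re.compile(r"conduct|regulatory|case log|policy", re.I)
URGENCY = re.compile(r"within \d+ ?(hours?|days?)|deadline|immediately|respond by|action required", re.I)


def auth_results(msg) -> dict:
    """Collapse an Authentication-Results header into {method: result}."""
    hdr = str(msg.get("Authentication-Results", "") or "")
    return {m.lower(): r.lower() for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I)}


def triage(raw: bytes) -> dict:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    subject = str(msg.get("Subject", "") or "")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    findings = []
    if from_domain != ORG_DOMAIN and any(k in display.lower() for k in INTERNAL_STYLE):
        findings.append("internal-sounding display name on an external From domain")
    if LURE.search(subject) and URGENCY.search(subject + "\n" + text):
        findings.append("conduct/policy lure combined with time pressure")
    if any(a.get_content_type() == "application/pdf" for a in msg.iter_attachments()):
        findings.append("PDF attachment on a lure-themed message")
    # SPF/DKIM/DMARC passing only proves the message came from infrastructure
    # authorized to send for from_domain. It is recorded, never used to clear the mail.
    dmarc_pass = auth_results(msg).get("dmarc") == "pass"
    return {"from": addr, "dmarc_pass": dmarc_pass, "findings": findings,
            "verdict": "quarantine" if findings else "deliver"}


def build_sample(display, addr, subject, text, pdf=None, auth=None) -> bytes:
    """Construct a synthetic message (not a captured email)."""
    m = EmailMessage()
    m["From"] = f'"{display}" <{addr}>'
    m["To"] = f"employee@{ORG_DOMAIN}"
    m["Subject"] = subject
    if auth:
        m["Authentication-Results"] = auth
    m.set_content(text)
    if pdf:
        m.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf", filename=pdf)
    return m.as_bytes()


# Constructed samples; the .invalid TLD is reserved and resolves nowhere.
SENT_VIA_RELAY = ("mx.example.com; spf=pass smtp.mailfrom=notifyhub.invalid; "
                  "dkim=pass header.d=notifyhub.invalid; dmarc=pass header.from=notifyhub.invalid")
SAMPLES = {
    "lure": build_sample("Internal Regulatory COC", "notice@notifyhub.invalid",
                         "Internal case log issued under conduct policy",
                         "A case log has been opened against you. Review the attached record "
                         "and respond within 24 hours to avoid escalation.",
                         pdf="case_log.pdf", auth=SENT_VIA_RELAY),
    "benign": build_sample("Workforce Communications", f"hr@{ORG_DOMAIN}",
                           "Benefits enrollment window opens Monday",
                           "Open enrollment runs through the end of the month.",
                           auth="mx.example.com; spf=pass; dkim=pass; dmarc=pass"),
}


def run_demo() -> dict:
    return {name: triage(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The lure message passes DMARC and is still quarantined on three findings; the benign internal notice, which uses one of the same display names from a company address, is delivered. The point of keeping `dmarc_pass` in the output rather than the decision is that mail sent through a compromised relay account looks fully authenticated, so the content and sender-identity checks have to carry the verdict.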

On the campaign’s social-engineering tactics, researchers wrote, “The lures in this campaign used polished, enterprise-style HTML templates with structured layouts and preemptive authenticity statements, making them appear more credible than typical phishing emails and increasing their plausibility as legitimate internal communications.” The report added that the messages’ accusations and time-bound prompts “created a sense of urgency and pressure to act.”
