Microsoft has detailed a large code-of-conduct-themed phishing campaign that used adversary-in-the-middle (AiTM) infrastructure to steal authentication tokens from Microsoft account sign-ins. The activity was observed between April 14 and April 16, 2026.[1] That short window is the worrying part: an AiTM campaign does not need weeks of access if it can capture a working session while the victim sees what looks like a normal sign-in. Microsoft says the campaign targeted more than 35,000 users across over 13,000 organizations in 26 countries.[1] The Hacker News reported the disclosure on May 5, highlighting that the lures were built to pressure recipients into opening supposed internal compliance materials.[2]
What Microsoft observed and what users should do
According to Microsoft, the emails posed as internal conduct or compliance notices, used legitimate-looking templates, and carried PDF attachments whose links led to attacker-controlled domains. The flow included CAPTCHA pages and intermediate “review” screens before directing users into a sign-in process where an AiTM proxy could capture session tokens in real time.[1]
The practical risk is that this kind of phishing defeats MFA methods that approve a sign-in without binding the authentication to the site the user is actually on. A one-time code or push approval carries nothing that names the legitimate site, so the proxy relays it to the real identity provider in real time and receives the session token or cookie that comes back. That token then works against the account without any further MFA check, even though the victim watched MFA “succeed.”[1] Phishing-resistant methods (FIDO2 security keys, passkeys, Windows Hello) close this gap because the browser records the real page origin inside the signed assertion, so a signature produced on a lookalike domain is rejected by the legitimate site. The attacker's objective is the one browser infostealers also pursue when they harvest session cookies and saved credentials: the delivery differs, but the goal is a session that still works after the user closes the tab.
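To make the origin-binding point concrete, here is an added toy model (not Microsoft's code and not drawn from the campaign) of an AiTM proxy relaying two kinds of MFA to a stand-in identity provider. Every origin, username, password, code and the HMAC-based stand-in for the authenticator's signature is constructed for illustration:

```python
"""Toy adversary-in-the-middle (AiTM) proxy against two kinds of MFA.

Added example, not code from Microsoft's write-up. The identity provider, browser,
security key and proxy are simplified stand-ins; every origin, username, code and
the HMAC-based "signature" is constructed for illustration.
"""
import hashlib
import hmac
import json
import secrets


def sign_client_data(key, client_data):
    """Stand-in for the authenticator's signature over the client data."""
    return hmac.new(key, json.dumps(client_data, sort_keys=True).encode(), hashlib.sha256).hexdigest()


class IdentityProvider:
    """The legitimate sign-in service."""
    ORIGIN = "https://login.example.com"  # constructed

    def __init__(self):
        self.users, self.sessions, self.challenges = {}, {}, {}

    def register(self, name, password, otp_code, webauthn_key):
        self.users[name] = {"password": password, "otp": otp_code, "key": webauthn_key}

    def _issue_session(self, name):
        token = secrets.token_urlsafe(24)
        self.sessions[token] = name
        return token

    def login_with_otp(self, name, password, otp_code):
        """Password plus a code or push approval: nothing here names the site."""
        user = self.users.get(name)
        if user and hmac.compare_digest(user["password"], password) \
                and hmac.compare_digest(user["otp"], otp_code):
            return self._issue_session(name)
        return None

    def webauthn_challenge(self, name):
        self.challenges[name] = secrets.token_hex(16)
        return self.challenges[name]

    def login_with_webauthn(self, name, assertion):
        """Relying-party checks: challenge, then origin, then signature."""
        user = self.users.get(name)
        client_data = assertion["client_data"]
        if not user or client_data.get("challenge") != self.challenges.pop(name, None):
            return None
        if client_data.get("origin") != self.ORIGIN:  # this check is the phishing resistance
            return None
        if not hmac.compare_digest(sign_client_data(user["key"], client_data), assertion["signature"]):
            return None
        return self._issue_session(name)

    def read_mailbox(self, token):
        # Any holder of a valid session token gets in; MFA is not re-evaluated.
        name = self.sessions.get(token)
        return f"mailbox:{name}" if name else None


class VictimBrowser:
    """Records the origin of the page it is really on; the page cannot override it."""
    def __init__(self, webauthn_key):
        self.key = webauthn_key

    def webauthn_assert(self, page_origin, challenge):
        client_data = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
        return {"client_data": client_data, "signature": sign_client_data(self.key, client_data)}


class AitmProxy:
    """Attacker site that forwards the victim's input to the real IdP in real time."""
    ORIGIN = "https://login.example.net"  # constructed lookalike

    def __init__(self, idp):
        self.idp = idp

    def relay_otp(self, name, password, otp_code):
        # The victim types these into the proxy's page; the proxy replays them and keeps the token.
        return self.idp.login_with_otp(name, password, otp_code)

    def relay_webauthn(self, name, browser, rewrite_origin=False):
        challenge = self.idp.webauthn_challenge(name)
        assertion = browser.webauthn_assert(self.ORIGIN, challenge)  # signed on the phishing origin
        if rewrite_origin:  # attacker edits the origin field after signing
            assertion["client_data"]["origin"] = self.idp.ORIGIN
        return self.idp.login_with_webauthn(name, assertion)


def run_scenarios():
    idp = IdentityProvider()
    key = secrets.token_bytes(32)
    idp.register("alice", "S3cret!", "482913", key)  # constructed victim
    proxy, browser = AitmProxy(idp), VictimBrowser(key)
    otp_token = proxy.relay_otp("alice", "S3cret!", "482913")
    return {
        "otp_session_stolen": idp.read_mailbox(otp_token) == "mailbox:alice",
        "webauthn_relayed": proxy.relay_webauthn("alice", browser) is not None,
        "webauthn_origin_rewritten": proxy.relay_webauthn("alice", browser, rewrite_origin=True) is not None,
    }


if __name__ == "__main__":
    print(run_scenarios())
```

Running it shows the code-based login relayed straight through: the proxy ends up holding a session token that reads the mailbox with no further MFA. The WebAuthn-style assertion fails twice, once as signed (the recorded origin is the lookalike) and again after the proxy rewrites the origin field (the signature no longer verifies). Real WebAuthn signs over authenticatorData plus a hash of clientDataJSON, which is where the origin lives; the HMAC here stands in for that signature.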

For organizations, the useful response is not just to tell users to “look closer.” Microsoft recommends reviewing email protection settings, using Safe Links and Safe Attachments, enabling network protection and SmartScreen-supported browsers, purging delivered phishing mail when indicators are found, and moving high-value accounts toward phishing-resistant authentication such as passkeys, Windows Hello, or FIDO security keys.[1] The last step only closes the gap if the weaker fallbacks (codes, push approvals, SMS) are also removed from those accounts; otherwise a proxy simply steers the victim to the method it can relay.
Microsoft also published campaign indicators including domains such as compliance-protectionoutlook[.]de and acceptable-use-policy-calendly[.]de, together with sender infrastructure tied to the phishing waves. Administrators should treat those indicators as short-lived, because attacker-controlled domains and sender addresses rotate quickly, but they remain useful for retrospective mailbox, proxy, and sign-in investigations: match on the exact domain or its subdomains rather than on substrings, and pivot from any hit to the affected user's sign-ins in the same window.[1]
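A retrospective sweep of the kind described here, as an added Python example (not Microsoft's tooling and not its full indicator list): it refangs the two domains quoted above, pulls hostnames out of URLs and sender addresses in proxy and message-trace lines, matches on exact domain or subdomain only, and lists the identities to follow up in sign-in logs. The log lines are constructed; only the two indicator domains come from the page.

```python
"""Retrospective sweep of proxy and message-trace logs against defanged indicators.

Added example, not from Microsoft's blog. The two indicator domains are the ones the
write-up names; the log lines below are constructed. Matching is on the exact domain
or a subdomain of it, so a lookalike that merely contains the string is not a hit.
"""
import re

# Indicators as published (defanged with [.]).
RAW_INDICATORS = [
    "compliance-protectionoutlook[.]de",
    "acceptable-use-policy-calendly[.]de",
]

# Constructed sample lines: a web proxy log followed by a mail message trace.
LOG_LINES = [
    "2026-04-15T09:12:03Z user=alice GET https://compliance-protectionoutlook.de/review/step2 200",
    "2026-04-15T09:12:07Z user=alice GET https://cdn.compliance-protectionoutlook.de/captcha.js 200",
    "2026-04-15T09:13:40Z user=bob GET https://www.microsoft.com/ 200",
    "2026-04-15T10:01:11Z user=carol GET https://compliance-protectionoutlook.de.example.org/ 200",
    "2026-04-14T16:44:00Z from=notice@acceptable-use-policy-calendly.de to=dave@example.com subject='Code of Conduct' attach=Policy.pdf",
    "2026-04-14T16:50:00Z from=hr@example.com to=dave@example.com subject='Team lunch'",
]

# Hostnames that follow a URL scheme or the '@' of an e-mail address.
HOST_RE = re.compile(
    r"(?:https?://|@)([a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+)",
    re.I,
)


def refang(indicator):
    """Turn a defanged indicator back into a comparable lowercase hostname."""
    return indicator.strip().lower().replace("[.]", ".").replace("(.)", ".").rstrip(".")


def host_matches(host, domain):
    """True for the domain itself or any subdomain; substring hits do not count."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def extract_hosts(line):
    return [m.group(1) for m in HOST_RE.finditer(line)]


def sweep(lines, raw_indicators):
    """One hit per (line, host, indicator) where the host is on the indicator list."""
    domains = [refang(i) for i in raw_indicators]
    hits = []
    for idx, line in enumerate(lines):
        for host in extract_hosts(line):
            for domain in domains:
                if host_matches(host, domain):
                    hits.append({"line": idx, "host": host.lower(), "indicator": domain})
    return hits


def affected_users(lines, hits):
    """Identities (user= or to=) on the lines that hit, for sign-in log follow-up."""
    users = set()
    for hit in hits:
        for m in re.finditer(r"\b(?:user|to)=(\S+)", lines[hit["line"]]):
            users.add(m.group(1))
    return sorted(users)


if __name__ == "__main__":
    found = sweep(LOG_LINES, RAW_INDICATORS)
    for hit in found:
        print(hit)
    print("follow up in sign-in logs:", affected_users(LOG_LINES, found))
```

The fourth constructed line is the important negative case: the attacker domain appears inside a longer hostname, and a naive substring search would flag it, while the suffix check here correctly does not. Real sweeps would read exported proxy and message-trace data instead of the inline list and extend the regex to the fields those exports use.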
References
- Microsoft Defender Security Research Team and Microsoft Threat Intelligence. “Breaking the code: Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise.” Microsoft Security Blog, May 4, 2026. https://www.microsoft.com/en-us/security/blog/2026/05/04/breaking-the-code-multi-stage-code-of-conduct-phishing-campaign-leads-to-aitm-token-compromise/
- Ravie Lakshmanan. “Microsoft Details Phishing Campaign Targeting 35,000 Users Across 26 Countries.” The Hacker News, May 5, 2026. https://thehackernews.com/2026/05/microsoft-details-phishing-campaign.html