Skip to main content
Emerging ThreatsMalware & Ransomware

Microsoft Exposes Large-Scale Phishing Campaign Targeting 35,000 Users Worldwide

Laptop workstation in a brightly-lit hospital corridor with medical equipment and computers in the background.

"The lures in this campaign used polished, enterprise-style HTML templates with structured layouts and preemptive authenticity statements, making them appear more credible than typical phishing emails and increasing their plausibility as legitimate internal communications," Microsoft Defender Security Research Team and Microsoft Threat Intelligence said.

Scale and targets of the April 14–16 campaign

Microsoft disclosed a credential‑theft campaign observed between April 14 and 16, 2026, that targeted more than 35,000 users across over 13,000 organizations in 26 countries. Ninety‑two percent of the targets were located in the United States. The bulk of the phishing emails were directed at healthcare and life sciences (19%), financial services (18%), professional services (11%), and technology and software (11%) sectors.

Tactics: code‑of‑conduct lures, PDFs, CAPTCHA and AiTM sign‑in flows

The messages used enterprise‑style social engineering framed as code-of-conduct reviews. Display names included "Internal Regulatory COC," "Workforce Communications," and "Team Conduct Report," with subjects such as "Internal case log issued under conduct policy" and "Reminder: employer opened a non-compliance case log." At the top of each message, a notice stated the message had been "issued through an authorized internal channel" and that links and attachments had been "reviewed and approved for secure access," language Microsoft says reinforced the emails' purported legitimacy.

Emails carried PDF attachments that purported to provide additional information about the conduct review and contained links that launched the credential‑harvesting flow. Victims were routed through multiple rounds of CAPTCHA and intermediate pages designed both to add credibility and to keep automated defenses at bay. The chain ended in a sign‑in experience that leveraged adversary‑in‑the‑middle (AiTM) phishing tactics to harvest Microsoft credentials and tokens in real time, a flow Microsoft says can effectively bypass multi‑factor authentication. The final destination varied depending on whether the interaction began on a mobile device or a desktop.

Delivery and infrastructure: legitimate email services, Amazon SES, and PhaaS actors

Microsoft assessed that the campaign's emails were sent from a legitimate email delivery service. The company also flagged broader activity that abuses Amazon Simple Email Service (SES) to bypass SPF, DKIM, and DMARC checks by using leaked AWS access keys — a technique that allows attackers to send mail from infrastructure that users and email security systems trust.

On the phishing platform front, Microsoft linked many observed phishing endpoints to Tycoon 2FA, with additional activity tied to Kratos (formerly Sneaky 2FA) and EvilTokens infrastructure. Following a coordinated disruption operation in March 2026, operators associated with Tycoon 2FA have shifted away from Cloudflare and now host most of their domains across a variety of alternative platforms, Microsoft said, suggesting the group is seeking replacement services that offer comparable anti‑analysis protections.

Phishing trends in Q1 2026

Microsoft's analysis for January–March 2026 found roughly 8.3 billion email‑based phishing threats. Nearly 80% of those were link‑based attacks; large HTML and ZIP files accounted for a substantial share of malicious payloads. Credential harvesting remained the dominant objective, while malware delivery declined to roughly 5–6% by the end of the quarter.

QR code phishing surged: Microsoft recorded a jump from 7.6 million QR‑based phishing events in January to 18.7 million in March — a 146% increase — and noted the late‑March emergence of QR codes embedded directly in email bodies. Business email compromise (BEC) volumes also fluctuated, crossing more than 4 million attack instances in March, up from over 3.5 million in January and more than 3 million in February, for a three‑month total of 10.7 million BEC attacks.

Microsoft highlighted two large Q1 campaigns as examples: a Feb. 23–25 campaign that sent more than 1.2 million messages to users at more than 53,000 organizations in 23 countries using 401(k)‑, payment‑ and invoice‑themed lures and an SVG attachment; and a March 17 operation that delivered more than 1.5 million confirmed malicious messages to over 179,000 organizations across 43 countries. Both campaigns used CAPTCHA gating and fake sign‑in pages as part of the compromise chain.

What this means for healthcare, financial services, and technology and software

  • Healthcare and life sciences: Organizations in this sector — which accounted for 19% of targets in the April campaign — should note the use of internal‑communications style lures tied to regulatory or conduct matters that could plausibly reach clinicians and administrators.
  • Financial services: With 18% of the April campaign's targets and with prior campaigns using 401(k)‑ and payment‑themed lures, financial institutions and payroll teams face ongoing phishing pressure that combines social urgency with sophisticated delivery.
  • Technology and software: As both targets and providers of email infrastructure, technology organizations must track abuse of delivery services and PhaaS tooling — Microsoft observed Tycoon 2FA, Kratos, and EvilTokens in the broader Q1 activity and a migration off Cloudflare by some operators after disruptions in March.

The April campaign underscores two discomforting trends Microsoft flagged across Q1: attackers increasingly use trusted delivery services and multi‑stage, CAPTCHA‑gated flows to evade detection, and phishing tools and platforms are adapting their hosting patterns after disruption. How defenders and service providers will respond to the combination of trusted infrastructure abuse and real‑time AiTM credential theft remains the central operational question.

Original story