Skip to main content
Emerging ThreatsMalware & Ransomware

Microsoft Uncovers Large-Scale Phishing Campaign Using Fake Compliance Emails

Brightly-lit office desk near a window with a computer screen or email inbox in the foreground.

More than 35,000 users across 13,000 organizations were targeted in a coordinated phishing campaign Microsoft’s Defender Research team identified between April 15 and 16, 2026.

Scale, timing and geographic footprint

Microsoft reported the campaign ran across a concentrated 48-hour window, primarily targeting U.S. firms but showing presence in organizations across 26 countries in total. The security team attributed the discovery to Microsoft Defender Research and described the operation as a large-scale credential theft effort that reached tens of thousands of accounts and thousands of distinct organizations.

The urgent compliance phishing lure

Attackers used polished, enterprise-style HTML templates with structured layouts and preemptive authenticity statements to make messages look like legitimate internal communications, a tactic Microsoft said increased their plausibility. The messages contained concerning accusations and repeated time-bound action prompts that created urgency and pressure on recipients to act.

Subject lines included “Internal case log issued under conduct policy,” and the messages claimed a “code of conduct review” had been initiated, embedding organization-specific names inside the text. Recipients were instructed to “open the personalized attachment” to review case materials. The attached PDF encouraged users to click a “Review Case Materials” link, which initiated the credential-harvesting flow.

To reinforce credibility, many messages claimed they originated from an authorized internal channel and said all links and attachments had been securely reviewed. Microsoft noted a green banner in the messages claiming the content had been encrypted using Paubox, a legitimate service associated with HIPAA-compliant communications.

Attack chain: CAPTCHAs, staged pages and an AiTM endpoint

Microsoft described a multi-stage attack chain. Clicking the link in the PDF redirected victims to a landing page that displayed a Cloudflare CAPTCHA presented as a mechanism to validate that the user was coming “from a valid session.” Microsoft said the CAPTCHA was likely intended to deter automated analysis and sandboxes.

After passing the CAPTCHA, victims were redirected to another site that claimed documents were encrypted and required account authentication to proceed. Microsoft observed multiple staged pages with email entry fields, CAPTCHAs and reassuring status messages. Redirects then sent users, based on device type, to a final phishing site where they were prompted to sign in with Microsoft under the guise of a compliance review.

Microsoft observed an attack chain resembling device code phishing but confirmed only the adversary-in-the-middle (AiTM) component. The final sign-in prompt triggered an AiTM session hijack to steal authentication tokens and compromise accounts, according to Microsoft’s findings.

Microsoft’s protection guidance

To reduce the impact of this threat, Microsoft recommended several mitigations, including, but not limited to:

  • Review the recommended settings for Exchange Online Protection and Microsoft Defender for Office 365 to ensure your organization has established essential defenses and knows how to monitor and respond to threat activity
  • Run realistic attack scenarios during awareness training so employees are prepared to spot such phishing attempts
  • Enable password-less authentication methods for accounts that support password-less. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for multifactor authentication (MFA)
  • Turn on Safe Links and Sade Attachments in Microsoft Defender for Office 365
  • Configure automatic attack disruption in Microsoft Defender XDR

What this means for technologists, affected enterprises, and end users

Technologists and security teams: Microsoft’s advisory points to configuration and detection actions — review Exchange Online Protection and Defender for Office 365 settings and consider enabling Microsoft Defender XDR’s automatic attack disruption as recommended.

Affected enterprises and procurement leaders: organizations should run the suggested realistic attack scenarios during awareness training and evaluate authentication posture, prioritizing password-less methods where supported and authenticators for MFA on remaining accounts.

End users and general staff: the campaign demonstrates how internal-sounding compliance messages, embedded organization names, and credible visual cues like Paubox banners can be used to increase plausibility; employees should be trained to treat unsolicited, time-pressured internal-case prompts as potentially malicious and follow organizational verification playbooks.

Microsoft’s reporting provides a detailed snapshot of a compact but extensive campaign, and it confirmed only the AiTM component of a chain that otherwise resembled device code phishing. The facts leave a clear operational task for defenders: apply the configuration and training mitigations Microsoft listed, then monitor whether this AiTM technique is reused or expanded in follow-on campaigns.

Source: Infosecurity Magazine — Microsoft Flags Mass Phishing Campaign Using Fake Compliance Emails