Microsoft warns of a huge “Code of Conduct” phishing attack that is affecting 35,000 users around the world

Microsoft has issued an urgent warning after uncovering a highly sophisticated, large-scale phishing campaign that hit more than 13,000 businesses in 26 countries in mid-April 2026. The Microsoft Defender Security Research Team described the operation as one of the most carefully planned credential-theft schemes seen to date. It relied on “code of conduct” and “regulatory compliance” lures to slip past routine security filters. The attackers sent thousands of emails, most of them aimed at U.S.-based businesses, built on enterprise-style HTML templates and delivered through legitimate email delivery services. Subject lines were deliberately alarming, for example “Internal case log issued under conduct policy,” pressuring employees to open PDF attachments that supposedly documented “disciplinary actions” or “policy non-compliance” cases.

The campaign peaked between April 14 and 16 and hit some sectors harder than others: healthcare (19%), financial services (18%), and technology (11%). Once a victim clicked the link in the malicious PDF, they were routed through a multi-step attack chain that included Cloudflare CAPTCHAs and intermediate landing pages, all designed to stop automated security scanners from ever reaching the final page. That final stage used an Adversary-in-the-Middle (AiTM) technique: the attackers’ infrastructure proxied the victim’s authentication session to the real login service in real time, so the victim completed sign-in and MFA normally while the proxy captured not only the password but also the resulting authentication tokens. With a valid token in hand, the attacker bypasses any multi-factor authentication (MFA) method that is not phishing-resistant. Microsoft’s disclosure shows that in 2026 attackers are increasingly borrowing real corporate workflows and “compliance urgency” to break into high-value accounts. To reduce this risk, the company recommends that businesses move toward passwordless, phishing-resistant authentication such as FIDO keys and deploy AI-powered phishing triage agents to identify and block these “hyper-realistic” internal impersonations before they reach the inbox.
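The AiTM stage described above leaves a recognisable trace in identity-provider sign-in logs: a session token is minted by an interactive, MFA-satisfied sign-in from the victim’s network and is then used non-interactively, often within minutes, from infrastructure the user has never signed in from. The following script is an added illustration written for this article, not code from Microsoft or from the campaign analysis; the log schema, the field names, the ASN-based location check and the sample events are all constructed assumptions, not a specific product’s format.

```python
"""Flag possible AiTM session-token replay in sign-in logs.

An AiTM proxy relays the victim's real sign-in, so MFA succeeds normally and
the attacker keeps the issued session token. The detectable signal is that
token being used, shortly after an interactive MFA sign-in, from a different
network (here approximated by ASN). Schema and data below are constructed
assumptions for this example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in events as JSON lines; not real telemetry.
# sess-a1: token reused seconds later from another ASN  -> high severity
# sess-b1: token reused from the same ASN              -> no alert
# sess-c1: token reused hours later from another ASN   -> medium severity
SAMPLE_LOG = """
{"ts": "2026-04-15T09:02:11Z", "user": "alice@example.test", "ip": "203.0.113.10", "asn": "AS64500", "session_id": "sess-a1", "interactive": true, "mfa_satisfied": true}
{"ts": "2026-04-15T09:02:40Z", "user": "alice@example.test", "ip": "198.51.100.77", "asn": "AS64511", "session_id": "sess-a1", "interactive": false, "mfa_satisfied": true}
{"ts": "2026-04-15T09:30:05Z", "user": "bob@example.test", "ip": "203.0.113.22", "asn": "AS64500", "session_id": "sess-b1", "interactive": true, "mfa_satisfied": true}
{"ts": "2026-04-15T10:15:00Z", "user": "bob@example.test", "ip": "203.0.113.22", "asn": "AS64500", "session_id": "sess-b1", "interactive": false, "mfa_satisfied": true}
{"ts": "2026-04-15T11:00:00Z", "user": "carol@example.test", "ip": "203.0.113.5", "asn": "AS64500", "session_id": "sess-c1", "interactive": true, "mfa_satisfied": true}
{"ts": "2026-04-15T14:00:00Z", "user": "carol@example.test", "ip": "198.51.100.9", "asn": "AS64511", "session_id": "sess-c1", "interactive": false, "mfa_satisfied": true}
"""

# Reuse from another network inside this window is treated as high confidence.
REPLAY_WINDOW = timedelta(minutes=30)


def parse_events(text):
    """Parse JSON-lines sign-in events into dicts with UTC datetimes, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def find_token_replay(events, window=REPLAY_WINDOW):
    """Return alerts for session tokens minted by an interactive MFA sign-in
    and later used non-interactively from a different ASN."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session_id"]].append(e)

    alerts = []
    for sid, evs in by_session.items():
        # The sign-in that minted the token: interactive and MFA-satisfied.
        origin = next((e for e in evs if e["interactive"] and e["mfa_satisfied"]), None)
        if origin is None:
            continue
        for e in evs:
            if e is origin or e["interactive"] or e["ts"] < origin["ts"]:
                continue
            if e["asn"] == origin["asn"]:
                continue  # same network as the MFA sign-in; normal token use
            delta = e["ts"] - origin["ts"]
            alerts.append({
                "user": e["user"],
                "session_id": sid,
                "origin_ip": origin["ip"],
                "replay_ip": e["ip"],
                "minutes_after_mfa": int(delta.total_seconds() // 60),
                "severity": "high" if delta <= window else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_token_replay(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Two caveats a practitioner would apply: a user switching from office Wi-Fi to a mobile network will also change ASN, so this rule is a triage signal rather than a verdict, and a proxy hosted in the same cloud region as the organisation can defeat the network comparison entirely. That is why the durable fix is the one the article names: phishing-resistant, origin-bound authentication such as FIDO keys, which an AiTM proxy cannot relay.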
