Microsoft Details Phishing Campaign Targeting 35,000 Users in 26 Countries

Microsoft has revealed details of a substantial credential theft operation, observed between April 14 and 16, 2026. This multi-stage campaign, as reported by The Hacker News, leveraged “code of conduct” themed lures and legitimate email services to trick users. The objective was to direct victims to attacker-controlled domains and subsequently steal authentication tokens.

This sophisticated attack impacted over 35,000 users across more than 13,000 organizations in 26 different countries. The broad scope indicates a well-resourced actor, aiming for maximum reach and credential harvesting. The use of legitimate email services also makes these phishing attempts harder to detect with traditional email security gateways.

Attackers are consistently refining their social engineering tactics. This campaign highlights their shift towards abusing trusted platforms and employing contextually relevant lures to bypass defenses and gain initial access. The focus on authentication tokens, not just passwords, points to a more advanced post-compromise strategy, aiming for persistent access and session hijacking.

What This Means For You

  • If your organization's users were active between April 14-16, 2026, you need to audit email logs for inbound messages with "code of conduct" themes, especially those originating from legitimate-looking but ultimately malicious domains. Prioritize MFA enforcement and review session token validity. Attackers are going for tokens precisely because MFA can be bypassed once a valid session token is captured. Educate users on the evolving nature of phishing beyond simple password prompts.
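The log audit described above can be sketched as a small hunt over an exported message trace. This is an added example, not Microsoft's or the original article's code; the CSV column names, the sample rows and the choice of UTC for the campaign window are assumptions.

```python
import csv, io, re, unicodedata
from collections import defaultdict
from datetime import datetime, timezone

# Campaign window from the article (April 14-16, 2026); UTC is an assumption.
WINDOW_START = datetime(2026, 4, 14, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 17, tzinfo=timezone.utc)  # exclusive upper bound
LURE = re.compile(r"\bcode of conduct\b")

# Constructed sample export; column names are hypothetical.
SAMPLE_LOG = """received,sender,recipient,subject
2026-04-14T09:12:00+00:00,hr-notice@mailer.example,alice@corp.example,Updated Code of Conduct - action required
2026-04-13T23:30:00-05:00,no-reply@mailer.example,bob@corp.example,CODE-OF-CONDUCT acknowledgement
2026-04-15T11:00:00+00:00,news@vendor.example,alice@corp.example,Quarterly newsletter
2026-04-17T00:10:00+00:00,hr-notice@mailer.example,carol@corp.example,Code of conduct reminder
2026-04-16T22:45:00+00:00,hr-notice@mailer.example,alice@corp.example,Re: code  of  conduct violation
"""

def normalize(subject):
    """Fold case, Unicode compatibility forms and punctuation so variants match."""
    text = unicodedata.normalize("NFKC", subject).casefold()
    return " ".join(re.sub(r"[^a-z0-9]+", " ", text).split())

def hunt(csv_text):
    """Return {recipient: [(utc_time, sender, subject), ...]} for in-window lure hits."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Convert every timestamp to UTC so local-offset entries are not missed.
        when = datetime.fromisoformat(row["received"]).astimezone(timezone.utc)
        if not (WINDOW_START <= when < WINDOW_END):
            continue
        if LURE.search(normalize(row["subject"])):
            hits[row["recipient"]].append((when.isoformat(), row["sender"], row["subject"]))
    return dict(hits)

if __name__ == "__main__":
    for recipient, messages in sorted(hunt(SAMPLE_LOG).items()):
        print(f"{recipient}: {len(messages)} message(s); review sessions and sign-ins")
        for when, sender, subject in messages:
            print(f"  {when}  {sender}  {subject!r}")
```

The recipients it returns are the accounts whose active sessions and sign-in history should be reviewed first, since a subject match only shows the lure was delivered, not that a token was stolen.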

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| Microsoft-Phishing-2026-04 | Phishing | Credential theft campaign observed between April 14 and 16, 2026 |
| Microsoft-Phishing-2026-04 | Phishing | Lures themed as 'code of conduct' |
| Microsoft-Phishing-2026-04 | Phishing | Leveraging legitimate email services for delivery |
| Microsoft-Phishing-2026-04 | Phishing | Directing users to attacker-controlled domains |
| Microsoft-Phishing-2026-04 | Phishing | Stealing authentication tokens |