In mid‑April 2026, a multi‑stage phishing campaign was identified that targeted more than 35,000 users across 13,000 organizations. It used convincing emails about code of conduct violations, legitimate email delivery services, and an adversary‑in‑the‑middle (AiTM) scheme to steal Microsoft credentials and tokens, allowing attackers to bypass multi‑factor authentication. The highest risk falls on organizations in the United States in healthcare, financial services, professional services, and technology, which need to reassess their email protection, access policies, and MFA approach.
Technical details of the campaign and the email threat landscape
The campaign was observed between April 14 and 16, 2026, and was aimed predominantly at users in the United States (92% of targets). The primary vector was corporate‑style notification phishing over email, which aligns with the phishing technique under MITRE ATT&CK T1566.
“Code of conduct” lure and pressure‑based social engineering
The messages are formatted as internal notifications about investigations into code of conduct violations. They use display names such as “Internal Regulatory COC”, “Workforce Communications”, “Team Conduct Report” and subjects like “Internal case log issued under conduct policy” or “Reminder: employer opened a non-compliance case log”.
Key elements that increase the effectiveness of the attack include:
- polished HTML templates with corporate‑style layout and “authenticity statements” at the top of the email (“message issued via an authorized internal channel”, “links and attachments verified”);
- an accusatory tone (a supposed policy violation incident) and repeated “urgent” calls to action with a time limit;
- the presence of a PDF attachment that promises details of the investigation and nudges the user to click a link inside the document.
This combination exploits not only trust in “internal” channels, but also fear of disciplinary consequences, lowering the user’s critical thinking.
Attack chain: from CAPTCHA to AiTM and token theft
Technically, the chain is built to both increase plausibility and complicate automatic detection:
- Sending emails via a legitimate mail delivery service. This allows the emails to successfully pass SPF/DKIM/DMARC checks and avoid raising suspicion in reputation‑based filters.
- Clicking the link in the PDF. The redirect goes through several intermediate pages and a CAPTCHA, giving the victim the impression of a “protected” resource and filtering out some automated scanners.
- The final stage is an AiTM login page. The final resource imitates the Microsoft login page but implements an adversary‑in‑the‑middle scheme, as described in MITRE ATT&CK T1557: the attacker acts as a “proxy” between the user and the real login page.
As a result, the attackers intercept in real time not only the username and password, but also session tokens, which enables them to:
- bypass even correctly configured MFA, since the token confirms that verification has already taken place; and
- hijack active sessions without entering a password or passing MFA again.
At the same time, the final page adapts to the device (mobile or desktop), further reducing the chance that the user will suspect a fake.
Microsoft email threat data for Q1 2026
In its extended analysis for January–March 2026, Microsoft reports:
- around 8.3 billion phishing email threats in the quarter;
- nearly 80% of attacks are link‑based, with large HTML and ZIP files dominating as carriers of malicious downloads or phishing forms;
- the main objective of attacks is credential theft; the share of malware delivery drops to 5–6% by the end of the quarter;
- a strong increase in QR phishing: from 7.6 million attacks in January to 18.7 million in March (a 146% increase), including QR codes embedded directly in the email body;
- fluctuations but consistently high overall volume of business email compromise (BEC) attacks — 10.7 million campaigns in the quarter, peaking at over 4 million in March 2026.
This shift in priorities from malware to credential theft once again underscores that the primary asset for attackers is now identity and tokens, not infected workstations.
Threat context: PhaaS platforms and flying under the radar
PhaaS and Tycoon 2FA infrastructure changes
Microsoft notes that the infrastructure of the final phishing pages in this campaign overlaps with several “phishing as a service” (PhaaS) platforms at once: Tycoon 2FA, Kratos (formerly Sneaky 2FA) and EvilTokens. This aligns with the MITRE ATT&CK T1583 Acquire Infrastructure technique, where renting and reusing infrastructure minimizes attackers’ costs.
After a coordinated operation to disrupt Tycoon 2FA in March 2026, the service operators stopped using Cloudflare and spread their domains across other hosting platforms, selecting alternatives with comparable anti‑analysis mechanisms and protection against blocking. This indicates that:
- PhaaS operators have mature infrastructure management and are ready to migrate quickly under defender pressure;
- a single phishing campaign can rely on multiple PhaaS platforms at the same time, increasing resilience and complicating blocking based on domain and hosting indicators.
Abuse of Amazon SES as a trusted transport
In parallel, Microsoft and Kaspersky are seeing an increase in phishing and BEC campaigns that use Amazon Simple Email Service (SES) for delivery. The key enabler is the compromise or leak of AWS access keys used to access SES.
When an attacker obtains such a key, they can:
- send mass phishing campaigns from domains and IP addresses already trusted by users and filters;
- pass SPF, DKIM, and DMARC as a “legitimate” sender;
- avoid the cost of creating and “warming up” their own email infrastructure.
According to Kaspersky, the “insidiousness” of such attacks lies precisely in the fact that externally they do not differ from legitimate traffic: domains and IPs do not look suspicious, and the links lead to convincing login pages that steal credentials.
Impact assessment
The campaign under review primarily impacted organizations in the following sectors:
- healthcare and life sciences (19% of targets);
- financial services (18%);
- professional services (11%);
- technology and software (11%).
The key risk characteristic is token theft and MFA bypass. This creates a number of consequences:
- Compromise of business correspondence and payment chains. With access to email and internal systems, attackers can initiate or escalate BEC schemes, rewriting payment details, substituting documents, and communicating on behalf of executives.
- Privilege escalation via cloud services. If an account with administrative rights is compromised, attackers may change security configurations, create new accounts, and establish persistent footholds.
- Risks to confidential data. Access to email, document repositories, and accounting systems in healthcare and financial sectors can lead to leaks of sensitive, heavily regulated data.
- Undermining trust in MFA. When AiTM attacks succeed, businesses may mistakenly conclude that “MFA doesn’t work,” whereas the real issue is the use of methods vulnerable to token interception and the absence of additional session context checks.
Practical protection recommendations
1. Strengthening authentication and token protection
- Move to phishing‑resistant MFA methods (FIDO2 keys, hardware tokens, passwordless solutions), limiting the use of one‑time codes and push approvals wherever possible.
- Implement strict conditional access policies: block legacy protocols, require managed devices and policy compliance for access to critical applications.
- Shorten session token lifetimes for high‑risk applications and enable token revocation mechanisms in response to suspicious activity.
2. Email protection and handling of message content
- Configure high‑severity rules for emails:
  - with subjects related to code of conduct, disciplinary actions, or “internal case log”;
  - purporting to come from HR/Compliance departments but sent via external delivery services.
- Block or restrict automatic opening of attached PDFs that contain external links; enable proactive scanning of such documents.
- Use link rewriting and target page analysis features, paying special attention to chains with multiple redirects and CAPTCHA pages.
- For QR codes in emails, implement pre‑analysis of the target URL before redirecting the user.
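The mail-side rules above can be expressed as a single triage check. The following is an added example in Python (not code from Microsoft, Kaspersky, or the original article): it parses a message with the standard library, scores it against the traits the campaign description lists (conduct-themed subject, HR-style display name, envelope sender on a different domain from the From header, a self-asserted "authenticity statement", a PDF attachment carrying a link) and returns the reasons. The sample lure, the benign notice, every address and every domain are constructed placeholders, and the PDF link scan is a byte-level heuristic standing in for a real PDF parser.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Lure vocabulary taken from the campaign description; extend from your own telemetry.
SUBJECT_TERMS = ("code of conduct", "conduct policy", "non-compliance", "case log", "disciplinary")
INTERNAL_NAME_RE = re.compile(r"\b(hr|conduct|compliance|regulatory|workforce)\b", re.I)
AUTHENTICITY_PHRASES = ("authorized internal channel", "attachments verified")
# Crude scan for /URI link annotations inside a PDF; a gateway would use a real PDF parser.
PDF_URI_RE = re.compile(rb"/URI\s*\((https?://[^)]+)\)")


def domain_of(header_value):
    """Return the lowercase domain of an address header, or '' if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def triage(msg):
    """Score a parsed EmailMessage against the lure traits; returns score and reasons."""
    reasons = []
    subject = (msg.get("Subject") or "").lower()
    if any(term in subject for term in SUBJECT_TERMS):
        reasons.append("subject uses a conduct/disciplinary lure")
    display_name, _ = parseaddr(msg.get("From") or "")
    if INTERNAL_NAME_RE.search(display_name):
        reasons.append("display name poses as an internal HR/Compliance function")
    from_dom, rp_dom = domain_of(msg.get("From")), domain_of(msg.get("Return-Path"))
    if from_dom and rp_dom and from_dom != rp_dom:
        reasons.append(f"envelope sender {rp_dom} differs from From domain {from_dom} (third-party delivery)")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content().lower() if body is not None else ""
    if any(phrase in text for phrase in AUTHENTICITY_PHRASES):
        reasons.append("self-asserted 'authenticity statement' in body")
    for part in msg.iter_attachments():
        if part.get_content_type() == "application/pdf":
            links = PDF_URI_RE.findall(part.get_content())
            if links:
                reasons.append(f"PDF attachment carries {len(links)} external link(s)")
    return {"score": len(reasons), "reasons": reasons}


def build_sample_lure():
    """Constructed message shaped like the lure described in the article (placeholder domains)."""
    msg = EmailMessage()
    msg["From"] = '"Internal Regulatory COC" <notice@corp-hr.example>'
    msg["To"] = "employee@corp.example"
    msg["Return-Path"] = "<bounce+a1b2@mail.delivery-service.example>"  # third-party delivery service
    msg["Subject"] = "Reminder: employer opened a non-compliance case log"
    msg.set_content("A case log has been opened under the conduct policy. See the attached document.")
    msg.add_alternative(
        "<p>Message issued via an authorized internal channel. Links and attachments verified.</p>"
        "<p>A case log has been opened under the conduct policy. See the attached document.</p>",
        subtype="html")
    fake_pdf = (b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link "
                b"/A << /S /URI /URI (https://review-portal.example/case/2291) >> >> endobj\n%%EOF")
    msg.add_attachment(fake_pdf, maintype="application", subtype="pdf", filename="case_log.pdf")
    return msg


def build_benign_notice():
    """Constructed internal notice that should not trip any rule."""
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <helpdesk@corp.example>"
    msg["To"] = "employee@corp.example"
    msg["Return-Path"] = "<helpdesk@corp.example>"
    msg["Subject"] = "Planned maintenance window on Saturday"
    msg.set_content("The VPN gateway will be restarted at 22:00 on Saturday.")
    return msg


if __name__ == "__main__":
    for sample in (build_sample_lure(), build_benign_notice()):
        print(sample["Subject"], "->", triage(sample))
```

The Return-Path comparison is the cheap proxy for "sent via an external delivery service": a message that passes SPF/DKIM/DMARC can still have an envelope sender that belongs to a mailing platform rather than to the claimed HR domain, and that mismatch is what a high-severity rule should key on. In production the same check should also read the DKIM signing domain and the authenticated-sender results the gateway already records.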
3. Monitoring and searching for signs of compromise
- Monitor login anomalies:
  - logins from new countries or regions shortly after “disciplinary” emails are received;
  - unusual device patterns (for example, an unexplained switch from mobile to desktop or vice versa).
- Configure alerts for mass MFA failures or numerous login attempts for a single account.
- Regularly conduct threat hunting for indicators of AiTM phishing pages (non‑standard domains, recurring HTML login templates, characteristic response headers), relying on known TTPs from the description of the AiTM technique.
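The monitoring items in this section, together with the "session context checks" mentioned under impact, come down to correlating sign-in events with the lure emails the mail gateway has already flagged. Below is an added example in Python (not code from Microsoft or the original article) that runs four checks over a sign-in log: a login from a country the user has never used within 24 hours of a flagged lure; the same session identifier reappearing from a different IP or country without a fresh MFA step (the pattern a replayed AiTM token produces); a mobile-to-desktop flip within minutes; and a burst of MFA failures. The users, IP addresses (documentation ranges), session identifiers, time windows and thresholds are all constructed assumptions, and the event field names are illustrative rather than any particular identity provider's schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LURE_WINDOW = timedelta(hours=24)      # new-country login this soon after a lure is suspicious
SWITCH_WINDOW = timedelta(minutes=30)  # mobile <-> desktop flip inside this window
MFA_FAIL_WINDOW = timedelta(minutes=15)
MFA_FAIL_THRESHOLD = 5

# Constructed baseline: countries each (placeholder) user has signed in from before.
KNOWN_COUNTRIES = {"alice@corp.example": {"US"}, "bob@corp.example": {"US"}, "carol@corp.example": {"US"}}

# Constructed: lure emails already flagged by the mail gateway, with delivery time.
LURE_MAILS = [{"user": "alice@corp.example", "time": "2026-04-15T09:02:00"}]

# Constructed sign-in log; IPs are documentation ranges, session ids are placeholders.
SIGNINS = [
    {"user": "alice@corp.example", "time": "2026-04-15T09:10:00", "ip": "203.0.113.10", "country": "US",
     "device": "mobile", "result": "success", "mfa": True, "session": "sess-a1"},
    # same session id presented minutes later from another country with no MFA: replayed-token pattern
    {"user": "alice@corp.example", "time": "2026-04-15T09:16:00", "ip": "198.51.100.7", "country": "NL",
     "device": "desktop", "result": "success", "mfa": False, "session": "sess-a1"},
    {"user": "bob@corp.example", "time": "2026-04-15T08:30:00", "ip": "203.0.113.44", "country": "US",
     "device": "desktop", "result": "success", "mfa": True, "session": "sess-b1"},
    *[{"user": "carol@corp.example", "time": f"2026-04-15T10:0{i}:00", "ip": "192.0.2.9", "country": "US",
       "device": "desktop", "result": "mfa_failed", "mfa": False, "session": None} for i in range(6)],
]


def ts(value):
    return datetime.fromisoformat(value)


def detect(signins, lure_mails, known_countries):
    """Run the four checks and return a list of (rule, user, detail) tuples."""
    alerts = []
    lure_times = defaultdict(list)
    for mail in lure_mails:
        lure_times[mail["user"]].append(ts(mail["time"]))
    by_user = defaultdict(list)
    for event in sorted(signins, key=lambda e: e["time"]):
        by_user[event["user"]].append(event)

    for user, events in by_user.items():
        first_seen = {}        # session id -> first successful sign-in that used it
        prev_success = None
        fail_times = []
        burst_reported = False
        for event in events:
            t = ts(event["time"])
            if event["result"] == "success":
                # 1. new country shortly after a flagged lure
                if event["country"] not in known_countries.get(user, set()) and any(
                        timedelta(0) <= t - lure <= LURE_WINDOW for lure in lure_times[user]):
                    alerts.append(("new_country_after_lure", user,
                                   f"{event['country']} via {event['ip']} at {event['time']}"))
                # 2. session context change without a fresh MFA step
                first = first_seen.setdefault(event["session"], event)
                if first is not event and not event["mfa"] and \
                        (first["ip"], first["country"]) != (event["ip"], event["country"]):
                    alerts.append(("session_context_change", user,
                                   f"session {event['session']} moved {first['ip']}/{first['country']} "
                                   f"-> {event['ip']}/{event['country']}"))
                # 3. device type flip within a short window
                if prev_success and prev_success["device"] != event["device"] and \
                        t - ts(prev_success["time"]) <= SWITCH_WINDOW:
                    alerts.append(("device_switch", user, f"{prev_success['device']} -> {event['device']}"))
                prev_success = event
            elif event["result"] == "mfa_failed":
                # 4. burst of MFA failures for one account
                fail_times.append(t)
                recent = [f for f in fail_times if t - f <= MFA_FAIL_WINDOW]
                if len(recent) >= MFA_FAIL_THRESHOLD and not burst_reported:
                    alerts.append(("mfa_failure_burst", user,
                                   f"{len(recent)} MFA failures since {recent[0].isoformat()}"))
                    burst_reported = True
    return alerts


if __name__ == "__main__":
    for alert in detect(SIGNINS, LURE_MAILS, KNOWN_COUNTRIES):
        print(alert)
```

The second rule is the one that matters most for AiTM: the first sign-in is legitimate (the victim really did pass MFA, on the attacker's proxy), so country and device checks alone may stay quiet; what gives the replay away is the already-verified session surfacing from different network context with no new MFA event. Revoking that session is the response the recommendations above call for.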
4. Controlling access to Amazon SES and other email services
- Inventory and rotate AWS access keys used for Amazon SES; enable monitoring of anomalous sending activity.
- Minimize key permissions (principle of least privilege) and use separate keys for different applications.
- Feed signals about mailings sent via Amazon SES into event correlation systems (SIEM) to distinguish routine mailings from unexpected mass activity.
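The three SES controls above (inventory and rotation, one key per application with a fixed sending identity, and SIEM-side comparison of sending volume against a baseline) can be checked in one pass over aggregated SendEmail activity. The following is an added example in Python (not Microsoft's, Kaspersky's, or AWS's code): it takes an inventory that records which sending identity each access key is meant to use and hourly send counts as a SIEM would derive them from CloudTrail, then reports keys unused for over 90 days, keys sending from an identity outside their allow-list, and hourly volumes far above the key's own baseline. Key identifiers, application names, identities and counts are constructed placeholders; the 90-day, 5x and 500-message thresholds are assumptions to tune locally.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

STALE_AFTER = timedelta(days=90)   # keys unused this long should be rotated or deleted
SPIKE_FACTOR = 5                   # hourly volume above (baseline mean x factor) is flagged
MIN_SPIKE_COUNT = 500              # do not flag tiny baselines being exceeded

# Constructed inventory of SES access keys; key IDs, apps and identities are placeholders.
KEY_INVENTORY = {
    "AKIA-PLACEHOLDER-BILLING": {"app": "billing-notifier", "allowed_from": {"billing@corp.example"}},
    "AKIA-PLACEHOLDER-CRM": {"app": "crm-sync", "allowed_from": {"crm@corp.example"}},
    "AKIA-PLACEHOLDER-RETIRED": {"app": "retired-tool", "allowed_from": {"noreply@corp.example"}},
}

# Constructed hourly aggregates of SendEmail calls per key (hour format YYYY-MM-DDTHH).
SEND_STATS = [
    *[{"key": "AKIA-PLACEHOLDER-BILLING", "hour": f"2026-04-14T{h:02d}", "from": "billing@corp.example", "count": c}
      for h, c in ((9, 38), (10, 44), (11, 41), (12, 37))],
    *[{"key": "AKIA-PLACEHOLDER-CRM", "hour": f"2026-04-14T{h:02d}", "from": "crm@corp.example", "count": 10}
      for h in (9, 10, 11)],
    {"key": "AKIA-PLACEHOLDER-RETIRED", "hour": "2025-11-20T14", "from": "noreply@corp.example", "count": 3},
    # latest hour: billing key sends 60x its baseline; CRM key sends from an HR-looking identity
    {"key": "AKIA-PLACEHOLDER-BILLING", "hour": "2026-04-16T10", "from": "billing@corp.example", "count": 2400},
    {"key": "AKIA-PLACEHOLDER-CRM", "hour": "2026-04-16T10", "from": "hr-notice@corp.example", "count": 12},
]


def parse_hour(value):
    return datetime.strptime(value, "%Y-%m-%dT%H")


def review(inventory, stats, now_hour):
    """Return (finding, key, detail) tuples for stale keys, identity misuse and volume spikes."""
    findings = []
    now = parse_hour(now_hour)
    history, current, last_used = defaultdict(list), defaultdict(list), {}
    for rec in stats:
        (current if rec["hour"] == now_hour else history)[rec["key"]].append(rec)
        when = parse_hour(rec["hour"])
        last_used[rec["key"]] = max(last_used.get(rec["key"], when), when)

    for key, meta in inventory.items():
        # inventory/rotation: a key with no recent use is a standing liability
        if key not in last_used or now - last_used[key] > STALE_AFTER:
            findings.append(("stale_key", key, f"{meta['app']}: last use {last_used.get(key, 'never')}"))
        # per-key baseline from earlier hours; 0 when the key has no history
        baseline = mean(r["count"] for r in history[key]) if history[key] else 0.0
        for rec in current[key]:
            # least privilege: each key is bound to one application and one sending identity
            if rec["from"] not in meta["allowed_from"]:
                findings.append(("unexpected_sender_identity", key, rec["from"]))
            # mass-mailing detection against the key's own routine volume
            if rec["count"] >= MIN_SPIKE_COUNT and rec["count"] > SPIKE_FACTOR * baseline:
                findings.append(("volume_spike", key, f"{rec['count']} sends vs baseline {baseline:.0f}/h"))
    return findings


if __name__ == "__main__":
    for finding in review(KEY_INVENTORY, SEND_STATS, "2026-04-16T10"):
        print(finding)
```

The identity check is the cheapest of the three to enforce upstream as well: an IAM policy that scopes the key's send permission to its own identity (SES exposes the sender address as a policy condition key) stops a stolen key from sending on behalf of an HR-looking address in the first place, and the SIEM rule then only has to catch volume anomalies on the identity the key is allowed to use.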
The main takeaway for organizations is to treat AiTM phishing campaigns and token theft as an identity threat, not just “malicious spam”, and in the near term to revise authentication policies, email filtering, and activity monitoring so that the combination of phishing‑resistant MFA methods, conditional access, and session token control becomes a standard layer of protection rather than an optional add‑on.