Microsoft warns of global campaign stealing auth tokens from 35K users


Microsoft revealed a phishing campaign hitting 35,000 users in 26 countries, stealing login tokens via fake code-of-conduct emails and legit services.

Microsoft disclosed a major phishing campaign that targeted over 35,000 users across 26 countries in mid-April 2026.

Attackers used fake “code of conduct” emails sent through legitimate platforms to trick recipients into visiting bogus sites that stole authentication tokens.

“The campaign targeted tens of thousands of users, primarily in the United States, and directed them through several stages of CAPTCHA and intermediate staging pages designed to reinforce legitimacy while filtering out automated defenses,” reads the report published by Microsoft. “The lures in this campaign used polished, enterprise-style HTML templates with structured layouts and preemptive authenticity statements, making them appear more credible than typical phishing emails and increasing their plausibility as legitimate internal communications.”

Most victims (92%) were in the U.S., mainly in healthcare and finance.

Attackers used alarming, time-sensitive messages to pressure victims into action, leading them to a fake but legitimate-looking sign-in page. This adversary-in-the-middle (AiTM) phishing flow let attackers intercept authentication tokens in real time, bypassing MFA methods that are not phishing-resistant. Microsoft urges training, anti-phishing tools, secure browsers, and SmartScreen protections to defend against such threats.

The phishing campaign impersonated internal compliance and regulatory departments, using subject lines like “Internal case log issued under conduct policy” to create urgency and legitimacy. Attackers distributed emails via a legitimate email delivery service, embedding links in PDF attachments that led to attacker-controlled domains such as acceptable-use-policy-calendly[.]de.

After completing fake Cloudflare CAPTCHAs, victims were asked to “Review & Sign” documents and then redirected to a deceptive Microsoft sign-in page. This final step launched an adversary‑in‑the‑middle (AiTM) attack chain that proxied authentication and captured tokens, giving immediate access to user accounts despite multifactor authentication.
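Because an AiTM proxy replays a legitimately issued session token from the attacker's own infrastructure, one coarse defender-side signal is a session whose token is used from a second network shortly after the interactive, MFA-satisfied sign-in that created it. The following is an added example, not code from Microsoft or from the report; the event format and the sample events are constructed for illustration, and a real deployment would read its own identity provider's sign-in logs instead.

```python
"""Flag sign-in sessions whose token is used from a different network (ASN)
within a short window of the MFA-satisfied sign-in that created them.
Added example with a constructed event format; not from the report."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Fields:
# timestamp,user,session_id,source_ip,asn,sign_in_type,mfa_result
SAMPLE_LOG = """\
2026-04-15T09:02:11Z,alice@example.com,sess-7f3a,198.51.100.20,AS64500,interactive,mfa_satisfied
2026-04-15T09:04:50Z,alice@example.com,sess-7f3a,203.0.113.77,AS64501,noninteractive,not_required
2026-04-15T09:10:00Z,bob@example.com,sess-91c2,198.51.100.21,AS64500,interactive,mfa_satisfied
2026-04-15T09:40:00Z,bob@example.com,sess-91c2,198.51.100.21,AS64500,noninteractive,not_required
2026-04-15T12:30:00Z,carol@example.com,sess-0be1,192.0.2.9,AS64502,interactive,mfa_satisfied
2026-04-15T15:30:00Z,carol@example.com,sess-0be1,203.0.113.5,AS64501,noninteractive,not_required
"""


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    session_id: str
    ip: str
    asn: str
    interactive: bool
    mfa_satisfied: bool


def parse_line(line: str) -> SignIn:
    """Parse one constructed CSV event into a SignIn record."""
    ts, user, sid, ip, asn, kind, mfa = line.strip().split(",")
    return SignIn(
        ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        user=user,
        session_id=sid,
        ip=ip,
        asn=asn,
        interactive=(kind == "interactive"),
        mfa_satisfied=(mfa == "mfa_satisfied"),
    )


def parse_log(text: str) -> list[SignIn]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def find_token_replay(events, window=timedelta(hours=1)):
    """Return (user, session_id, origin_asn, new_asn, seconds_after) for every
    session whose token is later used from a different ASN within `window`
    of the interactive, MFA-satisfied sign-in that established it.

    Non-interactive token use from the *same* ASN is normal refresh traffic and
    is not flagged. Legitimate network changes (VPN, mobile handover) will also
    trip this heuristic, so treat hits as triage leads, not verdicts.
    """
    origin = {}  # session_id -> SignIn that established the session
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.interactive and ev.mfa_satisfied:
            origin[ev.session_id] = ev
            continue
        first = origin.get(ev.session_id)
        if first is None:
            continue  # token use without a known origin; out of scope here
        delta = ev.ts - first.ts
        if ev.asn != first.asn and delta <= window:
            hits.append((ev.user, ev.session_id, first.asn, ev.asn,
                         int(delta.total_seconds())))
    return hits


if __name__ == "__main__":
    for hit in find_token_replay(parse_log(SAMPLE_LOG)):
        print("possible AiTM token replay:", hit)
```

With the constructed events, only alice's session is flagged under the default one-hour window: her token appears from a second ASN 159 seconds after the MFA-satisfied sign-in. Bob's refresh from the same ASN is ignored, and carol's three-hour-later use from another network is only reported if the window is widened. Tune the window and add ASN allow-lists for known corporate egress before using the heuristic as an alert.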

“Following these steps, users were redirected to a third site hosting the final stage of the attack. Analysis of the underlying code indicates that the final destination varied depending on whether the user accessed the workflow from a mobile device or a desktop system.” continues the report.

The campaign’s structure mimicked legitimate workflow and compliance verification processes, making detection difficult. Microsoft described it as “one of the most sophisticated code-of-conduct‑themed credential theft operations observed to date,” confirming that the attackers’ methods reflected a high degree of operational planning and technical adaptability.

Microsoft recommends a layered approach to reduce risk. Organizations should review Exchange Online Protection and Defender for Office 365 settings, enable features like Zero-hour Auto Purge, Safe Links, and Safe Attachments, and use network protection and SmartScreen-enabled browsers.

User awareness training and phishing simulations are key, along with manual monitoring and removal of suspicious emails. Strong authentication is essential, including MFA or passwordless methods, plus conditional access for privileged accounts.

Finally, enabling automated attack disruption in Defender XDR can help detect and contain threats quickly, limiting their impact.


Pierluigi Paganini
