
Microsoft Details Phishing Campaign Targeting 35,000 Users Across 26 Countries

Microsoft has disclosed details of a large-scale credential theft campaign that has leveraged a combination of code of conduct-themed lures and legitimate email services to direct users to attacker-controlled domains and steal authentication tokens.

The multi-stage campaign, observed between April 14 and 16, 2026, targeted more than 35,000 users across over 13,000 organizations in 26 countries, with 92% of the targets located in the U.S. The majority of phishing emails were directed toward the healthcare and life sciences (19%), financial services (18%), professional services (11%), and technology and software (11%) sectors.

“The lures in this campaign used polished, enterprise-style HTML templates with structured layouts and preemptive authenticity statements, making them appear more credible than typical phishing emails and increasing their plausibility as legitimate internal communications,” the Microsoft Defender Security Research Team and Microsoft Threat Intelligence said.

“Because the messages contained accusations and repeated time-bound action prompts, the campaign created a sense of urgency and pressure to act.”

The email messages used in the campaign employ lures related to code of conduct reviews, using display names like “Internal Regulatory COC,” “Workforce Communications,” and “Team Conduct Report.” Subject lines associated with these emails include “Internal case log issued under conduct policy” and “Reminder: employer opened a non-compliance case log.”

“At the top of each message, a notice stated that the message had been ‘issued through an authorized internal channel’ and that links and attachments had been ‘reviewed and approved for secure access,’ reinforcing the email’s purported legitimacy,” Microsoft explained.

It is assessed that the emails are sent from a legitimate email delivery service. The messages also contain a PDF attachment that purportedly provides more information about the conduct review, luring victims into clicking a link within the document to initiate the credential harvesting flow.
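As an added illustration (not code from Microsoft's report or from the original article), the following Python scores an inbound message against the lure characteristics described above: the display names, the subject wording, the "authorized internal channel" banner, time-bound prompts and a PDF attachment. The sample messages are constructed, the addresses are placeholders, and the indicator list, equal weighting and threshold of three hits are my own assumptions.

```python
import email.utils
import re
from email import policy
from email.message import EmailMessage

# Indicators drawn from the campaign description above: the display names,
# subject wording and "authenticity" banner are as quoted in the report.
# Flagging at three or more hits is my own assumption, not Microsoft's logic.
DISPLAY_NAMES = {"internal regulatory coc", "workforce communications",
                 "team conduct report"}
SUBJECT_RE = [r"conduct policy", r"non-?compliance case", r"case log"]
BANNER_RE = [r"issued through an? authori[sz]ed internal channel",
             r"reviewed and approved for secure access"]
URGENCY_RE = [r"within \d+ (hours?|days?)", r"by end of (day|business)"]

def score_message(raw: bytes) -> dict:
    """Parse one RFC 5322 message and count the lure indicators it carries."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    display, _ = email.utils.parseaddr(str(msg.get("From", "")))
    if display.strip().lower() in DISPLAY_NAMES:
        hits.append("display_name")
    if any(re.search(p, str(msg.get("Subject", "")).lower()) for p in SUBJECT_RE):
        hits.append("subject")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content().lower() if body else ""
    if any(re.search(p, text) for p in BANNER_RE):
        hits.append("authenticity_banner")
    if any(re.search(p, text) for p in URGENCY_RE):
        hits.append("urgency")
    if any(a.get_content_type() == "application/pdf" for a in msg.iter_attachments()):
        hits.append("pdf_attachment")
    return {"hits": hits, "score": len(hits)}

def is_coc_lure(raw: bytes, threshold: int = 3) -> bool:
    return score_message(raw)["score"] >= threshold

def build_sample(display: str, subject: str, html: str, pdf: bool) -> bytes:
    """Constructed test message; the sender address is a placeholder."""
    m = EmailMessage()
    m["From"] = f"{display} <notices@sender.invalid>"
    m["Subject"] = subject
    m.set_content(html, subtype="html")
    if pdf:  # the PDF body is a placeholder, not a real document
        m.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                         subtype="pdf", filename="conduct_review.pdf")
    return m.as_bytes()

LURE = build_sample("Internal Regulatory COC", "Internal case log issued under conduct policy",
                    "<p>Issued through an authorized internal channel; links and attachments "
                    "reviewed and approved for secure access. Respond within 24 hours.</p>", True)
BENIGN = build_sample("Payroll Team", "Your March payslip is available",
                      "<p>Your payslip is now in the HR portal.</p>", False)
```

Run `score_message(LURE)` to see which of the five indicators fire on the constructed lure; the benign sample scores zero.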


The attack chain has been found to direct victims through multiple rounds of CAPTCHA and intermediate pages that are designed to lend the scheme a veneer of legitimacy while at the same time keeping out automated defenses.

Ultimately, it ends with a sign-in experience that leverages adversary-in-the-middle (AiTM) phishing techniques to harvest Microsoft credentials and tokens in real time, effectively allowing the threat actors to bypass multi-factor authentication (MFA). The final destination, per Microsoft, depends on whether the malicious flow was triggered from a mobile device or a desktop system.

Phishing Trends in 2026

The disclosure comes as Microsoft’s analysis of the email threat landscape between January and March 2026 revealed that QR code phishing emerged as the fastest-growing attack vector, while CAPTCHA-gated phishing evolved “rapidly” across payload types. In all, the tech giant said it detected about 8.3 billion email-based phishing threats.

Of these, nearly 80% were link-based, with large HTML and ZIP files accounting for a big chunk of the malicious payloads distributed via phishing emails. The end goal of the vast majority of these attacks was credential harvesting, with malware delivery declining to a mere 5-6% by the end of the quarter.

Microsoft also said the operators of the Tycoon 2FA phishing-as-a-service (PhaaS) platform have attempted to shift hosting providers and domain registration patterns following a coordinated disruption operation in March 2026.

“Toward the end of March, we observed Tycoon 2FA moving away from Cloudflare as a hosting service and now hosts most of its domains across a variety of alternative platforms, suggesting the group is seeking replacement providers that offer similar anti-analysis protections,” it added.

In a report published back in February, Palo Alto Networks Unit 42 highlighted how threat actors are abusing QR codes as URL shorteners to disguise malicious destinations, as in-app deep links to steal account credentials, and to bypass app store safeguards by linking to direct downloads of malicious apps.


Data from Microsoft shows a massive surge in QR code phishing during the three-month period, as attack volumes jumped from 7.6 million in January to 18.7 million in March, representing a 146% increase. One notable development observed in late March was the use of QR codes embedded directly in email bodies.

Business email compromise (BEC) scams, on the other hand, exhibited more fluctuation, crossing more than 4 million in attack volume in March 2026, up from over 3.5 million in January and more than 3 million in February. Collectively, 10.7 million BEC attacks were recorded.

Two noteworthy campaigns observed during Q1 2026 are listed below:

  • A large, sustained campaign between February 23 and February 25, 2026, that sent more than 1.2 million messages to users at more than 53,000 organizations in 23 countries, using 401(k)-, payment-, and invoice-themed lures to serve an SVG attachment. Opening the file directed the victims to a CAPTCHA check; after successfully completing it, they were shown a fake sign-in page to compromise their accounts.
  • A massive campaign on March 17, 2026, that involved more than 1.5 million confirmed malicious messages sent to over 179,000 organizations across 43 countries. The activity accounted for 7% of all malicious HTML attachments observed in the month. When opened, the HTML file redirected victims to an initial phishing page that screened the visitor before routing them to the final destination: a phishing page that presented a CAPTCHA challenge before serving a fraudulent sign-in page.

“Apparently, though messages on this marketing campaign shared widespread tooling, construction, and supply traits, the infrastructure internet hosting the ultimate phishing payload was linked to a number of completely different PhaaS suppliers,” Microsoft stated. “Most noticed phishing endpoints had been related to Tycoon 2FA, whereas extra exercise was linked to Kratos (previously Sneaky 2FA) and EvilTokens infrastructure.”

The findings coincide with the emergence of phishing and BEC campaigns that abuse Amazon Easy E-mail Service (SES) as a supply vector to bypass SPF, DKIM, and DMARC checks, and facilitate credential theft by way of phony sign-in pages. These assaults typically work by getting access to Amazon SES via leaked AWS entry keys.

“The insidious nature of Amazon SES assaults lies in the truth that attackers aren’t utilizing suspicious or harmful domains; as a substitute, they’re leveraging infrastructure that each customers and security techniques have grown to belief,” Kaspersky stated.

“By weaponizing this service, attackers keep away from the trouble of constructing doubtful domains and mail infrastructure from scratch. As a substitute, they hijack current entry keys to achieve the flexibility to blast out 1000’s of phishing emails. These messages cross e-mail authentication, originate from IP addresses which can be unlikely to be blocklisted, and comprise hyperlinks to phishing types that look fully official.”
