Microsoft has disclosed a phishing campaign that targeted more than 35,000 users across 26 countries and over 13,000 organizations. Attackers used fake compliance emails, PDF attachments, CAPTCHA traps and AiTM techniques to steal credentials and bypass MFA protections.

Microsoft Reveals Phishing Attack Targeting 35,000 Users in 26 Countries

The420 Correspondent

Washington | Microsoft has disclosed details of a highly sophisticated phishing campaign that targeted more than 35,000 users across 26 countries. The cyber operation, detected in mid-April 2026, impacted over 13,000 organizations, with the United States reporting the highest concentration of victims.

According to Microsoft’s Security Research Team, the attackers used professionally designed phishing emails that closely resembled internal corporate communications. These messages included polished HTML templates, formal business language, and strong urgency-based prompts designed to pressure recipients into immediate action.

The emails carried subject lines such as “Internal case log issued under conduct policy” and “Reminder: employer opened a non-compliance case log.” Display names like “Internal Regulatory COC” and “Workforce Communications” were used to make the messages appear as legitimate internal compliance notices.

Microsoft reported that the campaign primarily targeted high-value sectors, including healthcare and life sciences (19%), financial services (18%), professional services (11%), and technology (11%). Security experts noted that these industries were likely chosen due to their access to sensitive data and critical enterprise systems.

Each phishing email contained a PDF attachment presenting a fake internal investigation or compliance procedure. Once opened, users were prompted to click embedded links that initiated a multi-stage redirection chain. This process included CAPTCHA verification pages and intermediate gateways designed to evade automated security detection tools.

After passing through these layers, victims were redirected to a counterfeit Microsoft login page where credentials and authentication tokens were captured in real time. The attackers employed an adversary-in-the-middle (AiTM) technique, enabling interception of session tokens and effectively bypassing multi-factor authentication (MFA) protections.

Microsoft warned that this method is particularly dangerous because attackers can maintain access to accounts even after password changes, as long as active session tokens remain valid.
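The point about session tokens outliving a password change can be shown with a small model. The following is an added example, not code from Microsoft's report or this article: a session store that binds each token to the client seen at sign-in and flags reuse from elsewhere (what a replayed AiTM token looks like when the attacker moves off the proxy), and a password change that only ends the session when it also revokes sessions, here by bumping a per-user password generation. All names, addresses and events are constructed.

```python
# Added example (not from the article). Session tokens, clients and events are constructed.
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    ip: str          # client address observed at sign-in (with AiTM, the proxy's address)
    ua: str          # user-agent observed at sign-in
    pw_version: int  # password generation the session was issued under


class SessionStore:
    def __init__(self):
        self.sessions = {}    # token -> Session
        self.pw_version = {}  # user -> current password generation

    def issue(self, token, user, ip, ua):
        self.sessions[token] = Session(user, ip, ua, self.pw_version.get(user, 0))

    def validate(self, token, ip, ua):
        """Return (accepted, reason). A token from an older password generation is
        rejected; a valid token presented by a different client is accepted but
        flagged, which is the signal a defender would alert on."""
        s = self.sessions.get(token)
        if s is None:
            return False, "unknown-token"
        if s.pw_version != self.pw_version.get(s.user, 0):
            return False, "revoked"
        if (ip, ua) != (s.ip, s.ua):
            return True, "suspicious-replay"  # same token, different client
        return True, "ok"

    def change_password(self, user, revoke_sessions):
        # Rotating the password alone changes nothing in the session store;
        # only bumping the generation invalidates already-issued tokens.
        if revoke_sessions:
            self.pw_version[user] = self.pw_version.get(user, 0) + 1


def scenario(revoke_sessions):
    """Victim signs in through the phishing proxy, the token is replayed from other
    infrastructure, then the victim changes password. Returns the two verdicts."""
    store = SessionStore()
    store.issue("tok-1", "alice", "198.51.100.7", "Edge/124")       # sign-in via proxy
    stolen = store.validate("tok-1", "203.0.113.9", "curl/8.0")      # attacker replays token
    store.change_password("alice", revoke_sessions)
    after = store.validate("tok-1", "203.0.113.9", "curl/8.0")       # still valid?
    return stolen, after
```

Without revocation the replayed token stays valid after the password change; with revocation the next use is rejected, which is why password resets after an AiTM incident must be paired with session revocation.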

The company stated that the phishing infrastructure was distributed across multiple domains and leveraged legitimate email delivery services, making detection significantly more difficult. CAPTCHA-based filtering and multi-layer redirection further helped the attackers evade traditional security defenses.

Microsoft’s broader threat intelligence report for early 2026 revealed that approximately 8.3 billion phishing attempts were recorded globally in the first quarter alone. Nearly 80% of these attacks were link-based, while malicious HTML and ZIP attachments remained widely used delivery methods.

A major emerging trend identified was QR code phishing, which increased by 146% between January and March 2026, rising from 7.6 million to 18.7 million incidents. These QR codes were often embedded directly into email bodies, redirecting users to fraudulent login pages.

Business Email Compromise (BEC) scams also saw significant growth, with more than 10.7 million incidents reported during the same period. These scams commonly involved fake invoices, fraudulent payment requests, and payroll deception schemes targeting corporate employees.

Cybersecurity analysts noted that phishing campaigns in 2026 have evolved beyond large-scale spam attacks into highly coordinated, multi-layered operations combining social engineering, cloud infrastructure abuse, and real-time credential interception techniques.

Microsoft has advised organizations to adopt phishing-resistant authentication methods, closely monitor login anomalies, and strengthen endpoint security systems. The company emphasized that user awareness alone is no longer sufficient against these advanced threats.

Investigations into the infrastructure behind the campaign are ongoing, with cybersecurity teams tracking domain networks, hosting providers, and associated communication channels linked to the operation.
