# Microsoft Warns of Massive 35,000-User Phishing Campaign Exploiting Code of Conduct Lures


Microsoft has disclosed a significant credential theft campaign that targeted over 35,000 users across more than 13,000 organizations in 26 countries between April 14 and 16, 2026. The multi-stage phishing attack combined social engineering tactics with legitimate email services to harvest authentication tokens, posing a substantial risk to enterprise security worldwide.


## The Threat


The campaign represents a sophisticated blend of social engineering and technical exploitation. Attackers leveraged a "code of conduct" themed lure—a deceptive premise designed to trigger organizational compliance concerns—to redirect users to attacker-controlled domains. Once on these malicious sites, victims unknowingly provided their authentication credentials and authorized access to their accounts, granting attackers valid authentication tokens that could bypass standard security controls.


The three-day window of observed activity (April 14-16, 2026) suggests either a concentrated, time-sensitive operation or the initial phase of a broader campaign. The targeting of 13,000+ organizations across 26 countries indicates this was not a narrowly focused attack but rather a mass-scale operation designed to cast a wide net for maximum credential harvesting.


## Background and Context


Phishing campaigns remain one of the most effective initial access vectors for cybercriminals and state-sponsored threat actors. According to security industry reports, email-based attacks continue to represent the highest-risk attack surface for most organizations, with employees representing both the strongest and weakest link in the security chain depending on their training and awareness.


Why this attack was effective:

  • Social engineering leverage: code of conduct notifications trigger organizational urgency and compliance concerns
  • Legitimate infrastructure abuse: sending through authentic email services lowers suspicion and bypasses some email filters
  • Token theft vs. password theft: stolen authentication tokens can bypass multi-factor authentication (MFA) if it is not properly configured
  • Mass targeting: the sheer scale makes it statistically likely that at least some recipients will fall for the lure

The campaign's timing—mid-April—may have been strategically chosen to coincide with compliance deadlines or organizational restructuring periods, when users are more likely to act quickly on policy-related communications without scrutiny.


## Technical Details

The attack chain involved multiple stages designed to maximize success rates while remaining difficult to detect:

### Stage 1: Initial Lure

Attackers sent phishing emails through legitimate email services (likely from compromised accounts or spoofed addresses) with subject lines and content referencing organizational code of conduct requirements. These emails appeared authentic because they came from trusted infrastructure and played on familiar workplace themes.

### Stage 2: Malicious Redirect

Embedded links directed users to attacker-controlled domains designed to mimic legitimate organizational or Microsoft login portals. The sophistication of such pages has grown significantly; modern phishing sites often carry legitimate branding, valid TLS certificates, and near-perfect replicas of authentic login interfaces.

### Stage 3: Credential Harvesting

Users who entered their credentials on these fake sites unknowingly transmitted their usernames and passwords directly to the attackers. More importantly, many organizations now use single sign-on (SSO), so a single captured authentication grant could immediately provide access to multiple connected services.

### Stage 4: Token Theft

The campaign specifically targeted authentication tokens—the cryptographic proofs of login that remain valid after the initial authentication. These tokens are particularly valuable because they can grant account access even if the user's password has since been changed or MFA has been enabled on the account.


## Campaign Scope and Impact

| Metric | Value |
|--------|-------|
| Targeted Users | 35,000+ |
| Affected Organizations | 13,000+ |
| Geographic Scope | 26 countries |
| Campaign Duration | 3 days (April 14-16, 2026) |
| Primary Vector | Email phishing with code of conduct lure |


The geographic distribution across 26 countries suggests one of the following:

  • An indiscriminate mass campaign using bulk email services
  • Targeting of multinational organizations with global workforces
  • Multiple operational groups sharing the same phishing infrastructure

The concentration in just three days is also noteworthy, indicating either a rapid, coordinated operation or that Microsoft detected and disclosed the campaign before the attackers could extend it further.


## Implications for Organizations

Immediate Risks:

  • Account compromise: Users who fell for the phishing may have had their accounts fully compromised
  • Lateral movement: Stolen tokens could give attackers an initial foothold for further penetration
  • Data exfiltration: Compromised accounts could enable theft of sensitive business information
  • Persistent access: Attackers may have established backup access methods before credentials were changed

Downstream Threats:

  • Supply chain risk: Compromised accounts at partner organizations could extend the attack surface
  • Ransomware delivery: Initial access from phishing often precedes ransomware deployment
  • Espionage: State-sponsored actors frequently use phishing for reconnaissance and data collection

Organizations cannot determine whether their employees fell victim to this campaign without specific indicators or user self-reporting, which makes proactive defensive action critical.


## Recommendations and Mitigation

Immediate Actions:

1. Password reset — Force password changes across the organization, prioritizing high-risk users (executives, IT staff, and anyone with administrative access)

2. Token revocation — Revoke existing sessions and tokens and require re-authentication; as noted under Stage 4, a password change alone does not invalidate tokens that were already issued

3. Review authentication logs — Examine sign-in patterns for anomalous access from unfamiliar locations, devices, or times

4. Monitor for lateral movement — Check for unusual file access, permission escalations, or bulk data downloads following a compromise

Email Security Hardening:

  • Implement DMARC, SPF, and DKIM to prevent spoofing of legitimate domains
  • Deploy advanced email filtering with machine learning to detect phishing attempts
  • Disable automatic email forwarding rules that could redirect communications
  • Quarantine emails with suspicious link destinations

User Education:

  • Conduct security awareness training emphasizing verification of code of conduct notices through official channels
  • Teach users to hover over links (without clicking) to verify the destination before acting
  • Establish a clear reporting process for suspected phishing, with no penalties for users who report rather than click
  • Use phishing simulation exercises to identify vulnerable employee populations

Technical Controls:

  • Enable conditional access policies that detect impossible travel and anomalous login attempts
  • Require MFA for all users, with particular emphasis on phishing-resistant methods (Windows Hello, FIDO2 keys)
  • Implement token-signing certificates to prevent stolen tokens from being reused
  • Deploy endpoint detection and response (EDR) solutions to catch post-compromise activity
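As a worked illustration of immediate action 3 (reviewing authentication logs) and of the impossible-travel check that the conditional access policies above perform, here is an added example; it is not code from the original article, from Microsoft, or from any identity provider. It parses sign-in records in a pipe-delimited format constructed for this example (user, UTC timestamp, source IP, latitude, longitude, result), sorts each account's successful sign-ins by time, and flags consecutive sign-ins from different sources that would require travelling faster than an airliner. The speed and distance thresholds, the record format and the sample records are all assumptions; a real deployment would read the same fields from the identity provider's sign-in export, which uses different field names.

```python
"""Impossible-travel check over sign-in records (added example, not the article's code).

The log format below is constructed for this example:
    user|timestamp (ISO 8601, UTC)|source IP|latitude|longitude|result
Real identity providers export similar fields under different names.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, inf, radians, sin, sqrt
from typing import Dict, Iterable, List

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumed threshold: roughly airliner cruise speed
MIN_DISTANCE_KM = 100.0           # assumed: ignore geolocation jitter within one region


@dataclass
class SignIn:
    user: str
    time: datetime      # timezone-aware, UTC
    ip: str
    lat: float
    lon: float
    success: bool


@dataclass
class ImpossibleTravelAlert:
    user: str
    first: SignIn
    second: SignIn
    distance_km: float
    speed_kmh: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlambda = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_signin(line: str) -> SignIn:
    """Parse one record of the constructed pipe-delimited format."""
    user, ts, ip, lat, lon, result = line.strip().split("|")
    # fromisoformat() accepts a trailing 'Z' only from Python 3.11 on; normalise it.
    time = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return SignIn(user, time, ip, float(lat), float(lon), result == "success")


def detect_impossible_travel(
    signins: Iterable[SignIn],
    max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH,
) -> List[ImpossibleTravelAlert]:
    """Flag consecutive successful sign-ins by one user that imply an implausible speed."""
    by_user: Dict[str, List[SignIn]] = {}
    for s in signins:
        if s.success:                      # failed attempts create no session; skip them
            by_user.setdefault(s.user, []).append(s)

    alerts: List[ImpossibleTravelAlert] = []
    for user, events in by_user.items():
        events.sort(key=lambda s: s.time)  # exports are not guaranteed to be in time order
        for prev, cur in zip(events, events[1:]):
            if prev.ip == cur.ip:
                continue                   # same source; nothing to compare
            distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if distance < MIN_DISTANCE_KM:
                continue                   # within geolocation noise
            hours = (cur.time - prev.time).total_seconds() / 3600.0
            # Identical timestamps from distant locations are still impossible travel,
            # so a zero interval counts as infinite speed rather than a division by zero.
            speed = distance / hours if hours > 0 else inf
            if speed > max_speed_kmh:
                alerts.append(ImpossibleTravelAlert(user, prev, cur, distance, speed))
    return alerts


def analyze_log(text: str) -> List[ImpossibleTravelAlert]:
    """Parse a whole log and return the impossible-travel alerts it contains."""
    records = [parse_signin(line) for line in text.splitlines() if line.strip()]
    return detect_impossible_travel(records)


# Constructed sample records: documentation IP ranges, fictitious users.
# alice signs in from London and, 88 minutes later, from Sydney; bob moves
# New York -> Boston over four hours; carol has one failure and one success.
SAMPLE_LOG = """\
alice@example.test|2026-04-15T09:02:00Z|203.0.113.10|51.5074|-0.1278|success
bob@example.test|2026-04-15T08:00:00Z|198.51.100.7|40.7128|-74.0060|success
bob@example.test|2026-04-15T12:00:00Z|198.51.100.9|42.3601|-71.0589|success
alice@example.test|2026-04-15T10:30:00Z|192.0.2.44|-33.8688|151.2093|success
carol@example.test|2026-04-15T10:31:00Z|192.0.2.45|-33.8688|151.2093|failure
carol@example.test|2026-04-15T09:00:00Z|203.0.113.11|51.5074|-0.1278|success
"""

if __name__ == "__main__":
    for alert in analyze_log(SAMPLE_LOG):
        elapsed = alert.second.time - alert.first.time
        print(f"{alert.user}: {alert.first.ip} -> {alert.second.ip}, "
              f"{alert.distance_km:,.0f} km in {elapsed} ({alert.speed_kmh:,.0f} km/h)")
```

On the sample data only alice is flagged: the London-to-Sydney pair implies roughly 17,000 km in under an hour and a half, while bob's New York-to-Boston pair is about 300 km in four hours. The speed threshold and the minimum-distance filter are the tuning knobs; corporate VPN egress points and mobile carrier geolocation both produce legitimate jumps, so an alert from this check is a prompt to revoke sessions and investigate (actions 2 and 4 above), not proof of compromise on its own.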

Verification and Validation:

Organizations should verify through official channels (not by replying to the suspicious email) before responding to any urgent compliance communication. Legitimate code of conduct updates arrive through established internal communication channels, not as unexpected emails with external links.


## Conclusion

This campaign demonstrates the continued effectiveness of well-executed phishing attacks at scale. The combination of social engineering (the code of conduct theme), legitimate infrastructure abuse, and token theft represents a mature threat that most organizations are not adequately prepared to defend against. The silver lining is that Microsoft's rapid disclosure gives organizations a critical window to implement defensive measures before attackers can fully exploit the compromised credentials.

Organizations should treat this disclosure as a wake-up call to strengthen email security, enhance user education, and implement zero-trust access controls that do not rely solely on initial authentication.