# Microsoft Warns of Sophisticated Phishing Campaign Leveraging Conduct Report Lures and Adversary-in-the-Middle Attacks


Microsoft has issued a critical alert regarding a sophisticated phishing campaign actively targeting organizations across the United States. The attack employs multiple layers of deception—including fake conduct reports and fraudulent login portals—combined with advanced adversary-in-the-middle (AitM) techniques to bypass security controls and compromise user credentials at scale.


The campaign represents a concerning evolution in phishing tactics, moving beyond simple credential harvesting to deploy legitimate-looking infrastructure that can intercept authentication tokens in real time. Security teams are advised to treat this threat with urgency, as the attackers demonstrate operational sophistication and access to resources typically associated with nation-state or well-funded cybercriminal groups.


## The Threat: Anatomy of the Campaign


The phishing emails at the center of this campaign are crafted to appear as internal business correspondence, specifically impersonating conduct reports or disciplinary documentation. This social engineering angle exploits a fundamental human response: employees are more likely to act quickly when they believe they face potential professional consequences.


Key characteristics of the attack:


  • Subject line urgency: Emails reference conduct reviews, performance evaluations, or policy violation notifications—all designed to trigger immediate action
  • Fake Microsoft login portals: When victims click the embedded link, they're directed to a convincing replica of a Microsoft login page
  • Credential interception: The phishing infrastructure captures both username and password in real time
  • Token theft: Attackers leverage AitM techniques to intercept and hijack session tokens, gaining access even if multi-factor authentication (MFA) is enabled

The sophistication of the attack suggests the threat actors may have conducted reconnaissance on target organizations, potentially customizing emails with legitimate-sounding internal references to increase credibility.


## Background and Context: Why This Matters


Phishing remains the leading initial access vector for data breaches and ransomware attacks; industry threat-intelligence reports routinely attribute the large majority of breaches (figures above 90% are commonly cited) to a phishing email. While awareness of basic phishing tactics has improved across many organizations, attackers continuously refine their methods.


What makes this campaign notable:


  • AitM integration: Traditional phishing compromises credentials. This campaign goes further by proxying the whole authentication session and capturing the session cookie issued after MFA, so it works against users protected by SMS, one-time-code, or push-based MFA (phishing-resistant methods such as FIDO2 security keys and passkeys, which bind the credential to the genuine login origin, are not defeated this way)
  • Scale and targeting: The campaign spans multiple US organizations across industries, indicating a broad targeting strategy rather than a focused operation
  • Impersonation fidelity: The use of conduct reports as a lure is a calculated choice—it combines urgency with legitimacy, as these documents are expected within organizational workflows

The targeting of US organizations, combined with the operational sophistication, has prompted Microsoft to engage with both law enforcement and other industry partners to coordinate response efforts.


## Technical Details: How AitM Attacks Work


To understand the severity of this threat, it's essential to grasp how adversary-in-the-middle attacks function, especially in the context of modern authentication frameworks.


### The AitM Attack Flow


| Phase | Actor | Action |
|-------|-------|--------|
| 1. Initial Compromise | Attacker | Phishing email delivered with a link to the attacker's reverse proxy |
| 2. Credential Capture | Victim | User enters credentials on the fraudulent portal, which logs them |
| 3. Real-Time Relay | Attacker | Proxy forwards the credentials to the legitimate service |
| 4. MFA Relay | Victim | MFA challenge is passed back to the victim, who completes it as usual |
| 5. Session Hijacking | Attacker | Session cookie issued after MFA is captured by the proxy and replayed from the attacker's machine |


How this defeats MFA:


The fraudulent portal is not a static copy of the Microsoft login page but a reverse proxy that sits between the victim and the legitimate Microsoft login service. Everything the user types, including the password, is forwarded to Microsoft, and everything Microsoft returns, including the MFA prompt, is passed back to the victim. The victim therefore completes the MFA step normally, whether by typing a code from an authenticator app or SMS or by approving a push notification; the attacker does not need to defeat the challenge, only to relay it. When Microsoft issues the session cookie at the end of the flow, it passes through the proxy, where the attacker copies it before sending the user on to the real site or a plausible error page.


The result: The attacker holds a valid, already-MFA-satisfied session cookie and can replay it from their own machine, gaining the same access the user has to mail, files, and integrated services. MFA is not broken; it is completed by the victim on the attacker's behalf, and the artifact produced afterwards is stolen. Because Microsoft's sign-in log records the proxy's IP address and user agent rather than the victim's, that mismatch is also the trace defenders should look for.
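The relay described above, reduced to a runnable model. This is an added example, not code from Microsoft's advisory or from any phishing kit: the identity provider, the proxy and the user's authenticator are in-process stand-ins, the hostnames `login.example-idp.test` and `login.example-idp-review.test` are assumptions, and the one-time code and assertion signature are HMAC placeholders for TOTP and WebAuthn. Beyond the flow in the text, it also shows why the same relay fails against an origin-bound (FIDO2-style) credential, which is the basis for the passwordless recommendation later in the article.

```python
"""Toy model of an adversary-in-the-middle (AitM) login relay.

Added example, not code from the advisory or any phishing kit. The IdP, the
proxy and the authenticator are in-process stand-ins; the hostnames below are
assumed. It shows why relaying a password + one-time code hands the attacker a
valid session cookie, and why an origin-bound (FIDO2/WebAuthn-style) credential
does not.
"""
import hashlib
import hmac
import secrets

LEGIT_ORIGIN = "login.example-idp.test"         # assumed genuine login host
PHISH_ORIGIN = "login.example-idp-review.test"  # assumed attacker look-alike host

# Constructed test user; a real IdP would store a password hash and a TOTP seed.
USERS = {"alice": {"password": "Winter2024!", "otp_secret": b"alice-otp-seed"}}
ALICE_DEVICE_KEY = b"alice-authenticator-private-key"  # lives only on her device


def otp_for(user):
    """Stand-in for a TOTP code (fixed rather than time-based, for the demo)."""
    return hmac.new(USERS[user]["otp_secret"], b"step", hashlib.sha256).hexdigest()[:6]


def sign_assertion(device_key, challenge, origin):
    """Stand-in for a WebAuthn assertion signature. The browser, not the page,
    supplies the origin, and the signature covers it, so a proxy cannot swap in
    the genuine origin after the fact."""
    return hmac.new(device_key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


class IdentityProvider:
    def __init__(self):
        self.sessions = {}                              # session cookie -> user
        self.device_keys = {"alice": ALICE_DEVICE_KEY}  # registered key stand-in

    def _issue(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def login_with_otp(self, user, password, otp):
        u = USERS.get(user)
        if u is None or password != u["password"] or otp != otp_for(user):
            return None
        return self._issue(user)

    def fido_challenge(self):
        return secrets.token_hex(16)

    def login_with_assertion(self, user, challenge, client_origin, signature):
        # Verify the origin the browser reported, then the signature over it.
        expected = sign_assertion(self.device_keys[user], challenge, client_origin)
        if client_origin != LEGIT_ORIGIN or not hmac.compare_digest(signature, expected):
            return None
        return self._issue(user)

    def whoami(self, cookie):
        return self.sessions.get(cookie)


def alice_authenticator(challenge, origin_seen_by_browser):
    """Alice's security key: signs whatever origin her browser is really on."""
    return origin_seen_by_browser, sign_assertion(ALICE_DEVICE_KEY, challenge, origin_seen_by_browser)


class AitmProxy:
    """Attacker's reverse proxy on PHISH_ORIGIN: forwards what the victim
    submits to the real IdP and keeps whatever the IdP returns."""

    def __init__(self, idp):
        self.idp = idp
        self.loot = {}

    def relay_otp_login(self, user, password, otp):
        self.loot.update(user=user, password=password, otp=otp)
        cookie = self.idp.login_with_otp(user, password, otp)
        self.loot["cookie"] = cookie
        return cookie is not None   # victim just sees "signed in"

    def relay_fido_login(self, user, authenticator):
        challenge = self.idp.fido_challenge()   # fetched from the real IdP
        # The victim's browser is on the phishing origin, so that is what gets signed.
        origin, sig = authenticator(challenge, PHISH_ORIGIN)
        cookie = self.idp.login_with_assertion(user, challenge, origin, sig)
        self.loot["cookie"] = cookie
        return cookie is not None


def run_demo():
    """Returns whether the attacker ends up with a usable session in each scenario."""
    idp = IdentityProvider()
    proxy = AitmProxy(idp)

    # Scenario 1: password + OTP typed into the phishing page and relayed.
    proxy.relay_otp_login("alice", "Winter2024!", otp_for("alice"))
    otp_hijacked = idp.whoami(proxy.loot["cookie"]) == "alice"

    # Scenario 2: FIDO2-style login attempted through the same proxy.
    proxy.relay_fido_login("alice", alice_authenticator)
    fido_hijacked = idp.whoami(proxy.loot["cookie"]) == "alice"

    # Control: the same key used directly against the genuine origin works.
    challenge = idp.fido_challenge()
    origin, sig = alice_authenticator(challenge, LEGIT_ORIGIN)
    direct_ok = idp.whoami(idp.login_with_assertion("alice", challenge, origin, sig)) == "alice"

    return {"otp_relay_hijacked": otp_hijacked,
            "fido_relay_hijacked": fido_hijacked,
            "direct_fido_login_ok": direct_ok}


if __name__ == "__main__":
    print(run_demo())
```

Run it directly to print the three outcomes. The decisive line is in `login_with_assertion`: the IdP checks the origin the browser reported and verifies a signature that covers that origin, so the proxy can neither forward the victim's assertion unchanged (wrong origin) nor rewrite the origin (signature no longer matches). Nothing comparable exists for a password or a six-digit code, which is why those relay cleanly.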


## Implications for Organizations


The risks posed by this campaign extend beyond individual compromised accounts. An attacker who gains access to an employee's Microsoft 365 account—especially if the employee has administrative privileges—can:


  • Pivot laterally throughout the organization's network
  • Steal sensitive data including emails, shared files, and collaboration documents
  • Establish persistence by creating additional administrative accounts, registering extra MFA methods on the compromised account, or consenting to attacker-controlled OAuth applications
  • Launch secondary attacks using the compromised account to send internally-credible phishing emails to other employees
  • Deploy ransomware if coordinating with a broader attack group

Organizations with inadequate logging and monitoring may not detect compromise for days or weeks, allowing attackers an extended window to expand their foothold.


## Recommendations: Defense Strategies


Organizations should implement a layered defense approach, recognizing that no single control will stop a determined attacker:


Immediate Actions:


  • Audit recent logins: Review sign-in logs for unusual access patterns, especially successful MFA-satisfied sign-ins from unexpected countries, hosting-provider IP ranges, or unfamiliar browsers; in an AitM compromise the sign-in log shows the attacker's proxy, not the victim's device
  • Reset passwords and revoke sessions: Instruct affected users to change their Microsoft 365 passwords from a device not used with the original credentials, and revoke their active sessions and refresh tokens at the same time, since a password reset alone does not reliably end a session the attacker has already established
  • Review MFA activity: Check for MFA prompts users report not initiating and for newly registered authentication methods or devices the user does not recognize
  • Search for forwarding rules: Compromised accounts are often used to create mail forwarding or deletion rules; audit inbox rules, mailbox forwarding settings, and recent OAuth application consents for unauthorized changes

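The two log reviews in the list above (sign-ins and inbox rules), as an added example that is not part of the advisory. The sign-in events and inbox rules are constructed to resemble the shape of Microsoft Entra sign-in log entries and Exchange/Graph inbox rules but are made up; the field names, the "known locations" baseline and the tenant domain `contoso-example.test` are assumptions. Point it at exported JSON with the same fields to triage real data.

```python
"""Triage helpers for an AitM compromise: sign-in anomalies and inbox rules.

Added example, not part of the advisory. Events, rules, the baseline and the
domain are constructed; field names are assumptions modelled on Entra
sign-in logs and Graph messageRule objects.
"""
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "contoso-example.test"   # assumed tenant domain

# Constructed baseline: where each user normally signs in from.
KNOWN = {
    "alice@contoso-example.test": {"countries": {"US"}, "ips": {"203.0.113.10"}},
}

# Constructed sign-in events (subset of sign-in log fields; result 0 = success).
SIGNINS = [
    {"user": "alice@contoso-example.test", "time": "2024-05-14T09:02:00Z", "ip": "203.0.113.10",
     "country": "US", "mfa": "multiFactorAuthentication", "result": 0,
     "agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"},
    # Same user, MFA satisfied minutes later from another country and IP: the IdP
    # is seeing the attacker's proxy, not Alice's laptop.
    {"user": "alice@contoso-example.test", "time": "2024-05-14T09:07:00Z", "ip": "198.51.100.77",
     "country": "NL", "mfa": "multiFactorAuthentication", "result": 0,
     "agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/118.0"},
    {"user": "bob@contoso-example.test", "time": "2024-05-14T09:10:00Z", "ip": "203.0.113.11",
     "country": "US", "mfa": "singleFactorAuthentication", "result": 50126,
     "agent": "Mozilla/5.0 (Windows NT 10.0) Edge/124.0"},
]

# Constructed inbox rules: one benign, one typical of post-compromise cleanup.
RULES = [
    {"displayName": "Project filter", "actions": {"moveToFolder": "Projects"},
     "conditions": {"subjectContains": ["project update"]}},
    {"displayName": ".",
     "actions": {"forwardTo": [{"emailAddress": {"address": "drop@mail-relay-example.test"}}],
                 "delete": True, "markAsRead": True},
     "conditions": {"bodyContains": ["password", "phishing", "suspicious sign-in"]}},
]

SUSPICIOUS_TERMS = {"password", "phishing", "suspicious", "hacked", "invoice", "payment", "mfa"}
HIDING_FOLDERS = {"RSS Feeds", "Archive", "Deleted Items", "Junk Email"}


def _ts(s):
    # fromisoformat() in older Pythons does not accept a trailing "Z"
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def find_suspicious_signins(events, known, travel_window=timedelta(hours=1)):
    """Flags successful sign-ins from a country or IP outside the user's baseline,
    and two successful sign-ins by one user from different countries inside
    travel_window (the proxy and the victim both appear as 'the user')."""
    findings = []
    ok = sorted((e for e in events if e["result"] == 0), key=lambda e: _ts(e["time"]))
    last_by_user = {}
    for e in ok:
        base = known.get(e["user"])
        if base and e["country"] not in base["countries"]:
            findings.append((e["user"], "new_country", e["ip"]))
        elif base and e["ip"] not in base["ips"]:
            findings.append((e["user"], "new_ip", e["ip"]))
        prev = last_by_user.get(e["user"])
        if prev and prev["country"] != e["country"] and _ts(e["time"]) - _ts(prev["time"]) <= travel_window:
            findings.append((e["user"], "impossible_travel", f'{prev["country"]}->{e["country"]}'))
        last_by_user[e["user"]] = e
    return findings


def find_suspicious_rules(rules, internal_domain):
    """Flags external forwarding, rules that hide security-related mail, and
    rules with empty or punctuation-only names (a common attacker habit)."""
    findings = []
    for r in rules:
        a, c = r.get("actions", {}), r.get("conditions", {})
        name = r.get("displayName", "")
        for tgt in a.get("forwardTo", []) + a.get("redirectTo", []):
            addr = tgt["emailAddress"]["address"]
            if not addr.lower().endswith("@" + internal_domain):
                findings.append((name, "external_forward", addr))
        terms = [t.lower() for k in ("subjectContains", "bodyContains") for t in c.get(k, [])]
        hides = a.get("delete") or a.get("markAsRead") or a.get("moveToFolder") in HIDING_FOLDERS
        if hides and any(s in t for t in terms for s in SUSPICIOUS_TERMS):
            findings.append((name, "hides_security_mail", ",".join(terms)))
        if not name.strip(". "):
            findings.append((name, "unnamed_rule", ""))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_signins(SIGNINS, KNOWN) + find_suspicious_rules(RULES, INTERNAL_DOMAIN):
        print(f)
```

The baseline is the important input: a single MFA-satisfied sign-in from a new country is not proof of compromise, but the combination of a new country, a different browser and a second success minutes after a legitimate one is the pattern a relayed login leaves, and the inbox rule that deletes anything mentioning "password" or "phishing" is how the attacker keeps the victim from noticing.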
Short-Term Mitigations:


  • Implement Conditional Access policies: Use Microsoft Entra (formerly Azure AD) Conditional Access to require compliant or hybrid-joined devices, block sign-ins from unexpected regions, and require a phishing-resistant authentication strength for privileged accounts
  • Enable passwordless, phishing-resistant sign-in: Migrate to Windows Hello for Business, FIDO2 security keys, or passkeys; these bind the credential to the legitimate login origin, so a proxy on a look-alike domain cannot obtain a usable assertion
  • Deploy email authentication standards: Implement DMARC, SPF, and DKIM to reduce the effectiveness of email spoofing
  • Enhance email filtering: Use advanced threat protection that analyzes links in real time and sandboxes suspicious content

Long-Term Strategies:


  • Zero-trust architecture: Assume breach and verify every access request, regardless of source
  • Security awareness training: Conduct targeted training emphasizing the dangers of phishing and the urgency of verifying unexpected requests through secondary channels
  • Threat hunting: Proactively search for indicators of compromise, including unusual authentication patterns, anomalous data access, and unexpected account creations
  • Incident response planning: Develop and test a comprehensive response plan for credential compromise scenarios

## Conclusion


This phishing campaign represents a meaningful escalation in attack sophistication. By combining credible social engineering lures with advanced technical capabilities—specifically the integration of AitM attacks—the threat actors have created a potent attack platform capable of bypassing many contemporary security controls.


Organizations should treat this alert as a catalyst for immediate security improvements. While Microsoft and industry partners work to disrupt the campaign's infrastructure, individual organizations must assume that employees within their networks may already be receiving these emails.


The organizations that respond most effectively will be those that move beyond relying solely on MFA as a security boundary and instead implement a defense-in-depth strategy that protects at multiple layers: email security, endpoint protection, user behavior analytics, and privileged access management.