Urgent Microsoft Phishing Alert: 35K Users Compromised


A large-scale credential theft campaign used carefully crafted "code of conduct" phishing lures against more than 35,000 users across 26 countries and relied on Adversary-in-the-Middle (AiTM) proxying to defeat the multi-factor authentication (MFA) methods its targets had in place. Microsoft has published the details of the campaign, which marks a clear step up in attacker sophistication. Read alongside Microsoft's Q1 2026 threat landscape report, it points to a shift towards advanced social engineering, abuse of legitimate services, and AiTM session hijacking, and organizations should re-evaluate their defenses against these tactics.

Unpacking the “Code of Conduct” Phishing Campaign

Between April 14 and 16, 2026, a credential theft operation targeted more than 35,000 users across over 13,000 organizations. 92% of targets were located in the U.S., and the campaign concentrated on a few sectors: healthcare and life sciences (19%), financial services (18%), and professional services and technology/software (11% each).

The threat actors designed their lures with exceptional precision. Emails mimicked official enterprise communications, featuring polished HTML templates and structured layouts. Display names like “Internal Regulatory COC” and subject lines such as “Internal case log issued under conduct policy” were used to create a facade of legitimacy. These messages were strategically infused with accusations and time-bound action prompts, generating a powerful sense of urgency and pressure. Attackers even included “preemptive authenticity statements” – notices claiming the message originated from an “authorized internal channel” with “reviewed and approved” links and attachments. This level of detail made distinguishing these phishing attempts from genuine internal communications incredibly difficult.

The Deceptive Multi-Stage Attack Flow

The campaign’s complexity extended beyond initial email lures. Attackers employed legitimate email delivery services, often leveraging cloud-hosted Windows virtual machines and multiple attacker-controlled domains. This made it harder for traditional email filters to flag the messages as suspicious. Each phishing email included a PDF attachment, such as “Awareness Case Log File,” which provided additional context and a “Review Case Materials” link.

Clicking this link started a multi-stage flow designed to reinforce legitimacy and keep automated analysis away from the final page:
1. Initial landing page: the user was redirected to an attacker-controlled domain (e.g., acceptable-use-policy-calendly[.]de), which immediately presented a Cloudflare CAPTCHA challenge. This "human verification" step stops URL scanners, sandboxes and crawlers from ever fetching the credential-harvesting page, so the link looks benign to automated tools while a real user passes straight through.
2. Intermediate staging page: after solving the CAPTCHA, the victim landed on a page claiming the requested documentation was encrypted and required account authentication.
3. Authentication prompts: the user was asked for an email address, then given a second CAPTCHA challenge involving image selection.
4. Verification confirmation: a message confirmed "Verification completed successfully" and stated that the "case" was being prepared.
5. Final AiTM stage: the user was redirected to a third site that adapted its content to mobile or desktop access. This page prompted the user to "Sign in with Microsoft" to view their "securely logged" and "time-stamped" code of conduct review materials.

Crucially, the "Sign in with Microsoft" prompt opened an Adversary-in-the-Middle (AiTM) session. The phishing site acts as a reverse proxy: it relays the victim's password and MFA response to the real Microsoft sign-in service in real time, so the victim completes a genuine sign-in, MFA included, without noticing anything unusual. The proxy captures the credentials and, more importantly, the session cookies and tokens that Microsoft issues once MFA succeeds. Replaying those tokens gives the attacker direct access to the account with no further MFA prompt, which is why AiTM defeats SMS codes, TOTP and push approvals. It does not defeat phishing-resistant methods (FIDO2 security keys, passkeys, Windows Hello for Business, certificate-based authentication), because those credentials are bound to the legitimate origin and will not complete a sign-in through a proxy on a different domain.

Broader Q1 2026 Threat Landscape: Key Insights

Microsoft’s analysis of the email threat landscape between January and March 2026 painted a sobering picture. The tech giant detected an astonishing 8.3 billion email-based phishing threats during this period. Nearly 80% of these were link-based, with large HTML and ZIP files forming a significant portion of malicious payloads. The overwhelming objective remained credential harvesting, while malware delivery declined to a mere 5-6%.

Several concerning trends emerged:

The Surge of QR Code Phishing

QR code phishing was the fastest-growing vector: volumes rose 146%, from 7.6 million in January to 18.7 million in March. A development observed late in Q1 2026 was embedding the QR code directly in the email body rather than in an attachment. That matters to defenders because the malicious URL then exists only as pixels in an image, which URL-text scanning and link rewriting do not cover unless the filter also decodes images, and because scanning the code moves the click to the user's personal phone, typically outside corporate email and endpoint controls. Palo Alto Networks Unit 42 described threat actors abusing QR codes as URL shorteners that mask the destination, as in-app deep links to steal credentials, and as a way to bypass app store security.

Evolving CAPTCHA-Gated Phishing

CAPTCHA-gated phishing also saw rapid evolution across various payload types. These challenges, seemingly innocent, serve a dual purpose for attackers: validating a “human” user while deterring automated security analysis.

Phishing-as-a-Service (PhaaS) Platforms Adapt

The operators behind the Tycoon 2FA PhaaS platform were observed shifting hosting providers and domain registration patterns. This move followed a coordinated disruption operation in March 2026, indicating the attackers’ resilience and continuous efforts to evade detection. Microsoft noted Tycoon 2FA moving away from Cloudflare, scattering its domains across alternative platforms to maintain anti-analysis protections. Other PhaaS platforms like Kratos (formerly Sneaky 2FA) and EvilTokens also played roles in major Q1 campaigns.

The Persistent Threat of Business Email Compromise (BEC)

BEC scams remained a significant concern, exhibiting fluctuating yet high attack volumes. March 2026 saw over 4 million BEC attacks, contributing to a total of 10.7 million recorded attacks in Q1. These attacks often exploit human trust and organizational hierarchies, targeting financial transactions or sensitive data.

Emerging Tactics: Abusing Trusted Services & Obfuscation

The recent threat landscape reveals a clear trend: attackers are increasingly leveraging legitimate, trusted infrastructure to bypass security controls.

Amazon SES Abuse for Credential Theft

A particularly insidious tactic is the abuse of Amazon Simple Email Service (SES) as a delivery vector for phishing and BEC campaigns. Attackers obtain access to SES, often via leaked AWS access keys, and use it to send thousands of phishing emails. Because those messages leave infrastructure the compromised account had already authorized (a verified SES identity whose SPF and DKIM records are published for the domain), they pass SPF, DKIM and DMARC checks rather than being caught by them: the checks confirm that the sending infrastructure was authorized, not that the sender's intent is benign. Kaspersky noted that this lets attackers skip building dubious domains from scratch and instead weaponize trusted infrastructure to deliver credential theft lures pointing to phony sign-in pages.
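
As an added example (not Kaspersky's or Microsoft's code), the following Python shows what triage of an authenticated message looks like in practice: it parses the Authentication-Results, Return-Path, Received, From and Reply-To headers, confirms that SPF, DKIM and DMARC all pass and that the DKIM signing domain is aligned with the From domain, recognises the SES relay, and then looks for the behavioural signals that authentication cannot provide. The headers are constructed to resemble a message sent through a victim's own verified SES identity; the domains, IP address and the "known SES senders" baseline are assumptions of the example, and the relaxed-alignment check is simplified (d= counts as aligned when it equals the From domain or is a subdomain of it).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message: sent through SES from a verified identity of contoso.example,
# so every authentication check passes. The Reply-To points elsewhere.
SAMPLE_PHISH = """\
Return-Path: <0100019a1b2c3d4e-abcd-4321@amazonses.com>
Received: from a8-12.smtp-out.amazonses.com (a8-12.smtp-out.amazonses.com [203.0.113.10])
 by mx.example.net with ESMTPS; Wed, 15 Apr 2026 09:12:44 +0000
Authentication-Results: mx.example.net;
 spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=amazonses.com;
 dkim=pass header.d=contoso.example header.s=ses2026;
 dmarc=pass action=none header.from=contoso.example
From: "Internal Regulatory COC" <compliance@contoso.example>
Reply-To: case-review@contoso-review.example
To: employee@example.net
Subject: Internal case log issued under conduct policy

Please review the attached case materials within 24 hours.
"""
# Same message without the foreign Reply-To, for comparison.
SAMPLE_BENIGN = SAMPLE_PHISH.replace("Reply-To: case-review@contoso-review.example\n", "")


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def parse_auth_results(value):
    """Map each method in Authentication-Results to its result plus the
    properties DMARC alignment needs (smtp.mailfrom, header.d, header.from)."""
    out = {}
    for clause in (value or "").split(";")[1:]:      # clause 0 is the authserv-id
        m = re.match(r"(spf|dkim|dmarc)=(\w+)", clause.strip())
        if m:
            props = dict(re.findall(r"(smtp\.mailfrom|header\.d|header\.from)=([^\s;]+)", clause))
            out[m.group(1)] = {"result": m.group(2), **props}
    return out


def triage(raw_message, known_ses_senders):
    """Decide whether a message that authenticates cleanly still needs a look."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To")) or from_dom
    return_dom = domain_of(msg.get("Return-Path"))
    received = " ".join(msg.get_all("Received", []))
    auth = parse_auth_results(msg.get("Authentication-Results"))

    via_ses = return_dom.endswith("amazonses.com") or ".amazonses.com" in received
    dkim_d = auth.get("dkim", {}).get("header.d", "").lower()
    # Relaxed DKIM alignment, simplified: d= equals the From domain or is a subdomain of it.
    aligned = bool(dkim_d) and (dkim_d == from_dom or dkim_d.endswith("." + from_dom))
    authenticated = all(auth.get(m, {}).get("result") == "pass" for m in ("spf", "dkim", "dmarc"))

    # Authentication says nothing about intent; these are the behavioural checks.
    findings = []
    if via_ses and aligned and from_dom not in known_ses_senders:
        findings.append("first SES-relayed message seen for this From domain")
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    if not authenticated:
        verdict = "unauthenticated"
    elif findings:
        verdict = "authenticated but suspicious"
    else:
        verdict = "authenticated, no anomalies"
    return {"from_domain": from_dom, "via_ses": via_ses, "dkim_domain": dkim_d,
            "aligned": aligned, "authenticated": authenticated,
            "findings": findings, "verdict": verdict}
```

Authentication results describe the infrastructure, so the verdict for a message that passes everything hinges on the extra findings: a From domain that has never relayed through SES before, and a Reply-To pointing somewhere else. In a real pipeline those baselines come from your own mail telemetry rather than a hard-coded set.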

Advanced Obfuscation Techniques

Beyond service abuse, attackers layer redirection. Researchers at Seton Hall University described campaigns targeting Microsoft 365 users with fake voicemail or Teams notification lures whose links first go through a trusted shortener such as Bitly and are then wrapped in the URL-rewriting links of legitimate email security products such as Proofpoint or Intermedia, so the visible link points at a security vendor's domain and the real destination only appears after several hops. Hover checks and static URL filters see the outer layer only. Scalable Vector Graphics (SVG) attachments add another disguise: an SVG is XML that may contain hyperlinks and script, so a file that renders as a harmless image can carry the redirect itself.
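
The following Python is an added example, not code from the Seton Hall researchers or from any vendor. It peels the wrapping layers that can be decoded offline (Microsoft Safe Links, which carries the target in a percent-encoded url= parameter, and Proofpoint URL Defense v2, whose u= parameter encodes "/" as "_" and every other escaped character as "-XX"), follows generic redirect parameters, and reports the difference between the host a user sees on hover and the host that actually serves the page. Shorteners such as Bitly cannot be resolved without an HTTP request, so they are only flagged for click-time resolution. The sample link is constructed: it nests a Safe Links wrapper around a Proofpoint wrapper around the campaign's defanged domain from the flow above, and the shortener list is the example's own. Proofpoint's v3 format and Intermedia's rewriting are not handled.

```python
import re
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Rewriting services and shorteners this helper understands (constructed lists).
PROOFPOINT_HOSTS = {"urldefense.proofpoint.com", "urldefense.com"}
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
REDIRECT_PARAMS = ("url", "u", "target", "redirect", "q")

# Constructed sample: Safe Links -> Proofpoint URL Defense v2 -> attacker domain.
WRAPPED = ("https://nam02.safelinks.protection.outlook.com/?url="
           "https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3F"
           "u%3Dhttps-3A__acceptable-2Duse-2Dpolicy-2Dcalendly.de_review-3Fcase-3D1234"
           "%26d%3DDwMFAg%26c%3Dabc&data=05%7C01%7C&reserved=0")


def decode_proofpoint_v2(encoded: str) -> str:
    """Reverse Proofpoint URL Defense v2 encoding of the 'u' parameter:
    '_' stands for '/', and '-XX' is the hex code of any other escaped byte
    (a literal '-' arrives as '-2D' and a literal '_' as '-5F')."""
    with_slashes = encoded.replace("_", "/")
    return re.sub(r"-([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), with_slashes)


def unwrap_once(url: str) -> Tuple[Optional[str], str]:
    """Peel one wrapping layer; return (inner_url, layer_name) or (None, '')."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    query = parse_qs(parsed.query)           # values arrive percent-decoded
    if host in PROOFPOINT_HOSTS and parsed.path.startswith("/v2/url") and "u" in query:
        return decode_proofpoint_v2(query["u"][0]), "proofpoint-v2"
    if host.endswith(".safelinks.protection.outlook.com") and "url" in query:
        return query["url"][0], "safelinks"
    for name in REDIRECT_PARAMS:             # generic open-redirect style parameter
        if name in query and query[name][0].lower().startswith(("http://", "https://")):
            return query[name][0], f"redirect-param:{name}"
    return None, ""


def unwrap_chain(url: str, max_hops: int = 10) -> dict:
    """Follow wrapping layers that can be decoded offline and report what a
    hover check hides: the visible host versus the host that actually serves."""
    layers = []
    current = url
    for _ in range(max_hops):
        inner, layer = unwrap_once(current)
        if inner is None:
            break
        layers.append(layer)
        current = inner
    final_host = (urlparse(current).hostname or "").lower()
    return {
        "visible_host": (urlparse(url).hostname or "").lower(),
        "final_url": current,
        "final_host": final_host,
        "layers": layers,
        # A shortener can only be resolved by an HTTP request at click time.
        "needs_click_time_resolution": final_host in SHORTENER_HOSTS,
    }


if __name__ == "__main__":
    print(unwrap_chain(WRAPPED))
```

Run it over the rewritten links in a suspicious message before trusting hover output; anything that ends at a shortener, or at a host that differs from the visible one, deserves click-time resolution in a sandbox rather than a decision based on the outer domain.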

Another example of sophisticated tradecraft is RedKitten, an Iran-linked cyber-espionage group active since late 2025. Its campaigns against human rights NGOs pair highly contextual, emotionally charged spear-phishing lures with AI-generated malicious macros and a range of C2 techniques, and use legitimate cloud services (GitHub, Google Drive, Telegram) for command and control. That combination illustrates the same broader trend: advanced social engineering delivered over resilient, trusted infrastructure.

Protecting Your Organization: Actionable Steps

Defending against these evolving and sophisticated phishing tactics requires a multi-layered approach combining technical controls, user education, and proactive threat intelligence.

Fortifying Technical Defenses

Proactive Email Protection: Configure Exchange Online Protection and Microsoft Defender for Office 365. Implement Zero-hour auto purge (ZAP) to remove malicious emails post-delivery, and enable Safe Links for click-time URL verification, along with Safe Attachments for scanning.
Endpoint & Network Security: Enable network protection in Microsoft Defender for Endpoint. Encourage the use of secure browsers like Microsoft Edge, which support Microsoft Defender SmartScreen to block malicious sites.
Authentication Hardening: Move beyond passwords. Roll out passwordless, phishing-resistant methods: Windows Hello for Business, FIDO2 security keys and passkeys (including device-bound passkeys in Microsoft Authenticator), or certificate-based authentication. Be precise about what "phishing-resistant" means here: SMS codes, TOTP codes and authenticator-app push approvals are all relayed through an AiTM proxy in real time and were exactly what this campaign captured. Authenticator-app methods are still preferable to SMS, which can additionally be SIM-swapped or intercepted, but only credentials bound to the legitimate origin (FIDO2/WebAuthn, Windows Hello for Business, certificates) refuse to complete a sign-in on the proxy's domain.
Conditional Access Policies: Apply Conditional Access policies that require phishing-resistant MFA, at minimum for privileged accounts (Entra ID's built-in "Phishing-resistant MFA" authentication strength expresses exactly this requirement), and that restrict access based on device compliance, location, or sign-in risk. Where the client supports it, Conditional Access token protection binds sign-in session tokens to the device they were issued to, so a token stolen through an AiTM proxy cannot be replayed from the attacker's machine.
Automated Attack Disruption: Configure automatic attack disruption features within Microsoft Defender XDR to automatically contain active threats.

Empowering Your Users

Continuous Security Awareness Training: Invest in robust and regular user awareness training. Conduct realistic phishing simulations (e.g., Microsoft Defender for Office 365 Attack simulation training) to educate employees on recognizing and reporting suspicious emails.
Verify, Don’t Click: Teach users to be wary of unexpected messages asking for urgent action, especially those with suspicious or shortened links. Emphasize hovering over links (without clicking) to reveal true destinations. If anything seems suspicious, verify directly with the sender through a separate, known communication channel.
Report Suspicious Activity: Ensure employees know how to report suspicious emails promptly, ideally via a “Report Phishing” button in Outlook or a dedicated IT security email address.

Incident Response and Proactive Monitoring

Monitor for Anomalous Activity: Use Microsoft Defender detections for initial access (phishing emails, malicious URL clicks) and for what follows: anomalous token use, unfamiliar sign-in properties and impossible travel flagged by Microsoft Entra ID Protection and Defender for Cloud Apps. The tell-tale sign of an AiTM compromise is a session identifier that first appears in an interactive, MFA-satisfied sign-in from one IP address (the proxy) and is then reused from another. When an account is confirmed compromised, resetting the password is not enough: revoke the user's refresh tokens and active sessions as well, since a stolen session token stays valid until it is revoked, and then check for persistence such as new inbox rules, added MFA methods or OAuth app consents.
Keep Software Updated: Regularly update all devices, operating systems, and applications with the latest security patches to protect against known vulnerabilities.
Leverage AI-Powered Tools: Tools like Microsoft Security Copilot can assist security teams with AI-powered incident summarization, analysis, and guided responses, enhancing threat intelligence and hunting capabilities.
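
The AiTM flow described earlier and the "anomalous tokens" item above leave one specific trace in sign-in logs: a session minted by an interactive, MFA-satisfied sign-in is later used from a different network, usually within minutes. The following Python is an added example, not Microsoft's code or a Defender query; it applies that logic to a constructed set of sign-in events. It assumes sign-in records exported with a session identifier, source IP, ASN, an interactive flag and an MFA result (the field names are the example's own), plus a per-user baseline of previously seen ASNs, which is also constructed. The same join-on-session-identifier logic is what you would express in KQL against your sign-in tables.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(time, user, ip, asn, session_id, interactive, mfa):
    """Build one sign-in record from the fields this check needs (example's own schema)."""
    return {"time": datetime.fromisoformat(time), "user": user, "ip": ip, "asn": asn,
            "session_id": session_id, "interactive": interactive, "mfa_satisfied": mfa}


# Constructed sign-in events.
SAMPLE_EVENTS = [
    # alice completes an interactive MFA sign-in, but from a hosting ASN she has never
    # used: that is the AiTM proxy performing the real sign-in on her behalf.
    _ev("2026-04-15T09:15:00+00:00", "alice@contoso.example", "198.51.100.7", "AS64500", "S1", True, True),
    # six minutes later the same session token is used from a second ASN: token replay.
    _ev("2026-04-15T09:21:00+00:00", "alice@contoso.example", "203.0.113.44", "AS64501", "S1", False, True),
    # bob: interactive MFA sign-in and later token use, both from his usual ASN.
    _ev("2026-04-15T10:00:00+00:00", "bob@contoso.example", "192.0.2.10", "AS64496", "S2", True, True),
    _ev("2026-04-15T10:30:00+00:00", "bob@contoso.example", "192.0.2.10", "AS64496", "S2", False, True),
    # carol: the session is seen from a second, known ASN, but two days later, outside the window.
    _ev("2026-04-15T11:00:00+00:00", "carol@contoso.example", "192.0.2.20", "AS64496", "S3", True, True),
    _ev("2026-04-17T11:00:00+00:00", "carol@contoso.example", "203.0.113.9", "AS64502", "S3", False, True),
]

# ASNs previously seen for each user (constructed baseline).
KNOWN_ASNS = {
    "alice@contoso.example": {"AS64496"},
    "bob@contoso.example": {"AS64496"},
    "carol@contoso.example": {"AS64496", "AS64502"},
}


def detect_session_reuse(events, known_asns, window=timedelta(hours=24)):
    """Group sign-ins by session identifier and flag a session when the token minted
    by an interactive, MFA-satisfied sign-in is later used from a different ASN inside
    the window. Also note when the minting sign-in itself came from an ASN the user
    has never used, which is what the proxy's egress address looks like."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session_id"]].append(e)

    alerts = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["time"])
        origin = next((e for e in evs if e["interactive"] and e["mfa_satisfied"]), None)
        if origin is None:
            continue
        reasons = []
        if origin["asn"] not in known_asns.get(origin["user"], set()):
            reasons.append(f"MFA sign-in from ASN {origin['asn']} never seen for this user")
        for e in evs:
            delta = e["time"] - origin["time"]
            if e is not origin and e["asn"] != origin["asn"] and timedelta(0) <= delta <= window:
                minutes = int(delta.total_seconds() // 60)
                reasons.append(f"session token reused from {e['ip']} ({e['asn']}) "
                               f"{minutes} min after the MFA sign-in")
        if reasons:
            alerts.append({"user": origin["user"], "session_id": sid,
                           "origin_ip": origin["ip"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_reuse(SAMPLE_EVENTS, KNOWN_ASNS):
        print(alert)
```

Only alice's session is flagged, and for two independent reasons: the sign-in that satisfied MFA came from an ASN never associated with her, and the resulting token was replayed from yet another network six minutes later. Either reason on its own is worth a look; both together are the AiTM signature, and the response is to revoke her sessions before resetting anything else.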

Frequently Asked Questions

What is the “code of conduct” phishing campaign and how did it bypass MFA?

The “code of conduct” phishing campaign, observed in April 2026, was a sophisticated attack using highly convincing email lures that mimicked internal corporate communications. These emails contained PDF attachments with malicious links. When clicked, victims were led through multiple deceptive stages, including CAPTCHA challenges, before encountering a fake Microsoft sign-in page. This final stage employed Adversary-in-the-Middle (AiTM) techniques, allowing attackers to proxy the authentication process in real-time, steal authentication tokens, and effectively bypass Multi-Factor Authentication (MFA) to gain direct access to user accounts.

Which sectors were primarily targeted by recent Microsoft phishing campaigns, and where can organizations find mitigation guidance?

The April 2026 “code of conduct” campaign predominantly targeted healthcare and life sciences (19%), financial services (18%), professional services (11%), and technology and software (11%) sectors. Organizations can find comprehensive mitigation guidance from Microsoft’s security blogs and official documentation. Key recommendations include configuring Microsoft Defender for Office 365, implementing phishing-resistant MFA, deploying conditional access policies, providing robust user security awareness training, and enabling endpoint and network protection through Microsoft Defender for Endpoint and SmartScreen.

How can organizations effectively defend against advanced phishing tactics like AiTM and legitimate service abuse?

Effective defense against advanced phishing requires a multi-layered strategy. Technically, organizations should enforce phishing-resistant MFA (FIDO2 security keys, passkeys or Windows Hello for Business; SMS codes and authenticator-app approvals can both be relayed by an AiTM proxy), deploy Zero-hour auto purge (ZAP) and Safe Links in email security solutions, and leverage network protection with Microsoft Defender for Endpoint. Strategically, it is crucial to implement Conditional Access policies, proactively monitor for anomalous token usage or sign-in patterns, and invest in continuous security awareness training that covers AiTM, QR code phishing, and the abuse of legitimate services like Amazon SES, teaching users to verify before clicking.

Conclusion

The recent “code of conduct” phishing campaign, with its AiTM capabilities and legitimate service abuse, serves as a stark reminder of the escalating sophistication of cyber threats. Combined with the broader trends identified in Microsoft’s Q1 2026 report—from surging QR code phishing to resilient PhaaS platforms—it’s clear that traditional security approaches are no longer sufficient. Organizations must embrace a proactive, adaptive defense strategy, prioritizing advanced technical controls, robust user education, and continuous vigilance to protect against the next wave of highly deceptive cyberattacks.
