Compliance lures expose Microsoft account risks

Microsoft has warned of a large-scale credential theft operation that used fake workplace compliance emails to target more than 35,000 users across over 13,000 organisations in 26 countries, underscoring how cybercriminals are refining corporate-style social engineering to bypass both human caution and automated defences.

The campaign, observed between April 14 and 16, 2026, relied on emails that appeared to come from internal human resources, regulatory or conduct departments. The messages claimed that a code-of-conduct review or non-compliance case had been opened against the recipient, prompting them to review attached case materials. The attack was concentrated in the United States, which accounted for about 92 per cent of the targets, while healthcare and life sciences, financial services, professional services, and technology and software companies were among the most heavily exposed sectors.

The scale and construction of the operation point to a shift in phishing from crude credential-harvesting attempts to polished, multi-stage deception. The emails used display names such as “Internal Regulatory COC”, “Workforce Communications” and “Team Conduct Report”, with subject lines suggesting disciplinary or compliance action. The wording was designed to create anxiety, urgency and fear of workplace consequences, making employees more likely to open the attachment and follow the instructions.

Each email carried a PDF attachment presented as a confidential case file. Filenames referenced awareness case logs, disciplinary action or device-handling reviews, giving the communication the appearance of a formal workplace process. The body of the message included claims that the notice had been issued through an authorised internal channel and that links and attachments had been reviewed for secure access. Some emails also used a green banner falsely suggesting that the contents had been encrypted through a legitimate secure-communications service associated with healthcare privacy compliance.

The phishing route began when a recipient clicked a “Review Case Materials” link inside the PDF. That action sent the user through attacker-controlled domains, where a Cloudflare CAPTCHA page appeared to validate the session. Security analysts assess that the CAPTCHA step was not merely cosmetic: it helped block automated scanning tools and sandbox systems used by corporate security teams to inspect suspicious links before they reach employees.

After completing the first CAPTCHA, users were taken to an intermediate page that said encrypted case documents required account authentication. A further “Review & Sign” prompt led to an email-entry page, followed by another image-based CAPTCHA. The process then moved to a final page claiming that the compliance materials had been securely logged, time-stamped and stored in the organisation’s central tracking system. The victim was urged to sign in with a Microsoft account within a short time window, reinforcing the pressure to act quickly.

The most serious element of the campaign was its use of adversary-in-the-middle (AitM) phishing. Instead of merely collecting usernames and passwords on a fake page, the attacker's infrastructure proxied the victim's authentication session to the real Microsoft sign-in service in real time. Because the genuine service handled the login, any one-time code the victim typed was consumed by the legitimate MFA challenge, and the session token issued at the end of sign-in landed on the proxy. With that token, the attackers could access the account without needing the password or the second factor again.

This technique exposes a weakness in common multifactor authentication deployments. MFA remains important, but methods that can be relayed through a real-time proxy (one-time codes, SMS, simple push approvals) are less resilient than passwordless and phishing-resistant options such as hardware security keys, passkeys, Windows Hello or authenticator-based protections configured to be phishing-resistant, whose credentials are bound to the origin and cannot be completed on a lookalike domain. Because the stolen artefact is the post-authentication session rather than the password, response also means revoking the user's sessions and refresh tokens, not just resetting the password. For large organisations, stolen session tokens can lead to mailbox access, internal reconnaissance, data theft, lateral movement and follow-on business email compromise.
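The two paragraphs above describe the AitM flow and why some MFA methods survive it and others do not. The following Python sketch, added here as an illustration and not code from Microsoft or from the article, shows one detection heuristic a security team can run over sign-in telemetry: a session that was established with a phishable MFA method and is then used from a different network (ASN) shortly afterwards is a candidate for token replay, since the proxy completes sign-in from one location and the exported token is typically used from another. The log records and every field name (`user`, `session_id`, `ip`, `asn`, `event`, `mfa_method`, `ts`) are constructed assumptions, not the real Entra ID schema.

```python
"""Heuristic detection of AitM session-token replay.

Added example, not Microsoft's code and not part of the original article.
SAMPLE_LOG is constructed; field names are assumptions, not the real
Entra ID sign-in log schema.
"""
from datetime import datetime, timedelta

# Methods a real-time proxy can relay versus origin-bound credentials
# (FIDO2 keys, passkeys, Windows Hello) that cannot complete on a lookalike domain.
PHISHABLE_MFA = {"sms", "voice", "otp", "push"}
PHISHING_RESISTANT_MFA = {"fido2", "passkey", "windowshello"}


def is_phishing_resistant(method):
    """True for origin-bound methods; unknown or missing methods count as phishable."""
    return (method or "").lower() in PHISHING_RESISTANT_MFA


SAMPLE_LOG = [  # constructed records, two users, one replayed session
    {"ts": "2026-04-15T09:02:10", "user": "alice@example.com", "session_id": "s1",
     "event": "interactive_signin", "ip": "203.0.113.8", "asn": 64500, "mfa_method": "otp"},
    {"ts": "2026-04-15T09:03:44", "user": "alice@example.com", "session_id": "s1",
     "event": "token_refresh", "ip": "198.51.100.23", "asn": 64511, "mfa_method": None},
    {"ts": "2026-04-15T10:15:00", "user": "bob@example.com", "session_id": "s2",
     "event": "interactive_signin", "ip": "203.0.113.9", "asn": 64500, "mfa_method": "fido2"},
    {"ts": "2026-04-15T10:40:00", "user": "bob@example.com", "session_id": "s2",
     "event": "token_refresh", "ip": "203.0.113.9", "asn": 64500, "mfa_method": None},
]


def find_replayed_sessions(events, window=timedelta(hours=1)):
    """Return one finding per session whose token is used from a different ASN
    than the one that completed interactive sign-in, within `window`.

    Each finding records whether the sign-in used a phishable MFA method so
    that triage can prioritise the AitM case over, say, a VPN change.
    """
    by_session = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_session.setdefault(e["session_id"], []).append(e)

    findings = []
    for sid, evs in by_session.items():
        signins = [e for e in evs if e["event"] == "interactive_signin"]
        if not signins:
            continue  # no origin to compare against
        origin = signins[0]
        t0 = datetime.fromisoformat(origin["ts"])
        for e in evs:
            if e["event"] == "interactive_signin":
                continue
            t = datetime.fromisoformat(e["ts"])
            if e["asn"] != origin["asn"] and timedelta(0) <= t - t0 <= window:
                findings.append({
                    "user": origin["user"],
                    "session_id": sid,
                    "mfa_method": origin["mfa_method"],
                    "phishable_mfa": not is_phishing_resistant(origin["mfa_method"]),
                    "signin_ip": origin["ip"],
                    "reuse_ip": e["ip"],
                    "minutes_after": round((t - t0).total_seconds() / 60, 1),
                })
                break  # one finding per session is enough for triage
    return findings


if __name__ == "__main__":
    for f in find_replayed_sessions(SAMPLE_LOG):
        print(f)
```

On the constructed log, alice's session is flagged (OTP sign-in from one ASN, token refreshed from another a minute and a half later) while bob's is not (same ASN throughout). The ASN comparison is deliberately coarse; in production the same logic would usually be combined with the user's historical locations and with the tenant's own token-protection signals, and a hit should trigger session and refresh-token revocation rather than only a password reset.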

The campaign also showed technical tailoring beyond standard phishing kits. The final destination varied depending on whether the user accessed the flow from a mobile device or desktop system. Emails were sent through a legitimate email delivery service from multiple addresses tied to attacker-controlled domains, increasing the chance that messages would pass initial checks. Indicators linked to the campaign included domains created to resemble compliance, calendar and Microsoft-related services, along with sender addresses designed to reinforce the internal-policy theme.

The operation fits into a wider surge in email-based attacks during 2026. Microsoft’s threat telemetry for the first quarter identified billions of email phishing threats, with strong growth in QR-code phishing, CAPTCHA-gated credential theft and campaigns using legitimate infrastructure to appear trustworthy. Business email compromise patterns also shifted during the tax period, with payroll-update and finance-themed lures gaining prominence as attackers adjusted their tactics to seasonal workplace pressures.
