
Microsoft Details Phishing Campaign Targeting 35,000 Users Across 26 Countries

Microsoft has identified a sophisticated credential theft campaign targeting over 35,000 users across 13,000 organizations. The campaign uses deceptive code-of-conduct phishing lures to bypass multi-factor authentication.

Key Points

  • The campaign occurred between April 14 and 16, 2026, primarily impacting the U.S. healthcare, financial, and professional services sectors.
  • Attackers used polished HTML templates and PDF attachments to mimic legitimate internal corporate communications regarding non-compliance case logs.
  • The attack chain employed CAPTCHA-gated pages and adversary-in-the-middle (AiTM) tactics to harvest authentication tokens in real time.
  • Microsoft reported a 146% surge in QR code phishing during early 2026, alongside the continued evolution of PhaaS platforms like Tycoon 2FA.
  • Threat actors are increasingly abusing trusted infrastructure, such as Amazon Simple Email Service, to bypass standard email authentication protocols like SPF and DKIM.

Why it Matters

This campaign highlights a significant shift toward using highly credible, enterprise-themed lures that exploit employee trust in internal regulatory processes. By successfully bypassing multi-factor authentication, these attacks pose a severe risk to organizational security and demonstrate the growing sophistication of phishing-as-a-service operations.
Internet Published by info@thehackernews.com (The Hacker News)