AiTM Phishing Campaign: Microsoft Warns of Global Code of Conduct Scams

On May 4, 2026, Microsoft Security researchers issued a critical alert regarding a massive, highly sophisticated AiTM Phishing Campaign that has successfully infiltrated over 13,000 organizations worldwide. This campaign, which targeted upwards of 35,000 individual users in a matter of days, marks a pivotal moment in the evolution of cybercrime. By weaponizing corporate “Code of Conduct” updates and “Policy Acknowledgments,” threat actors have found a psychological and technical backdoor into some of the world’s most secure digital environments.
The scale of the attack is staggering, but its technical execution is even more concerning. Unlike traditional phishing, which relies on simple credential harvesting, this campaign utilizes Adversary-in-the-Middle (AiTM) tactics to circumvent Multi-Factor Authentication (MFA). By the time a user realizes they have been compromised, the attacker has already intercepted a live session token, effectively granting them “the keys to the kingdom” without the need for a secondary password or a one-time code.
The Anatomy of the Deception: Why the AiTM Phishing Campaign Succeeds
The success of this AiTM Phishing Campaign is rooted in its masterful use of social engineering. Most employees are conditioned to respond immediately to HR-related or legal notifications, especially those involving mandatory policy updates or disciplinary “case logs.” The attackers exploited this professional urgency by distributing lures that appeared to be internal corporate communications regarding updated conduct policies for 2026.
To ensure high deliverability, the threat actors did not use typical “burner” domains. Instead, they leveraged legitimate email marketing services and cloud-hosted virtual machines. By sending through reputable infrastructure, the malicious emails were able to bypass standard security protocols such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance). For the end-user, the email looked perfectly authentic, originating from a “verified” sender and landing directly in the primary inbox rather than the junk folder.
Multi-Stage Attack Chain and CAPTCHA Intermediaries
The technical sophistication extends beyond the initial email. Microsoft’s analysis revealed a multi-stage delivery process designed to exhaust automated security scanners and “sandboxing” technologies. The flow typically follows this sequence:
- The PDF Lure: The email contains a PDF attachment with titles such as “Awareness Case Log File – Tuesday 14th, April 2026.pdf.” These files use high-fidelity corporate branding.
- The Redirect Hook: Inside the PDF, a “Review Case Materials” button directs the user to a staging site.
- The CAPTCHA Wall: Before reaching the final login page, users are forced to solve complex CAPTCHAs. This serves two purposes: it makes the site appear more “secure” and legitimate to the victim, and it prevents automated security bots from crawling and flagging the malicious backend.
- The Proxied Login: Only after the CAPTCHA is solved is the user presented with what appears to be a standard Microsoft Entra ID (formerly Azure AD) sign-in page.
Technical Deep Dive: The Adversary-in-the-Middle (AiTM) Mechanism
The core of this threat is the AiTM Phishing Campaign’s use of a reverse proxy. Traditional phishing involves a “fake” website that saves the username and password to a database. In an AiTM attack, the attacker does not simply host a fake page; they host a malicious proxy server that sits between the victim and the actual, legitimate Microsoft login portal.
When the victim enters their credentials, the proxy forwards them to Microsoft in real-time. When Microsoft asks for an MFA challenge (such as a push notification or an SMS code), the proxy forwards that challenge to the user. The user completes the MFA, believing they are logging in securely. However, because the proxy is relaying the entire session, it intercepts the session cookie (the token) issued by Microsoft once the authentication is successful.
The Power of Stolen Session Tokens
In modern cloud environments, once you log in with MFA, the system gives your browser a “session token” so you don’t have to re-authenticate every time you click a link. This token is what the AiTM Phishing Campaign seeks to steal. With a stolen session token, an attacker can:
- Bypass MFA Entirely: The attacker “injects” the stolen cookie into their own browser. Since the token represents an already-authenticated session, Microsoft’s servers believe the attacker is the legitimate, MFA-verified user.
- Establish Persistence: By capturing “refresh tokens,” attackers can maintain access even if the user changes their password, as long as the session itself is not explicitly revoked.
- Perform Lateral Movement: Once inside the SaaS environment, the attacker can move from Outlook to SharePoint, OneDrive, and even sensitive Financial or HR databases without triggering further security alerts.
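The relay and token-replay behaviour described above leaves a footprint in sign-in telemetry: a session that was established with an interactive MFA challenge and is then used, minutes later, from a different network and a different client without any new challenge. The following Python is an added example written for this article, not code from Microsoft or the original post; the log lines are constructed and the field names (time, user, sessionId, ip, userAgent, mfa) are assumptions rather than the real Entra ID sign-in log schema.

```python
"""Flag likely session-token replay in sign-in logs (added example, constructed data)."""
import json
from datetime import datetime, timedelta

# Constructed sample events, one JSON object per line. "mfa" records whether the
# sign-in satisfied MFA interactively or by presenting an existing session token.
SAMPLE_LOG = """
{"time":"2026-05-04T09:02:11Z","user":"alice@example.com","sessionId":"s-1001","ip":"203.0.113.10","userAgent":"Mozilla/5.0 (Windows NT 10.0) Edge/124","mfa":"interactive"}
{"time":"2026-05-04T09:05:40Z","user":"alice@example.com","sessionId":"s-1001","ip":"198.51.100.77","userAgent":"Mozilla/5.0 (X11; Linux x86_64) Chrome/124","mfa":"token"}
{"time":"2026-05-04T09:30:00Z","user":"bob@example.com","sessionId":"s-2002","ip":"203.0.113.22","userAgent":"Mozilla/5.0 (Windows NT 10.0) Edge/124","mfa":"interactive"}
{"time":"2026-05-04T10:15:00Z","user":"bob@example.com","sessionId":"s-2002","ip":"203.0.113.22","userAgent":"Mozilla/5.0 (Windows NT 10.0) Edge/124","mfa":"token"}
{"time":"2026-05-04T11:00:00Z","user":"carol@example.com","sessionId":"s-3003","ip":"203.0.113.30","userAgent":"Mozilla/5.0 (iPhone) Safari/17","mfa":"interactive"}
{"time":"2026-05-04T16:00:00Z","user":"carol@example.com","sessionId":"s-3003","ip":"203.0.113.31","userAgent":"Mozilla/5.0 (iPhone) Safari/17","mfa":"token"}
"""

WINDOW = timedelta(minutes=60)


def parse_events(log_text):
    """Parse the line-delimited JSON and return events sorted by time."""
    events = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        ev["time"] = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def find_token_replay(log_text, window=WINDOW):
    """Return findings for sessions whose token is presented from a different IP
    *and* a different client than the interactive sign-in that created it,
    within `window` of that sign-in and with no new MFA challenge."""
    anchors = {}   # (user, sessionId) -> the interactive-MFA event that started the session
    findings = []
    for ev in parse_events(log_text):
        key = (ev["user"], ev["sessionId"])
        if ev["mfa"] == "interactive":
            anchors.setdefault(key, ev)   # first interactive sign-in is the anchor
            continue
        anchor = anchors.get(key)
        if anchor is None:
            continue                      # no anchor in this log slice; nothing to compare
        ip_changed = ev["ip"] != anchor["ip"]
        ua_changed = ev["userAgent"] != anchor["userAgent"]
        elapsed = ev["time"] - anchor["time"]
        if ip_changed and ua_changed and elapsed <= window:
            findings.append({
                "user": ev["user"],
                "sessionId": ev["sessionId"],
                "anchor_ip": anchor["ip"],
                "replay_ip": ev["ip"],
                "minutes_between": round(elapsed.total_seconds() / 60, 1),
            })
    return findings


if __name__ == "__main__":
    for f in find_token_replay(SAMPLE_LOG):
        print("possible token replay:", f)
```

Only Alice's session is flagged: the token that the Windows/Edge sign-in produced is presented three and a half minutes later from a Linux/Chrome client on another network. Bob's second event is the same client on the same address, and Carol's changes address but not client, so neither trips this deliberately conservative rule. One caveat worth building in: in a real AiTM flow the interactive sign-in itself arrives through the proxy, so the anchor event may already carry attacker infrastructure; comparing each event against the user's established device and network baseline is the stronger signal, and this rule is best layered on top of that.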
Global Impact and Industry Targeting
Microsoft’s telemetry indicates a heavy concentration of these attacks in the United States, which accounted for 92% of the total volume. The campaign was not opportunistic; it was a highly targeted operation aimed at sectors with high-value data and strict regulatory requirements.
Healthcare and Life Sciences (19%)
The healthcare sector remains a primary target due to the 2026 updates to the HIPAA Security Rule, which mandates stricter MFA and access controls. Attackers know that healthcare employees are under extreme pressure to comply with these new regulations, making “Policy Acknowledgment” lures highly effective. A compromise here allows for the exfiltration of electronic Protected Health Information (ePHI), which commands a premium on the dark web.
Financial Services (18%)
For financial institutions, the risk is twofold: direct financial fraud and regulatory non-compliance under PCI DSS 4.0 and the Digital Operational Resilience Act (DORA). In this AiTM Phishing Campaign, attackers utilized compromised accounts to perform Business Email Compromise (BEC), sending fraudulent wire transfer requests that appeared to come from high-level executives whose sessions had been hijacked.
Evolving Defense: Moving Toward Phishing-Resistant MFA
The primary takeaway from the May 2026 Microsoft alert is that standard MFA is no longer enough. Traditional methods like SMS codes, voice calls, and even standard mobile app push notifications are vulnerable to proxy-based interception. To counter the AiTM Phishing Campaign, organizations must shift their defensive posture toward “phishing-resistant” technologies.
The Role of FIDO2 and Passkeys
Phishing-resistant MFA, specifically FIDO2 (Fast Identity Online) and WebAuthn-based passkeys, prevents AiTM attacks by design. These methods use origin-bound cryptographic keys. During the authentication process, the security key (like a YubiKey) or the device’s TPM (Trusted Platform Module) verifies the URL of the website. If the user is on a malicious proxy site, the cryptographic handshake will fail because the “origin” does not match the legitimate service. Even if a user is tricked into tapping their key on a phishing site, no usable secret or token is transmitted to the attacker.
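The origin binding described above is enforceable because of how a WebAuthn assertion is built: the browser writes the origin the user is actually on into clientDataJSON, the authenticator signs authenticatorData together with the SHA-256 hash of that JSON, and the relying party checks the origin and the RP-ID hash before it trusts the signature. The Python below is an added example for this article, not Microsoft's code or a WebAuthn library; it runs the origin and rpIdHash checks with the standard library only and stands in for the final public-key signature verification with a hash-binding comparison. The proxy origin `policy-review.invalid` is a constructed placeholder.

```python
"""Relying-party origin and RP-ID checks on a WebAuthn assertion (added example)."""
import base64
import hashlib
import json
import os

# Legitimate relying party named in the article; the proxy host is a constructed placeholder.
RP_ID = "login.microsoftonline.com"
ALLOWED_ORIGINS = {"https://" + RP_ID}
PROXY_ORIGIN = "https://policy-review.invalid"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def browser_client_data(challenge: bytes, page_origin: str) -> str:
    """clientDataJSON as the browser builds it. The origin is the page the user is
    really on; the page's own scripts cannot override it."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": page_origin}, separators=(",", ":"))


def authenticator_data(rp_id: str, sign_count: int = 1) -> bytes:
    """rpIdHash (32 bytes) || flags (1 byte, UP|UV) || signCount (4 bytes)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + sign_count.to_bytes(4, "big")


def signed_message(auth_data: bytes, client_data_json: str) -> bytes:
    """The bytes the authenticator actually signs: authData || SHA-256(clientDataJSON)."""
    return auth_data + hashlib.sha256(client_data_json.encode()).digest()


def verify_assertion(client_data_json: str, auth_data: bytes, expected_challenge: bytes):
    """Relying-party checks. Returns (accepted, reason). Signature verification
    against the registered public key is omitted here (see lead-in)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch or replay"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin %r is not the relying party" % cd.get("origin")
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match relying party"
    return True, "accepted"


def run_scenarios():
    """Direct sign-in, sign-in through a proxy, and a proxy that rewrites the origin."""
    challenge = os.urandom(32)
    auth = authenticator_data(RP_ID)

    direct = browser_client_data(challenge, "https://" + RP_ID)   # user on the real site
    proxied = browser_client_data(challenge, PROXY_ORIGIN)        # user on the proxy page
    # If the proxy rewrites the origin before forwarding, the hash the authenticator
    # signed no longer matches the forwarded clientDataJSON, so the signature fails.
    rewritten = proxied.replace(PROXY_ORIGIN, "https://" + RP_ID)

    return {
        "direct": verify_assertion(direct, auth, challenge),
        "proxied": verify_assertion(proxied, auth, challenge),
        "rewrite_breaks_signature": signed_message(auth, proxied) != signed_message(auth, rewritten),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, "->", result)
```

The proxied assertion is refused because clientDataJSON names the proxy's origin, and the proxy cannot quietly fix that up, since the origin is covered by the hash the authenticator signed. In practice the browser adds a further layer: it will not even let a credential scoped to `login.microsoftonline.com` be exercised from an origin whose domain does not match that RP ID, so the ceremony fails on the phishing page before any signature is produced. A production relying party still verifies the signature with the registered public key and tracks the sign counter; the example stops at the checks that make the scheme phishing-resistant.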
Implementing Session-Based Conditional Access
Security teams are also encouraged to implement Conditional Access (CA) policies that look beyond the initial login. Microsoft suggests the following “Zero Trust” configurations:
- Token Protection (Token Binding): This feature binds the session token to the specific device from which the user logged in. If an attacker tries to use a stolen token from a different machine or IP address, the token becomes invalid.
- Continuous Access Evaluation (CAE): This allows identity providers to revoke sessions in real-time if a “critical event” occurs, such as a change in the user’s location or a detected sign-in risk.
- Device Compliance: Enforcing a policy where only “Managed” or “Compliant” devices can access corporate data significantly reduces the risk of token replay from attacker-controlled infrastructure.
The Future of Digital Extortion and Identity Security
As we move further into 2026, the AiTM Phishing Campaign highlights a “new normal” in the threat landscape. Digital extortion has moved past the era of loud, destructive ransomware. Today’s sophisticated threat actors prefer the silent, persistent access afforded by token theft. By staying “in the middle,” they can exfiltrate data over months, monitor executive communications, and wait for the most lucrative moment to strike.
Organizations must realize that identity is the new perimeter. When the perimeter is no longer a firewall but a user’s session, the security of that session becomes the most critical asset in the enterprise. Education remains important, but as this campaign shows, even the most diligent employee can be fooled by a perfectly proxied, legitimate-looking interface. The solution is architectural: retiring legacy MFA, embracing FIDO2, and monitoring authentication tokens with the same rigor once reserved for network traffic.
Microsoft continues to monitor the infrastructure associated with this AiTM Phishing Campaign, and updates to Defender for Office 365 and Microsoft Entra are being rolled out to provide automated disruption of these proxy sessions. For now, the message to CISOs is clear: audit your MFA methods today, or risk being the next “case log” in an attacker’s database.
Written by
TempMail Ninja
Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.


