Microsoft Corporation disclosed on May 5, 2026, the details of a large-scale phishing campaign that targeted approximately 35,000 users across more than 13,000 organizations. According to a report published by Microsoft Threat Intelligence, the operation spanned 26 countries, with the majority of targets located within the United States. The campaign utilized sophisticated Adversary-in-the-Middle techniques designed to circumvent multi-factor authentication protocols by stealing session tokens rather than just passwords.

The attackers employed lures themed around corporate Code of Conduct updates to deceive employees. These fraudulent emails often appeared to originate from internal human resources or legal departments, prompting recipients to review and sign updated policy documents. To increase the perceived legitimacy of the messages and bypass traditional email security filters, the threat actors leveraged legitimate third-party email marketing services and cloud infrastructure to distribute the malicious links.

Once a user clicked the link provided in the phishing email, they were directed to a proxy server that mirrored the legitimate Microsoft 365 login page. As the user entered their credentials and completed the multi-factor authentication challenge, the attacker’s server intercepted the resulting authentication token. This token allowed the unauthorized party to gain full access to the user’s mailbox and other corporate resources without needing to re-authenticate or possess the physical authentication device.
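A stolen session token that is later replayed appears in sign-in telemetry as one session identifier presented from a second network and a second client. The following is an added example of that check, not code or detection logic from Microsoft's report; the record fields, the sample events and the /24 and /48 grouping are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records; the field names are hypothetical, not a real log schema.
EVENTS = [
    {"time": "2026-05-01T09:00:02Z", "user": "alice@example.com", "session": "s-1001",
     "ip": "198.51.100.23", "agent": "Chrome/124 Windows", "mfa": True},
    {"time": "2026-05-01T09:04:40Z", "user": "alice@example.com", "session": "s-1001",
     "ip": "203.0.113.77", "agent": "python-requests/2.31", "mfa": False},
    {"time": "2026-05-01T09:10:00Z", "user": "bob@example.com", "session": "s-2002",
     "ip": "192.0.2.10", "agent": "Edge/124 Windows", "mfa": True},
    {"time": "2026-05-01T11:30:00Z", "user": "bob@example.com", "session": "s-2002",
     "ip": "192.0.2.200", "agent": "Edge/124 Windows", "mfa": False},
    {"time": "2026-05-01T12:00:00Z", "user": "carol@example.com", "session": "s-3003",
     "ip": "198.51.100.90", "agent": "Safari/17 iOS", "mfa": True},
    {"time": "2026-05-01T12:45:00Z", "user": "carol@example.com", "session": "s-3003",
     "ip": "203.0.113.5", "agent": "Safari/17 iOS", "mfa": False},
]

def network_of(ip):
    """Group addresses coarsely (/24 for IPv4, /48 for IPv6) to tolerate DHCP churn."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def find_replayed_sessions(events):
    """Return one finding per session reused from a new network AND a new client."""
    by_session = defaultdict(list)
    for event in sorted(events, key=lambda e: e["time"]):
        by_session[event["session"]].append(event)
    findings = []
    for session, evs in by_session.items():
        # Baseline: the request that satisfied MFA and caused the token to be issued.
        origin = next((e for e in evs if e["mfa"]), None)
        if origin is None:
            continue  # token issued outside the log window; nothing to compare against
        for e in evs[evs.index(origin) + 1:]:
            if (network_of(e["ip"]) != network_of(origin["ip"])
                    and e["agent"] != origin["agent"]):
                findings.append({"user": e["user"], "session": session,
                                 "issued_to": origin["ip"], "replayed_from": e["ip"],
                                 "time": e["time"]})
                break  # one finding per session is enough to trigger revocation
    return findings

if __name__ == "__main__":
    for finding in find_replayed_sessions(EVENTS):
        print(finding)
```

Because the sign-in in such a flow passes through the proxy, the baseline address may itself belong to the attacker; this check catches later reuse from different infrastructure, not the relay. Requiring both the network and the client to change keeps roaming users (the `carol` records) from raising findings.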

Microsoft’s investigation revealed that the campaign was highly automated, allowing the threat actors to target a vast number of organizations simultaneously. While the report did not attribute the activity to a specific named group, researchers noted that the infrastructure used in this campaign shared characteristics with previously documented clusters of cyber-criminal activity. The 13,000 affected organizations represent a broad spectrum of industries, including finance, healthcare, and government services.

In response to the discovery, Microsoft confirmed it has taken several remediation steps. The company has revoked the compromised session tokens for all identified victims and issued direct notifications to the administrators of the impacted organizations. Furthermore, Microsoft updated its security products, including Microsoft Defender for Office 365, to better detect and block the specific domains and communication patterns associated with this campaign.

The disclosure highlights a continuing trend in the cybersecurity landscape where attackers prioritize session hijacking over simple credential harvesting. Microsoft’s report emphasized that while multi-factor authentication remains a critical defense, organizations should consider implementing phishing-resistant authentication methods, such as FIDO2-based security keys, to mitigate the risks posed by these attacks. The company stated it continues to monitor the threat actor's infrastructure for signs of re-emergence.