Microsoft has disclosed a large-scale phishing campaign that targeted over 35,000 users across 13,000 organizations in 26 countries between April 14 and 16, 2026. The attackers used code-of-conduct-themed lures combined with legitimate email services to direct victims to attacker-controlled domains and harvest authentication tokens.

The campaign's multi-stage approach relied on a familiar pretext. The emails referenced the company's code of conduct policy, a topic employees expect to receive from HR or legal and are unlikely to question. The embedded links bounced through the redirect infrastructure of legitimate email service providers, so the URL visible to the recipient (and to URL reputation filters) belonged to a trusted provider and the attacker's domain only appeared on the final hop. Once users reached the attacker-controlled pages, they were prompted to enter their credentials, which let the threat actors capture the resulting authentication tokens and take over the accounts.

The geographic breadth and scale of this campaign underscore the effectiveness of pretexting attacks against enterprise environments. By leveraging policy-related content, attackers exploited organizational trust and employee compliance instincts. Code of conduct emails carry implied authority and look routine, which makes them effective vectors for initial compromise.

The targeted organizations span multiple sectors and continents, suggesting either a broad, financially motivated campaign or initial reconnaissance for later targeted attacks. Routing the links through legitimate email services complicates detection and improves deliverability: the mail inherits the provider's sending reputation and authenticates cleanly for that provider's domain, so it is less likely to be quarantined or sent to the spam folder than mail sent directly from attacker infrastructure.

Harvesting authentication tokens gives attackers a direct path into the account without triggering a password reset or a new login alert. Victims may remain unaware of the breach while attackers access cloud storage, email, and integrated business applications. Token theft defeats MFA implementations based on one-time codes or push approvals: if the phishing page relays the login to the real identity provider and captures the session cookie issued after the second factor is satisfied, the attacker simply replays that cookie and never has to present the factor again. Phishing-resistant methods such as FIDO2 security keys and passkeys are the exception, because the credential is bound to the legitimate origin and cannot be completed through a proxy on a look-alike domain.
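As an added illustration of what replayed-token access looks like in sign-in telemetry (example code written for this page, not part of Microsoft's disclosure), the detector below flags a session that reappears from a different network shortly after MFA was satisfied, without presenting a fresh MFA claim. The record fields, ASN enrichment and sample sign-ins are constructed assumptions; a real identity provider's log schema will need to be mapped onto them.

```python
"""
Added example (not from Microsoft's report): a minimal detector for stolen
session-token replay. Field names and sample records are constructed for
illustration; map them to your identity provider's sign-in log schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    session_id: str      # identifier of the issued session / refresh token
    ip: str
    asn: str             # autonomous system of the IP (assumed enriched upstream)
    mfa_satisfied: bool  # whether this request itself presented an MFA claim


# Constructed sample data (documentation IP ranges, private-use ASNs).
# alice: MFA once from the corporate network, then the same session is used
#        minutes later from another ASN with no fresh MFA -> looks like replay.
# bob:   same session reused from the same network -> normal.
# carol: new network, but MFA was re-satisfied there -> legitimate roaming.
SAMPLE_LOG = [
    SignIn(datetime(2026, 4, 15, 9, 0),  "alice@example.com", "sess-A1", "203.0.113.10",  "AS64500", True),
    SignIn(datetime(2026, 4, 15, 9, 12), "alice@example.com", "sess-A1", "198.51.100.77", "AS64511", False),
    SignIn(datetime(2026, 4, 15, 10, 0), "bob@example.com",   "sess-B7", "203.0.113.11",  "AS64500", True),
    SignIn(datetime(2026, 4, 15, 12, 0), "bob@example.com",   "sess-B7", "203.0.113.11",  "AS64500", False),
    SignIn(datetime(2026, 4, 15, 13, 0), "carol@example.com", "sess-C3", "203.0.113.12",  "AS64500", True),
    SignIn(datetime(2026, 4, 15, 13, 5), "carol@example.com", "sess-C3", "192.0.2.44",    "AS64496", True),
]


def find_token_replay(events, window=timedelta(hours=1)):
    """Return (user, session_id, first_asn, second_asn) for every session that
    is presented from two different ASNs within `window` where the later use
    did not re-satisfy MFA.

    A token lifted by a phishing proxy is replayed from the attacker's
    network, carrying the MFA claim the victim earned; the attacker's request
    therefore changes ASN without any new MFA event. Legitimate roaming either
    stays on one network or re-prompts, which this check leaves alone.
    """
    by_session = defaultdict(list)
    for e in events:
        by_session[(e.user, e.session_id)].append(e)

    findings = []
    for (user, sid), uses in by_session.items():
        uses.sort(key=lambda e: e.ts)
        for prev, cur in zip(uses, uses[1:]):
            if (cur.asn != prev.asn
                    and cur.ts - prev.ts <= window
                    and not cur.mfa_satisfied):
                findings.append((user, sid, prev.asn, cur.asn))
    return findings


if __name__ == "__main__":
    for hit in find_token_replay(SAMPLE_LOG):
        print("possible token replay:", hit)
```

The check is deliberately narrow: it keys on the session identifier rather than the user, so a victim who legitimately signs in again from a new device is not confused with an attacker reusing the stolen token. Tune the window to your token lifetimes, and treat an ASN change that coincides with an impossible-travel distance as a higher-confidence hit.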

Organizations should enforce email authentication (SPF, DKIM and a DMARC policy of quarantine or reject) to stop attackers from spoofing their own domains. These controls do not, however, block mail that is legitimately sent through a third-party email service and merely carries a redirect link, which is how this campaign reached inboxes; inspecting the final destination of links at click time and moving to phishing-resistant MFA address that gap. User awareness training addressing policy