Microsoft reported a large phishing campaign that targeted over 35,000 users across 13,000 companies between April 14 and April 16, 2026. The campaign affected users in 26 countries, with 92% of the phishing emails directed at organizations in the United States.
The sectors most impacted included healthcare and life sciences (19%), financial services (18%), professional services (11%), and technology and software (11%). Microsoft outlined the tactics used in this campaign, noting that threat actors employed polished enterprise-style HTML templates designed to appear legitimate.
In the phishing emails, attackers impersonated identities such as “Internal Regulatory COC,” “Workforce Communications,” and “Team Conduct Report.” These emails were themed around “internal case logs” and included warnings about non-compliance, which created a sense of urgency for recipients to act.
Each email featured a notice indicating that it was issued through an authorized internal channel, asserting that the links and attachments had been reviewed for secure access. This helped reinforce the emails’ credibility.
The emails passed SPF, DKIM, and DMARC checks because the attackers sent them through legitimate services, so these traditional email protections did not block them. Each message carried a malicious PDF attachment that redirected victims to phishing landing pages.
Victims who opened the PDFs were funneled through multiple CAPTCHAs, which served both to create a false sense of legitimacy and to filter out automated scanning. The ultimate goal was to harvest Microsoft credentials and session tokens in real time, allowing the attackers to circumvent multi-factor authentication (MFA).
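Because the messages passed sender authentication, a defender has to look at the lure itself rather than at SPF/DKIM/DMARC results alone. The triage rule below is an added example written for this article; it is not Microsoft's code and does not come from the report. It scores a message against the indicators described above: an internal-team display name arriving from a domain the organization does not own, a case-log or non-compliance theme, a self-asserted "authorized internal channel" notice, a PDF attachment, and passing authentication from an external sender. The domain list, the sample messages, and the regular expressions are constructed for illustration and are assumptions, not indicators published by Microsoft.

```python
"""Triage rule for the phishing pattern described in the article.

Added defender-side example (not Microsoft's code, not from the report).
All domains, sample messages and patterns below are constructed for
illustration; tune them to your own environment before use.
"""
import re
from dataclasses import dataclass, field

# Display-name lures quoted in the article, plus a generic "compliance" term
# (assumption: attackers vary the wording, so match loosely).
LURE_NAME_RE = re.compile(
    r"internal regulatory|workforce communications|team conduct|compliance", re.I)
# Themes the article describes: internal case logs and non-compliance warnings.
THEME_RE = re.compile(r"case log|non-?compliance|policy violation", re.I)
# The legitimacy notice the emails carried (paraphrased; exact wording unknown).
AUTH_CLAIM_RE = re.compile(
    r"authorized internal channel|reviewed for secure access", re.I)


@dataclass
class Message:
    display_name: str
    from_domain: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)
    auth: dict = field(default_factory=dict)  # e.g. {"spf": "pass", ...}


def auth_passes(msg: Message) -> bool:
    """True when SPF, DKIM and DMARC all report 'pass'."""
    return all(msg.auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))


def triage(msg: Message, internal_domains: set) -> tuple:
    """Return (score, reasons) for one message; higher score = stronger match."""
    external = msg.from_domain.lower() not in internal_domains
    reasons = []
    if external and LURE_NAME_RE.search(msg.display_name):
        reasons.append("internal-team display name from an external domain")
    if THEME_RE.search(msg.subject) or THEME_RE.search(msg.body):
        reasons.append("case-log / non-compliance urgency theme")
    if AUTH_CLAIM_RE.search(msg.body):
        reasons.append("self-asserted 'authorized internal channel' notice")
    if any(a.lower().endswith(".pdf") for a in msg.attachments):
        reasons.append("PDF attachment")
    if external and auth_passes(msg):
        # Passing authentication is expected for mail sent via a legitimate
        # service, so this is a weak signal on its own.
        reasons.append("SPF/DKIM/DMARC pass from external sender")
    return len(reasons), reasons


def is_suspicious(msg: Message, internal_domains: set, threshold: int = 3) -> bool:
    """Flag a message when enough independent indicators line up."""
    return triage(msg, internal_domains)[0] >= threshold


# Constructed sample data (assumption: the defending org owns corp.example).
INTERNAL_DOMAINS = {"corp.example"}
SAMPLES = [
    Message("Internal Regulatory COC", "mailer.example.net",
            "Internal case log #4471 requires your response",
            "This notice was issued through an authorized internal channel. "
            "Failure to respond will be recorded as non-compliance.",
            ["Case_Log_4471.pdf"],
            {"spf": "pass", "dkim": "pass", "dmarc": "pass"}),
    Message("HR Compliance Team", "corp.example",
            "Annual policy acknowledgement",
            "Please review the attached policy and acknowledge by Friday.",
            ["policy.pdf"],
            {"spf": "pass", "dkim": "pass", "dmarc": "pass"}),
    Message("Vendor News", "vendor.example",
            "Product update", "New features shipped this month.", [],
            {"spf": "pass", "dkim": "pass", "dmarc": "pass"}),
]

if __name__ == "__main__":
    for m in SAMPLES:
        score, reasons = triage(m, INTERNAL_DOMAINS)
        print(f"{m.display_name!r} <{m.from_domain}>: score={score} "
              f"suspicious={is_suspicious(m, INTERNAL_DOMAINS)} {reasons}")
```

The threshold matters: a single signal such as "authenticated mail from an external domain" is true of nearly all legitimate third-party mail, so the rule only flags a message when several of the campaign's traits coincide. In a real deployment the display-name and theme patterns would be fed from your own observed lures and the internal-domain set from your tenant's verified domains.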