Business Standard

Over 35k users, 13k organisations hit in global phishing attack: Microsoft

Microsoft said the phishing campaign targeted over 35,000 users across 13,000 organisations using fake compliance emails and adversary-in-the-middle attacks to steal account access


Aashish Kumar Shrivastava New Delhi


Microsoft has disclosed a large-scale phishing campaign that it said targeted more than 35,000 users across over 13,000 organisations globally, with most victims based in the United States. According to the company, the attack, observed between April 14 and 16, used highly convincing code-of-conduct themed emails to trick users into handing over access to their accounts.
 
The campaign stands out for combining social engineering with advanced techniques such as adversary-in-the-middle (AiTM) attacks, allowing attackers to bypass even multi-factor authentication in some cases.

How the phishing attack worked

Microsoft said the attackers sent emails posing as internal compliance or HR communications, using names such as “Internal Regulatory COC” and “Workforce Communications”.
 
 
These messages warned users about a supposed code-of-conduct review and pushed them to open a PDF attachment to review case details. The emails were designed to appear legitimate, featuring polished layouts, formal language, and claims that the message had been sent through an authorised internal channel. In some cases, they also referenced encryption services to build trust further.

Once the attachment was opened, users were directed to click a link to review case materials, triggering a multi-step attack chain.

Multi-step flow designed to bypass security

Instead of redirecting users directly to a fake login page, the attackers used multiple stages to make the process appear authentic and avoid detection.
 
Users first encountered CAPTCHA verification pages, which likely acted as a filter to block automated security tools. They were then taken to intermediate pages claiming the content was encrypted and required authentication.
 
The flow involved several steps, such as entering an email address and completing another CAPTCHA challenge, before finally reaching a sign-in page.

What is AiTM and why it is risky

At the final stage, users were redirected to a Microsoft sign-in page that formed part of an AiTM phishing setup.
 
Microsoft explained that in such attacks, the attacker positions itself between the user and the legitimate service, intercepting authentication data in real time.
 
This allows attackers to capture session tokens, which can provide direct access to accounts without requiring passwords later. Unlike traditional phishing attacks, this method can bypass some multi-factor authentication protections, making it significantly more dangerous.
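
A defender-side illustration of the token replay described above, added here and not taken from Microsoft's report or this article: a Python heuristic that flags a session identifier reused from a different IP address and client shortly after it was first seen. The log field names, sample events and one-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sign-in events for illustration; field names are assumptions,
# not the schema of any specific identity provider.
EVENTS = [
    {"time": "2026-04-14T09:00:05", "user": "alice@example.com",
     "session_id": "s-100", "ip": "198.51.100.10", "user_agent": "Edge/Windows"},
    {"time": "2026-04-14T09:20:00", "user": "alice@example.com",
     "session_id": "s-100", "ip": "198.51.100.10", "user_agent": "Edge/Windows"},
    {"time": "2026-04-14T10:00:00", "user": "bob@example.com",
     "session_id": "s-200", "ip": "203.0.113.7", "user_agent": "Chrome/Windows"},
    {"time": "2026-04-14T10:04:30", "user": "bob@example.com",
     "session_id": "s-200", "ip": "192.0.2.44", "user_agent": "Firefox/Linux"},
    {"time": "2026-04-14T11:00:00", "user": "carol@example.com",
     "session_id": "s-300", "ip": "198.51.100.20", "user_agent": "Safari/macOS"},
    {"time": "2026-04-14T11:30:00", "user": "carol@example.com",
     "session_id": "s-300", "ip": "198.51.100.99", "user_agent": "Safari/macOS"},
]


def find_replayed_sessions(events, window=timedelta(hours=1)):
    """Return one alert per session reused from a different IP and client."""
    first_use = {}  # (user, session_id) -> (timestamp, ip, user_agent)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        key = (ev["user"], ev["session_id"])
        if key not in first_use:
            first_use[key] = (ts, ev["ip"], ev["user_agent"])
            continue
        t0, ip0, ua0 = first_use[key]
        # Requiring both to change cuts noise from users who only roam networks.
        moved = ev["ip"] != ip0 and ev["user_agent"] != ua0
        if moved and ts - t0 <= window and key not in alerts:
            alerts[key] = {
                "user": ev["user"],
                "session_id": ev["session_id"],
                "first_ip": ip0,
                "reuse_ip": ev["ip"],
                "gap_seconds": int((ts - t0).total_seconds()),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in find_replayed_sessions(EVENTS):
        print(alert)
```

Legitimate network or device changes can still match this pattern, so a hit is a lead for review rather than proof of compromise.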

Who was targeted

The campaign did not focus on a single industry and affected a broad range of sectors.

Microsoft said healthcare and life sciences accounted for 19 per cent of targets, followed by financial services at 18 per cent. Professional services and technology sectors each accounted for 11 per cent.
 
The attack spanned 26 countries, although around 92 per cent of targets were located in the United States.

Why this matters for users

Microsoft noted that phishing attacks are becoming more sophisticated, moving beyond basic fake emails to multi-layered campaigns that combine convincing messaging with technical evasion tactics.
 
For users, this means even emails that appear legitimate and include multiple verification steps may still be malicious. The use of urgency, internal language, and familiar formats makes such attacks harder to detect.

What Microsoft recommends

To reduce risks, Microsoft advised organisations to strengthen email security settings, enable protections such as Safe Links and Safe Attachments, and adopt phishing-resistant authentication methods.
 
The company also highlighted the importance of user awareness and recommended using browsers and security tools capable of detecting and blocking malicious websites.
 
According to Microsoft, the campaign highlights how attackers are evolving their methods by combining social engineering with real-time interception techniques to compromise accounts more effectively.

CERT-In warns of AI-led cyber threats

In April, CERT-In (Indian Computer Emergency Response Team), the national nodal agency under India's Ministry of Electronics and Information Technology, issued an advisory on a risk associated with a new class of frontier AI systems. The agency noted that agentic AI models can independently plan and execute multi-step tasks, going beyond traditional AI tools that rely on step-by-step prompts. Systems such as GPT-5.5 and Mythos were cited as examples of this shift, highlighting how AI is evolving from a passive assistant into an active operator in complex environments.
 
CERT-In noted that the same AI systems helping organisations detect vulnerabilities could also be used by attackers to automate reconnaissance, craft convincing phishing campaigns, and execute multi-stage intrusions with minimal human effort.
 
In the context of Microsoft’s findings, this signals a broader shift where phishing attacks are increasingly becoming part of intelligent, AI-assisted threat chains that are harder to detect and faster to execute.


First Published: May 06 2026 | 12:14 PM IST
