
Mass phishing campaign exploits enterprise lures to steal credentials from 35k users across 26 countries
Microsoft disclosed a large-scale credential-stealing phishing campaign that targeted more than 35,000 users across 26 countries (92% in the U.S.), with victims in healthcare, financial services, and other sectors. Attackers used polished, enterprise-style emails about code-of-conduct reviews, sent via legitimate email services, with embedded PDFs that led into an AiTM (adversary-in-the-middle) phishing flow designed to harvest Microsoft credentials and tokens and bypass MFA. Victims encountered CAPTCHA checks and multiple intermediate pages before reaching a final sign-in page, with the destination differing by device. The report also highlights rising QR-code phishing, ongoing business email compromise (BEC) activity, and the Tycoon 2FA phishing-as-a-service (PhaaS) infrastructure shifting hosting to evade defenses, alongside two notable Q1 campaigns and a broader surge in phishing threats (about 8.3 billion from Jan–Mar 2026).
