[TIMESTAMP: 2026-05-05 08:51 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Credential Theft: Microsoft Details Phishing Campaign Targeting 35k Users

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Attackers are stealing authentication tokens from 35,000 users globally to bypass security controls and access corporate environments.
  • [02] Microsoft 365 environments across 13,000 organizations in 26 countries are the primary targets of these code of conduct-themed lures.
  • [03] Defenders should implement phishing-resistant authentication and strictly monitor for anomalous session token usage within their environments.

Microsoft recently disclosed details of a large phishing operation that targeted approximately 35,000 users across 13,000 organizations. This multi-stage campaign, which took place between April 14 and 16, 2026, spanned 26 countries and used sophisticated tactics, techniques and procedures (TTPs) to harvest credentials and authentication tokens.

Mechanics of the Microsoft 365 Credential Theft Campaign

The attackers leveraged “Code of Conduct” themed lures, a psychological tactic designed to exploit corporate compliance requirements. By masquerading as internal HR or legal departments, the threat actors induced a sense of urgency and obligation in the recipients. According to The Hacker News, the emails directed users to attacker-controlled domains through a series of redirects involving legitimate email services.

Abusing legitimate infrastructure is a common way to circumvent traditional email security gateways. These services often have high reputation scores, which makes it difficult for automated filters to flag the initial message as malicious. Once the victim clicks the link, they are taken through a multi-stage chain that typically ends at a landing page mimicking the standard Microsoft 365 login interface. The attackers likely used command-and-control (C2) infrastructure to manage the harvested tokens and facilitate ongoing access.

How to Detect Token Theft Phishing

A primary objective of this campaign was the theft of authentication tokens rather than just plaintext passwords. This technique, often associated with Adversary-in-the-Middle (AiTM) attacks, allows an APT or opportunistic actor to bypass multi-factor authentication (MFA). By capturing the session token, the attacker can impersonate the user’s authenticated session without needing to provide the second factor.

To identify such activity, a SOC should monitor for “impossible travel” alerts and for logins from anomalous IP addresses that do not match the user’s historical profile. Additionally, organizations should inspect their SIEM logs for sign-ins where the User-Agent string is inconsistent with the device the employee typically uses. Detecting the use of specialized proxy tools or headless browsers during the login process is also a vital part of detecting token-theft phishing.
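The three checks above (impossible travel, User-Agent inconsistent with the user’s baseline, and automation or headless-browser markers) can be run over sign-in events as a simple detection pass. The following is an added example written for this article, not code from Microsoft or from the campaign write-up; it assumes sign-in events have already been enriched with GeoIP coordinates upstream, uses a constructed set of events on documentation IP ranges, and maps User-Agents to a coarse platform family with a hypothetical keyword heuristic rather than a real UA parser.

```python
"""Sign-in anomaly checks for AiTM token-theft detection (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime          # sign-in time, UTC
    ip: str
    lat: float            # geolocation of the source IP (assumed: GeoIP lookup done upstream)
    lon: float
    user_agent: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def platform_family(ua):
    """Coarse OS family from a User-Agent string (hypothetical heuristic, not a UA parser)."""
    for key, family in (("Windows", "windows"), ("Macintosh", "macos"),
                        ("iPhone", "ios"), ("Android", "android"), ("Linux", "linux")):
        if key in ua:
            return family
    return "unknown"


# Substrings that indicate a scripted client or headless browser rather than a person at a desk.
AUTOMATION_MARKERS = ("HeadlessChrome", "python-requests", "curl/", "Go-http-client")


def detect_impossible_travel(events, max_kmh=1000.0):
    """Flag consecutive sign-ins for one user whose implied ground speed exceeds max_kmh."""
    alerts, last_seen = [], {}
    for e in sorted(events, key=lambda x: x.ts):
        prev = last_seen.get(e.user)
        if prev is not None and prev.ip != e.ip:
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            hours = (e.ts - prev.ts).total_seconds() / 3600.0
            # two distant locations in the same second are impossible too, so guard the division
            if km > 0 and (hours == 0 or km / hours > max_kmh):
                alerts.append({"kind": "impossible_travel", "user": e.user,
                               "from_ip": prev.ip, "to_ip": e.ip,
                               "km": round(km), "hours": round(hours, 2)})
        last_seen[e.user] = e
    return alerts


def detect_user_agent_anomalies(events, baseline):
    """Flag sign-ins whose platform family is outside the user's baseline or looks automated."""
    alerts = []
    for e in events:
        fam = platform_family(e.user_agent)
        known = baseline.get(e.user, set())
        if known and fam not in known:
            alerts.append({"kind": "user_agent_mismatch", "user": e.user, "ip": e.ip,
                           "seen": fam, "expected": sorted(known)})
        if any(m in e.user_agent for m in AUTOMATION_MARKERS):
            alerts.append({"kind": "automation_user_agent", "user": e.user, "ip": e.ip,
                           "user_agent": e.user_agent})
    return alerts


def run_detections(events, baseline, max_kmh=1000.0):
    return detect_impossible_travel(events, max_kmh) + detect_user_agent_anomalies(events, baseline)


def _utc(day, hour, minute):
    return datetime(2026, 4, day, hour, minute, tzinfo=timezone.utc)


WIN_CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")
HEADLESS = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) HeadlessChrome/124.0.0.0 Safari/537.36")

# Constructed sample: alice's second sign-in comes from Singapore 40 minutes after London,
# from a headless Linux browser; bob travels New York -> Chicago over eight hours.
SAMPLE_EVENTS = [
    SignIn("alice", _utc(15, 9, 0), "203.0.113.10", 51.51, -0.13, WIN_CHROME),
    SignIn("alice", _utc(15, 9, 40), "198.51.100.7", 1.35, 103.82, HEADLESS),
    SignIn("bob", _utc(15, 10, 0), "203.0.113.44", 40.71, -74.01, WIN_CHROME),
    SignIn("bob", _utc(15, 18, 0), "203.0.113.45", 41.88, -87.63, WIN_CHROME),
]
# Historical platform families per user, as a SOC would derive from prior months of sign-ins.
BASELINE = {"alice": {"windows"}, "bob": {"windows"}}

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS, BASELINE):
        print(alert)
```

The speed threshold of 1000 km/h is a rough airline-speed ceiling; tune it to your own false-positive tolerance, and exclude known VPN egress ranges before running the travel check, since a corporate VPN legitimately produces location jumps.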

Impact and Scale

The scale of this operation highlights the industrialization of modern credential harvesting. With 13,000 organizations affected, the potential for downstream impact—including lateral movement and ransomware deployment—is significant. The campaign did not appear to favor a single vertical, instead casting a wide net across 26 countries to maximize the volume of compromised accounts.

Once an attacker gains access to an account via token theft, they can perform internal reconnaissance, harvest sensitive data, or launch further internal phishing attacks against other employees. This creates a supply-chain risk if the compromised organization provides services to other entities.

Strategy to Mitigate Session Token Hijacking

To defend against these sophisticated campaigns, organizations must move beyond basic password hygiene. The most effective way to mitigate session token hijacking is the implementation of Zero Trust principles, specifically through phishing-resistant MFA, such as FIDO2-based security keys.

Defenders should also prioritize the following actions:

  • Token Lifetime Management: Reduce the duration for which session tokens remain valid. Shorter lifetimes force more frequent re-authentication, narrowing the window of opportunity for an attacker to use a stolen token.
  • Conditional Access Policies: Implement strict policies that require devices to be compliant or managed before a session token is issued.
  • Credential Guard: Enable hardware-backed protection for credentials to prevent local extraction of secrets.
  • User Training: Educate employees on the specific nature of this Microsoft 365 credential theft campaign, emphasizing that legitimate corporate requests for “Code of Conduct” reviews will rarely originate from external domains or redirect through multiple third-party services.
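To make the first two items concrete, the following is an added example (written for this article, not Microsoft’s or any tenant’s configuration) of how a server-side session store can enforce a short absolute token lifetime, an idle timeout, and binding of the token to the device it was issued to. In Microsoft 365 these controls are tenant policy settings rather than application code; the class below shows the same principle in a generic web application, with the `device_id` fingerprint assumed to come from a managed-device check done elsewhere.

```python
"""Session-token lifetime and device binding (constructed example, not product code)."""
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Session:
    user: str
    issued_at: datetime
    last_seen: datetime
    device_id: str   # fingerprint of the managed device the token was issued to (assumed input)


class SessionPolicy:
    """Validates bearer session tokens against lifetime, idle and device-binding rules."""

    def __init__(self, max_lifetime: timedelta, idle_timeout: timedelta):
        self.max_lifetime = max_lifetime
        self.idle_timeout = idle_timeout
        self.sessions: dict[str, Session] = {}

    def issue(self, user: str, device_id: str, now: datetime) -> str:
        token = secrets.token_urlsafe(32)          # 256 bits of randomness, unguessable
        self.sessions[token] = Session(user, now, now, device_id)
        return token

    def validate(self, token: str, device_id: str, now: datetime) -> tuple[bool, str]:
        """Return (accepted, reason). A stolen token fails once it is outside its window
        or is presented from a device other than the one it was bound to."""
        s = self.sessions.get(token)
        if s is None:
            return False, "unknown_token"
        if not hmac.compare_digest(s.device_id, device_id):   # constant-time compare
            return False, "device_mismatch"
        if now - s.issued_at > self.max_lifetime:
            self.sessions.pop(token)
            return False, "lifetime_exceeded"                 # forces full re-authentication
        if now - s.last_seen > self.idle_timeout:
            self.sessions.pop(token)
            return False, "idle_timeout"
        s.last_seen = now
        return True, "ok"


def replay_window_demo():
    """Compare a 24-hour policy with a 1-hour policy when a token is replayed 3 hours after issue."""
    t0 = datetime(2026, 4, 15, 9, 0, tzinfo=timezone.utc)
    results = {}
    for name, lifetime in (("long", timedelta(hours=24)), ("short", timedelta(hours=1))):
        policy = SessionPolicy(max_lifetime=lifetime, idle_timeout=timedelta(hours=8))
        token = policy.issue("alice", device_id="managed-laptop-01", now=t0)
        # constructed scenario: the same token is presented 3 hours later from the bound device
        results[name] = policy.validate(token, "managed-laptop-01", t0 + timedelta(hours=3))
    return results


if __name__ == "__main__":
    for name, (ok, reason) in replay_window_demo().items():
        print(f"{name} lifetime policy: accepted={ok} ({reason})")
```

Shortening the lifetime does not stop a token from being stolen, it only shrinks the interval in which a replay succeeds; device binding and phishing-resistant MFA are what remove the replay path entirely.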

By focusing on these technical controls, security teams can significantly reduce their attack surface and protect their users from large-scale credential theft operations.
