Sophisticated Phishing Campaign Hits 35,000 Users in 26 Countries, Microsoft Reveals

Massive Phishing Campaign Targets 35,000 Users Across 26 Countries

In a recent disclosure, Microsoft detailed a credential theft campaign that targeted over 35,000 users across more than 13,000 organizations in 26 countries between April 14 and 16, 2026. 92% of the targets were located in the United States. The sectors hit hardest were healthcare and life sciences (19%), financial services (18%), professional services (11%), and technology and software (11%).

The attackers used polished, enterprise-style HTML templates in their phishing emails, sending under display names such as "Internal Regulatory COC", "Workforce Communications" and "Team Conduct Report". Subject lines such as "Internal case log issued under conduct policy" and "Reminder: employer opened a non-compliance case log" were chosen to create urgency while looking like routine HR correspondence. The emails often carried PDF attachments whose links led recipients through several CAPTCHA challenges and intermediate pages before landing on adversary-in-the-middle (AiTM) phishing sites. An AiTM site proxies the real Microsoft sign-in page, relays the victim's password and MFA response to it in real time, and captures the session cookie that Microsoft issues once MFA succeeds; the attacker can then replay that authenticated session without satisfying MFA again, which is why the campaign defeated conventional multi-factor authentication.
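The token-theft step is what separates AiTM from classic credential phishing, and it leaves a trace defenders can look for: a session established by a successful MFA sign-in from one IP address starts being used from a different IP shortly afterwards. The script below is an added example, not Microsoft's code or anything from its report; the event format, field names and the sample sign-in events are constructed for illustration.

```python
"""Flag sessions that are reused from a second source IP shortly after the
MFA sign-in that created them, a common trace of AiTM session-token theft.

Added illustration, not Microsoft's tooling. The event tuple layout, the
event names and the sample data are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (timestamp, user, session id, source ip, event type).
# A real feed would be identity-provider sign-in logs joined to activity logs.
EVENTS = [
    ("2026-04-15T09:00:05Z", "alice@corp.example", "sess-7f3a", "203.0.113.10", "signin_mfa_ok"),
    ("2026-04-15T09:00:41Z", "alice@corp.example", "sess-7f3a", "203.0.113.10", "mailbox_read"),
    # Same session cookie, different network, three minutes later: the replay.
    ("2026-04-15T09:03:12Z", "alice@corp.example", "sess-7f3a", "198.51.100.77", "mailbox_read"),
    ("2026-04-15T09:03:50Z", "alice@corp.example", "sess-7f3a", "198.51.100.77", "inbox_rule_created"),
    # Control user whose session stays on one address.
    ("2026-04-15T10:15:00Z", "bob@corp.example", "sess-91c2", "203.0.113.22", "signin_mfa_ok"),
    ("2026-04-15T11:40:00Z", "bob@corp.example", "sess-91c2", "203.0.113.22", "mailbox_read"),
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_token_replay(events, window=timedelta(minutes=30)):
    """Return one alert per session that was used from an IP other than the
    one that completed MFA, within `window` of that sign-in.

    Each alert records the origin IP, the foreign IPs, how soon the first
    foreign use happened, and what the foreign uses did.
    """
    by_session = defaultdict(list)
    for ts, user, session, ip, kind in events:
        by_session[session].append((parse_ts(ts), user, ip, kind))

    alerts = []
    for session, rows in by_session.items():
        rows.sort()  # chronological; tuples sort by timestamp first
        signin = next((r for r in rows if r[3] == "signin_mfa_ok"), None)
        if signin is None:
            continue  # no MFA sign-in seen for this session; nothing to anchor on
        t0, user, origin_ip, _ = signin
        foreign = [(t, ip, kind) for t, _, ip, kind in rows
                   if ip != origin_ip and timedelta(0) <= t - t0 <= window]
        if not foreign:
            continue
        alerts.append({
            "user": user,
            "session": session,
            "origin_ip": origin_ip,
            "replay_ips": sorted({ip for _, ip, _ in foreign}),
            "first_replay_seconds": int((foreign[0][0] - t0).total_seconds()),
            "actions": [kind for _, _, kind in foreign],
        })
    return alerts


if __name__ == "__main__":
    for alert in find_token_replay(EVENTS):
        print(alert)
```

Treat a hit as a lead rather than a verdict: a user moving between Wi-Fi and a mobile network, or between VPN exit nodes, also changes IP mid-session, so in practice the second address is enriched with ASN, geolocation and reputation before anyone is paged. The post-compromise actions the check captures alongside the replay, such as the newly created inbox rule in the sample, are what usually turn the lead into an incident.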

Microsoft’s analysis of the email threat landscape from January to March 2026 found QR code phishing to be the fastest-growing attack vector, and CAPTCHA-gated phishing evolved rapidly over the same period. In total, Microsoft detected approximately 8.3 billion email-based phishing threats during the quarter. Nearly 80% of them were link-based, and oversized HTML and ZIP attachments made up a significant share of the malicious payloads. Credential harvesting was the objective of most attacks, while malware delivery declined to about 5-6% by the end of the quarter.

Following a coordinated disruption operation in March 2026, the operators of the Tycoon 2FA phishing-as-a-service (PhaaS) platform changed their hosting providers and domain registration patterns. Microsoft observed that Tycoon 2FA moved away from Cloudflare and now uses a variety of alternative platforms, which suggests a search for replacement services that offer comparable anti-analysis protection.

These findings coincide with the emergence of phishing and business email compromise (BEC) campaigns that abuse Amazon Simple Email Service (SES) as a delivery vector. Because the mail is sent through infrastructure that users and security systems trust, it passes SPF, DKIM and DMARC rather than bypassing them: those checks confirm that the sending infrastructure is authorized for the sender domain, not that the message is benign, and the fraudulent sign-in pages the mail links to harvest credentials all the same. Kaspersky noted that the insidious nature of these attacks lies in the use of trusted services, which lets attackers send thousands of phishing emails that pass email authentication and originate from IP addresses unlikely to be blocklisted.
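The practical consequence for mail triage is that spf=pass, dkim=pass and dmarc=pass on such a message are true statements about the sending infrastructure and say nothing about the link inside it. The script below is an added example, neither Kaspersky's nor Microsoft's code: it parses the Authentication-Results header of a constructed message modelled on the campaign's lures, confirms that every check passes, and then applies the secondary signals that still separate it from a benign notice, namely a sign-in-style link on a host outside a small allowlist of identity-provider hosts and a Return-Path on a third-party sending domain. The header values, the allowlist, the brand tokens and both sample messages are assumptions for illustration.

```python
"""Triage a message that passes SPF, DKIM and DMARC via a trusted relay.

Added illustration; the messages, allowlist and lookalike tokens are
constructed for this example and are not from any vendor report.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed phishing message as a receiver might see it after authenticating
# mail relayed by SES for a domain the attacker verified there. DMARC passes on
# DKIM alignment (header.d matches the From domain) even though the SPF
# identity is the relay's own bounce domain.
PHISHING_MESSAGE = """Return-Path: <0100019abc@amazonses.com>
Received: from a8-22.smtp-out.amazonses.com (a8-22.smtp-out.amazonses.com [54.240.8.22])
Authentication-Results: mx.corp.example;
 spf=pass (sender IP is 54.240.8.22) smtp.mailfrom=amazonses.com;
 dkim=pass header.d=notices-hr-portal.example;
 dmarc=pass header.from=notices-hr-portal.example
From: Workforce Communications <alerts@notices-hr-portal.example>
To: alice@corp.example
Subject: Reminder: employer opened a non-compliance case log
Content-Type: text/plain; charset=utf-8

Review the case log before end of day:
https://login-microsoftonline.notices-hr-portal.example/common/oauth2/signin
"""

# Constructed benign control: same authentication outcome, first-party link.
BENIGN_MESSAGE = """Return-Path: <it-helpdesk@corp.example>
Authentication-Results: mx.corp.example;
 spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example;
 dmarc=pass header.from=corp.example
From: IT Helpdesk <it-helpdesk@corp.example>
To: alice@corp.example
Subject: Scheduled maintenance
Content-Type: text/plain; charset=utf-8

Sign in as usual at https://login.microsoftonline.com/ after 18:00.
"""

AUTH_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|none|softfail|neutral|temperror|permerror)", re.I)
# Assumed lookalike tokens and identity-provider allowlist; extend for your tenant.
BRAND_TOKENS = ("microsoft", "office365", "login-", "signin", "sso")
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}


def parse_auth_results(msg):
    """Map spf/dkim/dmarc to their result keyword from Authentication-Results."""
    header = msg.get("Authentication-Results", "")
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(header)}


def domain_of(addr):
    """Extract the domain part of an address header such as 'Name <a@b>'."""
    match = re.search(r"@([\w.-]+)", addr or "")
    return match.group(1).lower() if match else ""


def triage(raw):
    """Return authentication results plus the secondary findings that matter
    once authentication has passed: sign-in style links on untrusted hosts and
    a bounce domain that differs from the From domain (third-party relay)."""
    msg = message_from_string(raw)
    auth = parse_auth_results(msg)
    from_domain = domain_of(msg.get("From"))
    bounce_domain = domain_of(msg.get("Return-Path"))
    findings = []
    for url in re.findall(r"https?://\S+", msg.get_payload()):
        host = (urlparse(url).hostname or "").lower()
        if host in TRUSTED_LOGIN_HOSTS:
            continue
        if any(tok in host for tok in BRAND_TOKENS) or "/signin" in url or "/login" in url:
            findings.append(f"sign-in style link on non-trusted host {host}")
    if bounce_domain and bounce_domain != from_domain:
        findings.append(f"relayed through third-party sender {bounce_domain}")
    return {
        "auth": auth,
        "all_pass": all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")),
        "from_domain": from_domain,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, raw in (("phishing", PHISHING_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(name, triage(raw))
```

Both messages come back with all three checks passing; only the findings differ. The relay finding on its own is weak, since plenty of legitimate bulk mail has an amazonses.com bounce address, which is exactly why it is paired with the link check rather than used as a verdict.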