Between April 14 and April 16, 2026, a coordinated phishing campaign hit 35,000 users across 13,000 organizations. Microsoft's threat intelligence team identified and disrupted the infrastructure within 48 hours, but by that point the attackers had already captured credentials from thousands of targets. The attack is notable not just for its scale but for the combination of techniques used: AI-generated email content, a CAPTCHA legitimacy screen, and an adversary-in-the-middle relay that bypassed MFA entirely.
The Lure: Code of Conduct Violations
The entry point was an email notifying the recipient of a code of conduct violation in their organization. The content was specific enough to appear credible: it referenced the recipient's company name, their role, and the nature of the alleged violation. Microsoft's analysis confirmed the content was AI-generated and tailored per-organization, not a generic template blasted to all targets.
The email contained a PDF attachment. Opening the PDF revealed a brief message directing the recipient to review the violation documentation, with a button linking to an external URL. That URL was the first deception layer.
Email security gateways scan links in email bodies but often do not fully render or analyze PDF content. Embedding a malicious URL inside a PDF bypasses many URL reputation filters. The PDF itself is not malicious in the traditional sense, so it passes antivirus scanning. The payload is the link inside, not the file itself.
The Infrastructure: CAPTCHA as a Trust Signal
Clicking the PDF link landed victims on a Cloudflare Turnstile CAPTCHA page. This is deliberate: CAPTCHA challenges signal to users that the site is legitimate and to automated analysis tools that this is a normal web page. Security crawlers often stop at CAPTCHA gates. Victims who completed the CAPTCHA were directed to a credential harvesting page styled to match Microsoft 365 login.
The harvesting page did not just collect passwords. It operated as an AiTM (adversary-in-the-middle) relay. The victim's browser communicated with a proxy server controlled by the attacker, which in turn authenticated to the real Microsoft 365 in real time. Microsoft returned a legitimate session token. The proxy captured that token before forwarding it to the victim.
Why MFA Did Not Help
Standard MFA protects against stolen passwords. The attacker uses your password to attempt login, triggers an MFA challenge, and is stopped because they do not have your device. AiTM attacks sidestep this entirely because the victim is the one who completes the MFA challenge. From Microsoft's perspective, the authentication flow is legitimate: correct username, correct password, correct MFA response. The session token is issued to the attacker's relay, not the victim's browser.
The session token Microsoft issues after a successful authentication is what the attacker captures. That token grants access to connected Microsoft 365 services for as long as the session remains valid, typically hours to days. Changing the password after the fact does not invalidate existing session tokens.
If an AiTM compromise is suspected, password reset is not sufficient. Security teams must revoke all active sessions via the Revoke-AzureADUserAllRefreshToken cmdlet or equivalent Entra ID portal action. Active tokens remain valid until explicitly invalidated or they expire naturally.
Detection and Defense
Traditional email security controls failed to stop this campaign. Defense requires multiple layers:
- FIDO2 hardware keys or passkeys: These are the only MFA methods that resist AiTM. The cryptographic challenge is origin-bound: a hardware key will not respond to authentication requests from a proxied domain, even if the page looks identical to the real login.
- Conditional Access with compliant device requirements: Session tokens stolen via AiTM arrive from attacker infrastructure. Device compliance policies can block token replay from unmanaged or non-compliant machines.
- Sign-in log monitoring for impossible travel and unfamiliar IP ranges: AiTM token replay will appear in Microsoft Entra sign-in logs from an IP the user has never authenticated from. Automated alerting on this pattern catches post-compromise access.
- PDF URL scanning: Some advanced email security platforms now render and analyze links inside PDF attachments. If yours does not, that is a gap worth addressing.
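A minimal version of the check the PDF paragraphs above call for (the link lives inside the attachment, not the email body), added here as an example and not code from this page or from any gateway product: it pulls /URI targets out of a PDF, including FlateDecode object streams, and flags hosts outside an allow-list. The two sample PDFs and all hostnames are constructed.

```python
import re
import zlib
from urllib.parse import urlparse

# Constructed sample: an uncompressed PDF with one link annotation (not a real attachment).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 72 300 100]
   /A << /S /URI /URI (https://login.example-review-portal.test/verify) >> >> endobj
%%EOF
"""

# Constructed sample: the same kind of annotation inside a (simplified) FlateDecode
# object stream, which is how most real-world PDF writers store annotations.
_OBJ = zlib.compress(b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://notice.example-hr.test/doc) >> >>")
SAMPLE_PDF_COMPRESSED = (b"%PDF-1.5\n5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
                         + str(len(_OBJ)).encode() + b" >>\nstream\n" + _OBJ + b"\nendstream\nendobj\n%%EOF\n")

# /URI followed by a PDF literal string; backslash escapes inside the parentheses are allowed.
URI_RE = re.compile(rb"/URI\s*\((?P<uri>(?:\\.|[^\\)])*)\)", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(?P<body>.*?)\nendstream", re.DOTALL)

def _unescape(literal: bytes) -> str:
    # PDF literal strings escape ( ) and \ with a backslash
    return re.sub(rb"\\(.)", rb"\1", literal).decode("latin-1")

def extract_pdf_uris(data: bytes) -> list[str]:
    """Collect every /URI target, scanning plain objects and inflated FlateDecode streams.
    Hex-string URIs and filters other than Flate are out of scope for this example."""
    found = {_unescape(m.group("uri")) for m in URI_RE.finditer(data)}
    for sm in STREAM_RE.finditer(data):
        try:
            inflated = zlib.decompressobj().decompress(sm.group("body"))
        except zlib.error:
            continue  # not a Flate stream (image data, another filter)
        found.update(_unescape(m.group("uri")) for m in URI_RE.finditer(inflated))
    return sorted(found)

def uris_outside_allowlist(data: bytes, allowed_hosts) -> list[str]:
    """Links whose host is not an allow-listed domain or a subdomain of one: the ones to detonate or block."""
    flagged = []
    for uri in extract_pdf_uris(data):
        host = (urlparse(uri).hostname or "").lower()
        if not any(host == a or host.endswith("." + a) for a in allowed_hosts):
            flagged.append(uri)
    return flagged
```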
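To show why the FIDO2/passkey item above resists a relay, here is an added illustration (not the page's code and not a real WebAuthn library) of the relying-party checks on a signed assertion: the origin the browser was actually on is inside the signed clientDataJSON, so an assertion made on a proxied lookalike domain fails the origin check, and a relay that rewrites that field breaks the signature. The RP ID, the origin, and the HMAC standing in for the authenticator's ECDSA signature are assumptions; in practice the browser refuses to use the credential on the wrong domain before the server ever sees it.

```python
import base64
import hashlib
import hmac
import json

RP_ID = "login.example.com"                 # assumed relying party ID
EXPECTED_ORIGIN = "https://login.example.com"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def build_client_data(origin: str, challenge: bytes) -> bytes:
    """The clientDataJSON a browser serializes; 'origin' is the page the browser is really on."""
    return json.dumps({"type": "webauthn.get", "challenge": _b64url(challenge), "origin": origin}).encode()

def build_authenticator_data(rp_id: str) -> bytes:
    # authenticatorData = sha256(rpId) || flags (UP|UV) || 4-byte signature counter
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (1).to_bytes(4, "big")

def sign(secret: bytes, auth_data: bytes, client_data: bytes) -> bytes:
    """Stand-in for the authenticator signature over authData || sha256(clientDataJSON).
    Real authenticators use ECDSA P-256; an HMAC keeps this example offline and dependency-free."""
    return hmac.new(secret, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()

def verify_assertion(secret, issued_challenge, auth_data, client_data, signature):
    """The checks a relying party runs on an assertion. Returns (ok, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != _b64url(issued_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:            # the check that defeats AiTM relays
        return False, "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not hmac.compare_digest(signature, sign(secret, auth_data, client_data)):
        return False, "bad signature"
    return True, "ok"

def login_from(origin_the_browser_sees: str, proxy_rewrites_origin: bool = False):
    """Simulate one sign-in. A relay can forward bytes, but it cannot change what the browser signed."""
    secret, challenge = b"constructed-credential-secret", b"\x01" * 32
    auth = build_authenticator_data(RP_ID)
    cd = build_client_data(origin_the_browser_sees, challenge)
    sig = sign(secret, auth, cd)
    if proxy_rewrites_origin:  # relay patches clientDataJSON to claim the genuine origin
        cd = build_client_data(EXPECTED_ORIGIN, challenge)
    return verify_assertion(secret, challenge, auth, cd, sig)
```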
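The sign-in log monitoring item above, as an added detection example (not from the page and not Microsoft's code): an unfamiliar-IP check and an impossible-travel check run over constructed records shaped loosely like Entra ID sign-in log entries. The field names, the per-user IP baseline and the 900 km/h threshold are assumptions.

```python
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample records shaped loosely like Entra ID sign-in log fields (not real data).
SIGNINS = [
    {"user": "alice@example.com", "time": "2026-04-15T13:02:11Z", "ip": "203.0.113.10",
     "city": "Chicago", "lat": 41.88, "lon": -87.63},
    {"user": "alice@example.com", "time": "2026-04-15T13:41:05Z", "ip": "198.51.100.77",
     "city": "Amsterdam", "lat": 52.37, "lon": 4.90},
    {"user": "bob@example.com", "time": "2026-04-15T14:00:00Z", "ip": "203.0.113.22",
     "city": "Chicago", "lat": 41.88, "lon": -87.63},
]
# Constructed baseline: source IPs each user has successfully authenticated from before.
KNOWN_IPS = {"alice@example.com": {"203.0.113.10"}, "bob@example.com": {"203.0.113.22"}}

def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def detect(signins, known_ips, max_speed_kmh: float = 900.0):
    """Flag sign-ins from an IP the user has never used, and consecutive sign-ins by the same
    user whose implied travel speed exceeds max_speed_kmh. Returns (kind, user, ip) in log order."""
    alerts, last_seen = [], {}
    for ev in sorted(signins, key=lambda e: e["time"]):
        user, ip = ev["user"], ev["ip"]
        if ip not in known_ips.get(user, set()):
            alerts.append(("unfamiliar_ip", user, ip))
        prev = last_seen.get(user)
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (_ts(ev["time"]) - _ts(prev["time"])).total_seconds() / 3600
            # zero elapsed time between two different locations is also impossible travel
            if km > 0 and (hours == 0 or km / hours > max_speed_kmh):
                alerts.append(("impossible_travel", user, ip))
        last_seen[user] = ev
    return alerts
```

The second alice record is the shape a replayed AiTM token produces: a successful sign-in from attacker infrastructure the user has never authenticated from, minutes after a genuine one.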
The 92% US concentration of targets suggests this campaign was specifically targeting US enterprise Microsoft 365 deployments. The AI-generated, per-organization customization raises the bar considerably compared to generic phishing. Security awareness training that shows employees a generic fake email no longer maps to what they will encounter.
RedEye Security assesses your Microsoft 365 configuration, Conditional Access policies, and phishing controls against AiTM and modern credential theft techniques.