Attack Overview
Microsoft has revealed a coordinated phishing campaign that targeted over 35,000 users across more than 13,000 organizations in 26 countries. The operation ran between April 14 and April 16, 2026, with 92% of victims located in the United States. Attackers used polished, corporate-style HTML email templates impersonating internal regulatory bodies to trick recipients into handing over authentication tokens.
The emails claimed the recipient had a non-compliance case logged against them under company conduct policy. Messages carried display names such as “Internal Regulatory COC” and “Team Conduct Report” to appear official. Each email included a PDF attachment that urged the target to click a link for more details, beginning the credential-harvesting chain.
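As an added example (not code from the article or from Microsoft's report), the following Python triage script scores a message against the lure shape described above: a sender display name from the reported list, a conduct/compliance subject line, and a PDF attachment that carries a link. Only the two display names come from the report; the subject terms, sender and recipient addresses, the portal URL, the attachment filename and the two-indicator threshold are assumptions made for the example, and the sample messages and the PDF inside them are constructed inline so the script runs offline.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Sender display names reported for the campaign. Everything else in this
# script (subject terms, addresses, URL, scoring) is an assumption made for
# the example, not data from the report.
LURE_DISPLAY_NAMES = {"internal regulatory coc", "team conduct report"}
LURE_SUBJECT_TERMS = ("non-compliance", "conduct", "violation")  # assumed

# A link annotation stores its target as "/URI (...)" in an uncompressed PDF
# object; a production check would also inflate /FlateDecode streams.
PDF_URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def pdf_links(pdf_bytes: bytes) -> list:
    """Return the URI targets of link annotations found in raw PDF bytes."""
    return [m.decode("latin-1") for m in PDF_URI_RE.findall(pdf_bytes)]


def triage(raw_message: bytes) -> dict:
    """Score one RFC 5322 message against the conduct-violation lure pattern."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    display, address = parseaddr(str(msg.get("From", "")))
    subject = str(msg.get("Subject", ""))
    indicators = []

    if display.strip().lower() in LURE_DISPLAY_NAMES:
        indicators.append(f"display name matches campaign lure: {display!r}")
    if any(term in subject.lower() for term in LURE_SUBJECT_TERMS):
        indicators.append(f"subject applies conduct/compliance pressure: {subject!r}")

    links = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "application/pdf" or name.endswith(".pdf"):
            found = pdf_links(part.get_payload(decode=True) or b"")
            links.extend(found)
            if found:
                indicators.append(f"PDF attachment {name!r} carries a link: {found}")

    return {
        "from": address,
        "indicators": indicators,
        "pdf_links": links,
        # Two independent indicators are required before flagging, so a genuine
        # HR mail with a conduct-related subject does not trip on its own.
        "suspicious": len(indicators) >= 2,
    }


def _minimal_pdf(url: str) -> bytes:
    """Constructed for the example: a one-page, uncompressed PDF whose only
    content is a link annotation pointing at url."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>",
        b"<< /Type /Annot /Subtype /Link /Rect [72 700 540 720] "
        b"/A << /S /URI /URI (" + url.encode("latin-1") + b") >> >>",
    ]
    out, offsets = b"%PDF-1.4\n", []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\n" % (len(objs) + 1)
    out += b"startxref\n%d\n%%%%EOF\n" % xref_at
    return out


def build_sample(display: str, sender: str, subject: str, pdf_url=None) -> bytes:
    """Constructed sample message mimicking the lure layout described in the report."""
    msg = EmailMessage()
    msg["From"] = f'"{display}" <{sender}>'
    msg["To"] = "employee@corp.example"  # assumed recipient
    msg["Subject"] = subject
    msg.set_content("A non-compliance case has been logged against you. See the attached notice.")
    if pdf_url is not None:
        msg.add_attachment(_minimal_pdf(pdf_url), maintype="application",
                           subtype="pdf", filename="Conduct_Case_Notice.pdf")
    return bytes(msg)


LURE_URL = "https://conduct-portal.example/case/48213"  # assumed, not from the report
LURE_SAMPLE = build_sample("Internal Regulatory COC", "notices@delivery-service.example",
                           "Non-compliance case logged under company conduct policy", LURE_URL)
BENIGN_SAMPLE = build_sample("Alice Smith", "alice@corp.example", "Q3 budget review")

if __name__ == "__main__":
    for label, sample in (("lure", LURE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = triage(sample)
        print(label, "->", "SUSPICIOUS" if result["suspicious"] else "ok", result["indicators"])
```

Because the mail arrived through a legitimate delivery service, sender reputation alone does not help, which is why the check keys on message content rather than on the sending infrastructure. The PDF link extraction here only sees uncompressed annotations; real lure PDFs usually wrap their objects in compressed streams, so a production version would decompress them or use a proper PDF parser before looking for link targets.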
Impact and Scope
Sector analysis shows the phishing wave hit healthcare and life sciences organizations hardest, accounting for 19% of targets. Financial services followed at 18%, with professional services and technology/software each at 11%. Microsoft assessed that the emails originated from a legitimate email delivery service, making them harder to filter.
The attack included multiple CAPTCHA checkpoints to slow automated analysis and maintain the illusion of a legitimate internal portal. Researchers noted the lures exploited common workplace fears by creating urgency around an alleged conduct violation. The campaign demonstrates how social engineering combined with trusted delivery infrastructure can bypass traditional defenses.
Source: The Hacker News

