AiTM Phishing Campaign Targets Microsoft 365 Users

Introduction

Microsoft has uncovered a sophisticated phishing campaign that targeted more than 35,000 users across over 13,000 organizations in 26 countries. For Microsoft 365 and security administrators, this matters because the attack used an adversary-in-the-middle (AiTM) technique to capture authentication tokens, which can bypass non-phishing-resistant MFA and give attackers immediate account access.

What’s new

Between April 14 and 16, 2026, Microsoft observed a multi-stage phishing operation using code of conduct and internal compliance lures. The messages were designed to look like legitimate internal communications and were sent in authenticated emails from attacker-controlled domains via a legitimate email delivery service.

Key characteristics of the campaign included:

• Polished compliance-themed emails with urgent subject lines about employee misconduct or non-compliance cases
• PDF attachments that instructed recipients to review case materials
• Multiple staged pages including CAPTCHA checks and intermediary “verification” steps
• A final Microsoft sign-in prompt embedded in an AiTM flow to intercept session tokens
• Broad impact across industries, especially Healthcare, Financial Services, Professional Services, and Technology

Microsoft said most victims were in the United States, but the campaign affected organizations globally.

Why this attack is significant

Unlike basic credential phishing, AiTM attacks proxy the authentication session in real time. That means even when users complete MFA, attackers may still capture tokens and reuse them to access accounts.

This campaign also shows how phishing tactics are evolving:

• Attackers used enterprise-style HTML templates to improve credibility
• They leveraged time pressure and HR-style accusations to push fast action
• CAPTCHA and staging pages helped filter automated security analysis
• The final sign-in flow looked legitimate enough to reduce user suspicion

Impact on IT administrators

Security teams should treat this as a reminder that user awareness alone is not enough. Organizations need layered defenses across email, identity, endpoint, and web protection.

Administrators should review:

• Exchange Online Protection and Microsoft Defender for Office 365 configurations
• Anti-phishing policies and impersonation protections
• SmartScreen support in managed browsers
• Network protection in Windows to block malicious web destinations
• Detection and response coverage for suspicious sign-in activity and token abuse

Recommended next steps

IT teams should take the following actions:

1. Educate users about HR, compliance, and regulatory phishing lures
2. Run phishing simulations with Microsoft Defender for Office 365 attack simulation training
3. Harden email security settings and review policy recommendations in the Microsoft security portal
4. Prioritize phishing-resistant authentication where possible
5. Hunt for indicators of compromise and investigate unusual session behavior tied to sign-in events

This campaign reinforces a key security lesson: modern phishing is no longer just about passwords. Defending against token theft requires stronger identity protections, better email security, and continuous user education.