Microsoft disclosed details of a large-scale adversary-in-the-middle phishing campaign that harvested credentials and session tokens from more than 35,000 users across 13,000 organizations in 26 countries during a concentrated three-day window between April 14 and April 16, 2026. The campaign bypassed multi-factor authentication by intercepting authenticated sessions rather than cracking credentials directly — a technique that renders conventional MFA defenses ineffective without additional safeguards.
How the Code-of-Conduct AiTM Campaign Bypassed MFA Across Healthcare and Finance
The attack chain began with phishing emails delivered through legitimate email relay services, carrying “code of conduct” themed lures designed to simulate internal HR and compliance communications. Subject lines included references to “Internal Regulatory COC” and “Workforce Communications,” framing the messages as policy violation notices to create urgency and prompt recipients to open the attached PDFs without questioning the sender.
The PDF attachments routed victims through a CAPTCHA challenge before presenting an adversary-in-the-middle phishing page mimicking a Microsoft authentication portal. In an AiTM attack, the phishing page acts as a real-time proxy between the victim and the legitimate Microsoft sign-in infrastructure, allowing attackers to capture not just passwords but authenticated session tokens — the credentials that browsers use to maintain logged-in sessions. Session token theft bypasses MFA because the token is issued after authentication is complete: the victim satisfies the MFA challenge against the real service through the proxy, so the token the service returns already reflects a completed MFA check, and whoever replays that token is never asked to repeat it.
Delivery Through Legitimate Email Services as a Defense Evasion Technique
The decision to route phishing messages through legitimate email relay services represents a deliberate attempt to bypass email security gateways that rely on sender reputation, SPF/DKIM validation, or domain blocklists. Messages originating from trusted email infrastructure are significantly less likely to be flagged as spam or blocked by enterprise email filtering, particularly when the sending domain has not previously been associated with malicious activity.
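A filter that stops at "SPF passed" or "DKIM passed" is exactly what relayed mail gets past, because the relay's own domain is what those checks authenticate. The following is an added example, not code from Microsoft or from the reporting, showing the DMARC-style alignment check a gateway should apply on top of a raw pass: does the authenticated domain match the domain the recipient sees in From:? The message headers, domain names and the assumption that the lure's From: domain differs from the relay's are all constructed for the illustration; the page does not state what From: domain the campaign used.

```python
"""Flag messages whose SPF/DKIM results pass, but for a domain other than the
one in From: (DMARC-style alignment). Constructed example, not a vendor's
tooling; every domain and header below is made up."""
import re
from email import message_from_string
from email.utils import parseaddr

# Pulls (method, result, authenticated domain) out of an Authentication-Results
# header. Handles smtp.mailfrom=local@domain, header.d=domain and header.i=@domain.
AUTH_RE = re.compile(
    r'\b(spf|dkim)=(\w+)[^;]*?'
    r'(?:smtp\.mailfrom|header\.d|header\.i)=(?:[\w.+-]*@)?([\w.-]+)',
    re.I,
)


def org_domain(domain: str) -> str:
    """Relaxed alignment: compare the last two labels only. This is an
    assumption for the example; production code should use the Public Suffix List."""
    labels = domain.lower().strip('.').split('.')
    return '.'.join(labels[-2:])


def parse_auth_results(headers: list) -> dict:
    """Map method -> (result, authenticated domain) across all A-R headers present."""
    found = {}
    for header in headers:
        header = ' '.join(str(header).split())  # unfold any folded header lines
        for method, result, domain in AUTH_RE.findall(header):
            found.setdefault(method.lower(), (result.lower(), domain.lower()))
    return found


def check_alignment(raw_message: str) -> dict:
    """Return per-method pass/alignment flags plus a 'relay_passthrough' verdict."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get('From', ''))[1].rpartition('@')[2].lower()
    results = parse_auth_results(msg.get_all('Authentication-Results', []))
    report = {'from_domain': from_domain, 'aligned': False}
    for method in ('spf', 'dkim'):
        result, domain = results.get(method, ('none', ''))
        passed = result == 'pass'
        aligned = passed and org_domain(domain) == org_domain(from_domain)
        report[f'{method}_pass'] = passed
        report[f'{method}_domain'] = domain
        report[f'{method}_aligned'] = aligned
        report['aligned'] = report['aligned'] or aligned
    # A pass that authenticates some *other* domain is the relay signature: the
    # message is genuine for the relay, not for the name the recipient sees.
    report['relay_passthrough'] = (
        (report['spf_pass'] or report['dkim_pass']) and not report['aligned']
    )
    return report


# Constructed lure: sent through a legitimate bulk-mail relay, so SPF and DKIM
# both pass, but for the relay's domain rather than the From: domain.
RELAYED_LURE = """\
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=bounce@mail.relay-example.net; dkim=pass header.d=relay-example.net header.i=@relay-example.net
From: "HR Compliance" <hr-compliance@victim.example>
Subject: Internal Regulatory COC - action required

See attached.
"""

# Constructed legitimate internal notice for comparison: pass and aligned.
INTERNAL_NOTICE = """\
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=hr@victim.example; dkim=pass header.d=victim.example
From: "HR" <hr@victim.example>
Subject: Quarterly training reminder

Reminder.
"""

if __name__ == '__main__':
    for name, raw in (('relayed lure', RELAYED_LURE), ('internal notice', INTERNAL_NOTICE)):
        print(name, check_alignment(raw))
```

The point of the `relay_passthrough` flag is that it is not a spam score: a message can be fully authenticated and still be flagged, because authentication answered the wrong question. Gateways that already enforce DMARC do this; the check matters where DMARC is in monitoring mode or the From: domain publishes no policy.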
The use of CAPTCHA challenges in the attack chain adds another evasion layer: automated URL scanning tools used by email security platforms often cannot complete CAPTCHA challenges and may fail to follow the full redirect chain to the final phishing page, resulting in the malicious URL being marked clean.
Geographic and Sector Concentration: 92% of Targets in the United States
Ninety-two percent of the more than 35,000 targeted users were located in the United States, despite the campaign spanning 26 countries. The top targeted sectors were healthcare and life sciences at 19 percent of targets, financial services at 18 percent, professional services at 11 percent, and technology at 11 percent, according to Microsoft’s analysis. The concentration on healthcare and financial services is consistent with the high value of credentials in those sectors — both for direct financial fraud and for access to sensitive records with downstream extortion or resale value.
The campaign reached more than 13,000 distinct organizations over three days, a scale that indicates automated infrastructure rather than manually targeted spear-phishing.
What Microsoft’s AiTM Disclosure Reveals About Session Token Theft at Enterprise Scale
Microsoft’s decision to publicly detail the campaign represents an unusual level of transparency about an active threat technique affecting its own authentication infrastructure. The disclosure provides sector-level targeting data and specifics about the delivery chain that allow organizations to assess their exposure.
AiTM phishing is not new, but its application at the scale Microsoft described — 35,000 users across 13,000 organizations in 72 hours — demonstrates that the technique has matured from a targeted tool used against specific high-value accounts to a mass-exploitation capability. The operational infrastructure required to proxy authentication for tens of thousands of users simultaneously represents significant attacker investment.
Why Token Theft Survives MFA and What Organizations Are Dealing With
When an attacker captures a valid authenticated session token through AiTM, they gain access equivalent to a fully authenticated user session — including any MFA verification that was completed during the sign-in process. The stolen token can be used from a different device and location without triggering re-authentication prompts, depending on the session policy configured by the victim organization.
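The replay described above leaves a trace in sign-in telemetry: one session identifier, issued after an interactive MFA sign-in, later shows up from a different network and client. The following is an added example, not Microsoft's code or any product's detection rule, that runs that check over constructed sign-in events. The JSON field names (`session_id`, `ip`, `ua`, `mfa`) and the /24 network grouping are assumptions chosen for the illustration, not a real log schema.

```python
"""Detect an authenticated session being reused from a different network or
client, the pattern a replayed AiTM-stolen token produces. Added example with
constructed events; the field names are assumptions, not a product schema."""
import json
from ipaddress import ip_network

# Constructed sign-in events, one JSON object per line. The first event on a
# session is the interactive sign-in; later ones are token-based refreshes.
SAMPLE_LOG = """\
{"ts": "2026-04-15T09:02:11Z", "user": "j.doe@victim.example", "session_id": "sess-4f2a", "ip": "203.0.113.24", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124", "mfa": "interactive"}
{"ts": "2026-04-15T09:05:40Z", "user": "j.doe@victim.example", "session_id": "sess-4f2a", "ip": "203.0.113.24", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124", "mfa": "token"}
{"ts": "2026-04-15T09:41:03Z", "user": "j.doe@victim.example", "session_id": "sess-4f2a", "ip": "198.51.100.77", "ua": "python-requests/2.31", "mfa": "token"}
{"ts": "2026-04-15T10:12:00Z", "user": "a.roe@victim.example", "session_id": "sess-9c01", "ip": "192.0.2.9", "ua": "Mozilla/5.0 (Macintosh) Safari/17", "mfa": "interactive"}
{"ts": "2026-04-15T10:30:00Z", "user": "a.roe@victim.example", "session_id": "sess-9c01", "ip": "192.0.2.30", "ua": "Mozilla/5.0 (Macintosh) Safari/17", "mfa": "token"}
"""


def network_key(ip: str) -> str:
    """Group addresses by /24 so a DHCP lease change on the same office or
    home network does not count as a move (assumption; tune per environment)."""
    return str(ip_network(f'{ip}/24', strict=False))


def find_replayed_sessions(log_text: str) -> list:
    """Return one alert per event where a known session appears from a new
    network or a new user agent. The session's first event defines its origin."""
    origin = {}  # session_id -> (user, network, user_agent, first_ip)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        sid, net, ua = ev['session_id'], network_key(ev['ip']), ev['ua']
        if sid not in origin:
            origin[sid] = (ev['user'], net, ua, ev['ip'])
            continue
        user, net0, ua0, ip0 = origin[sid]
        changed = []
        if net != net0:
            changed.append('network')
        if ua != ua0:
            changed.append('user_agent')
        if changed:
            alerts.append({
                'user': user,
                'session_id': sid,
                'changed': changed,
                # Both attributes moving at once is the strongest replay signal.
                'severity': 'high' if len(changed) == 2 else 'medium',
                'from_ip': ip0,
                'to_ip': ev['ip'],
                'ts': ev['ts'],
                'mfa': ev['mfa'],
            })
    return alerts


if __name__ == '__main__':
    for alert in find_replayed_sessions(SAMPLE_LOG):
        print(json.dumps(alert))
```

On the sample, j.doe's session is flagged once (new /24 and a non-browser client, both at once) while a.roe's address change inside the same /24 is not. The alert carries `mfa: token` because that is the defining feature of the replay: the service sees a valid token, not a fresh MFA challenge, which is why the page's recommended controls (conditional access, token binding, continuous access evaluation) act on the session rather than on the password.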
Microsoft has published guidance on conditional access policies, token binding, and continuous access evaluation as defensive measures that can limit the utility of stolen session tokens. No threat actor was named in Microsoft’s disclosure, and no attribution was provided. The campaign’s infrastructure and delivery techniques had not been publicly tied to a previously identified criminal or nation-state group as of the reporting date.
