Phishing campaigns have steadily evolved from crude, easily detectable scams into highly sophisticated, multi-layered operations. The campaign recently analyzed by Microsoft Defender Research demonstrates this transformation vividly. By combining polished social engineering lures, legitimate email infrastructure, and adversary-in-the-middle (AiTM) techniques, attackers orchestrated a large-scale credential theft operation that bypassed traditional defenses and exploited human trust. This case highlights the growing challenge organizations face in protecting users against increasingly convincing phishing attempts.

Anatomy of the Campaign
Between April 14 and 16, 2026, researchers observed phishing waves targeting over 35,000 users across 13,000 organizations in 26 countries, with 92% of victims located in the United States. The campaign spanned multiple industries, including healthcare, financial services, professional services, and technology.
Attackers distributed emails masquerading as internal compliance communications, using display names such as “Internal Regulatory COC” and subject lines like “Reminder: employer opened a non-compliance case log.” These messages were carefully crafted with enterprise-style HTML templates, authenticity banners, and encryption notices referencing legitimate services like Paubox. The goal was clear: establish credibility and urgency to compel users into action.

Multi-Step Social Engineering Flow
The attack chain was deliberately complex, designed to filter out automated analysis and reinforce legitimacy:
- Initial Email & PDF Attachment: Victims received PDFs titled “Awareness Case Log File” or “Disciplinary Action – Employee Device Handling Case.” These documents contained links to attacker-controlled domains.
- CAPTCHA Challenges: Landing pages presented Cloudflare CAPTCHA gates, deterring automated analysis and convincing users of authenticity.
- Intermediate Staging Pages: Users were informed that documents were encrypted and required authentication, mimicking compliance workflows.
- AiTM Authentication Hijack: Final pages redirected victims to a proxied Microsoft sign-in page. Here, attackers intercepted authentication tokens in real time, bypassing MFA methods that are not phishing-resistant and gaining immediate account access.

This layered approach exemplifies how attackers blend technical obfuscation with psychological manipulation to maximize success.
Infrastructure and Delivery
Analysis revealed that attackers leveraged legitimate email delivery services and likely operated from cloud-hosted Windows VMs. Multiple sender domains were used, all attacker-controlled, to distribute authenticated messages. This infrastructure choice allowed the campaign to bypass basic reputation-based filtering and ensured high delivery rates.
Mitigation and Defense Strategies
Microsoft recommends a multi-pronged defense strategy:
- Technical Controls:
  - Enable Exchange Online Protection and Defender for Office 365.
  - Turn on Safe Links, Safe Attachments, and Zero-hour Auto Purge (ZAP).
  - Configure automatic attack disruption in Microsoft Defender XDR.
- User Awareness:
  - Conduct phishing simulations and training.
  - Encourage use of browsers with SmartScreen protection.
- Authentication Hardening:
  - Adopt password-less authentication (Windows Hello, FIDO keys).
  - Enforce phishing-resistant MFA for privileged accounts.
These measures collectively reduce exposure and improve resilience against evolving phishing threats.
Our Opinion
This campaign underscores a critical reality: phishing is no longer a game of spotting broken grammar or suspicious links. Attackers are now operating with the polish and precision of legitimate enterprises, leveraging trusted infrastructure and psychological triggers to bypass both technical and human defenses. The use of AiTM flows represents a paradigm shift, as it directly undermines the perceived safety of multifactor authentication—a cornerstone of modern identity security. Organizations must recognize that traditional awareness training alone is insufficient. While user education remains vital, the sophistication of these campaigns demands layered defenses that combine technical enforcement, behavioral monitoring, and proactive disruption. Security teams should prioritize phishing-resistant authentication methods and deploy automated containment mechanisms that neutralize attacks in progress.
Equally important is the cultural shift required within enterprises. Employees must be empowered to question even the most polished communications, and leadership must invest in continuous testing of defenses through simulated campaigns. The lesson here is stark: attackers are industrializing phishing at scale, and defenders must respond with equal rigor. The future of email security lies not in reactive detection but in anticipatory defense strategies that assume compromise and minimize its impact.
Indicators of compromise
| Indicator | Type | Description | First seen | Last seen |
|---|---|---|---|---|
| compliance-protectionoutlook[.]de | Domain | Domain hosting malicious campaign content | 2026-04-14 | 2026-04-16 |
| acceptable-use-policy-calendly[.]de | Domain | Domain hosting malicious campaign content | 2026-04-14 | 2026-04-16 |
| cocinternal[.]com | Domain | Domain hosting sender email address | 2026-04-14 | 2026-04-16 |
| Gadellinet[.]com | Domain | Domain hosting sender email address | 2026-04-14 | 2026-04-16 |
| Harteprn[.]com | Domain | Domain hosting sender email address | 2026-04-14 | 2026-04-16 |
| Cocpostmaster[@]cocinternal.com | Email address | Email address used to send campaign emails | 2026-04-14 | 2026-04-16 |
| Nationaladmin[@]gadellinet.com | Email address | Email address used to send campaign emails | 2026-04-14 | 2026-04-16 |
| Nationalintegrity[@]harteprn.com | Email address | Email address used to send campaign emails | 2026-04-14 | 2026-04-16 |
| M365premiumcommunications[@]cocinternal.com | Email address | Email address used to send campaign emails | 2026-04-14 | 2026-04-16 |
| Documentviewer[@]na.businesshellosign.de | Email address | Email address used to send campaign emails | 2026-04-14 | 2026-04-16 |
| Awareness Case Log File – Monday 13th, April 2026.pdf | Filename | Name of PDF attachment containing phishing link | 2026-04-14 | 2026-04-14 |
| Awareness Case Log File – Tuesday 14th, April 2026.pdf | Filename | Name of PDF attachment containing phishing link | 2026-04-15 | 2026-04-15 |
| Awareness Case Log File – Wednesday 15th, April 2026.pdf | Filename | Name of PDF attachment containing phishing link | 2026-04-16 | 2026-04-16 |
| 5DB1ECBBB2C90C51D81BDA138D4300B90EA5EB2885CCE1BD921D692214AECBC6 | SHA-256 | File hash of campaign PDF attachment | 2026-04-14 | 2026-04-16 |
| B5A3346082AC566B4494E6175F1CD9873B64ABE6C902DB49BD4E8088876C9EAD | SHA-256 | File hash of campaign PDF attachment | 2026-04-14 | 2026-04-16 |
| 11420D6D693BF8B19195E6B98FEDD03B9BCBC770B6988BC64CB788BFABE1A49D | SHA-256 | File hash of campaign PDF attachment | 2026-04-14 | 2026-04-16 |
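The lure characteristics described in the attack-chain section above and the indicators in this table can be folded into a simple mail-triage check. The Python below is an added example, not code from Microsoft or the original write-up; the message dict layout (sender, display_name, subject, attachments as (filename, SHA-256) pairs, link_hosts) is an assumed input format for a quarantine or mail-log export.

```python
import re
# Indicators copied from the table above (defanging brackets removed for matching).
SENDER_DOMAINS = {"cocinternal.com", "gadellinet.com", "harteprn.com", "na.businesshellosign.de"}
LINK_DOMAINS = {"compliance-protectionoutlook.de", "acceptable-use-policy-calendly.de"}
PDF_HASHES = {
    "5DB1ECBBB2C90C51D81BDA138D4300B90EA5EB2885CCE1BD921D692214AECBC6",
    "B5A3346082AC566B4494E6175F1CD9873B64ABE6C902DB49BD4E8088876C9EAD",
    "11420D6D693BF8B19195E6B98FEDD03B9BCBC770B6988BC64CB788BFABE1A49D",
}
# Lure characteristics taken from the campaign description.
DISPLAY_NAME_RE = re.compile(r"internal regulatory coc", re.I)
SUBJECT_RE = re.compile(r"non-compliance case log", re.I)
ATTACHMENT_RE = re.compile(r"^(Awareness Case Log File|Disciplinary Action)\b.*\.pdf$", re.I)

def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def match_campaign(mail: dict) -> list:
    """Return sorted, de-duplicated names of every campaign indicator the message matches."""
    hits = set()
    if sender_domain(mail["sender"]) in SENDER_DOMAINS:
        hits.add("sender_domain")
    if DISPLAY_NAME_RE.search(mail["display_name"]):
        hits.add("display_name")
    if SUBJECT_RE.search(mail["subject"]):
        hits.add("subject")
    for name, digest in mail.get("attachments", []):
        if ATTACHMENT_RE.match(name):
            hits.add("attachment_name")
        if digest.upper() in PDF_HASHES:
            hits.add("attachment_hash")
    if any(h.lower() in LINK_DOMAINS for h in mail.get("link_hosts", [])):
        hits.add("link_domain")
    return sorted(hits)

# Constructed sample records for a stand-alone run; not real captured messages.
SAMPLES = [
    {"sender": "Cocpostmaster@cocinternal.com", "display_name": "Internal Regulatory COC",
     "subject": "Reminder: employer opened a non-compliance case log",
     "attachments": [("Awareness Case Log File – Monday 13th, April 2026.pdf",
                      "5DB1ECBBB2C90C51D81BDA138D4300B90EA5EB2885CCE1BD921D692214AECBC6")],
     "link_hosts": ["compliance-protectionoutlook.de"]},
    {"sender": "hr@example.com", "display_name": "HR Team", "subject": "Q2 training schedule",
     "attachments": [("schedule.pdf", "00" * 32)], "link_hosts": ["intranet.example.com"]},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["subject"], "->", match_campaign(m) or "no indicators")
```

A message matching several independent indicators (sender domain, lure text, attachment hash, link host) is a far stronger signal than any single hit, which is why the function reports every matched rule rather than a single boolean.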
