- A sneaky phishing campaign hit thousands of people across 26 countries between April 14 & 16.
- The attack used fake code of conduct reviews and real email services to steal login tokens and bypass multi-factor authentication.
- QR code phishing surged 146 percent in early 2026, with Microsoft detecting 8.3 billion email-based threats.
Hackers are weaponizing employee fear around HR emails about policy violations on a massive scale. Microsoft uncovered a similar campaign that lasted three days, fooling thousands of users across the globe.
The attackers used legitimate email services and code of conduct-themed tricks to lure users into giving away authentication tokens at website domains they controlled. Here are the details.
How the Attackers Pulled off the Phishing Campaign
Microsoft noted that this campaign ran from April 14 to April 16. And it hit a surprisingly large number of victims, more than 35,000 users across over 13,000 organizations in 26 different countries. Interestingly, 92 percent of the targets were from the US.
The hackers focused on specific industries. Healthcare and life sciences took the biggest hit at 19%. Financial services followed closely at 18 percent. Professional services and tech sectors each saw about 11 percent of the attacks.
So how did they make it work? The emails looked incredibly professional. They used polished HTML templates with structured layouts. The messages included fake authenticity statements claiming internal approval.
One notice at the top said the email came through an “authorized internal channel.” It even claimed that links and attachments were “reviewed and approved for secure access.”
The senders used display names like Workforce Communications and Internal Regulatory COC. Subject lines either warned about “Internal case log issued under conduct policy” or carried a reminder that an employer opened a case log that violates company policy. The goal was clear: scare people into acting fast without thinking.
How the Attack Actually Stole Logins
Here is where it gets clever and dangerous. The emails came from a legitimate email delivery service. That means standard security checks didn’t flag them as suspicious. Each message included a PDF attachment with more details about the fake conduct review.
When victims opened the PDF, they saw a link. Clicking that link started the real trouble. The hackers directed people through multiple CAPTCHA pages. Those puzzles made the site feel trustworthy. They also blocked automated security tools from detecting the scam.
The final step was brutal. Victims landed on a fake Microsoft sign-in page. But this wasn’t a simple fake form. The attackers used adversary-in-the-middle (AitM) techniques, collecting both the username and password combination and an authentication token as the user entered them on the fake sign-in page. This let them completely bypass multi-factor authentication. Even users with MFA enabled got compromised.
Ironically, while hackers impersonate Microsoft to steal from users, the real Microsoft is facing its own backlash over user trust. Mozilla recently slammed the company for forcing Copilot on Windows users without consent.
Microsoft noted the final destination changed based on your device. Mobile users saw something different than desktop users. The hackers optimized the scam for every situation.
Phishing Is Changing Faster Than Ever
This phishing campaign is just one event out of a bigger trend worldwide. Microsoft examined the email threat landscape between January and March. The results are eye-opening. The company detected approximately 8.3 billion email-based phishing threats.
Nearly 80 percent of those were link-based attacks. Large HTML and ZIP files carried most of the malicious payloads. Credential harvesting dominated the attackers’ goals. Malware delivery dropped to just 5-6% by the end of the quarter. Hackers want your passwords, not just to break your computer.
QR Code Phishing is Becoming a Very Popular Method of Phishing
In January, there were approximately 7.6 million QR code phishing attacks. By March, the total had risen to approximately 18.7 million, a 146% increase.
In late March, Microsoft saw QR codes embedded directly inside email bodies. No more fake links to spot. Just a harmless-looking code to scan with your phone.
Business Email Compromise Scams Also Surged
Microsoft recorded 10.7 million BEC attacks in the first quarter alone. March saw more than 4 million of those.
One large campaign that happened between February 23 and 25 sent out more than 1.2 million messages. 53,000 organizations in 23 countries took the hit. The scammers used talks about 401(k) plans, payments, and invoices to lure employees. An SVG attachment directed victims to a CAPTCHA check. Then came a fake sign-in page.
Another campaign on March 17 delivered 1.5 million malicious messages. It hit 179,000 organizations in 43 countries. That single day accounted for 7% of all malicious HTML attachments that month. Microsoft tied most of the final phishing pages to Tycoon 2FA, with some linked to Kratos and EvilTokens infrastructure.
Here is the scary part. Attackers are now abusing Amazon Simple Email Service (SES) to bypass security checks. They grab AWS access keys from leaks and use them to send phishing emails right from Amazon’s own servers.
These emails slide through SPF, DKIM, and DMARC checks without any trouble and show up from clean IPs. The phishing links even look completely legit. Your email system trusts them because Amazon sent them.
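A triage check for the conduct-review lure described above, as an added example that is not from Microsoft's report or the original article: it flags mail that claims internal origin while coming from an external domain, even when DMARC passes, as it does for messages sent through a legitimate delivery service or Amazon SES. `ORG_DOMAINS`, the function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

ORG_DOMAINS = {"example.com"}  # assumption: the defender's own mail domains
# Display names, subject and banner phrases quoted in the article.
INTERNAL_CLAIMS = ("workforce communications", "internal regulatory coc",
                   "internal case log", "authorized internal channel",
                   "reviewed and approved for secure access")

def dmarc_result(msg):
    """Return the dmarc= verdict from Authentication-Results, or 'none'."""
    for header in msg.get_all("Authentication-Results", []):
        for part in str(header).lower().split(";"):
            if part.strip().startswith("dmarc="):
                return part.strip().split("=", 1)[1].split()[0]
    return "none"

def triage(raw):
    """Flag mail that claims to be internal but comes from an external domain."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = " ".join([display, str(msg["Subject"]),
                     body.get_content() if body else ""]).lower()
    claims = [p for p in INTERNAL_CLAIMS if p in text]
    has_pdf = any(a.get_content_type() == "application/pdf"
                  for a in msg.iter_attachments())
    # A DMARC pass only shows the sending domain authorised the message;
    # it does not show that the domain belongs to this organisation.
    return {"dmarc": dmarc_result(msg), "from_domain": domain,
            "claims": claims, "pdf": has_pdf,
            "flag": domain not in ORG_DOMAINS and bool(claims)}

def constructed_sample(sender="notice@mailer.example.net"):
    """Build a constructed message shaped like the lure (not a real sample)."""
    m = EmailMessage()
    m["From"] = f"Workforce Communications <{sender}>"
    m["To"] = "user@example.com"
    m["Subject"] = "Internal case log issued under conduct policy"
    m["Authentication-Results"] = ("mx.example.com; spf=pass; dkim=pass; "
                                   "dmarc=pass header.from=" + sender.split("@")[1])
    m.set_content("Sent through an authorized internal channel.")
    m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                     subtype="pdf", filename="case.pdf")
    return m.as_string()

if __name__ == "__main__":
    print(triage(constructed_sample()))
```

The same message sent from an address inside `ORG_DOMAINS` is not flagged, so the rule keys on the mismatch between the internal claim and the sending domain rather than on the authentication verdict.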