
Phishing campaign targets 35,000 users to steal authentication tokens

9 articles · Updated · Microsoft · May 5
  • Microsoft Defender Research said the April 14-16 operation hit more than 13,000 organisations in 26 countries, with 92% of targets in the United States.
  • Attackers sent code-of-conduct emails with PDF links through legitimate delivery services, then used CAPTCHAs, staging pages and a fake Microsoft sign-in to run an adversary-in-the-middle flow.
  • The broad campaign especially affected healthcare, financial services, professional services, and technology, showing how AiTM phishing can bypass non-phishing-resistant MFA and give attackers immediate account access.

April 2026 Credential Theft Campaign: Over 35,000 Users Targeted with MFA-Bypassing AiTM Phishing

Overview

Between April 14 and 16, 2026, a large-scale credential theft campaign targeted over 35,000 users across 13,000 organizations, mainly in the U.S., focusing on critical sectors like Healthcare and Financial Services. Attackers used sophisticated phishing emails disguised as internal communications, embedding PDFs that led victims through CAPTCHA-protected pages to Adversary-in-the-Middle (AiTM) phishing sites. These sites intercepted login credentials and multi-factor authentication tokens in real time, letting attackers bypass security measures and maintain persistent access. The campaign exploited legitimate email services and shifting domains to evade filters, while advanced Phishing-as-a-Service platforms enabled scalable attacks. The campaign exposed weaknesses in traditional defenses and highlighted the urgent need for layered security and user vigilance.

...