May 06, 2026 04:28 pm (IST)
Microsoft reveals massive global phishing attack. Photo: Unsplash

35,000 users hacked? Microsoft reveals massive global phishing attack

| @indiablooms | May 06, 2026, at 03:20 pm

Microsoft has confirmed a series of sophisticated phishing campaigns targeting more than 35,000 users across over 13,000 organisations in 26 countries, with the majority of victims based in the United States.

According to the company, the attacks were observed between April 14 and April 16 and affected a wide range of industries, including healthcare and life sciences (19%), financial services (18%), professional services (11%), and technology and software (11%). The phishing emails were distributed in multiple waves during this period.

The attackers crafted emails to appear as internal compliance or regulatory communications, using display names such as “Internal Regulatory COC,” “Workforce Communications,” and “Team Conduct Report.” Subject lines included phrases like “Internal case log issued under conduct policy” and “Reminder: employer opened a non-compliance case log.”

The messages falsely claimed that a “code of conduct review” had been initiated and often included organisation-specific details to enhance credibility. Recipients were instructed to open a “personalised attachment” to review case materials. To reinforce legitimacy, the emails stated they were issued through an “authorised internal channel” and that links and attachments had been reviewed for secure access. Some messages also featured a banner indicating encryption via Paubox, a legitimate service associated with HIPAA-compliant communications.

Analysis revealed that the emails were sent using a legitimate email delivery service, likely from a cloud-hosted Windows virtual machine, and originated from multiple attacker-controlled domains. Each email included a PDF attachment with filenames such as “Awareness Case Log File – Tuesday 14th, April 2026.pdf” and “Disciplinary Action – Employee Device Handling Case.pdf.”

These attachments provided additional details about the supposed conduct review and directed users to click a “Review Case Materials” link. This link initiated a credential-harvesting process.

Users were first redirected to attacker-controlled domains, such as “acceptable-use-policy-calendly[.]de” or “compliance-protectionoutlook[.]de,” where they encountered a CAPTCHA challenge presented as a security check. This step likely served to evade automated detection systems.

After completing the CAPTCHA, users were taken to an intermediate page stating that the documents were encrypted and required authentication. They were then prompted to click a “Review & Sign” button, leading to a fake sign-in page requesting their email credentials, followed by another CAPTCHA verification.

Once completed, users were shown a message indicating successful verification and were redirected to a final site. The destination varied depending on whether the user accessed the link via mobile or desktop.

On the final page, victims were told that their case materials had been securely logged and maintained within a centralised compliance system. They were then prompted to schedule a discussion, which again required signing in—effectively capturing their login credentials.

Microsoft noted that while some elements resembled device code phishing, the confirmed attack chain primarily involved adversary-in-the-middle (AITM) techniques to harvest user credentials.
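The sender display names, subject lines, attachment filenames and redirect domains reported above can be turned into a mail-log triage check. The following is an added example, not code from Microsoft or from this article; the record field names (`display_name`, `subject`, `attachments`, `urls`) and the sample records are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the article; nothing else is assumed about the campaign.
DISPLAY_NAMES = {"internal regulatory coc", "workforce communications", "team conduct report"}
SUBJECT_PHRASES = ("internal case log issued under conduct policy",
                   "employer opened a non-compliance case log")
ATTACHMENT_RE = re.compile(r"(awareness case log file|disciplinary action)\b.*\.pdf$", re.I)
REDIRECT_DOMAINS = {"acceptable-use-policy-calendly.de", "compliance-protectionoutlook.de"}

def refang(value):
    """Undo common defanging (hxxp, [.]) so indicators compare cleanly."""
    return value.replace("[.]", ".").replace("hxxp", "http").strip().lower()

def host_of(url):
    """Extract the hostname from a URL or bare domain, defanged or not."""
    url = refang(url)
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".")

def triage(msg):
    """Return the list of reported campaign traits that a message record matches."""
    hits = []
    if msg.get("display_name", "").strip().lower() in DISPLAY_NAMES:
        hits.append("display_name")
    subject = msg.get("subject", "").lower()
    if any(phrase in subject for phrase in SUBJECT_PHRASES):
        hits.append("subject")
    if any(ATTACHMENT_RE.search(name.strip()) for name in msg.get("attachments", [])):
        hits.append("attachment")
    hosts = {host_of(u) for u in msg.get("urls", [])}
    if any(h == d or h.endswith("." + d) for h in hosts for d in REDIRECT_DOMAINS):
        hits.append("redirect_domain")
    return hits

def flagged(records, threshold=2):
    """Map record id -> matched traits for records meeting the threshold."""
    return {r["id"]: triage(r) for r in records if len(triage(r)) >= threshold}

# Constructed sample records (not real telemetry); field names are assumptions.
SAMPLES = [
    {"id": 1, "display_name": "Team Conduct Report",
     "subject": "Reminder: employer opened a non-compliance case log",
     "attachments": ["Disciplinary Action – Employee Device Handling Case.pdf"],
     "urls": ["hxxps://compliance-protectionoutlook[.]de/review"]},
    {"id": 2, "display_name": "HR Newsletter", "subject": "May benefits update",
     "attachments": ["benefits.pdf"], "urls": ["https://calendly.com/hr/meet"]},
]
```

The default threshold of two traits keeps a single generic match, such as a display name a real internal team might use, from flagging a message on its own.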
