Microsoft has issued a warning to American organizations about a complex phishing scheme that employs a ‘code of conduct review’ angle to trick users into visiting a fraudulent website.
Widespread Targeting of US Organizations
Between April 14 and 16, Microsoft detected more than 35,000 phishing attempts. These malicious emails were aimed at users in approximately 13,000 organizations across 26 countries, with 92% of the targets located in the United States.
The healthcare, life sciences, financial services, professional services, and technology sectors were among the most affected. The phishing emails appeared to be internal communications, employing display names such as ‘Team Conduct Report’ and ‘Workforce Communications’. Subject lines included phrases like ‘Reminder: employer opened a non-compliance case log’.
Technical Breakdown of the Attack
Microsoft’s analysis revealed that the phishing emails were dispatched using a legitimate email delivery service, possibly from a cloud-hosted Windows virtual machine. The emails originated from multiple addresses linked to domains likely controlled by the attackers.
Recipients were instructed to open attachments labeled ‘Awareness Case Log File’ or ‘Disciplinary Action’. These documents contained a link titled ‘Review Case Materials’, which redirected users to a Cloudflare CAPTCHA page to evade automated security analysis.
Phishing Mechanism and Security Implications
After passing the CAPTCHA, victims were directed to a page requesting their email address, followed by another CAPTCHA challenge. The final stage instructed users to sign into their Microsoft account on a page that employed adversary-in-the-middle (AitM) phishing techniques.
This method proxies the genuine sign-in flow and intercepts the resulting authentication tokens in real time, so it bypasses even multifactor authentication (MFA) methods that are not phishing-resistant. Microsoft has provided enterprises with mitigation strategies and threat-hunting resources to combat such attacks.
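As an added example (not taken from Microsoft's published hunting resources), the following Python heuristic flags the footprint a replayed AitM session token typically leaves in sign-in records: an MFA-satisfied interactive sign-in followed shortly by use of the same session from a different IP address and country. The record schema, field names and sample events are constructed for illustration.

```python
"""Hunting heuristic for AitM session-token replay (added example).
Constructed sign-in records in a simplified schema, one per auth event."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. In an AitM flow the victim completes MFA through
# the proxy, so the first event carries the victim's IP and a satisfied MFA
# claim; the captured session is then reused from other infrastructure.
EVENTS = [
    {"ts": "2025-04-15T09:02:11", "user": "alice@example.com", "session": "s-1001",
     "ip": "203.0.113.10", "country": "US", "mfa": True, "interactive": True},
    {"ts": "2025-04-15T09:04:40", "user": "alice@example.com", "session": "s-1001",
     "ip": "198.51.100.77", "country": "NL", "mfa": False, "interactive": False},
    {"ts": "2025-04-15T10:15:00", "user": "bob@example.com", "session": "s-2002",
     "ip": "203.0.113.22", "country": "US", "mfa": True, "interactive": True},
    {"ts": "2025-04-15T11:30:00", "user": "bob@example.com", "session": "s-2002",
     "ip": "203.0.113.22", "country": "US", "mfa": False, "interactive": False},
]


def find_session_replay(events, window=timedelta(hours=1)):
    """Return (user, session, origin_ip, replay_ip) tuples for sessions that
    were established with interactive MFA from one IP and then used from a
    different IP *and* country within `window`. Requiring both to differ
    keeps NAT and mobile-carrier IP churn from producing false positives."""
    by_session = defaultdict(list)
    for e in events:
        by_session[(e["user"], e["session"])].append(e)

    hits = []
    for (user, sess), evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        # The event that minted the session: interactive and MFA satisfied.
        origin = next((e for e in evs if e["mfa"] and e["interactive"]), None)
        if origin is None:
            continue
        t0 = datetime.fromisoformat(origin["ts"])
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            if t <= t0 or t - t0 > window:
                continue
            if e["ip"] != origin["ip"] and e["country"] != origin["country"]:
                hits.append((user, sess, origin["ip"], e["ip"]))
                break
    return hits


if __name__ == "__main__":
    for hit in find_session_replay(EVENTS):
        print("possible token replay:", hit)
```

A hit is a starting point for investigation, not proof of compromise; revoking the session and re-authenticating the user with a phishing-resistant method is the usual containment step.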
As phishing tactics grow more sophisticated, organizations must remain vigilant and employ robust security measures to protect against these evolving threats.
