Cyber Web Spider Blog – News

Phishing Emails Exploit Code of Conduct in AiTM Attack


Posted on May 5, 2026 By CWS

A sophisticated phishing operation has been discovered, leveraging counterfeit “code of conduct” emails to deceive employees into surrendering their login information. This scheme not only captures passwords but also commandeers active session tokens using an adversary-in-the-middle (AiTM) strategy, rendering conventional multi-factor authentication (MFA) defenses largely ineffective.

Widespread Impact of the Phishing Campaign

The campaign unfolded over a brief period from April 14 to 16, 2026, impacting over 35,000 individuals across more than 13,000 enterprises in 26 nations. The United States bore the brunt, representing 92% of the affected users. Key sectors, including healthcare (19%), financial services (18%), professional services (11%), and technology (11%), were notably compromised.

The deceptive emails, dispatched in several waves beginning at 06:51 UTC on April 14 and concluding at 03:54 UTC on April 16, mimicked internal compliance notifications. Pseudonyms such as “Internal Regulatory COC” and “Workforce Communications” were employed, with subject lines like “Internal case log issued under conduct policy” prompting the recipient to examine their supposed case details.

Deceptive Tactics to Bypass Security

Recipients were urged to access a personalized PDF attachment to review case materials, with a misleading green banner suggesting encryption via Paubox, a legitimate HIPAA-compliant service, to enhance credibility. Microsoft Defender Research tracked this operation, revealing that the emails were dispersed via a legitimate email delivery platform, likely originating from a cloud-based Windows virtual machine.

Attackers utilized domains such as [email protected] to dispatch these emails, employing polished HTML templates that preemptively asserted authenticity, surpassing the usual phishing message quality. Once the PDF was opened, users were directed to a link leading to attacker-run sites like compliance-protectionoutlook[.]de, where Cloudflare CAPTCHA filtered out automated defenses.
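A retrospective mailbox hunt built from the indicators reported above, as an added example that is not from the original article or from Microsoft. The record fields (`display_name`, `subject`, `received`, `attachments`, `urls`) are an assumed export format, the quoted pseudonyms are treated as sender display names, and the sample messages are constructed.

```python
import re
from datetime import datetime

def norm(text):
    """Lower-case and collapse whitespace so trivial variations still match."""
    return re.sub(r"\s+", " ", text).strip().lower()

def host_of(url):
    """Refang a URL or bare domain ('[.]', 'hxxp') and return its host."""
    url = url.lower().replace("[.]", ".").replace("hxxp", "http")
    return re.sub(r"^[a-z]+://", "", url).split("/")[0].split(":")[0]

# Indicators copied from the article; the record layout is an assumption.
DISPLAY_NAMES = {"internal regulatory coc", "workforce communications"}
SUBJECTS = {"internal case log issued under conduct policy"}
LURE_DOMAINS = {host_of("compliance-protectionoutlook[.]de")}
WINDOW = tuple(datetime.fromisoformat(t) for t in ("2026-04-14T06:51:00+00:00", "2026-04-16T03:54:00+00:00"))

def indicators(msg):
    """Strong indicators identify the campaign; context ones only add weight."""
    strong, context = [], []
    if norm(msg["display_name"]) in DISPLAY_NAMES:
        strong.append("display_name")
    if norm(msg["subject"]) in SUBJECTS:
        strong.append("subject")
    hosts = {host_of(u) for u in msg["urls"]}
    if any(h == d or h.endswith("." + d) for h in hosts for d in LURE_DOMAINS):
        strong.append("lure_domain")
    received = datetime.fromisoformat(msg["received"])
    if WINDOW[0] <= received <= WINDOW[1]:
        context.append("in_window")
    if any(name.lower().endswith(".pdf") for name in msg["attachments"]):
        context.append("pdf_attachment")
    return strong, context

def hunt(messages):
    """Return {message id: (strong, context)} for messages with a strong hit."""
    scored = ((m["id"], indicators(m)) for m in messages)
    return {mid: ind for mid, ind in scored if ind[0]}

# Constructed sample records (not real telemetry).
SAMPLE = [
    {"id": "m1", "display_name": "Workforce  Communications", "received": "2026-04-14T07:02:00+00:00",
     "subject": "Internal case log issued under conduct policy", "attachments": ["case.pdf"], "urls": []},
    {"id": "m2", "display_name": "HR Team", "received": "2026-04-15T09:00:00+00:00",
     "subject": "Updated code of conduct", "attachments": ["policy.pdf"], "urls": []},
    {"id": "m3", "display_name": "IT Desk", "received": "2026-04-20T12:00:00+00:00",
     "subject": "Ticket update", "attachments": [], "urls": ["hxxps://compliance-protectionoutlook[.]de/case"]},
]
```

Messages that arrived in the window with a PDF but no strong indicator (`m2`) are deliberately left out, since those two properties alone describe a large share of ordinary mail.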

Inside the Multi-Stage Attack

After the initial CAPTCHA, users encountered a page claiming that the requested documents were encrypted, necessitating account verification. This page prompted users to input their email and complete a second image-based CAPTCHA, ultimately leading to a confirmation that their “case” was being prepared.

The final stage varied by device type; on both mobile and desktop, users were informed that their materials were “securely logged” and were asked to sign in to schedule a discussion. The “Sign in with Microsoft” link opened a legitimate Microsoft authentication page, but the session was intercepted by attackers, capturing authentication tokens to access accounts without additional passwords, bypassing MFA.
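One heuristic for spotting the token reuse described above in identity-provider sign-in logs, as an added example that is not from the original article: flag a session that is used, after MFA succeeded, from both a different network and a different client. The event fields (`session_id`, `asn`, `user_agent`, `mfa`) are assumed names rather than a specific product's schema, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def find_token_replay(events, max_gap=timedelta(hours=24)):
    """Flag sessions whose token is presented, after MFA succeeded, from a
    different network AND a different client than the MFA sign-in itself."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session_id"]].append(e)
    findings = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["time"])
        origin = next((e for e in evs if e["mfa"]), None)
        if origin is None:
            continue  # no MFA-satisfied sign-in seen for this session
        for e in evs:
            gap = e["time"] - origin["time"]
            if gap <= timedelta(0) or gap > max_gap:
                continue
            # Requiring both changes keeps roaming users (new network, same
            # client) out of the results.
            if e["asn"] != origin["asn"] and e["user_agent"] != origin["user_agent"]:
                findings.append({"user": e["user"], "session_id": sid,
                                 "origin_ip": origin["ip"], "replay_ip": e["ip"],
                                 "minutes_after_mfa": int(gap.total_seconds() // 60)})
                break  # one finding per session is enough to triage
    return findings

def _ev(hhmm, user, sid, ip, asn, ua, mfa=False):
    h, m = map(int, hhmm.split(":"))
    return {"time": datetime(2026, 4, 14, h, m), "user": user, "session_id": sid,
            "ip": ip, "asn": asn, "user_agent": ua, "mfa": mfa}

# Constructed sign-in records; IPs and ASNs come from documentation ranges.
SAMPLE = [
    _ev("09:00", "alice", "S1", "192.0.2.10", 64500, "Edge/Windows", mfa=True),
    _ev("09:05", "alice", "S1", "192.0.2.10", 64500, "Edge/Windows"),
    _ev("09:12", "alice", "S1", "203.0.113.77", 64511, "Chrome/Linux"),
    _ev("10:00", "bob", "S2", "198.51.100.5", 64501, "Safari/iOS", mfa=True),
    _ev("10:30", "bob", "S2", "198.51.100.99", 64502, "Safari/iOS"),
]
```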

Mitigating the Threat

To mitigate risks from such attacks, organizations should enhance email security settings, like enabling Zero-hour auto purge (ZAP) in Defender for Office 365, to quarantine malicious emails. Activating Safe Links and Safe Attachments, along with network protection in Microsoft Defender for Endpoint, can help block access to malicious domains.

Promoting phishing-resistant MFA methods and implementing Conditional Access policies can further protect sensitive accounts. Conducting user training and phishing simulations can increase awareness of social engineering tactics. Deploying automatic attack disruption in Microsoft Defender XDR can also contain active threats while security teams respond.
