Microsoft reported a phishing campaign targeting over 35,000 users across 13,000 companies, primarily in the United States, between April 14 and 16, 2026. This campaign impacted organizations in 26 countries, with 92% of the emails sent to entities based in the U.S.
The healthcare and life sciences sectors were the most affected, accounting for 19% of the victims. Other impacted sectors included financial services at 18%, professional services at 11%, and technology and software, also at 11%.
According to Microsoft's advisory, the phishing emails used polished, enterprise-style HTML templates with urgent calls to action. The design was meant to convey authenticity and urgency so that the emails would pass as legitimate internal communications.
The attackers impersonated various identities including “Internal Regulatory COC,” “Workforce Communications,” and “Team Conduct Report.” The emails featured claims of being issued through an “authorized internal channel,” stating that links and attachments were “reviewed and approved for secure access.”
The campaign sidestepped traditional email authentication checks such as SPF, DKIM, and DMARC by sending the emails through legitimate third-party services, so those checks passed. Victims were lured through malicious PDF attachments that linked to attacker-controlled landing pages.
The flow included multiple CAPTCHA redirections, intended both to give the victim a false sense of legitimacy and to filter out automated analysis. The end goal was to harvest Microsoft credentials and session tokens in real time, effectively bypassing multi-factor authentication (MFA).
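The point that passing SPF/DKIM/DMARC results say nothing about intent when the sender is a legitimate third-party service can be made concrete with a small triage heuristic. The following Python is an added example, not code from Microsoft's advisory: it parses a constructed sample message (the domains `bulk-mailer.example` and `ourcorp.example` are assumptions) and flags the combination of an internal-sounding display name taken from the advisory, an external sending domain, a PDF attachment and urgent wording, while deliberately giving no credit for passing authentication results.

```python
import email
from email import policy
from email.utils import parseaddr

# Display names the advisory says the campaign impersonated (quoted above).
IMPERSONATED_NAMES = {"internal regulatory coc", "workforce communications", "team conduct report"}
URGENT_PHRASES = ("urgent", "immediate action", "action required")

def auth_passed(msg) -> bool:
    # True when the receiving MX recorded spf, dkim and dmarc all as pass.
    ar = str(msg.get("Authentication-Results", "")).lower()
    return all(f"{m}=pass" in ar for m in ("spf", "dkim", "dmarc"))

def assess(raw: bytes, internal_domains: set) -> dict:
    # Flag one raw RFC 5322 message for the impersonation pattern described above.
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    flags = {
        "internal_display_name": name.strip().lower() in IMPERSONATED_NAMES,
        "external_sender": domain not in internal_domains,
        "auth_passed": auth_passed(msg),
        "pdf_attachment": any(p.get_content_type() == "application/pdf" for p in msg.iter_attachments()),
        "urgency": any(phrase in text for phrase in URGENT_PHRASES),
    }
    # Passing SPF/DKIM/DMARC is not exculpatory: the mail left a legitimate service, so the
    # checks pass for that service's domain, not for the "internal" team named in the From.
    flags["verdict"] = "suspicious" if flags["internal_display_name"] and flags["external_sender"] else "ok"
    return flags

# Constructed sample message (hypothetical domains; not an artifact from the campaign).
SAMPLE_PHISH = b"""\
From: "Workforce Communications" <notify@bulk-mailer.example>
Subject: Immediate action required: conduct policy acknowledgement
Authentication-Results: mx.ourcorp.example; spf=pass smtp.mailfrom=bulk-mailer.example; dkim=pass header.d=bulk-mailer.example; dmarc=pass header.from=bulk-mailer.example
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Issued through an authorized internal channel. Urgent: open the attached notice.
--b1
Content-Type: application/pdf; name="notice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""
```

Running `assess(SAMPLE_PHISH, {"ourcorp.example"})` returns every flag set and the verdict `suspicious`; the same message sent from an address in `ourcorp.example` scores `ok`, which is the distinction the authentication headers alone cannot make.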