Microsoft AiTM Phishing Targeted 35,000 Users

Stephanie Adlam
Editorial poster showing a code-of-conduct PDF lure leading through CAPTCHA to AiTM session-token theft.

Update: Microsoft patched new Word preview-pane RCE issues in 2026; see Gridinsoft coverage of CVE-2026-40361 and CVE-2026-40364 Outlook/Word preview risk for current patch and triage guidance.

Microsoft says a multi-stage code-of-conduct phishing campaign targeted more than 35,000 users at over 13,000 organizations in 26 countries between April 14 and April 16, 2026. The campaign matters because it did not stop at stealing passwords: it pushed victims into an adversary-in-the-middle (AiTM) sign-in flow that could capture Microsoft session tokens and bypass any MFA method that is not phishing-resistant [1].

The lure was built around workplace pressure. Messages posed as internal compliance or regulatory notices from names such as “Internal Regulatory COC,” “Workforce Communications,” and “Team Conduct Report.” The attached PDFs used case-log and disciplinary-action themes, then sent recipients through attacker-controlled pages, CAPTCHA checks, and a final Microsoft sign-in prompt [1]. For a recipient, the tell is the whole workflow: a stressful HR-style accusation, a PDF that turns into a portal, a CAPTCHA that pretends to add trust, and a sign-in request that appears only after several staged pages.

Why this phishing worked

The campaign abused signals that many people have been trained to trust. The emails were sent through legitimate delivery services, the PDF gave a plausible business reason for clicking, and CAPTCHA pages filtered automated scanners while making the session look more official. Microsoft also noted that the campaign used domains such as acceptable-use-policy-calendly[.]de and compliance-protectionoutlook[.]de, which are close enough to business vocabulary to pass a hurried glance but not close enough to belong to a real internal compliance system [1].

The useful response is to treat this as token theft, not only credential theft. If a user opened a similar PDF and signed in, changing the password is not the finish line. Admins should revoke active sessions and refresh tokens, then reset credentials, because Microsoft notes that a stolen session token can remain useful until access is explicitly revoked or the session expires [3]. After that, review Entra sign-in logs for unfamiliar sign-in properties, impossible travel, anomalous tokens, and suspicious URL-click events, then purge matching messages by sender, subject, attachment name, or URL. Mail teams should also look for nearby variants instead of only exact indicators, because the campaign used multiple sender addresses and staged domains.
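The sign-in log review described above, as an added example that is not part of the original article or of Microsoft's tooling: two heuristics run over constructed Entra-style sign-in records, flagging a session id that reappears from a new IP (a replayed token) and consecutive sign-ins from different countries within an hour (impossible travel), then listing the users whose sessions should be revoked before their password is reset. Field names and all values are invented for the sample.

```python
from datetime import datetime

# Constructed sample records modelled on Entra sign-in log fields; every value is
# invented. "session" stands in for the sign-in session id, which a replayed token keeps.
SAMPLE_SIGNINS = [
    {"user": "j.doe@example.com", "time": "2026-04-15T09:02:00",
     "ip": "203.0.113.10", "country": "US", "session": "sess-A1"},
    {"user": "j.doe@example.com", "time": "2026-04-15T09:41:00",
     "ip": "198.51.100.7", "country": "DE", "session": "sess-A1"},  # replayed token
    {"user": "m.lee@example.com", "time": "2026-04-15T10:00:00",
     "ip": "203.0.113.22", "country": "US", "session": "sess-B7"},
    {"user": "m.lee@example.com", "time": "2026-04-15T10:20:00",
     "ip": "203.0.113.22", "country": "US", "session": "sess-B7"},  # benign repeat
]

def _ts(rec):
    return datetime.fromisoformat(rec["time"])

def find_token_reuse(records):
    """(user, session) pairs whose session id was seen from more than one IP.
    Cheapest AiTM replay heuristic: the cookie is valid, but the client network
    behind it has changed."""
    ips_by_session = {}
    for rec in records:
        ips_by_session.setdefault((rec["user"], rec["session"]), set()).add(rec["ip"])
    return sorted(key for key, ips in ips_by_session.items() if len(ips) > 1)

def find_impossible_travel(records, max_minutes=60):
    """(user, from_country, to_country) for consecutive sign-ins by one user from
    different countries that are closer together than max_minutes."""
    by_user = {}
    for rec in sorted(records, key=_ts):
        by_user.setdefault(rec["user"], []).append(rec)
    hits = []
    for user, recs in by_user.items():
        for prev, cur in zip(recs, recs[1:]):
            minutes = (_ts(cur) - _ts(prev)).total_seconds() / 60
            if prev["country"] != cur["country"] and minutes <= max_minutes:
                hits.append((user, prev["country"], cur["country"]))
    return hits

def users_to_contain(records):
    """Users whose sessions and refresh tokens to revoke before the password reset."""
    flagged = {user for user, _ in find_token_reuse(records)}
    flagged |= {user for user, _, _ in find_impossible_travel(records)}
    return sorted(flagged)

if __name__ == "__main__":
    for user in users_to_contain(SAMPLE_SIGNINS):
        print(f"revoke sessions and refresh tokens, then reset: {user}")
```

Both heuristics produce candidates for analyst review, not verdicts; a VPN user can trip impossible travel, so confirm against the URL-click events and sign-in properties the article lists before revoking.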

For organizations already dealing with Microsoft 365 phishing kits, this campaign is a reminder that AiTM is now a repeatable tradecraft pattern, not an edge case. Gridinsoft previously covered the W3LL Microsoft 365 phishing kit, and the same defensive lesson applies here: ordinary MFA can still fail when the attacker proxies the login in real time. For more background on why token/session compromise changes the response, see Gridinsoft’s OAuth2 session hijack coverage. High-risk users need phishing-resistant MFA such as FIDO2 keys, Windows Hello for Business, or certificate-based controls, while mail defenders should enable Safe Links, Safe Attachments, Zero-hour auto purge, and endpoint network protection where available.

Microsoft’s broader Q1 email-threat review gives the campaign more context: link-based delivery represented most email threats, QR-code phishing grew sharply, and CAPTCHA-gated phishing more than doubled in March 2026 [2]. That trend explains why a fake compliance PDF followed by CAPTCHA checks is not a random gimmick. It is a practical way to move the risky part of the attack off the email body, delay sandbox analysis, and make the victim complete the attacker’s workflow step by step.

Another Microsoft identity-theft pattern to watch is device code phishing, where the victim enters a code on a legitimate Microsoft page and the attacker receives token-based access rather than a password.

References

  1. Microsoft Security Blog, “Breaking the code: Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise,” May 4, 2026.
  2. Microsoft Security Blog, “Email threat landscape: Q1 2026 trends and insights,” April 30, 2026.
  3. Microsoft Learn, “Revoke user access in an emergency in Microsoft Entra ID,” updated April 2026.

Related SSO risk: after visible platform incidents, attackers often send believable “re-authenticate” or “verify access” messages. The 2026 Canvas breach and login-page defacement shows why schools need clear verified login paths before phishing follows the news.

Newer operations such as HookedWing show how legitimate-looking hosted pages and compromised servers can hide the phishing chain before the final credential page.
