Microsoft has detailed a large-scale phishing campaign that used multi-stage techniques to compromise user sessions and bypass multi-factor authentication, highlighting a growing shift toward token-based attacks.
According to Microsoft’s threat intelligence team, the campaign targeted more than 35,000 users across over 13,000 organizations in 26 countries within a short window between April 14 and April 16, 2026. The majority of targets were located in the United States, with sectors such as healthcare, finance, and technology heavily affected.
The attack relied on a “code of conduct” lure, where victims received phishing emails prompting them to review or acknowledge workplace-related policies. These messages were designed to appear legitimate and were distributed in multiple waves to increase effectiveness.
Once a target engaged, the operation unfolded in several stages. Victims were redirected through a chain of malicious infrastructure before ultimately landing on a phishing page designed to capture credentials. However, the campaign did not stop at password theft. Instead, attackers used adversary-in-the-middle techniques to intercept authentication data in real time.
This method allowed threat actors to obtain session tokens, enabling account access without needing credentials again. Such token theft is particularly significant because it can bypass multi-factor authentication: the token is issued only after the victim has completed MFA, so replaying it requires no second factor, and the protection that is typically designed to prevent unauthorized logins never triggers.
Microsoft noted that the campaign leveraged reverse proxy infrastructure to sit between users and legitimate login services. This setup allowed attackers to capture authentication cookies and maintain persistent access even after initial compromise.
The multi-stage design also included evasion tactics. Attack infrastructure dynamically adapted to user interactions and environmental checks, reducing the likelihood of detection by security tools. In some cases, phishing content was selectively displayed based on targeting conditions, limiting exposure to researchers and automated defenses.
Researchers emphasized that the campaign did not focus on a single industry, instead targeting a wide range of organizations. This broad approach reflects a shift toward scalable phishing operations that prioritize volume and automation over highly targeted attacks.
The findings highlight a broader trend in cyber threats. Attackers are increasingly moving beyond credential theft toward session hijacking and identity-based attacks. In these scenarios, traditional defenses such as password resets may not be sufficient, as stolen tokens can continue to provide access if not revoked.
Microsoft advises organizations to strengthen identity protection measures, including monitoring for suspicious session activity, implementing conditional access policies, and ensuring rapid token revocation in response to potential compromise.
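As an added example, not code from Microsoft's report or from the original article, the following Python sketches the session monitoring the advice above calls for and the token-replay pattern described earlier: a session minted by an MFA-satisfied sign-in that is later reused from a different IP and country is the footprint a reverse-proxy token theft leaves, and the affected user's sessions, not only the password, need revoking. The event fields, the 24-hour window and the sample records are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events (not taken from Microsoft's report).
# Fields: timestamp, user, session id, source IP, country, MFA satisfied on this event.
SAMPLE_EVENTS = [
    ("2026-04-15T09:00:00", "alice@example.test", "sess-a1", "203.0.113.10", "US", True),
    # same session, minutes later, from another IP and country, with no fresh MFA
    ("2026-04-15T09:04:00", "alice@example.test", "sess-a1", "198.51.100.7", "NL", False),
    ("2026-04-15T10:00:00", "bob@example.test", "sess-b1", "203.0.113.20", "US", True),
    ("2026-04-15T18:30:00", "bob@example.test", "sess-b1", "203.0.113.20", "US", False),
    ("2026-04-16T08:00:00", "carol@example.test", "sess-c1", "192.0.2.5", "US", True),
    # same-country IP drift (e.g. a mobile handover) is left alone by this conservative rule
    ("2026-04-16T08:01:00", "carol@example.test", "sess-c1", "192.0.2.9", "US", False),
]


def find_replayed_sessions(events, window=timedelta(hours=24)):
    """Return (user, session, issuing_ip, replay_ip, replay_country) for every session
    reused within `window` from a different IP and country than the MFA-satisfied
    sign-in that minted it. The reuse event carried no new MFA, so nothing
    re-challenged whoever holds the token."""
    issued = {}  # session id -> (user, time, ip, country) of the minting sign-in
    alerts = []
    for ts, user, sess, ip, country, mfa in sorted(events):  # ISO timestamps sort lexically
        when = datetime.fromisoformat(ts)
        if mfa:
            issued[sess] = (user, when, ip, country)
            continue
        origin = issued.get(sess)
        if origin is None:
            continue  # reuse of a session we never saw minted; out of scope here
        _, t0, ip0, c0 = origin
        if when - t0 <= window and ip != ip0 and country != c0:
            alerts.append((user, sess, ip0, ip, country))
    return alerts


def users_to_revoke(events):
    """Users whose sign-in sessions should be revoked: a password reset alone
    leaves an already-issued token valid until it is revoked or expires."""
    return sorted({alert[0] for alert in find_replayed_sessions(events)})


if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_EVENTS):
        print("possible token replay:", alert)
    print("revoke sessions for:", users_to_revoke(SAMPLE_EVENTS))
```

Real sign-in logs carry richer fields (device, ASN, user agent), and a production rule would correlate those rather than IP and country alone.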
The campaign demonstrates how phishing operations continue to evolve, combining social engineering with advanced infrastructure to bypass established security controls and maintain long-term access to compromised accounts.