- Microsoft says a large phishing wave targeted over 35,000 users across 13,000 companies, mostly in the US
- Polished enterprise‑style emails with urgent prompts were used to bypass security checks
- Victims were funneled through PDFs and CAPTCHAs to harvest Microsoft credentials in real time
Microsoft has warned about a large-scale phishing email campaign against primarily US-based organizations.
In a new in-depth report Microsoft said it observed a new campaign between April 14 and 16 2026 targeting more than 35,000 users in 13,000 companies. While the campaign affected 26 countries, more than nine in ten emails (92%) went to US-based organizations.
Firms in the healthcare and life sciences vertical were most affected (19%), followed by financial services (18%), professional services (11%), and technology and software (11%).
PDFs and tokens
"The lures in this campaign used polished, enterprise-style HTML templates with structured layouts and preemptive authenticity statements, making them appear more credible than typical phishing emails and increasing their plausibility as legitimate internal communications," Microsoft explained in the advisory.
"Because the messages contained accusations and repeated time-bound action prompts, the campaign created a sense of urgency and pressure to act."
In these emails, the threat actors assumed different identities, such as “Internal Regulatory COC”, “Workforce Communications”, or “Team Conduct Report”. The emails themselves were themed around “internal case logs”, different reminders, and warnings about non-compliance.
"At the top of each message, a notice stated that the message had been 'issued through an authorized internal channel' and that links and attachments had been 'reviewed and approved for secure access,' reinforcing the email's purported legitimacy," Microsoft further added.
The crooks were apparently sending these emails from legitimate services, bypassing traditional protections such as SPF, DKIM, and DMARC. They were also distributing PDF attachments through which they were redirecting victims to malicious landing pages.
People who would open the PDF files and click on the links inside would first be redirected through multiple CAPTCHAs, to create a false sense of legitimacy, and to filter out any bots or otherwise automated scanning activities.
The final step is to harvest Microsoft credentials and tokens in real-time and thus work around multi-factor authentication (MFA).
