Microsoft warns of multi-stage ‘code of conduct’ phishing campaign abusing AiTM to steal tokens

Microsoft warns of a multi-stage ‘code of conduct’ phishing campaign, reported in May 2026, that abuses AiTM to steal tokens

Written by Dave W. Shanahan

May 8, 2026

Microsoft is sounding the alarm on a highly polished phishing operation that weaponizes fake “code of conduct” investigations to steal user tokens and bypass multifactor authentication (MFA). The campaign blends believable HR-style messaging, CAPTCHA checkpoints, and adversary‑in‑the‑middle (AiTM) tactics to compromise Microsoft accounts at scale. Security teams running Microsoft 365 need to understand this attack chain quickly, because it targets both user psychology and modern email defenses.

In a new post titled “Breaking the code: Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise,” the Microsoft Defender Security Research Team and Microsoft Threat Intelligence lay out exactly how the attacks work. Between April 14 and 16, 2026, they observed coordinated phishing waves hitting more than 35,000 users across over 13,000 organizations in 26 countries, with the United States accounting for 92 percent of targets.

Figure: Timeline of campaign messages sent by hour

The campaign cut across industries, with healthcare and life sciences (19 percent), financial services (18 percent), professional services (11 percent), and technology and software (11 percent) among the most frequently hit sectors.

Figure: Campaign recipients by country and industry

How the ‘code of conduct’ phishing lure works

Figure: Sample phishing email

The operation starts in the inbox with emails that look like internal compliance or HR notifications rather than traditional spam. Messages use display names such as “Internal Regulatory COC”, “Workforce Communications”, and “Team Conduct Report,” paired with subject lines like “Internal case log issued under conduct policy” or “Reminder: employer opened a non-compliance case log.” The body text claims that a “code of conduct review” has been opened, references the recipient’s organization by name, and urges them to open a “personalized attachment” to review case materials, adding time-bound prompts to ratchet up urgency.

To tamp down suspicion, the emails include a notice that the message was “issued through an authorized internal channel” and that links and attachments have already been “reviewed and approved for secure access.” At the bottom, a green banner claims the contents were encrypted using Paubox, a legitimate HIPAA‑aligned email encryption service, further lending the message a veneer of regulated-industry credibility. Behind the scenes, analysis of sending infrastructure shows the attackers relied on a legitimate email delivery platform and likely a cloud‑hosted Windows virtual machine, sending from multiple attacker-controlled domains and addresses to improve deliverability and evade simple blocklists.

Multi-step attack chain: CAPTCHAs, redirects, and AiTM

Figure: PDF attachment

Each phishing email includes a PDF attachment with names such as “Awareness Case Log File – Tuesday 14th, April 2026.pdf” or “Disciplinary Action – Employee Device Handling Case.pdf.” These PDFs present more pseudo-compliance context and direct users to click a “Review Case Materials” link, which kicks off the actual credential theft flow.

Figure: CAPTCHA challenge

When clicked, victims are first sent to attacker-controlled domains like acceptable-use-policy-calendly[.]de or compliance-protectionoutlook[.]de, where they see a Cloudflare-style CAPTCHA claiming to “validate that the user is coming from a valid session.”

This initial CAPTCHA gate is more than window dressing: it helps filter out automated analysis tools and sandbox environments that might otherwise flag or detonate the link. After passing this step, users are forwarded to an intermediate page that explains the supposed documentation is encrypted and requires account authentication, priming them for the next stage.

Figure: Intermediate site asking users to click “Review & Sign”

Users then click a “Review & Sign” button, enter their email address on a prompt, and complete a second image-based CAPTCHA, after which a message declares that “verification completed successfully” and that the compliance case is being prepared.

Figure: Prompt directing users to enter their email address
Figure: Second CAPTCHA challenge

From there, traffic is redirected again to a third site that tailors the final page depending on whether the victim is on mobile or desktop. On this final page, users are told the case materials are “securely logged,” time-stamped, and stored in the organization’s compliance tracking system, and asked to schedule a time to discuss the matter by signing in.

Figure: Message telling users that “Verification completed successfully”

When users pick “Sign in with Microsoft,” the workflow launches an adversary‑in‑the‑middle session that proxies the legitimate Microsoft sign-in experience, allowing attackers to capture authentication tokens in real time and effectively bypass non–phishing-resistant MFA.

Figure: Final page instructing users to sign in

Why AiTM token theft matters more than passwords

Unlike older phishing that simply grabs usernames and passwords from fake login pages, AiTM attacks insert a malicious proxy between the user and the real sign-in endpoint. When the victim signs in—including providing MFA codes—the attacker’s infrastructure relays the traffic upstream and harvests the resulting session tokens, giving them immediate, legitimate-looking access to Microsoft 365 resources. With valid tokens in hand, threat actors can sign in as the user, access email, and move laterally while looking like normal traffic, even if passwords are never changed or MFA remains technically enabled.

Figure: Code used to redirect users based on platform

Previous Microsoft research on AI-enabled and device code phishing has shown that once tokens are obtained, attackers commonly pivot into email exfiltration and persistence, for example by creating inbox rules that hide or forward sensitive communications. They may also use Microsoft Graph APIs to map users, groups, and permissions, setting the stage for deeper reconnaissance, data theft, or business email compromise (BEC) while tokens remain valid. That combination—highly believable lures plus token-focused AiTM flows—makes this campaign particularly dangerous for organizations that still treat credential theft as the primary phishing outcome.

Microsoft’s recommended mitigations and Defender coverage

Microsoft’s guidance, based on this campaign, emphasizes that defenders must combine user education with advanced email and identity protections. Organizations are urged to review recommended settings for Exchange Online Protection and Microsoft Defender for Office 365, enable Zero-hour auto purge (ZAP) to retroactively quarantine messages found malicious after delivery, turn on Safe Links to re-check URLs at time of click, and turn on Safe Attachments to detonate attachments before they reach the mailbox. Microsoft also recommends enabling network protection in Defender for Endpoint and encouraging the use of browsers that support Microsoft Defender SmartScreen to block known malicious sites and redirects.

On the identity side, Microsoft continues to push passwordless authentication options like Windows Hello for Business, FIDO2 security keys, and Microsoft Authenticator, along with phishing-resistant MFA for high-value and privileged accounts enforced via Conditional Access policies. The distinction matters for this campaign: an Authenticator push or number-matching prompt is still triggered by the attacker’s relayed sign-in and can be approved straight through an AiTM proxy, whereas FIDO2 keys, passkeys, Windows Hello for Business, and certificate-based authentication bind the credential to the real sign-in origin and fail on the attacker’s domain. For organizations with Microsoft Defender XDR, Microsoft highlights automatic attack disruption to contain active intrusions and a set of advanced hunting queries that can identify campaign-related emails by sender, URLs, or attachment names like “Awareness Case Log File – Monday 13th, April 2026.pdf.” Defender detections span the full kill chain, from malicious URL clicks and suspicious email volumes in Defender for Office 365 to anomalous token usage and impossible travel alerts in Entra ID Protection and Defender for Cloud Apps.
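The lure description earlier (display names, subject lines, the “reviewed and approved for secure access” notice, the Paubox banner, the attachment names, and the first-hop domains) and the hunting guidance above both come down to the same job: deciding whether a given message belongs to this campaign. The script below is an added example, not Microsoft’s hunting query or any Defender feature, that scores constructed email records against the indicators quoted on this page. Exact indicators (sender addresses, sender domain, first-hop URL domains, display names) carry enough weight to flag on their own; the looser lure phrases only add weight, so a sibling wave from fresh infrastructure can still trip the threshold while an ordinary IT ticket mentioning a “case log” does not. The record shape, the weights, the threshold, and the sample messages are all assumptions made for the example.

```python
"""Score constructed email records against the 'code of conduct' campaign indicators.

Added example (not a Microsoft query). Indicator strings are the ones quoted in the
article; weights, threshold and sample records are assumptions for illustration.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as compliance-protectionoutlook[.]de into a hostname."""
    return indicator.replace("[.]", ".").lower()


# Exact indicators from the write-up as quoted on this page.
SENDER_ADDRESSES = {"cocpostmaster@cocinternal.com", "nationaladmin@gadellinet.com"}
SENDER_DOMAINS = {refang("cocinternal[.]com")}
URL_DOMAINS = {refang("acceptable-use-policy-calendly[.]de"), refang("compliance-protectionoutlook[.]de")}
DISPLAY_NAMES = {"internal regulatory coc", "workforce communications", "team conduct report"}

# Lure phrasing from the same write-up; weaker evidence, so it only adds weight.
SUBJECT_PATTERNS = [re.compile(p, re.I) for p in (r"\bconduct policy\b", r"\bnon-compliance case log\b", r"\bcase log\b")]
ATTACHMENT_PATTERNS = [re.compile(p, re.I) for p in (r"^Awareness Case Log File", r"^Disciplinary Action", r"\bCase Log\b")]
BODY_PATTERNS = [re.compile(p, re.I) for p in (r"code of conduct review", r"authorized internal channel",
                                               r"reviewed and approved for secure access", r"\bPaubox\b")]

W_EXACT, W_DISPLAY, W_SUBJECT, W_ATTACHMENT, W_BODY = 10, 4, 2, 3, 1
FLAG_THRESHOLD = 8  # assumption: one exact hit, or several lure signals together


@dataclass
class EmailEvent:
    sender: str
    display_name: str
    subject: str
    body: str = ""
    attachments: list = field(default_factory=list)
    urls: list = field(default_factory=list)


def score_email(ev: EmailEvent):
    """Return (score, reasons) for one message; higher means closer to the campaign template."""
    score, reasons = 0, []
    sender = ev.sender.lower()
    if sender in SENDER_ADDRESSES:
        score += W_EXACT; reasons.append(f"known sender {sender}")
    elif sender.rpartition("@")[2] in SENDER_DOMAINS:
        score += W_EXACT; reasons.append(f"known sender domain {sender.rpartition('@')[2]}")
    for url in ev.urls:
        host = (urlsplit(url).hostname or "").lower()
        if host in URL_DOMAINS:
            score += W_EXACT; reasons.append(f"known first-hop domain {host}")
    if ev.display_name.lower() in DISPLAY_NAMES:
        score += W_DISPLAY; reasons.append(f"campaign display name '{ev.display_name}'")
    for pat in SUBJECT_PATTERNS:
        if pat.search(ev.subject):
            score += W_SUBJECT; reasons.append(f"subject matches {pat.pattern}")
    for name in ev.attachments:
        for pat in ATTACHMENT_PATTERNS:
            if pat.search(name):
                score += W_ATTACHMENT; reasons.append(f"attachment '{name}' matches {pat.pattern}")
    for pat in BODY_PATTERNS:
        if pat.search(ev.body):
            score += W_BODY; reasons.append(f"body matches {pat.pattern}")
    return score, reasons


def is_campaign_hit(ev: EmailEvent) -> bool:
    return score_email(ev)[0] >= FLAG_THRESHOLD


# Constructed sample messages (not real captures).
SAMPLE_EVENTS = [
    EmailEvent("cocpostmaster@cocinternal.com", "Internal Regulatory COC",
               "Internal case log issued under conduct policy",
               "A code of conduct review has been opened for your organization. This message was issued through "
               "an authorized internal channel. Links and attachments have been reviewed and approved for secure "
               "access. Encrypted by Paubox.",
               ["Awareness Case Log File – Tuesday 14th, April 2026.pdf"]),
    EmailEvent("hr@contoso.example", "HR Team", "Reminder: annual code of conduct training due",
               "Please complete the code of conduct training module by Friday."),
    EmailEvent("notices@conduct-notices.example", "Team Conduct Report",
               "Reminder: employer opened a non-compliance case log",
               "Links in this message were reviewed and approved for secure access.",
               ["Disciplinary Action – Employee Device Handling Case.pdf"]),
    EmailEvent("it-support@contoso.example", "IT Support", "Case log export ready for download",
               "Your export of the service desk case log is attached.", ["case-log-export.csv"]),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        s, why = score_email(ev)
        print(f"{'FLAG ' if s >= FLAG_THRESHOLD else 'pass '}{s:>3}  {ev.sender}  {why}")
```

The third sample is the interesting one: nothing in it matches a published indicator, yet the display name, subject wording, and attachment name together clear the threshold, which is the kind of generalisation a hunting query keyed only on sender addresses would miss. Tune the weights against your own mail flow before treating the threshold as an alerting rule.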

Using Microsoft Security Copilot and threat intelligence

Microsoft is also positioning Security Copilot as a key tool for handling complex phishing incidents like this at scale. Embedded in Microsoft Defender, Security Copilot can summarize incidents, analyze files and scripts, generate hunting queries, and produce device and identity summaries so analysts can move from detection to containment faster. Specialized AI agents such as the Phishing Triage agent, Threat Hunting agent, and Dynamic Threat Detection agent are designed to offload repetitive or time‑consuming workflows from security teams.

For strategic context, Microsoft Defender XDR customers can tap dedicated threat analytics reports on adversary-in-the-middle credential phishing and evolving phishing threats, which bundle attacker TTPs, protection guidance, and recommended remediation actions. Security Copilot’s integration with Microsoft Defender Threat Intelligence also lets customers ask natural-language questions about this campaign, investigate related indicators like domains (compliance-protectionoutlook[.]de, cocinternal[.]com) or sender addresses (cocpostmaster@cocinternal.com, nationaladmin@gadellinet.com), and pivot directly into hunting.

For Microsoft 365 shops, this latest “code of conduct” phishing AiTM campaign is a reminder that sophisticated phishing is no longer just about catching users off guard—it’s about outmaneuvering modern defenses and exploiting trust in internal processes, making layered email, identity, and AI-assisted response capabilities increasingly critical.


I'm Dave W. Shanahan, a Microsoft enthusiast with a passion for Windows, Xbox, Microsoft 365 Copilot, Azure, and more. I started MSFTNewsNow.com to keep the world updated on Microsoft news. Based in Massachusetts, you can email me at davewshanahan@gmail.com.