SecureITWorld (1)

      Microsoft Reveals Multi-Stage Code of Conduct Phishing Campaign Targeting 35,000 Users


      Microsoft has disclosed details of a large-scale phishing campaign that used fake Code of Conduct emails to target users across multiple sectors. According to revelations made on May 4, 2026, the Microsoft Defender Research Team identified a series of sophisticated phishing campaigns between 14 and 16 April 2026, targeting over 35,000 users. 

      The campaign affected organizations in at least 26 countries and used multi-stage tactics to steal login credentials. The messages typically appeared authenticated but were sent from attacker-controlled domains. The campaign operated as a multi-step social engineering effort that led to credential theft across a broad audience.

      How Did the Code of Conduct Phishing Campaign Work? 

      According to Microsoft, attackers sent emails that appeared to come from trusted organizations. The messages claimed users had violated the company’s Code of Conduct and needed to review a document. 

      Once users clicked the link, they were redirected several times. Every stage was designed to avoid detection and appear legitimate. At the end, victims landed on a fake login page that mimicked Microsoft services.

      Findings also show that the phishing pages were designed to capture usernames, passwords, and session tokens. Such an approach allowed attackers to access accounts even if basic protections were in place. 

      Tactics Used by Attackers to Execute the Phishing Campaign: 

      The phishing campaign used layered techniques to evade security filters. Attackers hosted links on legitimate cloud platforms and compromised websites. They also used URL shorteners and redirect chains to hide the final site that users were sent to.

      Another tactic involved time-based delivery. The phishing pages were only active for limited periods, which made detection harder. Some links also checked the user’s location before showing the fake login page.   

      These methods helped the attackers avoid automated scanning tools and extend the campaign’s reach. 
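A defender can triage the redirect chain recorded for a clicked link (from a proxy log or sandbox run) against the traits described above. The following is an added example, not code from Microsoft or the original article; the shortener hosts, sample URLs and thresholds are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed lists for illustration; replace with your organization's own.
SHORTENERS = {"short.example", "lnk.example"}        # hypothetical shortener hosts
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com"}  # sign-in host you expect
LOGIN_HINTS = ("login", "signin", "sign-in", "oauth")

def host(url):
    return (urlsplit(url).hostname or "").lower()

def site(hostname):
    # Crude registrable-domain guess (last two labels); a production
    # version should use a public-suffix list instead.
    return ".".join(hostname.split(".")[-2:])

def triage_chain(hops):
    """hops: ordered URLs recorded for one click, first hop to final page."""
    hosts = [host(u) for u in hops]
    reasons = []
    if any(h in SHORTENERS for h in hosts[:-1]):
        reasons.append("shortener-hop")
    if len({site(h) for h in hosts}) >= 3:
        reasons.append("multi-site-chain")
    final = urlsplit(hops[-1])
    target = (final.path + "?" + final.query).lower()
    looks_like_login = any(hint in target for hint in LOGIN_HINTS)
    if looks_like_login and hosts[-1] not in TRUSTED_LOGIN_HOSTS:
        reasons.append("login-page-off-trusted-host")
    return reasons

# Constructed sample chains (not taken from the campaign).
SUSPICIOUS = [
    "https://short.example/a1",
    "https://files.cloud.example/shared/doc",
    "https://blog.compromised.example/r?id=7",
    "https://portal-review.example/signin/common",
]
BENIGN = [
    "https://intranet.contoso.example/policy",
    "https://login.microsoftonline.com/common/oauth2/authorize?client_id=x",
]

if __name__ == "__main__":
    print(triage_chain(SUSPICIOUS))
    print(triage_chain(BENIGN))
```

Because the pages were only active for limited periods and some links checked the user's location, a clean result at scan time is not conclusive; re-evaluate the chain at click time where possible.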

      Who Did the Phishing Campaign Target? 

      The Code of Conduct phishing campaign targeted over 35,000 users across 13,000 companies in 26 nations. Major industries included finance, healthcare, and education. The healthcare and life sciences sector saw a 19% impact, while the financial services sector saw 18%. Notably, the USA experienced the highest impact at 92%.


      Timeline of campaign messages sent by hour (Source: Microsoft) 


      Campaign recipients by country and industry (Source: Microsoft) 

      The distribution of phishing messages peaked between 6:51 UTC on April 14 and 3:54 UTC on April 16. As per the findings, the major impact was observed across organizations with large user bases. Microsoft stated that the attack was not limited to a single region. Instead, it spread globally, increasing its impact and complexity.  

      Shockingly, multi-stage phishing is becoming more sophisticated. Traditional email filters often detect simple phishing attempts. However, layered attacks like this one are harder to stop. 

      In response, Microsoft advised organizations to adopt stronger security measures. These include multi-factor authentication, phishing-resistant login systems, and user awareness training. The company also recommended monitoring unusual login activity and limiting access based on risk signals. Users are advised to verify unexpected emails and avoid clicking unknown links.
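Since the phishing pages captured session tokens as well as passwords, one form of "monitoring unusual login activity" is to flag a session that reappears from a different country or client. The following is an added example, not code from Microsoft or the original article; the event field names and sample records are constructed and must be mapped to your identity provider's log schema.

```python
from datetime import datetime

# Constructed sign-in events; field names are assumptions.
EVENTS = [
    {"time": "2026-04-14T07:02:00", "user": "a.lee", "session": "S1",
     "country": "US", "agent": "Edge/Windows"},
    {"time": "2026-04-14T07:10:00", "user": "a.lee", "session": "S1",
     "country": "NL", "agent": "python-client"},
    {"time": "2026-04-14T08:00:00", "user": "b.kim", "session": "S2",
     "country": "US", "agent": "Chrome/macOS"},
    {"time": "2026-04-14T08:20:00", "user": "b.kim", "session": "S2",
     "country": "US", "agent": "Chrome/macOS"},
]

def find_session_reuse(events):
    """Return (user, session, changed_fields, minutes_since_first_seen)
    for every event where an existing session shows a new country or client."""
    first_seen = {}
    alerts = []
    # ISO 8601 timestamps in one format sort correctly as strings.
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        key = (e["user"], e["session"])
        if key not in first_seen:
            first_seen[key] = (t, e["country"], e["agent"])
            continue
        t0, country0, agent0 = first_seen[key]
        changed = tuple(
            name
            for name, before, now in (
                ("country", country0, e["country"]),
                ("agent", agent0, e["agent"]),
            )
            if before != now
        )
        if changed:
            minutes = int((t - t0).total_seconds() // 60)
            alerts.append((e["user"], e["session"], changed, minutes))
    return alerts

if __name__ == "__main__":
    for alert in find_session_reuse(EVENTS):
        print(alert)
```

An alert here is a risk signal for step-up authentication or session revocation, not proof of compromise, since VPN use can also change the observed country.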

        Copyright © 2026 SecureITWorld . All rights reserved.
