“legitimacy, at the same time keeping out automated defenses. ultimately, it ends with a sign - in experience that leverages adversary ‑ in ‑ the ‑ middle ( aitm ) phishing tactics to harvest microsoft credentials and tokens in real - time, effectively allowing the threat actors t…”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1566.002Spearphishing Link
99%
“a mere 5 - 6 % by the end of the quarter. microsoft also said the operators of the tycoon 2fa phishing - as - a - service ( phaas ) platform have attempted to shift hosting providers and domain registration patterns following a coordinated disruption operation in march 2026. " to…”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1566.002Spearphishing Link
98%
“for 7 % of all malicious html attachments observed in the month. when opened, the html file redirected victims to an initial phishing page that screened the visitor before routing them to the final destination : a phishing page that presented a captcha challenge before serving a …”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1566.002Spearphishing Link
96%
“, the campaign created a sense of urgency and pressure to act. " the email messages used in the campaign employ lures related to code of conduct reviews, using display names like " internal regulatory coc, " " workforce communications, " and " team conduct report. " subject lines…”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1566.002Spearphishing Link
94%
“microsoft details phishing campaign targeting 35, 000 users across 26 countries microsoft has disclosed details of a large - scale credential theft campaign that has leveraged a combination of code of conduct - themed lures and legitimate email services to direct users to attacke…”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1566.001Spearphishing Attachment
83%
“one notable development observed in late march was the use of qr codes embedded directly in email bodies. business email compromise ( bec ) scams, on the other hand, exhibited more fluctuations, crossing more than 4 million in attack volume in march 2026, up from over 3. 5 millio…”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1566.002Spearphishing Link
78%
“one notable development observed in late march was the use of qr codes embedded directly in email bodies. business email compromise ( bec ) scams, on the other hand, exhibited more fluctuations, crossing more than 4 million in attack volume in march 2026, up from over 3. 5 millio…”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1566.002Spearphishing Link
63%
“amazon ses attacks lies in the fact that attackers aren ' t using suspicious or dangerous domains ; instead, they are leveraging infrastructure that both users and security systems have grown to trust, " kaspersky said. " by weaponizing this service, attackers avoid the effort of…”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1598Phishing for Information
50%
“microsoft details phishing campaign targeting 35, 000 users across 26 countries microsoft has disclosed details of a large - scale credential theft campaign that has leveraged a combination of code of conduct - themed lures and legitimate email services to direct users to attacke…”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1566Phishing
45%
“for 7 % of all malicious html attachments observed in the month. when opened, the html file redirected victims to an initial phishing page that screened the visitor before routing them to the final destination : a phishing page that presented a captcha challenge before serving a …”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1584.001Domains
38%
“amazon ses attacks lies in the fact that attackers aren ' t using suspicious or dangerous domains ; instead, they are leveraging infrastructure that both users and security systems have grown to trust, " kaspersky said. " by weaponizing this service, attackers avoid the effort of…”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
Summary
Microsoft has disclosed details of a large-scale credential theft campaign that has leveraged a combination of code of conduct-themed lures and legitimate email services to direct users to attacker-controlled domains and steal authentication tokens.
The multi-stage campaign, observed between April 14 and 16, 2026, targeted more than 35,000 users across over 13,000 organizations in 26 countries,