- Microsoft says a major phishing wave targeted over 35,000 users across 13,000 companies, mostly in the US
- Polished corporate-style emails with urgent messages were used to bypass security checks
- Victims were led through PDFs and CAPTCHAs to harvest Microsoft credentials in real time
Microsoft has warned of a large-scale phishing email campaign targeting primarily US-based organizations.
In a new in-depth report, Microsoft said it observed a new campaign between April 14 and 16, 2026, targeting more than 35,000 users across 13,000 companies. While the campaign touched 26 countries, more than nine out of ten emails (92%) went to US-based organizations.
Healthcare and life sciences companies were most affected (19%), followed by financial services (18%), professional services (11%) and technology and software (11%).
PDFs and tokens
“The emails in this campaign used polished corporate-style HTML templates with structured layouts and preemptive authentication statements, which made them appear more credible than typical phishing emails and increased their plausibility as legitimate internal communications,” Microsoft explained in the announcement.
“Because the messages contained accusations and repeated time-bound requests for action, the campaign created a sense of urgency and pressure to act.”
In these emails, the threat actors assumed various identities, such as “Internal Regulatory COC”, “Workforce Communications” or “Team Conduct Report”. The emails themselves were themed around “internal case logs”, various reminders and warnings about non-compliance.
“At the top of each message, a notice stated that the message was ‘issued through an authorized internal channel’ and that links and attachments had been ‘reviewed and approved for secure access,’ reinforcing the email’s alleged legitimacy,” Microsoft added.
The scammers apparently sent these emails from legitimate services, bypassing traditional protections like SPF, DKIM and DMARC. They also distributed PDF attachments through which they redirected victims to malicious landing pages.
People who opened the PDF files and clicked on the links within were first redirected through multiple CAPTCHAs, which created a false sense of legitimacy and filtered out bots and other automated scanning activity.
The final step harvested Microsoft credentials and tokens in real time, thus bypassing multi-factor authentication (MFA).
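Because these messages pass SPF, DKIM and DMARC, triage has to look at content rather than sender authentication. The following added example (not from Microsoft's report or this article) checks a message for the lure identities and banner phrases quoted above; `ORG_DOMAINS`, the addresses and the sample message are constructed assumptions.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Lure strings quoted in the article; ORG_DOMAINS is an assumed local setting.
LURE_NAMES = ("internal regulatory coc", "workforce communications",
              "team conduct report")
BANNER_PHRASES = ("issued through an authorized internal channel",
                  "reviewed and approved for secure access")
ORG_DOMAINS = {"example.com"}  # hypothetical: domains the organization owns


def triage(raw):
    """Return the list of campaign indicators found in one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    name, addr = parseaddr(str(msg.get("From", "")))
    external = addr.rpartition("@")[2].lower() not in ORG_DOMAINS
    if external and any(n in name.lower() for n in LURE_NAMES):
        hits.append("internal-sounding display name on external sender")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = " ".join(body.get_content().split()).lower() if body else ""
    if external and any(p in text for p in BANNER_PHRASES):
        hits.append("preemptive authentication banner")
    # A DMARC pass on a lure message is a finding, not a clearance.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if hits and "dmarc=pass" in auth:
        hits.append("lure content despite DMARC pass")
    if any(p.get_content_type() == "application/pdf"
           for p in msg.iter_attachments()):
        hits.append("PDF attachment")
    return hits


def build_sample():
    """Constructed message shaped like the lures the article describes."""
    m = EmailMessage()
    m["From"] = '"Workforce Communications" <notice@mailer.example.net>'
    m["To"] = "user@example.com"
    m["Subject"] = "Reminder: internal case log"
    m["Authentication-Results"] = "mx.example.com; spf=pass; dkim=pass; dmarc=pass"
    m.set_content("This message was issued through an authorized internal channel.")
    m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                     subtype="pdf", filename="case.pdf")
    return m.as_string()


if __name__ == "__main__":
    for hit in triage(build_sample()):
        print(hit)
```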



