
Microsoft Flags Massive Global Phishing Campaign Targeting 35,000 Users


A recent disclosure by Microsoft has revealed the scale and sophistication of a global phishing campaign that targeted over 35,000 users across 13,000 organisations. The attack, which took place between April 14 and 16, relied on deceptive compliance-themed emails and advanced adversary-in-the-middle (AiTM) techniques to gain unauthorised access to user accounts.

According to the company, most victims were based in the United States, although the campaign extended across 26 countries and impacted multiple industries. Unlike traditional phishing attempts, this operation combined polished social engineering tactics with layered technical methods, making it particularly difficult to detect.

How the attack unfolded

The attackers impersonated internal communications, sending emails disguised as official HR or compliance notices. Subject lines such as “Internal Regulatory COC” and “Workforce Communications” were used to create a sense of urgency and legitimacy. These emails encouraged recipients to open a PDF attachment that supposedly contained details about a code-of-conduct review.

Once opened, the attachment prompted users to click a link to access further information, setting off a carefully designed multi-step attack chain. Instead of leading directly to a fake login page, users encountered several intermediate steps intended to mimic legitimate processes.

Victims were first directed to CAPTCHA verification screens, likely designed to block automated security systems. They were then shown pages claiming the content was encrypted and required authentication. The process involved entering email credentials and completing additional verification steps before reaching the final login page.

Why AiTM attacks are especially dangerous

At the final stage, users were redirected to what appeared to be a legitimate Microsoft sign-in page. However, this was part of an AiTM phishing setup. In such attacks, cybercriminals position themselves between the user and the actual service, intercepting authentication data in real time.

Microsoft explained that this technique allows attackers to capture session tokens, enabling them to access accounts without needing passwords later. This makes AiTM attacks significantly more dangerous than conventional phishing methods, as they can bypass some multi-factor authentication protections.
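The sketch below is an added example, not taken from Microsoft's disclosure or from this article. It shows one defender-side heuristic for the token theft described above: flag a session that reappears from a different IP address together with a different country or client. The event tuples, field order and session identifiers are constructed assumptions, not a real log schema.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sign-in events (time, user, session id, IP, country, client).
# The field layout is an assumption for illustration, not a vendor log format.
EVENTS = [
    ("2024-01-10T09:02:11", "alice@example.com", "sess-a1", "198.51.100.20", "US", "Edge/Windows"),
    ("2024-01-10T09:40:03", "alice@example.com", "sess-a1", "198.51.100.20", "US", "Edge/Windows"),
    ("2024-01-10T09:05:47", "bob@example.com", "sess-b7", "203.0.113.9", "US", "Chrome/macOS"),
    ("2024-01-10T09:11:30", "bob@example.com", "sess-b7", "192.0.2.77", "NL", "python-requests"),
    ("2024-01-10T10:00:00", "carol@example.com", "sess-c3", "198.51.100.44", "US", "Safari/iOS"),
    ("2024-01-10T18:30:00", "carol@example.com", "sess-c3", "198.51.100.90", "US", "Safari/iOS"),
]


def find_session_reuse(events):
    """Flag sessions later seen from a new IP plus a new country or client.

    The earliest event of each session is the baseline. An IP change alone is
    ignored because roaming and VPNs cause it routinely.
    """
    by_session = defaultdict(list)
    for ts, user, sid, ip, country, client in events:
        by_session[sid].append((datetime.fromisoformat(ts), user, ip, country, client))

    alerts = []
    for sid, rows in by_session.items():
        rows.sort()  # chronological order; first row is the baseline
        _, user, ip0, country0, client0 = rows[0]
        for when, _, ip, country, client in rows[1:]:
            if ip == ip0:
                continue
            reasons = []
            if country != country0:
                reasons.append("country")
            if client != client0:
                reasons.append("user_agent")
            if reasons:
                alerts.append({"session_id": sid, "user": user, "ip": ip,
                               "time": when.isoformat(), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(EVENTS):
        print(alert)
```

A hit is a lead for investigation, not proof of compromise; the usual response is to revoke the session and require the user to sign in again.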

Who was affected

The campaign cast a wide net rather than targeting a single sector. Healthcare and life sciences organisations accounted for 19 per cent of targets, followed by financial services at 18 per cent. Professional services and technology sectors each made up 11 per cent of those affected.

Growing complexity of phishing threats

Microsoft noted that phishing campaigns are evolving rapidly, moving beyond simple fraudulent emails to complex, multi-layered operations. The use of familiar corporate language, realistic formatting, and multiple verification steps increases the likelihood of users trusting these messages.

Recommended safeguards

To mitigate such risks, Microsoft advised organisations to enhance email security configurations and deploy tools like Safe Links and Safe Attachments. It also stressed the importance of adopting phishing-resistant authentication methods and raising user awareness about evolving cyber threats.

AI’s role in emerging cyber risks

The warning aligns with a recent advisory from India’s CERT-In, which highlighted the growing role of advanced AI systems in cyberattacks. As AI tools become capable of executing multi-step operations, they can also be used to automate phishing campaigns and reconnaissance efforts.

Together, these developments signal a shift toward more intelligent and adaptive cyber threats, where attackers combine psychological manipulation with advanced technologies to breach digital defenses more effectively.


