Fake Compliance Emails Used to Gain Trust
Microsoft is warning about a sophisticated phishing campaign that targeted over 35,000 users across more than 13,000 organizations in 26 countries, with 92% of the attacks aimed at organizations in the United States.
According to a May 4 announcement from Microsoft, the phishing attempts occurred between April 14 and 16. While multiple industries were affected, healthcare and life sciences organizations accounted for 19% of the attacks, alongside targets in the financial services, professional services, and technology sectors.
The phishing campaign used “code of conduct review” and compliance-themed emails to create a sense of urgency and legitimacy.
Attackers sent messages using display names such as:
⋅ “Internal Regulatory COC”
⋅ “Team Conduct Report”
⋅ “Workforce Communications”
Subject lines included phrases like:
⋅ “Internal case log issued under conduct policy”
⋅ “Reminder: employer opened a non-compliance case log”
The emails instructed recipients to review attached PDF files labeled “Awareness Case Log File” or “Disciplinary Action.” The PDFs then directed users to malicious websites designed to steal Microsoft account credentials and authentication tokens.
Multi-Stage Phishing Attack Designed to Evade Detection
Microsoft said the attack chain was highly sophisticated and included multiple stages intended to appear legitimate and bypass automated defenses. Victims who clicked the link were first taken to a Cloudflare CAPTCHA page, which Microsoft believes helped shield the phishing infrastructure from automated analysis. Users were then directed through additional verification steps before ultimately being prompted to sign in to their Microsoft accounts.
The final stage used adversary-in-the-middle (AiTM) phishing techniques to intercept authentication traffic in real time. In practice the phishing site acts as a reverse proxy between the victim and the genuine Microsoft sign-in page: it forwards the password and the MFA response the user supplies, lets the legitimate service complete the login, and captures the session cookie or token the service returns. “Unlike traditional credential harvesting, AiTM attacks intercept authentication traffic in real time, bypassing non-phishing-resistant multifactor authentication (MFA),” Microsoft noted. Because the stolen token already carries proof that MFA was completed, attackers may gain immediate access to accounts even when MFA is enabled, unless the organization uses phishing-resistant methods such as FIDO2 security keys or passkeys, which tie the authentication to the genuine site’s origin.
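The difference between MFA that an AiTM proxy can relay and MFA that it cannot comes down to origin binding. The short Python illustration below is added here and is not code from Microsoft’s advisory. It simulates a FIDO2/WebAuthn assertion, in which the browser (not the page) records the site origin inside the signed client data, and contrasts it with a one-time passcode that carries no such binding. The authenticator signature is stood in for by HMAC-SHA256 so the script runs with the standard library alone, and the phishing host name `login-verify.example` is hypothetical.

```python
"""Why AiTM phishing relays OTP-based MFA but fails against FIDO2/WebAuthn.

Added illustration, not code from Microsoft's report. HMAC-SHA256 stands in
for the authenticator's real key pair so this runs with the standard library.
"""
import hashlib
import hmac
import json
import secrets

LEGIT_ORIGIN = "https://login.microsoftonline.com"  # the genuine identity provider
PHISH_ORIGIN = "https://login-verify.example"        # hypothetical AiTM proxy host


def authenticator_sign(cred_key: bytes, challenge: str, browser_origin: str) -> dict:
    """Simulated browser + FIDO2 authenticator producing an assertion.

    The browser fills in 'origin' from its own address bar; a page served by
    the proxy cannot choose a different value.
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
        sort_keys=True,
    ).encode()
    digest = hashlib.sha256(client_data).digest()
    # Real authenticators sign authenticatorData || sha256(clientDataJSON)
    # with the credential's private key; HMAC stands in for that here.
    signature = hmac.new(cred_key, digest, hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": signature}


def rp_verify(cred_key: bytes, expected_challenge: str, assertion: dict) -> bool:
    """Relying-party (identity provider) side of assertion verification."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False
    # Origin binding: an assertion produced on any other site is rejected.
    if cd.get("origin") != LEGIT_ORIGIN:
        return False
    digest = hashlib.sha256(assertion["client_data"]).digest()
    expected_sig = hmac.new(cred_key, digest, hashlib.sha256).hexdigest()
    return hmac.compare_digest(assertion["signature"], expected_sig)


def rewrite_origin(assertion: dict, new_origin: str) -> dict:
    """What a proxy might try: patch the origin field after the fact."""
    cd = json.loads(assertion["client_data"])
    cd["origin"] = new_origin
    return {"client_data": json.dumps(cd, sort_keys=True).encode(),
            "signature": assertion["signature"]}  # signature no longer matches


def otp_verify(expected_code: str, submitted_code: str) -> bool:
    """A one-time passcode carries no origin; whoever relays it is accepted."""
    return hmac.compare_digest(expected_code, submitted_code)


def run_scenarios() -> dict:
    cred_key = secrets.token_bytes(32)     # the user's registered FIDO2 credential
    challenge = secrets.token_urlsafe(32)  # issued by the genuine identity provider

    # 1. The user signs in directly on the genuine site.
    direct = authenticator_sign(cred_key, challenge, LEGIT_ORIGIN)

    # 2. AiTM: the proxy relays the challenge to the victim, whose browser is on
    #    PHISH_ORIGIN, then relays the resulting assertion to the real site.
    #    (A real browser would refuse even earlier, because the credential's
    #    RP ID does not match the phishing host.)
    relayed = authenticator_sign(cred_key, challenge, PHISH_ORIGIN)

    # 3. The proxy tries to hide the mismatch by editing the origin field.
    rewritten = rewrite_origin(relayed, LEGIT_ORIGIN)

    # 4. Same relay with a six-digit TOTP/SMS code: nothing ties it to a site.
    otp = "492817"
    return {
        "fido2_direct": rp_verify(cred_key, challenge, direct),
        "fido2_via_aitm": rp_verify(cred_key, challenge, relayed),
        "fido2_aitm_rewritten_origin": rp_verify(cred_key, challenge, rewritten),
        "otp_via_aitm": otp_verify(otp, otp),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:28} -> {'accepted' if accepted else 'rejected'}")
```

Only the direct FIDO2 sign-in and the relayed OTP are accepted; the relayed FIDO2 assertion fails on the origin check, and editing the origin breaks the signature. That is the whole reason phishing-resistant MFA is the control that matters against this campaign.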
Microsoft Identifies Sophisticated Attack Infrastructure
Microsoft’s analysis found that the phishing emails were sent through a legitimate email delivery service, likely originating from a cloud-hosted Windows virtual machine. The campaign also used multiple attacker-controlled domains to distribute messages.
The use of trusted infrastructure makes these attacks more difficult for organizations and users to identify.
Steps Organizations Should Take to Reduce Phishing Risk
Microsoft urged organizations to strengthen defenses against phishing and AiTM attacks by:
- Providing regular phishing awareness training
- Conducting phishing simulations
- Removing suspicious emails tied to known malicious URLs or subject lines
- Enabling passwordless authentication where possible
- Implementing phishing-resistant MFA solutions
- Monitoring for suspicious authentication activity and token misuse
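The last item, monitoring for token misuse, is the one most organizations find hardest to turn into a concrete rule. The following Python example, added here and not taken from Microsoft’s or PrivaPlan’s material, shows the core logic of one such detection: a session whose MFA was completed from one IP address and whose token is then used from a different address shortly afterwards, which is the footprint an AiTM proxy leaves when the attacker replays the captured session. The log lines are constructed for the example, with a simplified field layout that is an assumption rather than the Entra ID sign-in schema; the same logic can be expressed as a hunting query over the real sign-in logs.

```python
"""Detect a session token used from a different IP than the one that passed MFA.

Added example, not Microsoft's or PrivaPlan's code. SAMPLE_LOGS is constructed
for illustration and its field names are assumptions, not a product schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (documentation IP ranges). One JSON object per line.
# "mfa": "completed" = the user satisfied MFA interactively on this request;
# "mfa": "claim_in_token" = MFA was satisfied by a previously issued token.
SAMPLE_LOGS = """\
{"time":"2025-04-15T09:02:11Z","user":"a.lee@contoso.example","ip":"203.0.113.10","session":"s-1","interactive":true,"mfa":"completed"}
{"time":"2025-04-15T09:02:40Z","user":"a.lee@contoso.example","ip":"203.0.113.10","session":"s-1","interactive":false,"mfa":"claim_in_token"}
{"time":"2025-04-15T09:03:05Z","user":"a.lee@contoso.example","ip":"198.51.100.77","session":"s-1","interactive":false,"mfa":"claim_in_token"}
{"time":"2025-04-15T09:10:00Z","user":"b.ng@contoso.example","ip":"192.0.2.55","session":"s-2","interactive":true,"mfa":"completed"}
{"time":"2025-04-15T14:30:00Z","user":"b.ng@contoso.example","ip":"192.0.2.55","session":"s-2","interactive":false,"mfa":"claim_in_token"}
{"time":"2025-04-15T11:00:00Z","user":"c.doe@contoso.example","ip":"192.0.2.9","session":"s-3","interactive":true,"mfa":"completed"}
{"time":"2025-04-15T17:30:00Z","user":"c.doe@contoso.example","ip":"203.0.113.200","session":"s-3","interactive":false,"mfa":"claim_in_token"}
"""


def parse_events(log_text: str) -> list:
    """Parse JSON lines into dicts with a real datetime, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["time"] = datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    events.sort(key=lambda e: e["time"])
    return events


def detect_token_reuse(log_text: str, window: timedelta = timedelta(hours=1)) -> list:
    """Flag sessions whose token is used from a new IP soon after MFA.

    The window keeps ordinary roaming (same session, new network hours later)
    from alerting; a stolen AiTM session is typically replayed within minutes.
    """
    findings = []
    by_session = defaultdict(list)
    for event in parse_events(log_text):
        by_session[(event["user"], event["session"])].append(event)

    for (user, session), events in by_session.items():
        # The anchor is the request on which MFA was actually performed.
        anchors = [e for e in events if e["interactive"] and e["mfa"] == "completed"]
        if not anchors:
            continue  # no MFA event to compare against; outside this rule's scope
        anchor = anchors[0]
        for event in events:
            if event["mfa"] != "claim_in_token" or event["ip"] == anchor["ip"]:
                continue
            age = event["time"] - anchor["time"]
            if timedelta(0) <= age <= window:
                findings.append({
                    "user": user,
                    "session": session,
                    "mfa_ip": anchor["ip"],
                    "reuse_ip": event["ip"],
                    "seconds_after_mfa": int(age.total_seconds()),
                })
    return findings


if __name__ == "__main__":
    for finding in detect_token_reuse(SAMPLE_LOGS):
        print(json.dumps(finding))
```

On the sample data only session s-1 is flagged: MFA completed from 203.0.113.10 and the token used 54 seconds later from 198.51.100.77. Session s-3 also changes IP but six and a half hours later, outside the window, which is the trade-off to tune against your own users’ roaming patterns. Note that during an AiTM attack the anchor IP itself is the proxy’s, so pairing this rule with a check for interactive sign-ins from hosting-provider ranges strengthens it.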
It’s also important for organizations to “have a process in place for end users to report suspicious emails and to ensure end users are fully aware of how to report them,” said Jo Bradley, PrivaPlan Cybersecurity Coordinator and Senior Analyst.
She added that employees should pay attention to whether an email includes a banner indicating it originated outside the organization. External email banners are security warnings added by IT administrators to messages coming from servers outside the organization and serve as a cautionary alert to help users recognize potential phishing or impersonation attempts.
Bradley also emphasized the importance of ongoing employee awareness training: “Never download attachments, click links, or respond to any email sent to you that you do not know or were not expecting. If you use MFA but did not request it, do not authenticate.”
Why Advanced Phishing Attacks Continue to Grow
The scale and sophistication of this campaign underscore how phishing continues to evolve beyond simple credential theft. Attackers are increasingly combining social engineering, legitimate cloud infrastructure, CAPTCHA verification, and real-time session interception to evade traditional security controls.
For organizations heavily reliant on Microsoft 365 environments, the campaign serves as another reminder that employee awareness and modern authentication protections remain critical components of cybersecurity defenses.
Managed Phishing Testing & Cybersecurity Awareness Training
At PrivaPlan, we understand the cyber threat landscape and the importance of safeguarding sensitive information. That’s why we offer managed phishing and cybersecurity awareness training services.