Code of Conduct Phishing Targets 35,000 Users in AiTM Attack
Key Takeaways A sophisticated phishing operation, dubbed “Code of Conduct” phishing, targeted over 35,000 users across 13,000 organizations in 26 countries. The attack employed an...
Key Takeaways
- A sophisticated phishing operation, dubbed “Code of Conduct” phishing, targeted over 35,000 users across 13,000 organizations in 26 countries.
- The attack employed an Adversary-in-the-Middle (AiTM) technique to bypass standard multi-factor authentication (MFA) by hijacking active authentication sessions.
- The campaign leveraged highly convincing email templates and multi-stage landing pages, masquerading as internal compliance notices.
- The primary targets were organizations in the U.S., particularly within healthcare, financial services, and technology sectors.
“Code of Conduct” Phishing Campaign Leverages AiTM to Bypass MFA for 35,000 Users
A widespread and cunning phishing campaign recently compromised an estimated 35,000 users across more than 13,000 organizations in 26 countries. The attackers utilized fake “code of conduct” emails to lure employees into revealing their credentials, subsequently employing an advanced Adversary-in-the-Middle (AiTM) technique to hijack active authentication sessions, rendering traditional multi-factor authentication (MFA) largely ineffective.
Table Of Content
The campaign unfolded between April 14 and April 16, 2026, with the United States bearing the brunt of the assault, accounting for 92% of all affected individuals. Key industries impacted included healthcare and life sciences (19%), financial services (18%), professional services (11%), and technology and software (11%).
Anatomy of a Sophisticated Phishing Lure
The malicious emails were disseminated in several distinct waves, commencing at 06:51 UTC on April 14 and concluding at 03:54 UTC on April 16. These messages were meticulously crafted to imitate official internal compliance or regulatory communications. Display names such as “Internal Regulatory COC,” “Workforce Communications,” and “Team Conduct Report” were used to enhance credibility.
Subject lines, including “Internal case log issued under conduct policy,” were designed to create a sense of urgency and concern, warning recipients that a code of conduct review had been initiated against them. Each email instructed users to open an attached personalized PDF to review their supposed case materials. A green banner at the bottom of the emails falsely claimed that the content was encrypted using Paubox, a legitimate HIPAA-compliant service, further lending an air of professionalism and trustworthiness to the scheme.
Analysts at Microsoft Defender Research meticulously tracked this campaign across numerous organizations. They observed that the emails were distributed via a legitimate email delivery service and likely originated from a cloud-hosted Windows virtual machine. The research team identified attacker-controlled sending domains, such as [email protected] and [email protected]. Researchers also highlighted the use of polished, enterprise-style HTML layouts with pre-emptive authenticity statements, making these phishing attempts remarkably more convincing than typical malicious messages.
Upon opening the attached PDF, which bore filenames like “Awareness Case Log File – Tuesday 14th, April 2026.pdf” and “Disciplinary Action – Employee Device Handling Case.pdf,” recipients were directed to click a “Review Case Materials” link. This link led to attacker-controlled landing pages, hosted on domains such as compliance-protectionoutlook[.]de, where a Cloudflare CAPTCHA was presented. This initial CAPTCHA served to filter out automated security tools and sandboxes, allowing only human users to proceed.
Inside the Multi-Stage Attack Chain
After successfully navigating the first CAPTCHA, users were redirected to an intermediary page. This page falsely claimed that the requested documentation was encrypted and required account verification. Users were prompted to click a “Review and Sign” button, then enter their email address, followed by a second image-selection CAPTCHA. Once these steps were completed, a confirmation message assured users that their “case” was being prepared.
The final stage of the attack varied slightly depending on whether the user was accessing the site from a mobile device or a desktop. In both scenarios, users were informed that their case materials had been “securely logged” and “time-stamped,” and they were asked to sign in to schedule a discussion. Clicking “Sign in with Microsoft” launched a genuine Microsoft authentication page; however, the crucial element of the attack was that the entire session was being proxied in real-time by the attacker.
This real-time proxying is the essence of an AiTM attack. The attacker positions themselves between the user and the legitimate service, intercepting and capturing authentication tokens the very moment they are issued. These stolen tokens grant direct account access without requiring the user’s password again, effectively bypassing standard MFA mechanisms entirely.
What You Should Do
- Enhance Email Protection: Review and optimize settings for Exchange Online Protection and enable Zero-hour auto purge (ZAP) in Defender for Office 365 to quarantine malicious messages post-delivery.
- Implement Advanced Threat Protection: Turn on Safe Links and Safe Attachments to add an extra layer of detection for phishing links embedded in PDFs.
- Strengthen Endpoint Security: Enable network protection in Microsoft Defender for Endpoint and encourage the use of browsers that support SmartScreen to block access to attacker-controlled domains.
- Adopt Phishing-Resistant MFA: Migrate to phishing-resistant MFA methods such as FIDO keys, Windows Hello, or the Microsoft Authenticator app. Apply Conditional Access policies to fortify privileged accounts.
- Conduct User Awareness Training: Regularly run user awareness training and phishing simulation exercises to educate staff on recognizing social engineering tactics like those seen in this campaign.
- Automate Attack Disruption: Configure automatic attack disruption in Microsoft Defender XDR to limit the impact of active intrusions while security teams work to contain the threat.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.