Microsoft’s Defender Security Research and Threat Intelligence teams have sounded the alarm on a massive, highly sophisticated credential theft campaign that successfully bypassed traditional security controls to target tens of thousands of users worldwide. Between April 14 and 16, 2026, the attackers launched a multi-wave assault, hitting over 13,000 organizations in 26 countries.
The attackers utilized “code of conduct-themed lures” to strike at the heart of corporate compliance. Using authoritative display names like “Internal Regulatory COC” and “Workforce Communications,” the emails claimed a “code of conduct review” had been initiated against the recipient.
To bypass the user’s natural skepticism, the messages were meticulously crafted with:
- Preemptive Authenticity: Notices at the top stated the message was “issued through an authorized internal channel”.
- Urgency and Pressure: Subject lines like “Reminder: employer opened a non-compliance case log” created immediate anxiety.
- Brand Hijacking: The emails included a green banner claiming encryption by Paubox, a legitimate HIPAA-compliant service, to reinforce the sensitive nature of the “disciplinary action”.
This was not a simple “click-and-steal” operation. The campaign utilized a multi-step attack chain designed to filter out automated security scanners while grooming the victim for the final theft.
- The PDF Payload: Emails contained a PDF attachment, such as “Disciplinary Action – Employee Device Handling Case.pdf,” which directed users to a “Review Case Materials” link.
- The CAPTCHA Gate: Clicking the link led to attacker-controlled domains (e.g., compliance-protectionoutlook[.]de) featuring a Cloudflare CAPTCHA. This “served as a gating mechanism to impede automated analysis and sandbox detonation”.
- The Intermediate Grooming: After the CAPTCHA, a staging page informed the user that the documentation was encrypted and required authentication to “Review & Sign”.
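The lure traits and attack-chain artifacts listed above translate directly into hunt logic. The script below is an added example written for this article, not Microsoft's detection rules: it scores mail metadata against the display names, subject wording, banner text, attachment name and link domains reported for the campaign, and alerts only when several traits coincide. The brand-domain allowlist, the alert threshold, the sender addresses and both sample messages are assumptions constructed for the example.

```python
"""Hunt for the lure traits described above in mail metadata.

Added example for this article, not Microsoft's detection logic. The
indicator strings come from the campaign description; the brand-domain
allowlist, the alert threshold and the two sample messages are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urlparse

DISPLAY_NAMES = {"internal regulatory coc", "workforce communications"}
SUBJECT_PHRASES = ("non-compliance case", "code of conduct review", "disciplinary action")
BODY_PHRASES = (
    "issued through an authorized internal channel",
    "review case materials",
    "review & sign",
)
ATTACHMENT_RE = re.compile(r"disciplinary action.*\.pdf$", re.IGNORECASE)
# Brands the lure borrows authority from, with the domains that really own them (assumed).
BRAND_DOMAINS: Dict[str, Tuple[str, ...]] = {
    "paubox": ("paubox.com",),
    "outlook": ("outlook.com", "microsoft.com", "office.com", "live.com"),
}
ALERT_THRESHOLD = 3  # one trait is common in real HR mail; several together are not


@dataclass
class Message:
    display_name: str
    sender: str
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)
    links: List[str] = field(default_factory=list)


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels): fine for .com/.de, wrong for co.uk-style suffixes."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def lure_indicators(msg: Message) -> List[str]:
    """Return every campaign trait present in one message, in a fixed order."""
    hits: List[str] = []
    if msg.display_name.strip().lower() in DISPLAY_NAMES:
        hits.append("display-name: authoritative compliance sender")
    subject = msg.subject.lower()
    if any(p in subject for p in SUBJECT_PHRASES):
        hits.append("subject: compliance/code-of-conduct pressure")
    body = msg.body.lower()
    for phrase in BODY_PHRASES:
        if phrase in body:
            hits.append(f"body: '{phrase}'")
    if any(ATTACHMENT_RE.search(name) for name in msg.attachments):
        hits.append("attachment: disciplinary-action PDF")
    link_hosts = {urlparse(url).hostname or "" for url in msg.links}
    for brand, owners in BRAND_DOMAINS.items():
        named = brand in body or any(brand in host for host in link_hosts)
        # The brand is invoked, yet no link actually goes to the brand's own domain.
        if named and link_hosts and not any(registrable(h) in owners for h in link_hosts):
            hits.append(f"brand mismatch: '{brand}' invoked, links go elsewhere")
    return hits


def should_alert(msg: Message) -> bool:
    return len(lure_indicators(msg)) >= ALERT_THRESHOLD


# Constructed samples. The phish reuses the display name, subject, banner text,
# attachment name and domain reported in the article; the sender address is made up.
PHISH = Message(
    display_name="Internal Regulatory COC",
    sender="notices@workforce-comms.example",
    subject="Reminder: employer opened a non-compliance case log",
    body=(
        "This message was issued through an authorized internal channel. "
        "Encrypted by Paubox. A code of conduct review has been initiated "
        "against you. Open the attached case file and select Review Case Materials."
    ),
    attachments=["Disciplinary Action - Employee Device Handling Case.pdf"],
    links=["https://compliance-protectionoutlook.de/review"],
)

BENIGN = Message(
    display_name="HR Team",
    sender="hr@corp.example",
    subject="Code of conduct review: annual acknowledgement due Friday",
    body="The revised code of conduct is on the intranet. Please read and acknowledge it.",
    attachments=[],
    links=["https://intranet.corp.example/policies/code-of-conduct"],
)

if __name__ == "__main__":
    for label, msg in (("phish", PHISH), ("benign", BENIGN)):
        print(label, should_alert(msg), lure_indicators(msg))
```

The brand-mismatch check is the one worth keeping even after the campaign's exact strings change: a message that invokes Paubox or imitates an Outlook hostname while every link resolves to an unrelated registrable domain is suspicious regardless of wording. The benign HR mail trips a single indicator and stays below the threshold, which is why the score counts coinciding traits rather than any one of them.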
The attack culminated in an Adversary-in-the-Middle (AiTM) flow. Unlike traditional phishing, which only captures whatever the user types into a fake form, an AiTM kit proxies the live authentication exchange between the user's browser and the real Microsoft sign-in service, so the victim sees genuine pages and a genuine MFA prompt.
As Microsoft researchers explain, “AiTM attacks intercept authentication traffic in real time, bypassing non-phishing-resistant multifactor authentication (MFA)”.
Because the proxy sits on the path, the attackers were able to “capture authentication tokens that could provide immediate account access”. A one-time code, SMS code or push approval does not help here: the user really does complete MFA, but the resulting session cookie or token is delivered to the proxy, which can replay it from the attacker's own machine.
While the campaign was global, it was heavily concentrated, with 92% of targets located in the United States. The attackers showed a clear preference for high-stakes industries:
- Healthcare & Life Sciences: 19%
- Financial Services: 18%
- Professional Services: 11%
- Technology & Software: 11%
Microsoft recommends a layered defense against these token-theft attacks:
- Advanced Anti-Phishing: Deploy solutions like Microsoft Defender for Office 365 to catch multi-stage chains.
- Browser Protection: Use Microsoft Edge or other browsers that support SmartScreen, and turn on network protection so that connections to known-malicious domains are blocked at the host even when the browser in use does not honor SmartScreen.
- Phishing-Resistant MFA: Move toward FIDO2 security keys, passkeys or Windows Hello for Business. These credentials are bound to the site's origin, so an assertion produced on an attacker's lookalike domain is not valid for the real sign-in service, which is what defeats AiTM proxying.
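The difference between the AiTM flow described earlier and the phishing-resistant MFA recommended here comes down to whether the browser's origin is part of what the user proves. The toy model below is an added example for this article, not Microsoft's or any vendor's code: a one-time code relayed through the proxy is accepted because nothing ties it to the page it was typed on, while an origin-bound assertion produced on the proxy's domain is rejected by the real service. It uses an HMAC over (challenge, origin) as a stand-in for a WebAuthn signature; the credential key, the session tokens and the two origins' roles are assumptions, with the proxy domain taken from the article.

```python
"""Why a relayed MFA code lets the proxy in and an origin-bound credential does not.

Toy model added for this article, not Microsoft's or any vendor's code. The
"authenticator" uses an HMAC over (challenge, origin) as a stand-in for a
WebAuthn signature, session tokens are random hex strings, and the credential
key is a made-up symmetric secret registered with the IdP at enrolment.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Set

REAL_ORIGIN = "https://login.microsoftonline.com"          # genuine sign-in service
PROXY_ORIGIN = "https://compliance-protectionoutlook.de"   # AiTM host named in the article


def assertion(key: bytes, challenge: str, origin: str) -> bytes:
    """Stand-in for a WebAuthn assertion: the origin the browser is on is part of what is signed."""
    return hmac.new(key, f"{challenge}|{origin}".encode(), hashlib.sha256).digest()


class IdentityProvider:
    """Toy sign-in service accepting either a one-time code or an origin-bound assertion."""

    def __init__(self) -> None:
        self.credential_key = secrets.token_bytes(32)  # the user's registered credential (toy)
        self.issued_codes: Set[str] = set()
        self.pending_challenges: Set[str] = set()
        self.sessions: Set[str] = set()

    def send_otp(self) -> str:
        """Issue a 6-digit code; in reality this goes to the user's phone or authenticator app."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.issued_codes.add(code)
        return code

    def login_with_otp(self, code: str) -> Optional[str]:
        # Nothing here ties the code to where the user typed it, so a relayed code is accepted.
        if code in self.issued_codes:
            self.issued_codes.discard(code)
            return self._new_session()
        return None

    def challenge(self) -> str:
        c = secrets.token_hex(16)
        self.pending_challenges.add(c)
        return c

    def login_with_assertion(self, challenge: str, tag: bytes) -> Optional[str]:
        """Accept only an assertion computed over this service's own origin."""
        if challenge not in self.pending_challenges:
            return None
        self.pending_challenges.discard(challenge)
        expected = assertion(self.credential_key, challenge, REAL_ORIGIN)
        return self._new_session() if hmac.compare_digest(expected, tag) else None

    def _new_session(self) -> str:
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token


def aitm_relay_otp(idp: IdentityProvider) -> Optional[str]:
    """Proxy relays the victim's one-time code verbatim and keeps the resulting session."""
    code = idp.send_otp()            # IdP sends the code to the victim
    typed_on_proxy_page = code       # victim types it into the lookalike page
    return idp.login_with_otp(typed_on_proxy_page)   # proxy forwards it; token comes back to the proxy


def aitm_relay_fido(idp: IdentityProvider) -> Optional[str]:
    """Proxy relays a real challenge, but the victim's browser binds the response to the proxy's origin."""
    challenge = idp.challenge()                                   # fetched from the real IdP
    tag = assertion(idp.credential_key, challenge, PROXY_ORIGIN)  # browser is on the attacker's domain
    return idp.login_with_assertion(challenge, tag)               # IdP expects REAL_ORIGIN: rejected


def legitimate_fido(idp: IdentityProvider) -> Optional[str]:
    """Same credential, used from the genuine origin."""
    challenge = idp.challenge()
    tag = assertion(idp.credential_key, challenge, REAL_ORIGIN)
    return idp.login_with_assertion(challenge, tag)


if __name__ == "__main__":
    idp = IdentityProvider()
    print("OTP relayed through AiTM proxy  ->", aitm_relay_otp(idp) is not None)
    print("FIDO relayed through AiTM proxy ->", aitm_relay_fido(idp) is not None)
    print("FIDO from real origin           ->", legitimate_fido(idp) is not None)
```

In real WebAuthn the protection starts one step earlier than this model shows: the browser refuses to exercise a credential whose RP ID does not match the page's origin, so no assertion is produced for the proxy's domain at all, and the server-side origin check modelled in `login_with_assertion` is the second line of defense. The session token returned in the OTP case is the artifact the report means by “capture authentication tokens”: the proxy never needs the password or the code again once it holds that token.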