'Phishing campaigns continue to improve sophistication and refinement': Microsoft flags major 'sophisticated' phishing campaign targeting 35,000 users across 26 countries

News
By published

Most of the victims are in the US, Microsoft warns

A zoomed-in picture of a computer screen displaying a login window with a password typed in
(Image credit: Future)
  • Microsoft says a large phishing wave targeted over 35,000 users across 13,000 companies, mostly in the US
  • Polished enterprise‑style emails with urgent prompts were used to bypass security checks
  • Victims were funneled through PDFs and CAPTCHAs to harvest Microsoft credentials in real time

Microsoft has warned about a large-scale phishing email campaign against primarily US-based organizations.

In a new in-depth report Microsoft said it observed a new campaign between April 14 and 16 2026 targeting more than 35,000 users in 13,000 companies. While the campaign affected 26 countries, more than nine in ten emails (92%) went to US-based organizations.

Firms in the healthcare and life sciences vertical were most affected (19%), followed by financial services (18%), professional services (11%), and technology and software (11%).

Article continues below

PDFs and tokens

"The lures in this campaign used polished, enterprise-style HTML templates with structured layouts and preemptive authenticity statements, making them appear more credible than typical phishing emails and increasing their plausibility as legitimate internal communications," Microsoft explained in the advisory.

"Because the messages contained accusations and repeated time-bound action prompts, the campaign created a sense of urgency and pressure to act."

In these emails, the threat actors assumed different identities, such as “Internal Regulatory COC”, “Workforce Communications”, or “Team Conduct Report”. The emails themselves were themed around “internal case logs”, different reminders, and warnings about non-compliance.

"At the top of each message, a notice stated that the message had been 'issued through an authorized internal channel' and that links and attachments had been 'reviewed and approved for secure access,' reinforcing the email's purported legitimacy," Microsoft further added.

The crooks were apparently sending these emails from legitimate services, bypassing traditional protections such as SPF, DKIM, and DMARC. They were also distributing PDF attachments through which they were redirecting victims to malicious landing pages.

People who would open the PDF files and click on the links inside would first be redirected through multiple CAPTCHAs, to create a false sense of legitimacy, and to filter out any bots or otherwise automated scanning activities.

The final step is to harvest Microsoft credentials and tokens in real-time and thus work around multi-factor authentication (MFA).

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Google logo on a black background next to text reading 'Click to follow TechRadar'

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.