Top Highlights
- Microsoft detected a large credential theft campaign targeting over 35,000 users worldwide, using sophisticated, enterprise-like phishing emails to lure victims.
- The campaign employed legitimate email services, convincing HTML templates, and urgency tactics to bypass defenses and harvest Microsoft credentials through real-time AiTM phishing.
- Phishing tactics evolved in 2026 with a rapid rise in QR code scams (+146%) and CAPTCHA-based attacks, primarily aiming for credential theft, with malware delivery significantly declining.
- Threat actors increasingly abuse trusted services like Amazon SES and alternative hosting providers, making phishing and BEC attacks more persistent and harder to detect.
Microsoft Uncovers a Large-Scale Phishing Attack Across Multiple Countries
Recently, Microsoft revealed details about a widespread phishing campaign targeting over 35,000 users in 26 countries. The attack lasted from April 14 to 16, 2026, and primarily affected organizations in healthcare, finance, professional services, and technology sectors. Attackers used sophisticated emails designed to look like official internal messages. These emails contained convincing HTML templates and false authenticity claims, which increased their credibility. Additionally, they used urgency tactics, such as accusations and time-sensitive prompts, to pressure recipients into clicking malicious links. The emails often featured titles like “Internal case log issued under conduct policy” and appeared to be issued through legitimate internal channels. After clicking a link, victims were directed through multiple steps, including CAPTCHA tests and intermediate pages, which made the scam harder for automated defenses to detect.
Widespread Trends and Methods in Phishing and BEC Campaigns
This campaign highlights the evolving tactics used by cybercriminals in 2026. Microsoft analysis indicates that QR code phishing has become the fastest-growing attack vector, with a 146% increase from January to March. Attackers now embed QR codes directly into emails, disguising malicious destinations or linking to harmful apps. Business email compromise (BEC) scams remain prevalent, with over 10 million reported attacks. Notably, cybercriminals have shifted to using trusted services, such as Amazon Simple Email Service (SES), to bypass email security measures. They hijack legitimate cloud infrastructure by stealing AWS access keys, which lets them send large volumes of convincing phishing emails. Meanwhile, threat actors continue leveraging advanced techniques, including CAPTCHA checks and adversary-in-the-middle tactics, to harvest credentials and tokens in real time. This trend reflects the ongoing arms race between cybersecurity defenses and malicious actors, emphasizing the importance of vigilance and updated protection measures for organizations worldwide.
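A header-triage sketch for the pattern described above (internal-looking notices from outside senders, relayed through Amazon SES), added here as an example and not taken from Microsoft's analysis. The keyword lists, the `triage` function, the `example.com` organization domain and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed keyword heuristics for this sketch; tune them to your own mail flow.
INTERNAL_CLAIM = re.compile(r"\b(internal|hr|human resources|compliance|it support)\b", re.I)
PRESSURE = re.compile(r"\b(case log|conduct policy|violation|disciplinary|immediate action)\b", re.I)

def _domain(value):
    """Lower-cased domain of the address in a header value ('' if absent)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def triage(raw, org_domain):
    """Return per-signal booleans plus a combined 'review' verdict."""
    msg = message_from_string(raw)
    display = parseaddr(msg.get("From", ""))[0]
    subject = msg.get("Subject", "")
    bounce = _domain(msg.get("Return-Path"))
    s = {
        "external_sender": _domain(msg.get("From")) != org_domain.lower(),
        "claims_internal": bool(INTERNAL_CLAIM.search(f"{display} {subject}")),
        # Exact or dot-prefixed match so look-alike domains do not count as SES.
        "via_ses": bounce == "amazonses.com" or bounce.endswith(".amazonses.com")
                   or "X-SES-Outgoing" in msg,
        "pressure": bool(PRESSURE.search(subject)),
    }
    # SES alone is common and benign; flag only an outside sender posing as
    # internal that also uses SES relay or pressure wording.
    s["review"] = (s["external_sender"] and s["claims_internal"]
                   and (s["via_ses"] or s["pressure"]))
    return s

# Constructed sample messages (not real campaign data).
PHISH = (
    'From: "HR Compliance" <notice@mailer-example.net>\n'
    "Return-Path: <0100018f-bounce@us-east-1.amazonses.com>\n"
    "Subject: Internal case log issued under conduct policy\n"
    "\nReview the attached case within 24 hours.\n"
)
BENIGN = (
    'From: "Acme Store" <news@shop-example.org>\n'
    "Return-Path: <0100018f-bounce@amazonses.com>\n"
    "Subject: Your April receipt\n"
    "\nThanks for your order.\n"
)

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(name, triage(raw, "example.com"))
```

A sender that configures a custom MAIL FROM domain in SES will not show `amazonses.com` in `Return-Path`, so `via_ses` is one signal among several rather than a reliable marker.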
