- Microsoft says a large phishing spree targeted more than 35,000 users at 13,000 companies, mostly in the United States.
- Slick business emails with urgent prompts were used to bypass security controls.
- Victims were routed through PDF attachments and CAPTCHA pages so attackers could harvest Microsoft credentials in real time.
Microsoft has warned of a large-scale phishing email campaign primarily targeting US-based organizations.
In an in-depth new report, Microsoft said it observed a new campaign between April 14 and 16, 2026 targeting more than 35,000 users across 13,000 companies. While the campaign reached 26 countries, more than nine in ten (92%) emails were sent to U.S.-based organizations.
Companies in the healthcare and life sciences vertical were most affected (19%), followed by financial services (18%), professional services (11%), and technology and software (11%).
PDF and tokens
“The lures in this campaign used polished, enterprise-style HTML templates with structured layouts and preemptive authenticity claims, making them more credible than typical phishing emails and increasing their plausibility as legitimate internal communications,” Microsoft explained in the advisory.
“Because the messages contained repeated accusations and incitements to act within a specific time frame, the campaign created a sense of urgency and pressure to act.”
In these emails, threat actors took on different identities, such as “Internal Regulatory COC,” “Staff Communications,” or “Team Conduct Report.” The emails themselves were themed around “internal case logs,” along with various reminders and warnings about non-compliance.
“At the top of each message, a notice stated that the message had been ‘sent through an authorized internal channel’ and that links and attachments had been ‘reviewed and approved for secure access,’ reinforcing the purported legitimacy of the email,” Microsoft added.
The scammers were apparently sending these emails from legitimate services, bypassing traditional protections like SPF, DKIM, and DMARC. They also distributed PDF attachments through which they redirected victims to malicious landing pages.
People who opened the PDF files and clicked on the links inside would first be redirected to multiple CAPTCHAs, to create a false sense of legitimacy and to filter out bots or automated scanning activities.
The final step is to harvest Microsoft credentials and tokens in real time and thus bypass multi-factor authentication (MFA).
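The lure traits described above can be checked on inbound mail. The following is an added example, not code from Microsoft's report or this article: it flags messages that pass SPF, DKIM and DMARC yet carry an "internal" sender name on an outside domain, the authenticity banner, or a PDF attachment. `ORG_DOMAINS`, the function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Sender names and banner phrases are the ones quoted in the article.
# ORG_DOMAINS is an assumption: the defender's own mail domains.
INTERNAL_NAMES = ("internal regulatory coc", "staff communications", "team conduct report")
BANNER_PHRASES = ("sent through an authorized internal channel",
                  "reviewed and approved for secure access")
ORG_DOMAINS = {"corp.example"}

def score_message(raw: str) -> dict:
    """Return which traits of the described lure appear in one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    frm = msg["From"]
    addr = frm.addresses[0] if frm is not None and frm.addresses else None
    auth = str(msg.get("Authentication-Results", "")).lower()
    body = msg.get_body(preferencelist=("html", "plain"))
    text = " ".join(body.get_content().lower().split()) if body is not None else ""
    hits = {
        # SPF/DKIM/DMARC passing only proves the sending service is genuine.
        "auth_pass": all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc")),
        # An "internal" display name on a domain the organization does not own.
        "internal_name_external_domain": addr is not None
            and addr.display_name.lower() in INTERNAL_NAMES
            and addr.domain.lower() not in ORG_DOMAINS,
        "authenticity_banner": any(p in text for p in BANNER_PHRASES),
        "pdf_attachment": any(p.get_content_type() == "application/pdf"
                              for p in msg.iter_attachments()),
    }
    hits["suspicious"] = hits["internal_name_external_domain"] and (
        hits["authenticity_banner"] or hits["pdf_attachment"])
    return hits

def build_sample(sender: str, body: str, with_pdf: bool) -> str:
    """Build a constructed test message (not a real sample from the campaign)."""
    m = EmailMessage()
    m["From"], m["To"] = sender, "user@corp.example"
    m["Subject"] = "Internal case log reminder"
    m["Authentication-Results"] = "mx.corp.example; spf=pass; dkim=pass; dmarc=pass"
    m.set_content(f"<p>{body}</p>", subtype="html")
    if with_pdf:
        m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                         subtype="pdf", filename="case-log.pdf")
    return m.as_string()

if __name__ == "__main__":
    lure = build_sample("Staff Communications <notice@mailer.example>",
                        "This message was sent through an authorized internal channel.", True)
    print(score_message(lure))
```

The `auth_pass` field is reported but deliberately not used to clear a message, since the campaign's mail passed those checks.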




