- Microsoft says a large phishing wave targeted more than 35,000 users at 13,000 companies, mostly in the US.
- Slick business-style emails with urgent messages were used to bypass security controls.
- Victims were funneled through PDF and CAPTCHA files to collect Microsoft credentials in real time.
Microsoft has warned of a large-scale phishing email campaign targeting organizations primarily based in the United States.
In a new in-depth report, Microsoft said it observed the campaign between April 14 and 16, 2026, targeting more than 35,000 users across 13,000 companies. While the campaign affected 26 countries, more than nine in ten emails (92%) went to organizations based in the United States.
Companies in the healthcare and life sciences sectors were hardest hit (19%), followed by financial services (18%), professional services (11%), and technology and software (11%).
PDF and tokens
“The lures in this campaign used polished, enterprise-style HTML templates with structured layouts and preemptive authenticity claims, making them appear more credible than typical phishing emails and increasing their plausibility as legitimate internal communications,” Microsoft explained in the advisory.
“Because the messages contained accusations and repeated time-bound prompts for action, the campaign created a sense of urgency and pressure to act.”
In these emails, the threat actors assumed different identities, such as “Internal Regulatory COC,” “Workforce Communications,” or “Team Conduct Report.” The emails themselves were themed as “internal case logs,” reminders, and warnings about non-compliance.
“At the top of each message, a notice said that the message had been ‘issued through an authorized internal channel’ and that links and attachments had been ‘reviewed and approved for secure access,’ reinforcing the supposed legitimacy of the email,” Microsoft added.
The criminals were apparently sending these emails through legitimate services, so the messages passed traditional email authentication checks such as SPF, DKIM, and DMARC: those checks confirm that the sending infrastructure is properly configured, not that the sender is who the display name claims to be. They also distributed PDF attachments whose embedded links redirected victims to malicious landing pages.
People who opened the PDF files and clicked on the links inside them were first routed through multiple CAPTCHAs, which both reinforced the false sense of legitimacy and filtered out bots and automated security scanners before they could reach the final page.
The last step was to collect Microsoft credentials and tokens in real time, which is how the attackers defeated multi-factor authentication (MFA).
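The lure characteristics and delivery chain described above (internal-sounding sender personas, preemptive authenticity claims, repeated time-bound prompts, authenticated mail from an external sending service, and PDF attachments carrying external links) are all observable on the receiving side. The following Python triage script is an added example, not code from Microsoft's report or from TechRadar; it scores a message against those signals. The organisation's own domain (`example.com`), the sender domain, the landing URL, and the sample message itself are constructed placeholders, and the PDF link extraction is a simple regex scan of raw bytes rather than a full PDF parser.

```python
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

ORG_DOMAIN = "example.com"  # placeholder: the defender's own mail domain

# Lure features from the campaign description: preemptive authenticity claims,
# time-bound prompts, and internal-sounding sender personas.
AUTHENTICITY_CLAIMS = [
    r"issued through an authori[sz]ed internal channel",
    r"reviewed and approved for secure access",
]
URGENCY_PHRASES = [r"within \d+ hours?", r"final (?:notice|reminder)", r"non-?compliance"]
INTERNAL_PERSONAS = [r"internal regulatory", r"workforce communications", r"team conduct report"]


def pdf_uris(data: bytes) -> list[str]:
    """Return /URI link targets found in raw PDF bytes (regex scan, not a full parser)."""
    return [m.decode("latin-1") for m in re.findall(rb"/URI\s*\(([^)]*)\)", data)]


def _text_parts(msg) -> str:
    """Concatenate all text/plain and text/html bodies, lower-cased for matching."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            chunks.append(part.get_content())
    return "\n".join(chunks).lower()


def score_message(raw: str) -> dict:
    """Score one RFC 822 message; returns the reasons that fired and a total."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, addr = email.utils.parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    auth = (msg.get("Authentication-Results") or "").lower()
    text = _text_parts(msg)
    reasons = []

    persona = any(re.search(p, display_name.lower()) for p in INTERNAL_PERSONAS)
    if persona and sender_domain != ORG_DOMAIN:
        reasons.append("internal-sounding sender name from external domain")
    # A DMARC pass only proves the sending service is configured correctly, not
    # that the mail is internal: treat pass + external domain as a signal, not a clearance.
    if "dmarc=pass" in auth and sender_domain != ORG_DOMAIN and persona:
        reasons.append("authenticated but not from the organisation's domain")
    if any(re.search(p, text) for p in AUTHENTICITY_CLAIMS):
        reasons.append("preemptive authenticity claim in body")
    if sum(bool(re.search(p, text)) for p in URGENCY_PHRASES) >= 2:
        reasons.append("repeated time-bound prompts")
    for part in msg.iter_attachments():
        if part.get_content_type() == "application/pdf":
            links = [u for u in pdf_uris(part.get_payload(decode=True))
                     if not u.lower().startswith(f"https://{ORG_DOMAIN}")]
            if links:
                reasons.append(f"PDF attachment with external link(s): {links}")
    return {"score": len(reasons), "reasons": reasons}


def build_sample() -> str:
    """Constructed sample in the style of the lures described; not a real campaign message."""
    m = EmailMessage()
    m["From"] = "Workforce Communications <notices@bulk-mailer.example.net>"  # placeholder
    m["To"] = f"user@{ORG_DOMAIN}"
    m["Subject"] = "Internal case log: non-compliance notice"
    m["Authentication-Results"] = "mx.example.com; spf=pass; dkim=pass; dmarc=pass"
    m.set_content(
        "This message was issued through an authorized internal channel. "
        "Links and attachments have been reviewed and approved for secure access. "
        "Respond within 24 hours. Final reminder: non-compliance will be escalated."
    )
    # Minimal PDF fragment with one link action; the landing URL is a placeholder.
    pdf = (b"%PDF-1.4\n1 0 obj << /Type /Action /S /URI "
           b"/URI (https://landing.example.org/verify) >> endobj\n%%EOF")
    m.add_attachment(pdf, maintype="application", subtype="pdf", filename="case-log.pdf")
    return m.as_string()


if __name__ == "__main__":
    print(score_message(build_sample()))
```

The point of the `dmarc=pass` branch is the one the article makes: mail relayed through a legitimate sending service authenticates cleanly, so a passing Authentication-Results header must not be used to whitelist a message that claims to be internal but arrives from a domain the organisation does not control.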
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.