Microsoft has revealed details of a large global phishing attack that targeted more than 35,000 users across over 13,000 organisations. Most of the victims were based in the United States, but the campaign affected companies in 26 countries.
The attack took place between April 14 and April 16, 2026, and used highly convincing emails to trick people into giving the attackers access to their accounts.
These emails were designed to look like official internal messages related to workplace rules or “code of conduct” reviews.
According to Microsoft, the attackers used polished email templates that looked professional and trustworthy. The messages created urgency by claiming that users needed to review important compliance issues immediately.
Once users clicked the links or opened the attachments, they were redirected to fake websites controlled by the attackers.
These sites were designed to look like real login pages. When users entered their credentials, attackers were able to capture login details and authentication tokens, allowing them to access accounts directly.
The attack used a technique known as “adversary-in-the-middle” (AiTM), which can bypass some types of multi-factor authentication by intercepting login sessions in real time.
This makes the attack more dangerous than traditional phishing methods.
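The difference between MFA that an AiTM proxy can relay and MFA that it cannot is shown in this added toy model, which is not from Microsoft's report or any real product. It assumes a hypothetical identity provider with two login paths, uses made-up origins and a sample credential, and substitutes an HMAC for the authenticator's real public-key signature; the point it demonstrates is that a one-time code typed into the proxy's page is accepted by the real site, while an origin-bound WebAuthn assertion produced on the look-alike site is rejected.

```python
"""Toy AiTM phishing-proxy model; constructed for illustration, HMAC stands in for a signature."""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://login.example.com"   # hypothetical legitimate sign-in page
PHISH_ORIGIN = "https://login-example.co"   # hypothetical look-alike proxy site


def sign(key, challenge, origin):
    """Authenticator signs the challenge together with the origin the browser is on."""
    return hmac.new(key, challenge + origin.encode(), hashlib.sha256).hexdigest()


class IdentityProvider:
    """Hypothetical IdP accepting password+OTP or an origin-bound WebAuthn-style assertion."""

    def __init__(self, password, authenticator_key):
        self.password = password
        self.key = authenticator_key          # stand-in for the registered public key
        self.otp_secret = secrets.token_bytes(16)

    def current_otp(self):
        """The code the user's authenticator app shows for the current time window."""
        return hmac.new(self.otp_secret, b"window-1", hashlib.sha256).hexdigest()[:6]

    def login_otp(self, password, otp):
        """Returns a session token on success, else None (the token is what AiTM steals)."""
        ok = password == self.password and otp == self.current_otp()
        return secrets.token_hex(16) if ok else None

    def login_webauthn(self, challenge, assertion):
        """Only a signature over (challenge, REAL_ORIGIN) is accepted."""
        expected = sign(self.key, challenge, REAL_ORIGIN)
        return secrets.token_hex(16) if hmac.compare_digest(expected, assertion) else None


def run_demo():
    """Returns (otp_mfa_bypassed, webauthn_bypassed, legitimate_webauthn_ok)."""
    key = secrets.token_bytes(32)
    idp = IdentityProvider("hunter2", key)      # constructed sample credential
    # AiTM vs OTP: proxy relays the password and code the victim typed in real time.
    relayed = idp.login_otp(idp.password, idp.current_otp())
    # AiTM vs WebAuthn: the victim's browser is on PHISH_ORIGIN, so the assertion is bound to it.
    challenge = secrets.token_bytes(32)            # issued by the real IdP, relayed by proxy
    proxied = idp.login_webauthn(challenge, sign(key, challenge, PHISH_ORIGIN))
    legit = idp.login_webauthn(challenge, sign(key, challenge, REAL_ORIGIN))
    return relayed is not None, proxied is not None, legit is not None
```

The relayed one-time code yields a valid session token, which is why the campaign's token capture worked against that kind of MFA; the origin check is what makes phishing-resistant credentials hold up against the same proxy.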
The phishing emails were sent using legitimate email services, which made them harder to detect. Attackers also used multiple domains and sender addresses to avoid security filters.
The campaign affected several industries, including healthcare, financial services, professional services, and technology.
Microsoft said this incident highlights how phishing attacks are becoming more advanced and harder to detect.
The company has advised organisations to improve email security, educate employees about suspicious messages, and use advanced protection tools to prevent such attacks.