{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/microsoft-account/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft account","Cloudflare CAPTCHA"],"_cs_severities":["high"],"_cs_tags":["phishing","aitm","credential-access","initial-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Cloudflare"],"content_html":"\u003cp\u003eMicrosoft has warned of a sophisticated phishing campaign primarily targeting US organizations, with 92% of observed attempts focused within the United States. The campaign, active between April 14 and 16, 2026, involved over 35,000 phishing attempts across approximately 13,000 organizations spanning 26 countries. The phishing emails masquerade as internal regulatory or compliance messages, using display names like ‘Team Conduct Report’ and subject lines such as ‘Reminder: employer opened a non-compliance case log.’ The targeted sectors include healthcare, life sciences, financial services, professional services, and technology/software. The attackers are leveraging a legitimate email delivery service and likely attacker-controlled domains to send the malicious emails. This campaign is significant because it employs AitM phishing, bypassing traditional MFA protections.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe victim receives a phishing email purporting to be an internal regulatory or compliance message, with subjects related to conduct reports or non-compliance.\u003c/li\u003e\n\u003cli\u003eThe email instructs the recipient to open a personalized attachment (PDF document) to review case materials.\u003c/li\u003e\n\u003cli\u003eThe attachment contains a link, such as \u0026ldquo;Review Case Materials,\u0026rdquo; that the user is directed to click.\u003c/li\u003e\n\u003cli\u003eClicking the link redirects the user to a Cloudflare CAPTCHA page, likely to thwart automated analysis.\u003c/li\u003e\n\u003cli\u003eThe user is then directed to a page indicating that documents need review and signature.\u003c/li\u003e\n\u003cli\u003eThe victim is prompted to enter their email address, followed by a second CAPTCHA page.\u003c/li\u003e\n\u003cli\u003eAfter successful verification, the user is asked to sign in to their Microsoft account.\u003c/li\u003e\n\u003cli\u003eThis final step uses AitM phishing, where the attacker proxies the session in real-time to capture authentication tokens and gain immediate access to the targeted account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis phishing campaign can lead to unauthorized access to Microsoft accounts, potentially enabling data theft, business email compromise (BEC), and further malicious activities within the compromised organization. With 35,000 attempts observed in a short period, the potential scale of compromise is significant. The targeting of healthcare, financial services, and technology sectors suggests a focus on high-value targets. Successful attacks can result in financial losses, reputational damage, and regulatory penalties.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect Phishing Email Redirection to CAPTCHA\u0026rdquo; Sigma rule to identify potential phishing attempts leading to CAPTCHA challenges (rules).\u003c/li\u003e\n\u003cli\u003eImplement the \u0026ldquo;Detect Microsoft Account AitM Phishing Login Page\u0026rdquo; Sigma rule to detect access to Microsoft login pages after CAPTCHA verification, indicating potential AitM activity (rules).\u003c/li\u003e\n\u003cli\u003eReview email gateway configurations to ensure robust filtering of emails with subjects related to compliance or conduct reports (overview).\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of AitM phishing and the importance of verifying the authenticity of login pages, especially after CAPTCHA challenges (overview).\u003c/li\u003e\n\u003cli\u003eLeverage Microsoft\u0026rsquo;s threat-hunting queries and indicators of compromise (IoCs) to proactively search for related activity within your environment (overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-06T12:00:00Z","date_published":"2026-05-06T12:00:00Z","id":"/briefs/2026-05-aitm-phishing/","summary":"A sophisticated phishing campaign targeting US organizations uses a 'code of conduct review' theme to lure victims to a malicious website, employing adversary-in-the-middle (AitM) techniques to capture authentication tokens and gain account access.","title":"Sophisticated AitM Phishing Campaign Targeting US Organizations","url":"https://feed.craftedsignal.io/briefs/2026-05-aitm-phishing/"}],"language":"en","title":"CraftedSignal Threat Feed — Microsoft Account","version":"https://jsonfeed.org/version/1.1"}