In this blog, we\u2019re sharing our analysis of this campaign\u2019s lures, infrastructure, and techniques. Organizations can defend against financial fraud initiated through phishing emails by educating users about phishing lures, investing in advanced anti-phishing solutions like Microsoft Defender for Office 365<\/a> and configuring essential email security settings, and encouraging users to employ web browsers that support SmartScreen. Organizations can also enable network protection, which lets Windows use SmartScreen as a host-based web proxy.<\/p>\n Multi-step social engineering campaign leading to credential theft<\/p>\n Between April 14 and 16, 2026, the Microsoft Defender Research team observed a series of sophisticated phishing campaigns targeting more than 35,000 users across over 13,000 organizations in 26 countries, with majority of targets located in the United States (92%). The campaign did not focus on a single vertical but instead impacted a broad range of industries, most notably Healthcare & life sciences (19%), Financial services (18%), Professional services (11%), and Technology & software (11%). Messages were distributed in multiple distinct waves between 06:51 UTC on April 14 and 03:54 UTC on April 16.\u00a0<\/p>\n Emails in this campaign posed as internal compliance or regulatory communications, using display names such as \u201cInternal Regulatory COC\u201d, \u201cWorkforce Communications\u201d, and \u201cTeam Conduct Report\u201d. Subject lines included \u201cInternal case log issued under conduct policy\u201d and \u201cReminder: employer opened a non-compliance case log\u201d.<\/p>\n Message bodies claimed that a \u201ccode of conduct review\u201d had been initiated, referenced organization-specific names embedded within the text, and instructed recipients to \u201copen the personalized attachment\u201d to review case materials. At the top of each message, a notice stated that the message had been \u201cissued through an authorized internal channel\u201d and that links and attachments had been \u201creviewed and approved for secure access\u201d, reinforcing the email\u2019s purported legitimacy. To further support the confidentiality of the supposed review, the end of each message contained a green banner stating that the contents had been encrypted using Paubox, a legitimate service associated with HIPAA-compliant communications.<\/p>\n Analysis of the sending infrastructure indicated that the campaign emails were sent using a legitime email delivery service, likely originating from a cloud-hosted Windows virtual machine. The messages were sent from multiple sender addresses using domains that are likely attacker-controlled.<\/p>\n Each campaign email included a PDF attachment with filenames such as Awareness Case Log File \u2013 Tuesday 14th, April 2026.pdf and Disciplinary Action \u2013 Employee Device Handling Case.pdf. The attachment provided additional context about the supposed conduct review, including a summary of the review process and instructions for accessing supporting documentation. Recipients were directed to click a \u201cReview Case Materials\u201d link within the PDF, which initiated the credential harvesting flow.<\/p>\n When clicked, users were initially directed to one of two attacker-controlled domains (for example, acceptable-use-policy-calendly[.]de or compliance-protectionoutlook[.]de). These landing pages displayed a Cloudflare CAPTCHA, presented as a mechanism to validate that the user was coming \u201cfrom a valid session\u201d. This CAPTCHA likely served as a gating mechanism to impede automated analysis and sandbox detonation.\u00a0<\/p>\n After completing the CAPTCHA, users were redirected to an intermediate site designed to prepare them for the final stage of the attack. This page informed users that the requested documentation was encrypted and required account authentication. While this stage of the attack has several hallmarks of device code phishing, we were only able to confirm the AITM portion of the attack chain.<\/p>\n After clicking the provided \u201cReview & Sign\u201d button, users were presented with a sign-in prompt requesting their email address.<\/p>\n After submission, users were required to complete a second CAPTCHA involving image selection.<\/p>\n Once these steps were completed, users were shown a message indicating that verification was successful and that their \u201ccase\u201d was being prepared.<\/p>\n Following these steps, users were redirected to a third site hosting the final stage of the attack. Analysis of the underlying code indicates that the final destination varied depending on whether the user accessed the workflow from a mobile device or a desktop system.<\/p>\n On the final page, users were informed that all materials related to their code of conduct review had been \u201csecurely logged\u201d, \u201ctime-stamped\u201d, and \u201cmaintained within the organization\u2019s centralized compliance tracking system\u201d. They were then prompted to schedule a time to discuss the case, which required signing in to their account.<\/p>\n Selecting the \u201cSign in with Microsoft\u201d option redirected users to a Microsoft authentication page, initiating an AiTM session hijacking flow designed to capture authentication tokens and compromise user accounts.<\/p>\n Mitigation and protection guidance<\/p>\n Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.<\/p>\n Review the recommended settings<\/a> for Exchange Online Protection and Microsoft Defender for Office 365 to ensure your organization has established essential defenses and knows how to monitor and respond to threat activity.<\/p>\n Invest in user awareness training and phishing simulations. Attack simulation training<\/a> in Microsoft Defender for Office 365, which also includes simulating phishing messages in Microsoft Teams, is one approach to running realistic attack scenarios in your organization.<\/p>\n Enable Zero-hour auto purge (ZAP)<\/a> in Defender for Office 365 to quarantine sent mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.<\/p>\n Responders could also manually check for and purge unwanted emails containing URLs and\/or Subject fields that are similar, but not identical, to those of known bad messages. Investigate malicious email that was delivered in Microsoft 365<\/a> and use Threat Explorer<\/a> to find and delete phishing emails.<\/p>\n Turn on Safe Links<\/a> and Safe Attachments<\/a> in Microsoft Defender for Office 365.<\/p>\n Enable network protection<\/a> in Microsoft Defender for Endpoint.<\/p>\n Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen<\/a>, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.<\/p>\n Enable password-less authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support password-less. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for multifactor authentication (MFA). Refer to this article<\/a> for the different authentication methods and features.<\/p>\n Configure automatic attack disruption<\/a> in Microsoft Defender XDR. Automatic attack disruption is designed to contain attacks in progress, limit the impact on an organization\u2019s assets, and provide more time for security teams to remediate the attack fully.<\/p>\n Microsoft Defender detections<\/p>\n Microsoft Defender<\/a> customers can refer to the list of applicable detections below. Microsoft Defender coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.<\/p>\n Tactic\u00a0Observed activity\u00a0Microsoft Defender coverage\u00a0Initial accessPhishing emailsMicrosoft Defender for Office 365<\/a> Microsoft Defender for Cloud Apps<\/a> Microsoft Security Copilot<\/p>\n Microsoft Security Copilot<\/a> is embedded in Microsoft Defender<\/a> and provides security teams with AI-powered capabilities to summarize incidents, analyze files and scripts, summarize identities, use guided responses, and generate device summaries, hunting queries, and incident reports.<\/p>\n Customers can also deploy AI agents<\/a>, including the following Microsoft Security Copilot agents<\/a>, to perform security tasks efficiently:<\/p>\n Security Copilot is also available as a standalone experience<\/a> where customers can perform specific security-related tasks, such as incident investigation, user analysis, and vulnerability impact assessment. In addition, Security Copilot offers developer scenarios<\/a> that allow customers to build, test, publish, and integrate AI agents and plugins to meet unique security needs.<\/p>\n Threat intelligence reports<\/p>\n Microsoft Defender XDR customers can use the following threat analytics<\/a> reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.<\/p>\n Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration<\/a> in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience<\/a> in the Microsoft Defender portal to get more information about this threat actor.<\/p>\n Hunting queries<\/p>\n Microsoft Defender XDR customers can run the following advanced hunting<\/a> queries to find related activity in their networks:<\/p>\n Campaign emails by sender address<\/p>\n The following query identifies emails associated with this campaign using a message\u2019s sending email address.<\/p>\n EmailEvents Indicators of compromise<\/p>\n IndicatorTypeDescriptionFirst seenLast seencompliance-protectionoutlook[.]deDomainDomain hosting malicious campaign content2026-04-142026-04-16acceptable-use-policy-calendly[.]deDomainDomain hosting malicious campaign content2026-04-142026-04-16cocinternal[.]comDomainDomain hosting sender email address2026-04-142026-04-16Gadellinet[.]comDomainDomain hosting sender email address2026-04-142026-04-16Harteprn[.]comDomainDomain hosting sender email address2026-04-142026-04-16Cocpostmaster[@]cocinternal.comEmail addressEmail address used to send campaign emails2026-04-142026-04-16Nationaladmin[@]gadellinet.comEmail addressEmail address used to send campaign emails2026-04-142026-04-16Nationalintegrity[@]harteprn.comEmail addressEmail address used to send campaign emails2026-04-142026-04-16M365premiumcommunications[@]cocinternal.comEmail addressEmail address used to send campaign emails2026-04-142026-04-16Documentviewer[@]na.businesshellosign.deEmail addressEmail address used to send campaign emails2026-04-142026-04-16Awareness Case Log File \u2013 Monday 13th, April 2026.pdfFilenameName of PDF attachment containing phishing link2026-04-142026-04-14Awareness Case Log File \u2013 Tuesday 14th, April 2026.pdfFilenameName of PDF attachment containing phishing link2026-04-152026-04-15Awareness Case Log File \u2013 Wednesday 15th, April 2026.pdfFilenameName of PDF attachment containing phishing link2026-04-162026-04-165DB1ECBBB2C90C51D81BDA138D4300B90EA5EB2885CCE1BD921D692214AECBC6SHA-256File hash of campaign PDF attachment2026-04-14 \u00a02026-04-16 \u00a0B5A3346082AC566B4494E6175F1CD9873B64ABE6C902DB49BD4E8088876C9EADSHA-256File hash of campaign PDF attachment2026-04-142026-04-1611420D6D693BF8B19195E6B98FEDD03B9BCBC770B6988BC64CB788BFABE1A49DSHA-256File hash of campaign PDF attachment2026-04-142026-04-16<\/p>\n Learn more<\/p>\n For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog<\/a>. <\/p>\n To get notified about new publications and to join discussions on social media, follow us on LinkedIn<\/a>, X (formerly Twitter)<\/a>, and Bluesky<\/a>. <\/p>\n![\"Bar](\"https:\/\/www.europesays.com\/ai\/wp-content\/uploads\/2026\/05\/Figure1-timeline.webp\")
Figure 1. Timeline of campaign messages sent by hour<\/p>\n![\"Pie](\"https:\/\/www.europesays.com\/ai\/wp-content\/uploads\/2026\/05\/Figure2-geographic-industry-distribution.webp\")
Figure 2. Campaign recipients by country and industry<\/p>\n![\"Screenshot](\"https:\/\/www.europesays.com\/ai\/wp-content\/uploads\/2026\/05\/Figure3-phishing-email.webp\")
Figure 3. Sample phishing email<\/p>\n![\"Screenshot](\"https:\/\/www.europesays.com\/ai\/wp-content\/uploads\/2026\/05\/Figure4-pdf-attachment-677x1024.webp\")
Figure 4. PDF attachment<\/p>\n![\"Screenshot](\"https:\/\/www.europesays.com\/ai\/wp-content\/uploads\/2026\/05\/Figure5-captcha.webp\")
Figure 5. CAPTCHA challenge<\/p>\n![\"Screenshot](\"https:\/\/www.europesays.com\/ai\/wp-content\/uploads\/2026\/05\/Figure6-intermediate-site.webp\")
Figure 6. Intermediate site asking users to click \u201cReview & Sign\u201d<\/p>\n![\"Screenshot](\"https:\/\/www.europesays.com\/ai\/wp-content\/uploads\/2026\/05\/Figure7-prompt-enter-email-address.webp\")
Figure 7. Prompt directing users to enter their email address<\/p>\n![\"Screenshot](\"https:\/\/www.europesays.com\/ai\/wp-content\/uploads\/2026\/05\/Figure8-second-captcha.webp\")
Figure 8. Second CAPTCHA challenge<\/p>\n![\"Screenshot](\"https:\/\/www.europesays.com\/ai\/wp-content\/uploads\/2026\/05\/Figure9-verification.webp\")
Figure 9. Message telling users that \u201cVerification completed successfully\u201d<\/p>\n![\"Screenshot](\"https:\/\/www.europesays.com\/ai\/wp-content\/uploads\/2026\/05\/Figure10-redirection-code.webp\")
Figure 10. Code used to redirect users based on platform<\/p>\n![\"screenshot](\"https:\/\/www.europesays.com\/ai\/wp-content\/uploads\/2026\/05\/Figure11-final-page.webp\")
Figure 11. Final page instructed users to sign in<\/p>\n
\u2013 A potentially malicious URL click was detected
\u2013 A user clicked through to a potentially malicious URL
\u2013 Suspicious email sending patterns detected
\u2013 Email messages containing malicious URL removed after delivery
\u2013 Email messages removed after delivery
\u2013 Email reported by user as malware or phishPersistenceThreat actors sign in with stolen valid entitiesMicrosoft Entra ID Protection<\/a>
\u2013 Anomalous Token
\u2013 Unfamiliar sign-in properties
\u2013 Unfamiliar sign-in properties for session cookies \u00a0 <\/p>\n
\u2013 Impossible travel activity<\/p>\n
\n| where SenderMailFromAddress in (” cocpostmaster@cocinternal.com “,” nationaladmin@gadellinet.com “,”
\nnationalintegrity@harteprn.com\u201d,\u201d m365premiumcommunications@cocinternal.com\u201d,\u201d documentviewer@na.businesshellosign.de\u201d)<\/p>\n