From Panic to Token Theft: Multi-Stage AiTM Phishing

The Funny Summary

This campaign is basically a corporate-themed escape room where the villain wears an HR pin: you get a WTF “code of conduct” email and a very official-looking PDF, then you’re marched through not one but two CAPTCHAs like you’re auditioning for Aussie Idol, before being told your “case materials” are securely logged, time-stamped and encrypted, which is attacker-speak for “please click me, baby, one more time”. And just when you think MFA has your back, the AiTM proxy sidesteps in like a bouncer with a clipboard and quietly walks off with your session tokens, leaving your account wondering how it got robbed by someone wearing a tie.

The (5) Takeaways

  • Mass, broad targeting (Apr 14–16, 2026): Microsoft observed multiple waves hitting 35,000+ users across 13,000+ organizations in 26 countries, with 92% of targets in the United States, spanning many industries (not just one vertical).

  • “Code of conduct” pressure-cooker lure: Emails masqueraded as internal compliance/regulatory notices (e.g., “Internal Regulatory COC”) with subject lines implying a non‑compliance case log, using urgency and credibility cues to push recipients to open an attachment.

  • Legit-looking delivery + PDF as the trapdoor: Messages were sent via a legitimate email delivery service from attacker-controlled domains and included PDF attachments whose “Review Case Materials” link launched the credential theft flow.

  • Multi-stage “trust-building” gauntlet (CAPTCHAs + staging pages): Victims were funneled through Cloudflare CAPTCHA gating, intermediate pages claiming documents were encrypted and needed authentication, and even a second image-selection CAPTCHA (a setup designed to look authentic and hinder automated analysis).

  • AiTM token theft to bypass non‑phishing‑resistant MFA: The final stage dropped users into a Microsoft sign-in page served through an adversary‑in‑the‑middle (AiTM) proxy, which relays the password and MFA challenge to the real login service and captures the session token the service issues. The attacker then replays that token to get a signed-in session without repeating the password or MFA, which works against push, OTP and SMS MFA; only phishing‑resistant methods (FIDO2 security keys/passkeys, certificate-based authentication), which are bound to the genuine origin, stop the proxy from completing the sign-in.
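A practical follow-up to the last takeaway, added here as an example and not code from the Microsoft write-up or the campaign itself: a small token-replay hunt over sign-in records. The CSV log, its column names (timestamp, session_id, asn, interactive, mfa), the per-user baseline of known ASNs and the hypothetical users and IPs are all constructed for this illustration and do not match any vendor schema. The two signals it checks are the ones an AiTM flow leaves behind: the MFA-satisfied interactive sign-in arrives from the proxy's network rather than the user's usual one, and a session token minted in one network is used shortly afterwards from another.

```python
"""Heuristic AiTM / stolen-session-token hunt over sign-in records (added example).

Assumptions, all constructed for this example: a CSV with columns
timestamp, user, session_id, ip, asn, country, user_agent, interactive, mfa,
where session_id ties the interactive sign-in (password + MFA entered) to the
token-based requests that follow it. Field names are not a real vendor schema.
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log. alice: MFA sign-in on her usual network, then her
# token is used a minute later from a different ASN (replay). bob: same session
# moves to a neighbouring IP on the same ASN (benign NAT churn). carol: her MFA
# sign-in itself comes from a network she has never used (the AiTM proxy).
SAMPLE_LOG = """\
timestamp,user,session_id,ip,asn,country,user_agent,interactive,mfa
2026-04-15T09:02:11Z,alice@example.test,s-1001,203.0.113.10,AS64500,US,Mozilla/5.0 (Windows NT 10.0) Chrome/124,true,true
2026-04-15T09:02:40Z,alice@example.test,s-1001,203.0.113.10,AS64500,US,Mozilla/5.0 (Windows NT 10.0) Chrome/124,false,false
2026-04-15T09:03:05Z,alice@example.test,s-1001,198.51.100.77,AS64511,NL,python-requests/2.31,false,false
2026-04-15T10:15:00Z,bob@example.test,s-2002,192.0.2.55,AS64501,US,Mozilla/5.0 (Macintosh) Safari/17,true,true
2026-04-15T10:40:12Z,bob@example.test,s-2002,192.0.2.56,AS64501,US,Mozilla/5.0 (Macintosh) Safari/17,false,false
2026-04-15T11:00:03Z,carol@example.test,s-3003,198.51.100.77,AS64511,NL,Mozilla/5.0 (Windows NT 10.0) Chrome/124,true,true
2026-04-15T11:01:30Z,carol@example.test,s-3003,198.51.100.77,AS64511,NL,Mozilla/5.0 (Windows NT 10.0) Chrome/124,false,false
"""

# Constructed per-user baseline: ASNs each user has signed in from historically.
KNOWN_ASNS: dict[str, set[str]] = {
    "alice@example.test": {"AS64500"},
    "bob@example.test": {"AS64501"},
    "carol@example.test": {"AS64500"},
}


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    session_id: str
    ip: str
    asn: str
    country: str
    user_agent: str
    interactive: bool  # True: credentials/MFA entered; False: token-based request
    mfa: bool          # True: an MFA challenge was satisfied on this event


@dataclass(frozen=True)
class Finding:
    user: str
    session_id: str
    reason: str
    detail: str


def parse_log(text: str) -> list[SignIn]:
    """Parse the CSV into SignIn records ordered by time."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append(SignIn(ts, r["user"], r["session_id"], r["ip"], r["asn"], r["country"],
                           r["user_agent"], r["interactive"] == "true", r["mfa"] == "true"))
    return sorted(rows, key=lambda s: s.ts)


def find_token_replay(records: list[SignIn], known_asns: dict[str, set[str]],
                      window: timedelta = timedelta(hours=1)) -> list[Finding]:
    """Flag (a) MFA sign-ins from an ASN the user has never used and (b) sessions
    whose token is used from a different ASN than the one it was issued on
    within `window`. ASN rather than IP is compared so mobile/NAT churn inside
    one carrier does not fire on its own."""
    by_session: dict[str, list[SignIn]] = defaultdict(list)
    for r in records:
        by_session[r.session_id].append(r)

    findings: list[Finding] = []
    for sid, events in by_session.items():
        issued = next((e for e in events if e.interactive and e.mfa), None)
        if issued is None:
            continue  # no MFA sign-in in this session: nothing to compare against
        baseline = known_asns.get(issued.user, set())
        if baseline and issued.asn not in baseline:
            findings.append(Finding(issued.user, sid, "mfa sign-in from unfamiliar ASN",
                                    f"{issued.ip} ({issued.asn}, {issued.country})"))
        for e in events:
            if e.interactive or e.ts <= issued.ts or e.ts - issued.ts > window:
                continue
            if e.asn != issued.asn:
                ua_note = "" if e.user_agent == issued.user_agent else f"; UA changed to {e.user_agent!r}"
                findings.append(Finding(e.user, sid, "token used from different network than issued",
                                        f"{issued.ip} ({issued.asn}) -> {e.ip} ({e.asn}){ua_note}"))
                break  # one finding per session is enough for triage
    return findings


def run_sample() -> list[Finding]:
    return find_token_replay(parse_log(SAMPLE_LOG), KNOWN_ASNS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.user}  {f.session_id}  {f.reason}: {f.detail}")
```

Both signals are heuristics and need tuning against your own baseline: corporate VPN egress changes and carrier NAT will move users between ASNs legitimately, so treat a hit as a triage queue (revoke the session, check the mailbox for new inbox rules) rather than an automatic block. The preventive control remains phishing‑resistant MFA, since a proxy on a look-alike domain cannot complete an origin-bound FIDO2 or certificate-based sign-in in the first place.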

The Long Boring Article

Reference:

Microsoft Security Blog — “Breaking the code: Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise”
