Microsoft Warns of Sophisticated Phishing Campaign Targeting US Organizations

Microsoft warned that a sophisticated phishing campaign used a “code of conduct review” theme to lure victims to malicious sites, generating over 35,000 attempts targeting roughly 13,000 organizations between April 14 and 16. The attack used PDF attachments and Cloudflare CAPTCHAs to funnel victims into an adversary-in-the-middle (AitM) flow that captures authentication tokens and can bypass non-phishing-resistant MFA.

Key points

  • Microsoft observed more than 35,000 phishing attempts from April 14–16 targeting about 13,000 organizations, with 92% of targets in the US.
  • Emails impersonated internal compliance notices using display names like “Team Conduct Report” and urged recipients to open attached PDFs.
  • Attachments titled “Awareness Case Log File” or “Disciplinary Action” directed users to click links that start a multi-step verification flow behind Cloudflare CAPTCHAs.
  • The final step is an adversary-in-the-middle (AitM) attack that proxies sign-ins to capture authentication tokens and can bypass non-phishing-resistant MFA.
  • Microsoft issued mitigation guidance, threat-hunting queries, and indicators of compromise to help organizations detect and respond.

Read More: https://www.securityweek.com/microsoft-warns-of-sophisticated-phishing-campaign-targeting-us-organizations/