
Microsoft Warns of AiTM Token Compromise Via Phishing Campaign

Key Highlights:

  • Microsoft has published details of a recent AiTM token-compromise phishing campaign.

  • Over 35,000 users from more than 13,000 organizations were targeted.

  • The campaign ran between April 14 and 16, 2026.

AiTM (Adversary-in-the-Middle) token compromise is one of the most effective techniques in current use. Malicious actors constantly refine their tactics against ordinary internet users, and a recent campaign flagged by Microsoft underlines how close to flawless their phishing has become at stealing credentials and session tokens.


Microsoft on AiTM Token compromise
Credit: Microsoft

In mid-April 2026 a phishing campaign reached tens of thousands of users at thousands of organizations worldwide. The attackers sent Code of Conduct (CoC) themed emails that tricked recipients into clicking a link.


Background

Approximately 35,000 users from over 13,000 organizations across the globe received an email with a convincing subject line and body. Users who followed the link unknowingly handed over access to their accounts and, with it, to critical information. Reportedly, 92% of the targets were in the United States.



The most-affected industry was Healthcare & Life Sciences (19%), followed by Financial Services (18%). Professional Services and Technology & Software each accounted for around 11% of targets.


The campaign ran between April 14, 2026 (06:51 UTC) and April 16, 2026 (03:54 UTC). Beyond the US, targets were based in 25 other countries. The emails were themed around a Code of Conduct (CoC), telling recipients that an internal log had been issued against them under a conduct policy or that their employer had opened a non-compliance case log.


These messages contained customized content and urged victims to click a link to "review the case material." The campaign has been described as one of the more sophisticated seen to date because in many cases the attackers obtained working sessions even where multi-factor authentication (MFA) was enabled: the proxy relays the MFA challenge to the victim and captures the session cookie that is issued once the challenge succeeds, so MFA alone did not stop the account takeover.


Microsoft on the AiTM Token Compromise

Microsoft said the campaign was first observed by the Microsoft Defender Research team. The emails were made to look authentic with phrases such as "issued through an authorized internal channel" and a green banner claiming the contents were encrypted with Paubox, a legitimate email-encryption service whose branding the attackers borrowed.


Microsoft added that the attached PDFs carried names such as:


  • Disciplinary Action - Employee Device Handling Case

  • Awareness Case Log File - Tuesday 14th April 2026


Each PDF carried a "Review Case Materials" link that started the credential-harvesting flow. A CAPTCHA and a "Review & Sign" button made the landing page look legitimate; the CAPTCHA also keeps automated URL scanners from reaching the phishing page behind it.


In an AiTM attack the phishing site is a reverse proxy placed between the victim and the real sign-in page: the victim's credentials, MFA response and the session cookie issued afterwards all pass through it in real time. With the captured cookie the attacker replays the authenticated session from their own infrastructure and gets the same access to cloud services as the user, with no further need for the password or MFA until the session expires or is revoked. Because the proxy relays whatever the user types, only origin-bound methods such as FIDO2 security keys or passkeys resist it; SMS codes and authenticator-app codes do not.
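A replayed session leaves a footprint that can be hunted for: the same session identifier appearing from more than one source IP within a short window. The PowerShell below is an added example, not code from Microsoft or from the article; the field names (userPrincipalName, sessionId, ipAddress, userAgent, createdDateTime) are assumed to mirror those in Entra ID sign-in logs, and the records are constructed sample data, not a real export.

```powershell
# Flag sessions whose identifier is used from two or more source IPs within $WindowMinutes.
# Added example; assumes sign-in records shaped like Entra ID sign-in log entries.
function Find-SessionReplay {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 60
    )
    $Events | Group-Object -Property sessionId | ForEach-Object {
        $group = $_
        $hits  = @($group.Group | Sort-Object { [datetime]$_.createdDateTime })
        $ips   = @($hits.ipAddress | Select-Object -Unique)
        if ($ips.Count -lt 2) { return }            # one source IP: nothing to see
        $span = ([datetime]$hits[-1].createdDateTime) - ([datetime]$hits[0].createdDateTime)
        if ($span.TotalMinutes -gt $WindowMinutes) { return }   # too slow to be a replay
        [pscustomobject]@{
            User        = $hits[0].userPrincipalName
            SessionId   = $group.Name
            SourceIPs   = $ips -join ', '
            UserAgents  = @($hits.userAgent | Select-Object -Unique) -join ' | '
            SpanMinutes = [math]::Round($span.TotalMinutes, 1)
        }
    }
}

# Constructed sample records (not a real export); documentation IP ranges only.
# sess-1: victim signs in through the proxy, then the cookie is replayed from
#         another address seven minutes later with a scripted client -> flagged.
# sess-2: one user, one IP, two events                                -> not flagged.
# sess-3: two IPs but five hours apart                                -> not flagged at the default window.
$sample = @'
[
  {"userPrincipalName":"j.doe@example.com","sessionId":"sess-1","ipAddress":"203.0.113.10",
   "userAgent":"Mozilla/5.0 (Windows NT 10.0) Edge/124","createdDateTime":"2026-04-14T07:02:11Z"},
  {"userPrincipalName":"j.doe@example.com","sessionId":"sess-1","ipAddress":"198.51.100.77",
   "userAgent":"python-requests/2.31","createdDateTime":"2026-04-14T07:09:40Z"},
  {"userPrincipalName":"a.lee@example.com","sessionId":"sess-2","ipAddress":"192.0.2.25",
   "userAgent":"Mozilla/5.0 (Windows NT 10.0) Edge/124","createdDateTime":"2026-04-14T07:15:00Z"},
  {"userPrincipalName":"a.lee@example.com","sessionId":"sess-2","ipAddress":"192.0.2.25",
   "userAgent":"Mozilla/5.0 (Windows NT 10.0) Edge/124","createdDateTime":"2026-04-14T07:40:00Z"},
  {"userPrincipalName":"r.kim@example.com","sessionId":"sess-3","ipAddress":"203.0.113.44",
   "userAgent":"Mozilla/5.0 (Macintosh) Safari/605","createdDateTime":"2026-04-14T08:00:00Z"},
  {"userPrincipalName":"r.kim@example.com","sessionId":"sess-3","ipAddress":"198.51.100.9",
   "userAgent":"Mozilla/5.0 (Macintosh) Safari/605","createdDateTime":"2026-04-14T13:00:00Z"}
]
'@ | ConvertFrom-Json

Find-SessionReplay -Events $sample | Format-Table -AutoSize
```

Only sess-1 is reported with the default window; widening `-WindowMinutes` to 360 also surfaces sess-3. Treat a hit as a triage signal rather than proof: a user switching between office Wi-Fi and a VPN produces the same pattern, which is why the user-agent change (browser, then a scripted client) is carried in the output. On a confirmed hit, revoke the user's sessions and reset the credential before the attacker's copy of the cookie expires.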


Preventive Measures

Microsoft has outlined several preventive measures to reduce the impact of such attacks:


  • Review Settings: Administrators should review their Exchange Online Protection and Microsoft Defender for Office 365 configuration rather than assume defaults are sufficient.


  • Enable ZAP: Zero-hour Auto Purge (ZAP) retroactively removes already-delivered messages that are later classified as phishing or malware. Enable it together with Safe Links (URL checks at click time) and Safe Attachments (detonation of attachments such as the PDFs used here).


  • Employee Training: Organizations should invest in Attack Simulation Training to run realistic scenarios and measure how employees respond.


  • Enhanced Protection: On the endpoint, Network Protection and Microsoft Defender SmartScreen block connections and navigation to known malicious domains, which adds a layer even when a message gets through.
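The settings in the list above can be checked and corrected from PowerShell. The script below is an added example, not Microsoft's or the article's own tooling: it audits the ZAP, Safe Links and Safe Attachments values that matter against this campaign, reports the weak ones, and shows the corresponding remediation. It assumes the ExchangeOnlineManagement module and an account holding the Security Administrator role; the policy names 'Default' and 'AiTM-Hardening' and the recipient domain 'example.com' are assumptions to replace with your own.

```powershell
# Added example: audit and harden the mail defenses named in the article.
# Assumes ExchangeOnlineManagement is installed; policy names and domain are placeholders.
Connect-ExchangeOnline   # interactive sign-in; skip if a session already exists

function Get-MailDefenseFindings {
    $findings = @()

    # Zero-hour Auto Purge: spam/phish ZAP lives in the anti-spam policy, malware ZAP in the anti-malware policy.
    foreach ($p in Get-HostedContentFilterPolicy) {
        if (-not $p.SpamZapEnabled)  { $findings += "Anti-spam policy '$($p.Name)': SpamZapEnabled is off" }
        if (-not $p.PhishZapEnabled) { $findings += "Anti-spam policy '$($p.Name)': PhishZapEnabled is off" }
    }
    foreach ($p in Get-MalwareFilterPolicy) {
        if (-not $p.ZapEnabled) { $findings += "Anti-malware policy '$($p.Name)': ZapEnabled is off" }
    }

    # Safe Links: rewriting alone is not enough. URLs must be scanned at click time and
    # click-through to a blocked page denied, or the "Review Case Materials" link still lands.
    $sl = @(Get-SafeLinksPolicy)
    if ($sl.Count -eq 0) { $findings += "No Safe Links policy exists" }
    foreach ($p in $sl) {
        if (-not $p.EnableSafeLinksForEmail) { $findings += "Safe Links '$($p.Name)': not applied to email" }
        if (-not $p.ScanUrls)                { $findings += "Safe Links '$($p.Name)': ScanUrls is off" }
        if ($p.AllowClickThrough)            { $findings += "Safe Links '$($p.Name)': users may click through warnings" }
    }

    # Safe Attachments: the lure here was a PDF, so attachments must be detonated and blocked, not just monitored.
    $sa = @(Get-SafeAttachmentPolicy)
    if ($sa.Count -eq 0) { $findings += "No Safe Attachments policy exists" }
    foreach ($p in $sa) {
        if (-not $p.Enable)        { $findings += "Safe Attachments '$($p.Name)': disabled" }
        if ($p.Action -ne 'Block') { $findings += "Safe Attachments '$($p.Name)': Action is $($p.Action), not Block" }
    }
    return $findings
}

$findings = @(Get-MailDefenseFindings)
if ($findings.Count -eq 0) { 'No findings' } else { $findings }

# Remediation for the assumed 'Default' policies; run only after reviewing the findings.
Set-HostedContentFilterPolicy -Identity Default -SpamZapEnabled $true -PhishZapEnabled $true
Set-MalwareFilterPolicy       -Identity Default -ZapEnabled $true

# Safe Links / Safe Attachments are a policy plus a rule that scopes it to recipients.
New-SafeLinksPolicy -Name 'AiTM-Hardening' -EnableSafeLinksForEmail $true -ScanUrls $true `
    -DeliverMessageAfterScan $true -AllowClickThrough $false -TrackClicks $true
New-SafeLinksRule -Name 'AiTM-Hardening' -SafeLinksPolicy 'AiTM-Hardening' -RecipientDomainIs 'example.com'

New-SafeAttachmentPolicy -Name 'AiTM-Hardening' -Enable $true -Action Block
New-SafeAttachmentRule -Name 'AiTM-Hardening' -SafeAttachmentPolicy 'AiTM-Hardening' -RecipientDomainIs 'example.com'

# Endpoint side: run locally as administrator on each device (Defender, not Exchange).
# Network Protection blocks connections to known-bad hosts; SmartScreen is set via policy registry keys.
Set-MpPreference -EnableNetworkProtection Enabled
$ss = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
New-Item -Path $ss -Force | Out-Null
Set-ItemProperty -Path $ss -Name EnableSmartScreen     -Value 1       -Type DWord
Set-ItemProperty -Path $ss -Name ShellSmartScreenLevel -Value 'Block' -Type String
```

The audit half is read-only and safe to run in any tenant; the remediation half creates new policies rather than editing the built-in preset ones, so it can be scoped to a pilot domain first. Note that none of these settings stop a session cookie that has already been captured; they shorten the window in which the lure reaches a user, which is why the article pairs them with training.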


Contact your organization's IT or security team for guidance specific to your environment.



© 2026 by Ankur Sachdev. Proudly Created with Wix.com
