Phishing Campaign Compromises Credentials of 35,000 Users Across 26 Countries Targeting Microsoft Services
What Happened — Microsoft disclosed a multi‑stage credential‑theft phishing operation that used “code‑of‑conduct” themed lures and legitimate email platforms to redirect victims to attacker‑controlled domains, where authentication tokens were harvested. The campaign ran from April 14‑16 2026 and affected more than 35 000 users in 13 000 organizations across 26 countries.
Why It Matters for TPRM —
- Credential theft on a Microsoft‑based identity platform can cascade to downstream SaaS applications used by third‑party vendors.
- The use of legitimate email services makes detection harder for traditional email security controls, increasing supply‑chain risk.
- Exposure of authentication tokens may enable lateral movement into partner environments, amplifying third‑party impact.
Who Is Affected — Enterprises across all sectors that rely on Microsoft 365, Azure AD, or other Microsoft identity services; MSPs and MSSPs managing those accounts.
Recommended Actions —
- Review all third‑party contracts that include Microsoft identity services and verify MFA enforcement.
- Validate that your email security gateway can detect “code‑of‑conduct” lure patterns and block suspicious redirects.
- Conduct token‑revocation sweeps for affected accounts and enforce password resets.
Technical Notes — Attack vector: phishing emails with socially engineered lures; tokens stolen via malicious redirect domains. No specific CVE cited. Data types: authentication tokens, potentially enabling access to email, files, and SaaS apps. Source: The Hacker News
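A triage check for the second recommended action, written as an added example (not Microsoft's or The Hacker News's code): it flags a message when a code-of-conduct theme appears together with a link whose host falls outside an allowlist. The lure pattern, the allowlist entries and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit

# Assumed theme pattern; the brief names only the "code-of-conduct" lure.
LURE_RE = re.compile(r"code\W*of\W*conduct", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
# Hypothetical allowlist of hosts your users legitimately sign in to.
TRUSTED_SUFFIXES = ("microsoft.com", "microsoftonline.com", "example-corp.test")

def host_trusted(host: str) -> bool:
    """Match on a label boundary so 'microsoftonline.com.x.example' fails."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def link_hosts(text: str) -> list:
    hosts = set()
    for url in URL_RE.findall(text):
        try:
            hosts.add((urlsplit(url).hostname or "").rstrip("."))
        except ValueError:  # malformed URL: keep it visible to the analyst
            hosts.add(url)
    return sorted(h for h in hosts if h)

def triage(raw: str) -> dict:
    """Sender reputation is ignored: the lures came via legitimate platforms."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    lure = bool(LURE_RE.search(str(msg["Subject"] or "")) or LURE_RE.search(text))
    untrusted = [h for h in link_hosts(text) if not host_trusted(h)]
    return {"lure": lure, "untrusted_hosts": untrusted, "hold": lure and bool(untrusted)}

# Constructed sample messages (not taken from the campaign).
LURE_SAMPLE = """From: HR Compliance <notify@mailer.example>
Subject: Action required: Code of Conduct acknowledgement
Content-Type: text/plain; charset=utf-8

Review and sign here: https://login.microsoftonline.com.hr-review.example/ack?id=1
"""
BENIGN_SAMPLE = """From: HR <hr@example-corp.test>
Subject: Updated code-of-conduct policy
Content-Type: text/plain; charset=utf-8

Read it on the intranet: https://intranet.example-corp.test/policies/conduct
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, triage(raw))
```

Running the same two samples through your gateway's own rule set shows whether it separates a themed message with an off-allowlist link from a legitimate internal policy notice.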