
Global Phishing Campaign Hijacks Auth Tokens from 35K Users Across 26 Countries

Microsoft reported a sophisticated phishing operation that stole authentication tokens from over 35,000 users in 26 countries, mainly U.S. healthcare and finance. The attack bypassed MFA by using an adversary‑in‑the‑middle flow, highlighting a critical credential‑theft risk for third‑party identity providers.

LiveThreat™ Intelligence · 📅 May 05, 2026· 📰 securityaffairs.com
Severity: High · Type: ThreatIntel · Confidence: High · Affected: 3 sector(s) · Actions: 3 recommended · Source: securityaffairs.com

What Happened — Microsoft disclosed a sophisticated phishing operation that compromised authentication tokens from more than 35,000 users in 26 nations, primarily the United States. Attackers leveraged fake “code‑of‑conduct” emails, PDF attachments, and an adversary‑in‑the‑middle (AiTM) flow to capture tokens even when MFA was enabled.

Why It Matters for TPRM

  • Credential theft bypasses traditional MFA, exposing downstream SaaS and cloud services.
  • The use of legitimate email delivery platforms makes detection harder for third‑party security controls.
  • Affected sectors (healthcare, finance) often host sensitive PII, raising downstream breach risk for their vendors.

Who Is Affected — Healthcare providers, financial institutions, and any organization using Microsoft Azure AD or similar identity services.

Recommended Actions — Review authentication and MFA configurations with vendors, enforce anti‑phishing training, deploy advanced email threat protection, and monitor for anomalous token usage.

Technical Notes — Attack vector: phishing emails with PDF links → Cloudflare CAPTCHA → fake Microsoft sign‑in page → AiTM token capture. No specific CVE. Data stolen: OAuth/SAML authentication tokens granting direct account access. Source: Security Affairs
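
One way to act on the "monitor for anomalous token usage" recommendation, shown as an added example that is not part of the original brief or of Microsoft's reporting: the Python below groups token-use events by session and flags a token that is presented from a changed IP address or user agent shortly after its first use, which is the pattern left behind when a token captured through an AiTM flow is reused elsewhere. The record schema, field names and sample events are assumptions constructed for illustration, not a real identity-provider log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical schema (not a real IdP export).
# Each record is one presentation of a session token to a protected service.
EVENTS = [
    {"ts": "2026-05-04T09:00:05", "user": "a.rivera@example.org", "session": "s-1001",
     "ip": "198.51.100.20", "ua": "Edge/124 Windows"},
    {"ts": "2026-05-04T09:04:40", "user": "a.rivera@example.org", "session": "s-1001",
     "ip": "203.0.113.77", "ua": "Chrome/124 Linux"},
    {"ts": "2026-05-04T10:15:00", "user": "j.chen@example.org", "session": "s-2002",
     "ip": "192.0.2.14", "ua": "Chrome/124 macOS"},
    {"ts": "2026-05-04T10:40:00", "user": "j.chen@example.org", "session": "s-2002",
     "ip": "192.0.2.99", "ua": "Chrome/124 macOS"},
    {"ts": "2026-05-04T11:00:00", "user": "m.okoye@example.org", "session": "s-3003",
     "ip": "198.51.100.5", "ua": "Firefox/125 Linux"},
    {"ts": "2026-05-04T11:30:00", "user": "m.okoye@example.org", "session": "s-3003",
     "ip": "198.51.100.5", "ua": "Firefox/125 Linux"},
]

def find_token_reuse(events, window=timedelta(hours=1)):
    """Return (session, user, severity) for tokens seen from a changed context.

    Baseline is the (ip, ua) of the earliest event in each session.
    "high": IP and user agent both changed inside `window`.
    "low":  only the IP changed inside `window` (common with VPN or roaming).
    """
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    rank = {"low": 1, "high": 2}
    findings = []
    for session, evs in sorted(by_session.items()):
        evs.sort(key=lambda e: datetime.fromisoformat(e["ts"]))
        first, worst = evs[0], None
        t0 = datetime.fromisoformat(first["ts"])
        for e in evs[1:]:
            if datetime.fromisoformat(e["ts"]) - t0 > window or e["ip"] == first["ip"]:
                continue  # outside the window, or same network as the baseline
            sev = "high" if e["ua"] != first["ua"] else "low"
            if worst is None or rank[sev] > rank[worst]:
                worst = sev
        if worst:
            findings.append((session, first["user"], worst))
    return findings

if __name__ == "__main__":
    for finding in find_token_reuse(EVENTS):
        print(finding)
```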

📰 Original Source
https://securityaffairs.com/191695/security/microsoft-warns-of-global-campaign-stealing-auth-tokens-from-35k-users.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
