Microsoft Threat Intelligence: AiTM Phishing Campaign Hit 35,000 Users Across 26 Countries in Two Days

Microsoft Threat Intelligence has published analysis of a large-scale adversary-in-the-middle phishing campaign that compromised approximately 35,000 user accounts at organisations in 26 countries, with healthcare and financial services the most heavily represented sectors, during a 48-hour window in April 2026. The campaign used polished enterprise-grade HTML templates impersonating Microsoft 365 compliance and code-of-conduct notifications, and bypassed TOTP and push-based MFA by intercepting the authenticated session in real time.

#phishing #aitm #microsoft-365 #mfa-bypass #threat-intelligence #healthcare #financial-services #session-hijacking

Microsoft Threat Intelligence has published a detailed analysis of a large-scale adversary-in-the-middle (AiTM) phishing campaign that operated during a concentrated 48-hour window between 14 and 16 April 2026, compromising approximately 35,000 Microsoft 365 user accounts across organisations in 26 countries. The campaign’s velocity, geographic breadth, and targeting of healthcare and financial services organisations point to a well-resourced threat actor with access to industrial-scale AiTM phishing infrastructure.

Campaign Overview

The attack used an AiTM proxy approach, now the dominant method for bypassing MFA deployments built on TOTP codes or push approvals. Rather than harvesting credentials for later use (by which point a TOTP code has expired and a push prompt has already been answered), an AiTM kit runs a real-time reverse proxy between the victim and the legitimate login page: every request and response is relayed live, the victim completes MFA against the genuine service, and the proxy captures the session cookie the service sets on the way back. The attacker then replays that cookie from their own infrastructure and never has to satisfy the second factor themselves.

The campaign’s phishing emails impersonated Microsoft 365 compliance and HR notifications, specifically messages purporting to be “Microsoft 365 Code of Conduct Review” and “Acceptable Use Policy Acknowledgement” notices. The lure works because the scenario is credible: a policy acknowledgement request that appears to come from the employee’s own Microsoft 365 tenant is unremarkable, and it asks for nothing unusual beyond clicking a link and signing in.

Technical Infrastructure

Lure quality: The phishing templates were at a level of craft that Microsoft’s analysis describes as “among the most convincing enterprise-impersonation lures observed in 2025–2026.” They used:

  • Accurate reproduction of Microsoft 365 UI elements including tenant-specific logos loaded dynamically at open time
  • Correct corporate typography and email formatting
  • Plausible sender display names referencing the victim organisation’s IT or HR department
  • SPF and DKIM alignment, and therefore a DMARC pass, achieved by sending through compromised legitimate mail infrastructure

AiTM proxy infrastructure: The campaign used a distributed relay network rather than a single AiTM proxy — distributing victim sessions across hundreds of relay nodes to avoid per-node volume thresholds that might trigger automated detection. Microsoft identified relay infrastructure in 34 countries, consistent with use of a commercial AiTM kit rather than bespoke tooling.

Post-compromise activity: Within minutes of session token theft, automated activity was observed on compromised accounts including: inbox rule creation to forward emails to external addresses, OAuth application consent grants to attacker-controlled applications, and in approximately 3,200 cases (9%), business email compromise activity targeting finance and procurement contacts.
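The post-compromise behaviours listed above are the ones a detection engineer should hunt for in the Microsoft 365 unified audit log whether or not the initial sign-in looked suspicious. The following is an added example of that detection logic, not Microsoft's or the report's own code: it runs over a handful of constructed audit records (simplified to the Operation, UserId, Parameters, Target and ModifiedProperties fields that matter here), flags inbox rules that forward or redirect mail outside the tenant or delete it, flags OAuth consents to unapproved applications that request mail or file scopes, and escalates any user who shows two different behaviours inside a short window. The tenant domains, application allow-list, scope list and window are assumed values.

```python
"""Detect the post-AiTM actions the report lists in Microsoft 365 audit records.
Added example, not Microsoft's detection logic. Records are constructed and use a
simplified unified-audit-log shape; domains, allow-list and scopes are assumptions."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

TENANT_DOMAINS = {"example-tenant.test"}   # assumed accepted domains of the tenant
APPROVED_APPS = {"Approved Mail Client"}   # assumed application allow-list
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "MailboxSettings.ReadWrite",
                "Files.ReadWrite.All", "offline_access"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

# Constructed records: two for alice (forwarding rule then consent), a benign rule and a
# redirect rule for bob, and a consent to an approved app for carol.
SAMPLE_LOG = [
    '{"CreationTime":"2026-04-15T09:12:04","Operation":"New-InboxRule","Workload":"Exchange",'
    '"UserId":"alice@example-tenant.test","Parameters":[{"Name":"Name","Value":"."},'
    '{"Name":"ForwardTo","Value":"drop@mail-relay.test"},{"Name":"DeleteMessage","Value":"True"}]}',
    '{"CreationTime":"2026-04-15T09:14:31","Operation":"Consent to application.",'
    '"Workload":"AzureActiveDirectory","UserId":"alice@example-tenant.test",'
    '"Target":[{"Type":1,"ID":"Mail Sync Helper"}],"ModifiedProperties":['
    '{"Name":"ConsentAction.Permissions","NewValue":"[[Scope: Mail.ReadWrite offline_access]]"}]}',
    '{"CreationTime":"2026-04-15T10:02:10","Operation":"New-InboxRule","Workload":"Exchange",'
    '"UserId":"bob@example-tenant.test","Parameters":[{"Name":"Name","Value":"Newsletters"},'
    '{"Name":"MoveToFolder","Value":"Archive"}]}',
    '{"CreationTime":"2026-04-15T11:40:55","Operation":"Consent to application.",'
    '"Workload":"AzureActiveDirectory","UserId":"carol@example-tenant.test",'
    '"Target":[{"Type":1,"ID":"Approved Mail Client"}],"ModifiedProperties":['
    '{"Name":"ConsentAction.Permissions","NewValue":"[[Scope: Mail.Read]]"}]}',
    '{"CreationTime":"2026-04-15T16:20:00","Operation":"Set-InboxRule","Workload":"Exchange",'
    '"UserId":"bob@example-tenant.test","Parameters":[{"Name":"Identity","Value":"Newsletters"},'
    '{"Name":"RedirectTo","Value":"bob.home@freemail.test; bob@example-tenant.test"}]}',
]


def _params(record):
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def external_forward_targets(record):
    """Addresses outside the tenant that an inbox rule forwards or redirects to."""
    params, ext = _params(record), []
    for name in FORWARD_PARAMS:
        for addr in params.get(name, "").split(";"):
            addr = addr.strip().lower()
            if addr and addr.rsplit("@", 1)[-1] not in TENANT_DOMAINS:
                ext.append(addr)
    return ext


def consented_scopes(record):
    """Delegated scopes granted in a 'Consent to application.' record."""
    scopes = set()
    for prop in record.get("ModifiedProperties", []):
        if prop.get("Name") == "ConsentAction.Permissions":
            for m in re.finditer(r"Scope:\s*([^\],]+)", prop.get("NewValue", "")):
                scopes.update(m.group(1).split())
    return scopes


def consented_app(record):
    return next((t["ID"] for t in record.get("Target", []) if t.get("Type") == 1), None)


def detect(lines):
    """One finding per suspicious behaviour, keyed by user and time."""
    findings = []
    for line in lines:
        r = json.loads(line)
        base = {"user": r["UserId"].lower(), "time": datetime.fromisoformat(r["CreationTime"])}
        if r["Operation"] in ("New-InboxRule", "Set-InboxRule"):
            ext = external_forward_targets(r)
            if ext:
                findings.append({**base, "type": "external_forwarding_rule", "detail": ext})
            if _params(r).get("DeleteMessage") == "True":   # BEC rules hide replies
                findings.append({**base, "type": "rule_deletes_mail", "detail": _params(r).get("Name")})
        elif r["Operation"] == "Consent to application.":
            app, scopes = consented_app(r), consented_scopes(r)
            if app not in APPROVED_APPS and scopes & RISKY_SCOPES:
                findings.append({**base, "type": "risky_oauth_consent",
                                 "detail": {"app": app, "scopes": sorted(scopes & RISKY_SCOPES)}})
    return findings


def escalated_users(findings, window=timedelta(minutes=30)):
    """Users showing two different behaviours inside `window`: treat as confirmed takeover."""
    by_user = defaultdict(list)
    for f in findings:
        by_user[f["user"]].append(f)
    out = set()
    for user, fs in by_user.items():
        fs.sort(key=lambda f: f["time"])
        for i, a in enumerate(fs):
            if any(b["type"] != a["type"] and b["time"] - a["time"] <= window for b in fs[i + 1:]):
                out.add(user)
    return out
```

On the constructed records, `detect` raises three findings for alice and one for bob (the redirect to a freemail address; his archiving rule is ignored), nothing for carol because the app is allow-listed, and `escalated_users` returns alice alone, since bob's single finding has nothing to pair with. The single-character rule name and DeleteMessage on alice's rule are the pattern this campaign's BEC stage relies on: replies to the attacker's invoice requests never reach the mailbox owner.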

Sector Targeting

Healthcare organisations accounted for 19% of confirmed victims and financial services for 18%. The healthcare concentration is significant because healthcare Microsoft 365 tenants often hold sensitive clinical data, patient records and insurance claims; in the healthcare victims, post-compromise activity focused on data exfiltration rather than BEC.

Defensive Measures Against AiTM

This campaign reinforces that standard MFA (TOTP codes, push approvals) does not prevent AiTM phishing: the victim satisfies the second factor on the genuine service, and the proxy simply keeps the session that results. Defences that are effective against this class of attack:

Phishing-resistant MFA: FIDO2 security keys (physical hardware keys), passkeys (platform authenticators) and Windows Hello for Business bind the signed assertion to the relying-party ID and to the origin the browser is actually on. If the user is on an AiTM relay’s domain, the browser refuses to produce an assertion for the real site’s RP ID, and even a forged assertion would fail the server’s origin check, so there is no transferable proof for the relay to capture. Deploying phishing-resistant MFA is the single most effective control against this attack class.
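As an added example (not code from the Microsoft analysis), the following simulation puts the two mechanisms described above side by side: a real-time relay that forwards a password and a live TOTP code to the legitimate identity provider and walks away with the session cookie, and a WebAuthn-style sign-in in which the credential is scoped to the relying-party ID and the browser embeds the real origin in the signed client data. The origins, relying-party ID, secrets and password are constructed, and an HMAC under a shared per-credential secret stands in for the asymmetric signature a real authenticator would produce; the origin-binding logic is otherwise what WebAuthn specifies.

```python
"""Why a live AiTM relay keeps a TOTP-protected session but not a WebAuthn one.
Added illustration, not code from the Microsoft analysis. The WebAuthn "signature" is an
HMAC under a per-credential secret shared by authenticator and relying party (standing in
for the real key pair); origins, RP ID, secrets and the password are constructed."""
import hashlib
import hmac
import json
import secrets
import struct

LEGIT_ORIGIN = "https://login.example-tenant.test"         # assumed real IdP
PHISH_ORIGIN = "https://login.example-tenant-review.test"  # assumed AiTM relay
RP_ID = "example-tenant.test"                              # WebAuthn relying-party ID


def totp(secret: bytes, now: float, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits) for Unix time `now`."""
    mac = hmac.new(secret, struct.pack(">Q", int(now // step)), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10**6
    return f"{code:06d}"


class IdentityProvider:
    """The legitimate login endpoint (the relying party)."""

    def __init__(self):
        self.totp_secret = b"constructed-totp-seed"        # also enrolled in the victim's app
        self.cred_key = b"constructed-per-credential-key"  # stands in for the public key
        self.sessions = {}

    def _issue(self):
        tok = secrets.token_urlsafe(16)
        self.sessions[tok] = "alice"
        return tok

    def login_totp(self, password, code, now):
        if password != "correct-horse" or code != totp(self.totp_secret, now):
            return None
        return self._issue()  # the session cookie an AiTM relay captures

    def login_webauthn(self, challenge, assertion):
        client = json.loads(assertion["clientDataJSON"])
        # Server-side origin check, independent of anything the browser did.
        if client["challenge"] != challenge or client["origin"] != LEGIT_ORIGIN:
            return None
        signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"].encode()).digest()
        expected = hmac.new(self.cred_key, signed, hashlib.sha256).digest()
        return self._issue() if hmac.compare_digest(expected, assertion["signature"]) else None


class VictimBrowser:
    """Victim's browser plus platform authenticator; `origin` is the page actually loaded."""

    def __init__(self, origin, idp):
        self.origin = origin
        self.credentials = {RP_ID: idp.cred_key}  # credentials are scoped to an RP ID

    def get_assertion(self, options, enforce_rpid_check=True):
        host, rp_id = self.origin.split("://", 1)[1], options["rpId"]
        # Browser check: rpId must be the current host or a registrable suffix of it.
        if enforce_rpid_check and not (host == rp_id or host.endswith("." + rp_id)):
            raise PermissionError("SecurityError: rpId does not match current origin")
        client_json = json.dumps({"type": "webauthn.get", "challenge": options["challenge"],
                                  "origin": self.origin}, sort_keys=True)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05"  # rpIdHash + flags
        signed = auth_data + hashlib.sha256(client_json.encode()).digest()
        sig = hmac.new(self.credentials[rp_id], signed, hashlib.sha256).digest()
        return {"clientDataJSON": client_json, "authenticatorData": auth_data, "signature": sig}


class AiTMRelay:
    """Reverse proxy at PHISH_ORIGIN that forwards the victim's traffic to the IdP live."""

    def __init__(self, idp):
        self.idp, self.stolen = idp, []

    def relay_totp(self, password, code, now):
        tok = self.idp.login_totp(password, code, now)
        if tok:
            self.stolen.append(tok)  # lifted from the Set-Cookie on the way back
        return tok


def totp_relay_attack(now=1_700_000_000.0) -> bool:
    """True if the relay ends up holding a session the IdP accepts."""
    idp = IdentityProvider()
    relay = AiTMRelay(idp)
    code = totp(idp.totp_secret, now)  # the victim reads this from their authenticator app
    relay.relay_totp("correct-horse", code, now)
    return bool(relay.stolen) and idp.sessions.get(relay.stolen[0]) == "alice"


def webauthn_login(origin, enforce_rpid_check=True) -> str:
    """Outcome of a WebAuthn sign-in made while the browser is on `origin`."""
    idp = IdentityProvider()
    victim = VictimBrowser(origin, idp)
    options = {"challenge": secrets.token_hex(16), "rpId": RP_ID}  # a relay passes these through unchanged
    try:
        assertion = victim.get_assertion(options, enforce_rpid_check)
    except PermissionError:
        return "browser-refused"
    return "session-issued" if idp.login_webauthn(options["challenge"], assertion) else "idp-rejected"
```

`totp_relay_attack()` returns True: the code was valid when relayed, so the relay holds a session the IdP accepts. `webauthn_login(PHISH_ORIGIN)` returns "browser-refused" because the relay's hostname is not covered by the real site's RP ID; forcing the browser past that check (`enforce_rpid_check=False`, a hypothetical switch added only to expose the second layer) still ends in "idp-rejected" because the clientDataJSON origin is the relay's, not the tenant's. Only `webauthn_login(LEGIT_ORIGIN)` yields a session.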

Token protection and Continuous Access Evaluation: Conditional Access token protection (sign-in session binding) ties a session token to the device it was issued to, so a cookie replayed from attacker infrastructure is refused by the services that enforce it. Continuous Access Evaluation (CAE) lets supporting Microsoft 365 services re-evaluate an access token in near real time rather than waiting for it to expire, revoking it on critical events such as account disablement, password reset or, where a Conditional Access location policy is in place, a request arriving from an IP address outside that policy. Enable both, and check which workloads and clients actually enforce them, since coverage is not uniform.

Impossible travel detection: sign-in risk policies that flag authentication from a location inconsistent with the account's recent sign-ins can catch the attacker's first use of the stolen session from relay infrastructure, particularly when the relay node is far from the victim. These policies require Entra ID P2 and Identity Protection configuration, and IP geolocation is approximate, so thresholds need tuning rather than alerting on every small jump.
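The check behind this detection is a velocity calculation over consecutive successful sign-ins. The following is an added example (not Microsoft's implementation) of that calculation over constructed records shaped loosely like Entra sign-in log entries (userPrincipalName, createdDateTime, ipAddress, location.geoCoordinates, status.errorCode); the speed threshold, the minimum distance used to absorb geolocation noise, and the coordinates are assumptions. It skips failed sign-ins and records with no geolocation, since neither is evidence that the account holder moved.

```python
"""Flag sign-in pairs whose implied travel speed is physically impossible.
Added example of the velocity check behind atypical/impossible travel detections;
not Microsoft's code. Records are constructed in a simplified Entra sign-in log shape."""
import json
import math
from collections import defaultdict
from datetime import datetime

MAX_PLAUSIBLE_KMH = 900.0   # assumed threshold, roughly airliner speed
MIN_DISTANCE_KM = 50.0      # assumed floor to absorb IP geolocation imprecision
EARTH_RADIUS_KM = 6371.0

# Constructed events: alice London then Lagos 20 minutes later; bob London then Manchester
# two hours later; carol one success and one failed attempt from Sydney; dave ungeolocated.
SIGNIN_LOG = [
    '{"userPrincipalName":"alice@example-tenant.test","createdDateTime":"2026-04-15T10:00:00Z","ipAddress":"203.0.113.10",'
    '"location":{"city":"London","geoCoordinates":{"latitude":51.5074,"longitude":-0.1278}},"status":{"errorCode":0}}',
    '{"userPrincipalName":"alice@example-tenant.test","createdDateTime":"2026-04-15T10:20:00Z","ipAddress":"198.51.100.77",'
    '"location":{"city":"Lagos","geoCoordinates":{"latitude":6.5244,"longitude":3.3792}},"status":{"errorCode":0}}',
    '{"userPrincipalName":"bob@example-tenant.test","createdDateTime":"2026-04-15T09:00:00Z","ipAddress":"203.0.113.10",'
    '"location":{"city":"London","geoCoordinates":{"latitude":51.5074,"longitude":-0.1278}},"status":{"errorCode":0}}',
    '{"userPrincipalName":"bob@example-tenant.test","createdDateTime":"2026-04-15T11:00:00Z","ipAddress":"203.0.113.44",'
    '"location":{"city":"Manchester","geoCoordinates":{"latitude":53.4808,"longitude":-2.2426}},"status":{"errorCode":0}}',
    '{"userPrincipalName":"carol@example-tenant.test","createdDateTime":"2026-04-15T12:00:00Z","ipAddress":"203.0.113.10",'
    '"location":{"city":"London","geoCoordinates":{"latitude":51.5074,"longitude":-0.1278}},"status":{"errorCode":0}}',
    '{"userPrincipalName":"carol@example-tenant.test","createdDateTime":"2026-04-15T12:05:00Z","ipAddress":"198.51.100.9",'
    '"location":{"city":"Sydney","geoCoordinates":{"latitude":-33.8688,"longitude":151.2093}},"status":{"errorCode":50126}}',
    '{"userPrincipalName":"dave@example-tenant.test","createdDateTime":"2026-04-15T13:00:00Z","ipAddress":"192.0.2.5",'
    '"location":{"city":null},"status":{"errorCode":0}}',
]


def haversine_km(a, b):
    """Great-circle distance between two (latitude, longitude) points in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def _coords(record):
    geo = (record.get("location") or {}).get("geoCoordinates")
    return (geo["latitude"], geo["longitude"]) if geo else None


def _ts(record):
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))


def impossible_travel(lines, max_kmh=MAX_PLAUSIBLE_KMH):
    """Alerts for consecutive successful sign-ins by one user that imply speed > max_kmh."""
    by_user = defaultdict(list)
    for line in lines:
        r = json.loads(line)
        # Failed sign-ins and un-geolocated IPs carry no evidence that the owner moved.
        if (r.get("status") or {}).get("errorCode", 0) != 0 or _coords(r) is None:
            continue
        by_user[r["userPrincipalName"].lower()].append(r)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=_ts)
        for prev, cur in zip(events, events[1:]):
            if prev["ipAddress"] == cur["ipAddress"]:
                continue
            km = haversine_km(_coords(prev), _coords(cur))
            if km < MIN_DISTANCE_KM:
                continue  # within geolocation noise; no travel to explain
            hours = (_ts(cur) - _ts(prev)).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append({"user": user, "km": round(km), "hours": round(hours, 2),
                               "kmh": round(speed), "from_ip": prev["ipAddress"], "to_ip": cur["ipAddress"]})
    return alerts
```

On the sample, only alice is flagged (about 5,000 km in 20 minutes, roughly 15,000 km/h); bob's London-to-Manchester hop is about 260 km in two hours, carol's distant event was a failed attempt and is ignored, and dave has nothing to compare. In a live tenant the first successful event from the relay's IP is exactly the record this pairs against the victim's last legitimate sign-in.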

User awareness: user training cannot reliably prevent AiTM, but users who receive an unexpected compliance notice, especially one that leads to a Microsoft sign-in prompt outside a known announcement period, should have a clear path to report it without completing the authentication flow.

Microsoft’s full technical indicator set, including phishing infrastructure IP ranges and relay node characteristics, is available to Microsoft Defender XDR customers via the threat intelligence platform.
