Microsoft phishing campaign stole auth tokens from 35,000 users
Microsoft disclosed a large-scale phishing campaign that targeted more than 35,000 users at over 13,000 organizations across 26 countries, with most victims in the United States and concentrations in healthcare, life sciences, financial services, professional services, and technology. The operation used code-of-conduct and compliance-themed emails delivered through legitimate email services, including abuse of platforms such as Amazon SES, to make messages appear trustworthy and help them pass common email authentication checks. Victims received PDF attachments containing links that led through fake CAPTCHA and document-review pages before landing on spoofed Microsoft sign-in portals.
Microsoft said the attackers used an adversary-in-the-middle phishing flow to capture credentials and authentication tokens in real time, allowing them to bypass weak multifactor authentication and gain immediate account access. The company described the activity as one of the most sophisticated code-of-conduct-themed credential theft campaigns it has observed and said it reflects broader trends including CAPTCHA-gated phishing, QR-code phishing, and phishing-as-a-service ecosystems such as Tycoon 2FA, Kratos, and EvilTokens. Microsoft urged organizations to strengthen defenses with Defender for Office 365, SmartScreen-enabled browsers, phishing awareness training, stronger authentication, conditional access policies, and automated attack disruption in Defender XDR.
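As an added defender-side example (not code from Microsoft or from any of the reports cited below), the following Python flags the trace an AiTM token theft leaves in sign-in telemetry: a session minted by an MFA-satisfied interactive sign-in that is then used, within minutes, from a different IP address. The event format, user names and IP addresses are constructed for the example and are not from the campaign.

```python
"""Flag AiTM-style token replay in sign-in events (constructed sample data)."""
from datetime import datetime, timedelta

# Constructed sample events, not campaign data: alice's MFA-satisfied sign-in is
# followed by reuse of the same session from another IP three minutes later;
# bob's session is only ever used from the IP that completed MFA.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "session": "s-1001", "time": "2026-04-15T09:02:10",
     "ip": "203.0.113.10", "interactive": True, "mfa": True},
    {"user": "alice@example.com", "session": "s-1001", "time": "2026-04-15T09:05:42",
     "ip": "198.51.100.77", "interactive": False, "mfa": False},
    {"user": "bob@example.com", "session": "s-2002", "time": "2026-04-15T10:00:00",
     "ip": "203.0.113.20", "interactive": True, "mfa": True},
    {"user": "bob@example.com", "session": "s-2002", "time": "2026-04-15T10:30:00",
     "ip": "203.0.113.20", "interactive": False, "mfa": False},
]


def find_token_replay(events, window=timedelta(minutes=30)):
    """Return (user, session, origin_ip, reuse_ip) for every session whose token
    is used from an IP other than the one that completed MFA, within `window`.

    A proxy sitting between victim and Microsoft completes MFA from the victim's
    IP, then the captured session is used from the attacker's infrastructure;
    the IP change on the same session id is the signal this function keys on.
    """
    origin = {}   # session id -> (user, ip, time) of the interactive MFA sign-in
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        sid = ev["session"]
        if ev["interactive"] and ev["mfa"]:
            origin[sid] = (ev["user"], ev["ip"], t)   # session minted here
            continue
        if sid not in origin:
            continue                                   # no known origin to compare
        user, origin_ip, t0 = origin[sid]
        if ev["ip"] != origin_ip and t - t0 <= window:
            hits.append((user, sid, origin_ip, ev["ip"]))
    return hits


if __name__ == "__main__":
    for hit in find_token_replay(SAMPLE_EVENTS):
        print("possible AiTM token replay:", hit)
```

Real tenants should compare ASN or named location rather than raw IP to avoid noise from mobile carriers and VPNs; the logic above is the minimal form of that correlation.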

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Microsoft publishes findings on global token-stealing phishing campaign
Microsoft publicly disclosed details of the April 2026 phishing campaign, describing it as a sophisticated operation that stole credentials and authentication tokens from more than 35,000 users. The company also recommended layered defenses such as Defender protections, SmartScreen, stronger authentication, conditional access, and automated attack disruption.
Wiz publicly discloses 20-year-old PostgreSQL vulnerabilities
At a ZeroDay.Cloud event in London, Wiz publicly detailed PostgreSQL vulnerabilities CVE-2026-2005 and CVE-2026-2006 on May 4, 2026, highlighting their potential for memory corruption and possible code execution. The disclosure also emphasized PostgreSQL's broad cloud exposure and advised administrators to update immediately and review logs for suspicious activity.
Attackers use AiTM phishing to steal Microsoft auth tokens
In the same April 2026 campaign, victims were routed through PDF links, fake CAPTCHA and document-review pages, and deceptive Microsoft sign-in pages that captured credentials and authentication tokens in real time. This adversary-in-the-middle flow enabled attackers to bypass multifactor authentication and gain immediate account access.
Large phishing campaign targets 35,000 users across 26 countries
From April 14 to 16, 2026, attackers ran a large-scale phishing and credential theft campaign using code-of-conduct and compliance-themed lures sent through legitimate email delivery services. The operation targeted more than 35,000 users at over 13,000 organizations, with most victims in the United States and sectors including healthcare, finance, professional services, and technology.
MariaDB releases fixes for CVE-2026-32710
MariaDB released patches for the JSON_SCHEMA_VALID vulnerability identified during the Wiz competition. The fixes were made available on February 4, 2026.
PostgreSQL patches critical pgcrypto vulnerabilities
PostgreSQL maintainers fixed CVE-2026-2005 and CVE-2026-2006 across supported branches in February 2026 and urged users to upgrade. The fixes were released in versions 18.2, 17.8, 16.12, 15.16, and 14.21.
Wiz ZeroDay.Cloud competition exposes PostgreSQL and MariaDB flaws
During Wiz's ZeroDay.Cloud competition in December 2025, Team Xint Code and Team Bugz Bunnies exploited and identified two PostgreSQL vulnerabilities in the pgcrypto extension, while Team Xint Code also found a MariaDB flaw in JSON_SCHEMA_VALID. The PostgreSQL bugs had existed since roughly 2005, making them long-lived issues in widely deployed database software.
Sources
Code of Conduct Phishing Emails Target 35,000 Users in Multi-Stage AiTM Attack (cybersecuritynews.com)
Microsoft warns of global campaign stealing auth tokens from 35K users (securityaffairs.com)
Microsoft Details Phishing Campaign Targeting 35,000 Users Across 26 Countries (thehackernews.com)
AI finds 20-year-old bugs in PostgreSQL and MariaDB (infoworld.com)
Wiz ZeroDay.Cloud Event Reveals 20-Year-Old PostgreSQL Vulnerabilities (hackread.com)