HackWatch
High risk | Phishing

Microsoft Flags Multi-Stage Phishing Campaign Exploiting Code of Conduct Themes to Steal Tokens

Verification-lure coverage focused on fake messages, cloned pages and account defense steps.

Phishing signal detected. Verify the sender independently, avoid login links and rotate credentials if any code or password was exposed.
Marcin Pocztowski

Infrastructure Security Editor

Infrastructure and Vulnerability Response

By: Artur Ślesik

Published: May 04, 2026

Incident status: Mitigation available

Corroborating sources: 1

Technical review credentials: Security+ evidence | RHCSA evidence | JNCIS-SEC evidence

Trust note: This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.

The published article is checked against public sources before publication, and material corrections are reflected in the article update date.

Technical reviewer note: Marcin Pocztowski reviewed this alert on May 04, 2026 for server impact, affected-version evidence, privilege or code-execution claims and realistic patch priority. His remediation note follows the same discipline he would use around Juniper routers and production servers: verify scope, preserve useful logs, reduce exposed management access and only then apply the fix or compensating control supported by the 1 corroborating source.

Review our editorial policy or send corrections to [email protected].

Mitigation available. Mitigation guidance or a workaround is available, but defenders should still verify rollout status and exposure.

Microsoft Defender Research uncovered a sophisticated phishing campaign leveraging code of conduct-themed emails and legitimate services to hijack authentication tokens via an adversary-in-the-middle (AiTM) attack.

GLOBAL, May 4, 2026, 16:23 UTC

Microsoft Defender Research has identified a widespread phishing campaign that uses a multi-stage attack chain centered around code of conduct-themed lures to compromise user credentials and authentication tokens.

The attackers exploited legitimate email services to send fully authenticated messages from domains under their control, increasing the trustworthiness of their phishing emails. This method allowed them to bypass common email security filters and deceive recipients into engaging with malicious content.

Central to the campaign is an adversary-in-the-middle (AiTM) technique that targets authentication tokens, enabling attackers to circumvent traditional multi-factor authentication protections and gain persistent access to compromised accounts.

Microsoft's analysis highlights that the campaign’s multi-step approach begins with carefully crafted emails referencing company policies and conduct guidelines, a tactic designed to prompt immediate attention and reduce suspicion among employees.

Once a user interacts with the phishing content, the attackers initiate token theft by intercepting authentication flows, effectively capturing session tokens that grant access without requiring password input.

This attack vector is particularly concerning because it undermines token-based security measures widely adopted by enterprises, including OAuth tokens used in cloud services and single sign-on systems.

Microsoft’s report underscores the sophistication of the campaign, noting the use of legitimate infrastructure and authenticated email channels, which complicates detection and response efforts.

Security teams are urged to review email authentication practices, including DMARC, DKIM, and SPF configurations, and to monitor for unusual token usage patterns that could indicate compromise.
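One way to look for the unusual token usage patterns mentioned above, as an added example that is not taken from Microsoft's advisory or from this article: the script flags a session that is first seen in one context and then presented from a different IP with a different country or client. The log records are constructed, and the field names (`session`, `country`, `agent`) and the one-hour window are assumptions, not a vendor schema.

```python
from datetime import datetime, timedelta

# Constructed sign-in/token-use records. Field names are hypothetical,
# not a vendor log schema; IPs come from documentation ranges.
SAMPLE_EVENTS = [
    {"ts": "2026-05-04T09:00:05", "user": "alice", "session": "s-1001",
     "ip": "198.51.100.10", "country": "PL", "agent": "Edge/124 Windows"},
    {"ts": "2026-05-04T09:07:40", "user": "alice", "session": "s-1001",
     "ip": "203.0.113.77", "country": "NL", "agent": "python-requests/2.31"},
    {"ts": "2026-05-04T09:09:12", "user": "alice", "session": "s-1001",
     "ip": "198.51.100.10", "country": "PL", "agent": "Edge/124 Windows"},
    {"ts": "2026-05-04T08:30:00", "user": "bob", "session": "s-2002",
     "ip": "192.0.2.15", "country": "DE", "agent": "Chrome/124 macOS"},
    {"ts": "2026-05-04T08:50:00", "user": "bob", "session": "s-2002",
     "ip": "192.0.2.99", "country": "DE", "agent": "Chrome/124 macOS"},
]


def find_session_reuse(events, window=timedelta(hours=1)):
    """Flag a session presented from a new IP with a different country or
    client shortly after the context in which it was first seen."""
    baseline = {}   # session id -> (first timestamp, first event)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO 8601 sorts as text
        ts = datetime.fromisoformat(ev["ts"])
        if ev["session"] not in baseline:
            baseline[ev["session"]] = (ts, ev)
            continue
        first_ts, first = baseline[ev["session"]]
        if ev["ip"] == first["ip"] or ts - first_ts > window:
            continue  # same network, or outside the correlation window
        changed = [f for f in ("country", "agent") if ev[f] != first[f]]
        if changed:  # an IP change alone (VPN, Wi-Fi to LTE) is not flagged
            findings.append({"user": ev["user"], "session": ev["session"],
                             "first_ip": first["ip"], "new_ip": ev["ip"],
                             "changed": changed, "ts": ev["ts"]})
    return findings


if __name__ == "__main__":
    for hit in find_session_reuse(SAMPLE_EVENTS):
        print(hit)
```

A hit is a lead for review rather than proof of compromise; tune the window and the compared fields against your own sign-in data.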

Users should be cautious of unexpected emails referencing internal policies and avoid clicking links or downloading attachments without verification through separate channels.

The campaign’s scale and complexity suggest a well-resourced threat actor aiming to infiltrate organizations by exploiting trust in internal communications and the growing reliance on token-based authentication.

Microsoft continues to track the campaign and recommends organizations implement robust token monitoring, enforce conditional access policies, and educate employees on phishing indicators.

While no specific sectors were singled out, the attack’s reliance on corporate policy themes implies a focus on enterprise environments where such communications are routine.

The evolving nature of AiTM attacks signals a shift in attacker strategies, emphasizing the need for continuous adaptation of security controls beyond password protection.

Organizations should also consider deploying advanced threat detection tools capable of identifying anomalous authentication attempts and token misuse.

As this campaign unfolds, the risk of widespread credential theft and unauthorized access remains high, with potential impacts including data breaches and account takeovers.

Microsoft’s detailed advisory is available on their security blog, providing technical guidance and mitigation strategies for affected entities.

https://www.microsoft.com/en-us/security/blog/2026/05/04/breaking-the-code-multi-stage-code-of-conduct-phishing-campaign-leads-to-aitm-token-compromise/

Sources used for this article

microsoft.com

Artur Ślesik

Real reviewer profile

Founder of HackWatch.io and WEB-NET; Editorial Reviewer

Artur Ślesik is the founder of HackWatch.io and WEB-NET, a real named reviewer with 17+ years of experience building and maintaining web portals.

Coverage focus: Secure web portals, phishing prevention, user-facing recovery guides and practical web-security review

Editorial disclosure: This is a real named founder profile. HackWatch does not claim unverified security certifications, SOC employment history or CERT incident-response credentials for Artur. Security guidance is grounded in public sources, HackWatch tooling and first-hand web-portal experience.

Artur leads this phishing alerts coverage lane at HackWatch. This article is maintained as part of the ongoing editorial watch around "Microsoft Flags Multi-Stage Phishing Campaign Exploiting Code of Conduct Themes to Steal Tokens".

Secure web portals and publishing operations

Phishing prevention and account-safety guidance

User-facing recovery playbooks