Microsoft Defender details AiTM phishing
- Microsoft Defender said a “code of conduct” phishing campaign used polished, internal-looking emails and fake login flows to steal live Microsoft 365 session tokens.
- The campaign hit 35,000-plus users at 13,000-plus organizations in 26 countries, with 92% of messages landing in U.S. inboxes.
- It matters because AiTM phishing defeats ordinary MFA by stealing authenticated sessions, not just passwords. (microsoft.com)
Microsoft is out with a useful breakdown of a phishing campaign that looks ordinary at first and then gets much nastier. The lure was a fake “code of conduct” complaint: an email built to make an employee panic and click fast. But the real trick came later. The attackers didn’t just want a password. They wanted the live session that exists after login, which lets them walk past normal MFA and take over the account anyway. (microsoft.com)

### What was the bait?

The emails were dressed up like internal corporate messages and sent through legitimate email services from attacker-controlled domains, so they looked more authentic than the usual spam blast. The message pushed urgency: accusations, deadlines, and a prompt to review the supposed complaint in a PDF. Microsoft said the campaign targeted tens of thousands of users, mostly in the U.S. (microsoft.com)

### Why the “code of conduct” angle?

Because it messes with judgment. A fake invoice is easy to ignore. A message implying HR trouble or misconduct is harder. Microsoft’s write-up says the templates were polished and enterprise-looking, with small authenticity cues baked in to make the recipient think, “This is annoying, but probably real.” That emotional shove is part of the attack, not decoration. (microsoft.com)

### What happened after the click?

The victim didn’t go straight to a fake Microsoft login page. The chain used multiple intermediate steps, including CAPTCHA screens, staging pages, and other detours that made the flow feel more legitimate while also filtering out bots and automated scanners. Only at the end did the victim reach what looked like a normal sign-in experience, served from inside an adversary-in-the-middle (AiTM) setup. (microsoft.com)

### What does AiTM actually steal?

Not just credentials. The attacker sits in the middle of the real authentication flow, proxies the traffic, and captures the authentication tokens or session cookies created after the user signs in. That matters because those tokens are the proof that the service already accepted the login. The password was only needed to get the token minted; once the attacker holds a valid session, a password reset alone may not kick them out, because the session does not depend on the password. (microsoft.com)

### Why doesn’t MFA stop this?

Because the victim really does complete MFA. The attacker isn’t guessing the code afterward. The attacker is relaying the whole login in real time and then grabbing the authenticated session that comes out the other side. It’s like stealing the wristband after security already checked your ticket. The checkpoint worked, but the proof of entry got copied. (microsoft.com)

### How big was it?

Reporting put the scope at more than 35,000 users across more than 13,000 organizations in 26 countries between April 14 and April 16, 2026. Roughly 92% of the emails hit U.S. inboxes, and healthcare and life sciences were especially exposed. That scale is the point: this was not a boutique spearphish. (expertinsights.com)

### What should defenders do?

Microsoft’s protection guidance pushes a layered setup: harden endpoints, block risky destinations, enable network protection, and use controls that reduce token theft and replay risk. Just as important, responders need to revoke active sessions and tokens after a compromise, not only reset passwords. A reset changes the one thing the attacker no longer needs; revocation takes away the thing they actually hold. (learn.microsoft.com)

### Why is this happening now?

Because ordinary password phishing is getting less useful. More companies have MFA, so attackers have shifted to stealing the post-login session instead. Microsoft has been tracking that broader trend for a while, including large AiTM services like Tycoon2FA that lowered the skill needed to run these attacks at scale. (microsoft.com)

### The bottom line

The attacker assumes MFA is already there. The email is just the opener. The real target is the authenticated session, and if defenders treat this like old-school password theft, they’ll miss the part that actually keeps the attacker inside. (microsoft.com)
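The session-theft mechanism described above (the proxy relays a real, MFA-protected login and copies the session cookie) and the response guidance (revoke sessions, don’t just reset the password) are easy to see in a small model. The following is an added example written for this page, not Microsoft’s code or anything from the reported campaign: the `IdentityService`, `AitmProxy`, the user `alice@contoso.example`, her passwords and authenticator secret are all constructed for the demo. It shows that the stolen cookie keeps working after a password reset and only dies when the session is revoked.

```python
# Toy model of AiTM session theft and of why a password reset alone does not
# evict the attacker. Added example; not Microsoft's code. The identity
# service, the proxy and the user record are constructed for the demo.
import hashlib
import hmac
import secrets
import time


def mfa_code(secret: bytes, window: int) -> str:
    """TOTP-style 6-digit code derived from a shared secret and a time window."""
    digest = hmac.new(secret, str(window).encode(), hashlib.sha1).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class IdentityService:
    """Stand-in for an identity provider: password + MFA code, then a bearer session cookie."""

    def __init__(self):
        self.users = {}     # upn -> {"pw": password hash, "mfa": authenticator secret}
        self.sessions = {}  # session cookie -> upn
        self.now = lambda: int(time.time() // 30)  # overridable so the demo is deterministic

    @staticmethod
    def _hash(password: str) -> bytes:
        # Toy hash for the demo only; a real IdP uses a salted, slow KDF.
        return hashlib.sha256(password.encode()).digest()

    def register(self, upn: str, password: str, mfa_secret: bytes) -> None:
        self.users[upn] = {"pw": self._hash(password), "mfa": mfa_secret}

    def login(self, upn: str, password: str, code: str):
        """Return a fresh session cookie on success, None on failure. MFA is genuinely checked."""
        user = self.users.get(upn)
        if user is None:
            return None
        if not hmac.compare_digest(user["pw"], self._hash(password)):
            return None
        if not hmac.compare_digest(mfa_code(user["mfa"], self.now()), code):
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = upn
        return cookie

    def whoami(self, cookie: str):
        """Bearer check: whoever presents a valid cookie is treated as that user."""
        return self.sessions.get(cookie)

    def reset_password(self, upn: str, new_password: str) -> None:
        # Deliberately leaves existing sessions alone: this models the gap the article describes.
        self.users[upn]["pw"] = self._hash(new_password)

    def revoke_sessions(self, upn: str) -> None:
        """The response step that actually evicts a session thief."""
        self.sessions = {c: u for c, u in self.sessions.items() if u != upn}


class AitmProxy:
    """Phishing page that relays the real login upstream and copies the cookie on the way back."""

    def __init__(self, upstream: IdentityService):
        self.upstream = upstream
        self.stolen = []  # (upn, cookie) pairs captured from successful relayed logins

    def login(self, upn: str, password: str, code: str):
        cookie = self.upstream.login(upn, password, code)  # relayed in real time, MFA included
        if cookie is not None:
            self.stolen.append((upn, cookie))
        return cookie  # the victim also gets a working session and notices nothing


def run_scenario() -> dict:
    """Victim logs in through the proxy; the attacker replays the cookie across each response step."""
    upn = "alice@contoso.example"                 # constructed user
    authenticator = b"victim-authenticator-secret"  # constructed shared MFA secret
    svc = IdentityService()
    svc.now = lambda: 12345  # frozen window so victim and service agree on the code
    svc.register(upn, "Spring2026!", authenticator)
    proxy = AitmProxy(svc)

    victim_cookie = proxy.login(upn, "Spring2026!", mfa_code(authenticator, 12345))
    stolen_cookie = proxy.stolen[0][1]

    results = {"attacker_after_login": svc.whoami(stolen_cookie)}
    svc.reset_password(upn, "Autumn2026!")
    results["attacker_after_password_reset"] = svc.whoami(stolen_cookie)
    svc.revoke_sessions(upn)
    results["attacker_after_revoke"] = svc.whoami(stolen_cookie)
    results["victim_after_revoke"] = svc.whoami(victim_cookie)
    results["victim_can_relogin"] = svc.login(upn, "Autumn2026!", mfa_code(authenticator, 12345)) is not None
    return results


if __name__ == "__main__":
    for step, value in run_scenario().items():
        print(f"{step}: {value}")
```

Running the script walks through the sequence: the attacker’s copied cookie resolves to Alice immediately after the relayed login, still resolves to her after the password reset, and only returns nothing once her sessions are revoked (the victim’s own session goes too, and she signs back in with the new password). The bearer-cookie design is the weak point the page is describing; the “controls that reduce token theft and replay risk” in Microsoft’s guidance are about binding a session to the device that obtained it so a copied cookie is not enough on its own.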