Microsoft warns of a phishing campaign bypassing MFA protections

Microsoft is warning of a highly sophisticated phishing campaign that targeted tens of thousands of users across thousands of organizations, primarily in the United States.


What happened

According to Security Week, Microsoft has issued a warning about a large-scale and highly sophisticated phishing campaign targeting organizations, primarily in the United States. According to the company, more than 35,000 phishing attempts were recorded between April 14 and 16, affecting users across over 13,000 organizations in 26 countries, with 92% of targets based in the US.

The campaign used emails disguised as internal communications, often themed around a “code of conduct review” or workplace compliance notice. These messages were designed to trick recipients into clicking links that redirected them to malicious websites impersonating Microsoft login pages.


Going deeper

The phishing emails often include attachments or links that lead victims through several layers of redirection before reaching the credential-harvesting site. That site runs an Adversary-in-the-Middle (AiTM) proxy: rather than a static copy of the login page, it relays the victim's requests to the real Microsoft sign-in service and the service's responses back, so the victim completes a genuine password and MFA prompt while the attacker records the credentials and, more importantly, the session cookie issued once authentication succeeds. Replaying that cookie gives the attacker an authenticated session without triggering another MFA prompt. This defeats MFA methods that are not phishing-resistant (SMS codes, authenticator-app codes, push approvals); FIDO2 security keys and passkeys resist it because the browser binds the signed assertion to the origin it is actually on, which in this case is the phishing domain rather than the real sign-in page.
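To make the difference between "MFA" and "phishing-resistant MFA" concrete, here is an added model of the AiTM flow (example code written for this article, not Microsoft's or Paubox's). It simulates three parties: the real sign-in service, the victim's browser, and the phishing proxy that relays between them. The origins, the test account and the OTP seed are constructed for the example; an HMAC stands in for the authenticator's private-key signature, and the proxy is a function-call relay rather than a network proxy. The run() helper performs one login with either a one-time code or a WebAuthn-style assertion, directly or through the proxy, and reports whether the login succeeded and whether the attacker ended up holding a valid session.

```python
import hashlib
import hmac
import secrets

IDP_ORIGIN = "https://login.example.com"    # assumption: the genuine sign-in service
PHISH_ORIGIN = "https://login-example.com"  # assumption: attacker's lookalike domain

def otp_code(secret: bytes, counter: int) -> str:
    """HOTP-style 6-digit code (RFC 4226 dynamic truncation)."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    return f"{(int.from_bytes(mac[offset:offset + 4], 'big') & 0x7FFFFFFF) % 1_000_000:06d}"

def sign_assertion(key: bytes, origin: str, challenge: str) -> str:
    """HMAC stands in for the authenticator's signature; the signed data includes the origin."""
    return hmac.new(key, f"{origin}|{challenge}".encode(), hashlib.sha256).hexdigest()

class IdentityProvider:
    """The real sign-in service: issues a session cookie after password + MFA."""
    def __init__(self, user, password, otp_secret, webauthn_key):
        self.user = {"name": user, "password": password, "otp": otp_secret, "key": webauthn_key, "counter": 0}
        self.sessions, self.challenges = set(), set()

    def _issue_session(self):
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return cookie

    def login_otp(self, user, password, code):
        u = self.user
        if user != u["name"] or password != u["password"] or code != otp_code(u["otp"], u["counter"]):
            return None
        u["counter"] += 1            # the OTP is consumed, but the cookie it earned lives on
        return self._issue_session()

    def webauthn_challenge(self):
        challenge = secrets.token_hex(16)
        self.challenges.add(challenge)
        return challenge

    def login_webauthn(self, user, assertion):
        u = self.user
        if user != u["name"] or assertion["challenge"] not in self.challenges:
            return None
        self.challenges.discard(assertion["challenge"])
        # Relying-party origin check: the proxy cannot rewrite the origin without
        # breaking the signature, so an assertion made on PHISH_ORIGIN fails here.
        if assertion["origin"] != IDP_ORIGIN:
            return None
        expected = sign_assertion(u["key"], assertion["origin"], assertion["challenge"])
        return self._issue_session() if hmac.compare_digest(expected, assertion["signature"]) else None

class Victim:
    """Browser + authenticator. Only knows the origin shown in the address bar."""
    def __init__(self, user, password, otp_secret, webauthn_key):
        self.user, self.password, self.otp, self.key, self.counter = user, password, otp_secret, webauthn_key, 0

    def submit_password_and_otp(self, site):
        code, self.counter = otp_code(self.otp, self.counter), self.counter + 1
        return site.login_otp(self.user, self.password, code)   # identical data whoever 'site' is

    def submit_webauthn(self, site, browser_origin):
        challenge = site.webauthn_challenge()
        assertion = {"origin": browser_origin, "challenge": challenge,
                     "signature": sign_assertion(self.key, browser_origin, challenge)}
        return site.login_webauthn(self.user, assertion)

class AiTMProxy:
    """Phishing site: relays the real login flow and records what passes through."""
    def __init__(self, idp):
        self.idp, self.captured_credentials, self.captured_cookies = idp, [], []

    def _record(self, cookie):
        if cookie:
            self.captured_cookies.append(cookie)
        return cookie

    def login_otp(self, user, password, code):
        self.captured_credentials.append((user, password, code))
        return self._record(self.idp.login_otp(user, password, code))

    def webauthn_challenge(self):
        return self.idp.webauthn_challenge()

    def login_webauthn(self, user, assertion):
        return self._record(self.idp.login_webauthn(user, assertion))

def run(mfa: str, via_proxy: bool) -> dict:
    """One login with MFA type 'otp' or 'webauthn', directly or through the AiTM proxy."""
    otp_secret, key = secrets.token_bytes(20), secrets.token_bytes(32)
    idp = IdentityProvider("alice", "hunter2", otp_secret, key)   # constructed test account
    victim, proxy = Victim("alice", "hunter2", otp_secret, key), AiTMProxy(idp)
    site = proxy if via_proxy else idp
    if mfa == "otp":
        cookie = victim.submit_password_and_otp(site)
    else:
        cookie = victim.submit_webauthn(site, PHISH_ORIGIN if via_proxy else IDP_ORIGIN)
    return {"login_succeeded": cookie in idp.sessions,
            "attacker_has_session": any(c in idp.sessions for c in proxy.captured_cookies)}
```

With the one-time code, run("otp", True) reports a successful login and an attacker holding a valid session: the code was correct, the proxy simply forwarded it, and the cookie the service issued came back through the proxy. With the WebAuthn-style assertion, run("webauthn", True) fails at the service's origin check and the proxy captures nothing, while run("webauthn", False) on the real origin succeeds normally. The session cookie, not the password, is the real prize in an AiTM attack, which is why revoking sessions matters as much as resetting credentials after a suspected compromise.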

Attackers also sent the messages through a legitimate email delivery service, from domains that Microsoft assesses are likely attacker-controlled. Because that infrastructure and those domains are set up properly, the messages pass SPF, DKIM and DMARC checks rather than failing them: those mechanisms only verify that a message really came from the domain it claims, not that the domain is trustworthy. Filters that treat an authenticated message as safe therefore let the campaign through.
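The following added example (written for this article, not from Microsoft, Paubox or the campaign itself) shows why "passes SPF, DKIM and DMARC" is not a verdict on its own. It parses a constructed Authentication-Results header for two constructed messages, one genuinely from the organisation's own domain and one sent through a bulk delivery service from a lookalike domain the attacker controls, and flags the second on a different signal the campaign exposes: a message themed as an internal notice ("code of conduct review", compliance) that did not come from an internal domain. The internal domain list, the lure phrases and both sample messages are assumptions for the example.

```python
import re

# Assumptions for this example: the organisation sends mail from these domains,
# and the phrases are the lures the campaign used (code of conduct review,
# workplace compliance notices).
INTERNAL_DOMAINS = {"corp.example.com"}
INTERNAL_THEMES = ("code of conduct", "compliance", "policy acknowledgement", "hr notice")

# Constructed sample messages, not real campaign data. Both pass SPF, DKIM and
# DMARC: the second was sent through a bulk delivery service from a lookalike
# domain the attacker registered and published DKIM keys for. Note that SPF
# authenticates the delivery service's bounce domain, not the From domain;
# DMARC still passes because the DKIM signature is aligned with From.
SAMPLE_MESSAGES = [
    {"from": "HR <hr@corp.example.com>",
     "subject": "Annual Code of Conduct Review",
     "auth": "mx.corp.example.com; spf=pass smtp.mailfrom=corp.example.com; "
             "dkim=pass header.d=corp.example.com; dmarc=pass header.from=corp.example.com"},
    {"from": "HR Compliance <hr@corp-example-notices.com>",
     "subject": "Action Required: Code of Conduct Review",
     "auth": "mx.corp.example.com; spf=pass smtp.mailfrom=bounce.bulkmailer.example; "
             "dkim=pass header.d=corp-example-notices.com; dmarc=pass header.from=corp-example-notices.com"},
]

RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
DOMAIN_RE = re.compile(r"@([\w.-]+)")


def parse_auth_results(header: str) -> dict:
    """Return {method: result} from an Authentication-Results header, e.g. {'spf': 'pass', ...}."""
    return {m.group(1): m.group(2) for m in RESULT_RE.finditer(header)}


def from_domain(from_header: str) -> str:
    """Domain of the visible From address, which is what the recipient sees."""
    m = DOMAIN_RE.search(from_header)
    return m.group(1).lower() if m else ""


def fully_authenticated(auth: dict) -> bool:
    return all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))


def classify(msg: dict) -> dict:
    """Authentication tells us the domain is real; the theme/domain mismatch tells us it is not ours."""
    auth = parse_auth_results(msg["auth"])
    domain = from_domain(msg["from"])
    internal_theme = any(t in msg["subject"].lower() for t in INTERNAL_THEMES)
    suspicious = internal_theme and domain not in INTERNAL_DOMAINS
    return {"from_domain": domain, "authenticated": fully_authenticated(auth),
            "internal_theme": internal_theme, "suspicious": suspicious}


def triage(messages) -> list:
    return [classify(m) for m in messages]
```

Both sample messages come back as authenticated; only the second is flagged, because an "internal" HR notice arrived from an external domain. The check is deliberately narrow: it does not try to judge the delivery service or the domain's reputation, only whether the message's claim of being internal is consistent with where it actually came from.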

The campaign does not focus on a single industry. However, sectors such as healthcare, financial services, professional services, and technology were among the most affected.


What was said

According to the Security Week article, Microsoft explained that “Analysis of the sending infrastructure indicated that the campaign emails were sent using a legitimate email delivery service, likely originating from a cloud-hosted Windows virtual machine. The messages were sent from multiple sender addresses using domains that are likely attacker-controlled.” Microsoft also notes that “Unlike traditional credential harvesting, AiTM attacks intercept authentication traffic in real time, bypassing non-phishing-resistant multifactor authentication (MFA).”


In the know

According to Paubox’s 2025 Healthcare Email Security Report, phishing is the leading cause of healthcare data breaches, serving as the primary entry point for more sophisticated attacks such as ransomware, credential theft, and mailbox takeovers. In 2024, over 70% of healthcare data breaches originated from phishing attacks.

Inbound email security products such as Paubox's can significantly reduce this risk by detecting and blocking malicious emails before they reach users' inboxes. With capabilities like real-time threat analysis, URL and attachment scanning, and protection against impersonation attacks, these tools help stop phishing attempts at the gateway. This proactive approach minimizes reliance on end users to identify threats, strengthening overall security posture and helping healthcare organizations maintain compliance while safeguarding sensitive patient data.


Why it matters

This campaign is a reminder that phishing has evolved far beyond poorly written emails and suspicious links. Attackers are now using highly convincing, multi-step techniques that bypass multifactor authentication (MFA) whenever the MFA method in use is not phishing-resistant.

For healthcare organizations and other regulated industries, the implications are even more serious. A single compromised login can expose protected health information (PHI), trigger regulatory investigations, and lead to costly breaches. Given how frequently phishing is the entry point for cyber incidents, understanding how these attacks are evolving is critical for compliance, risk management, and patient trust.

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)


FAQs

Why is this campaign considered sophisticated?

It used Adversary-in-the-Middle (AiTM) techniques: the phishing site relays the victim's sign-in to the real Microsoft login service and captures the credentials and session token as they pass through in real time. That defeats MFA methods that are not phishing-resistant, such as SMS or app-generated codes and push approvals.


How can organizations protect themselves?

Organizations can strengthen defenses by moving to phishing-resistant MFA (FIDO2 security keys or passkeys, which are bound to the legitimate sign-in origin), restricting sign-ins with conditional access policies, revoking active sessions as well as resetting credentials when a compromise is suspected, deploying inbound email security that inspects links and attachments, and training employees to recognize phishing attempts.
