Microsoft Token Theft Campaign 2026: 35,000 Users Across 13,000 Organizations Targeted in 48 Hours
Between April 14 and 16, 2026, Microsoft tracked a large-scale credential theft campaign that targeted more than 35,000 users across 13,000+ organizations in 26 countries. The attackers used a sophisticated combination of code-of-conduct-themed phishing lures and legitimate email services to direct targets to attacker-controlled domains, where they harvested authentication tokens. The campaign was notable for its scale, precision, and the sophistication of its evasion — using trusted email infrastructure to bypass email security controls and legitimate-looking pages to steal tokens rather than passwords.
Healthcare and life sciences (19% of targets) was the most heavily targeted sector, followed by financial services and technology. 92% of targets were located in the United States.
Microsoft's Threat Intelligence team detected the campaign on April 14, 2026 and tracked it through April 16. The attackers sent phishing emails themed around code-of-conduct violations to a broad range of targets concentrated in healthcare and financial services. The emails passed email authentication controls because they were delivered through legitimate email services. Targets who clicked the links were directed to adversary-in-the-middle (AiTM) proxy pages that captured their Microsoft authentication tokens in real time, and the stolen tokens were used immediately to access victim accounts. Microsoft published detailed indicators of compromise and detection guidance within 24 hours of detecting the campaign.
The attackers sent phishing emails using code-of-conduct violation themes — telling recipients they had violated company or platform policies and needed to take immediate action. The emails were sent through legitimate email services, which allowed them to pass the email authentication checks (SPF, DKIM, DMARC) that would typically flag malicious senders. The links directed users to attacker-controlled landing pages that used adversary-in-the-middle (AiTM) proxying to capture authentication tokens in real time: the proxy relays the victim's real sign-in, including the MFA step, to Microsoft and captures the session token issued once it succeeds. By capturing tokens rather than passwords, the attack bypassed MFA — MFA is satisfied once, by the victim, and the stolen token is already authenticated when it is replayed. Microsoft's Threat Intelligence team detected the campaign through behavioral analytics and published detailed indicators of compromise to enable rapid defensive response.
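The behavioral tell of the token theft described above is visible in sign-in telemetry: the interactive sign-in (with MFA) is genuine, but the same session is then used from attacker infrastructure. The detector below is an added example, not Microsoft's tooling or schema; it runs over a constructed, simplified sign-in log and flags sessions whose token is used from a different network (ASN) than the one where the MFA sign-in occurred.

```python
"""Flag likely AiTM session-token replay in sign-in logs (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data, not Microsoft's log format).
# session_id ties the interactive MFA sign-in to later non-interactive token use.
SAMPLE_LOG = """
{"ts":"2026-04-14T09:02:11Z","user":"a.lee@example-health.org","session_id":"s1","ip":"203.0.113.10","asn":64500,"interactive":true,"mfa":true}
{"ts":"2026-04-14T09:03:40Z","user":"a.lee@example-health.org","session_id":"s1","ip":"198.51.100.77","asn":64511,"interactive":false,"mfa":false}
{"ts":"2026-04-14T09:10:05Z","user":"b.kim@example-health.org","session_id":"s2","ip":"203.0.113.22","asn":64500,"interactive":true,"mfa":true}
{"ts":"2026-04-14T11:30:00Z","user":"b.kim@example-health.org","session_id":"s2","ip":"203.0.113.22","asn":64500,"interactive":false,"mfa":false}
"""


def parse_events(text):
    """Parse one JSON event per line into dicts with a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        if line.strip():
            e = json.loads(line)
            e["t"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def detect_token_replay(events, window=timedelta(hours=24)):
    """Return alerts for sessions whose token is used from a different ASN
    than the interactive MFA sign-in that created it, within `window`.
    Comparing ASN rather than raw IP avoids noise from ordinary client IP churn."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session_id"]].append(e)
    alerts = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["t"])
        # The genuine sign-in: interactive and MFA-satisfied (the victim did this).
        origin = next((e for e in evs if e["interactive"] and e["mfa"]), None)
        if origin is None:
            continue
        for e in evs:
            if e is origin or e["t"] - origin["t"] > window:
                continue
            if e["asn"] != origin["asn"]:
                alerts.append({"user": e["user"], "session_id": sid,
                               "mfa_ip": origin["ip"], "replay_ip": e["ip"],
                               "delay_s": int((e["t"] - origin["t"]).total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in detect_token_replay(parse_events(SAMPLE_LOG)):
        print("possible token replay:", alert)
```

Session s1 is flagged (MFA sign-in from one ASN, token used 89 seconds later from another); s2 is not, because the later non-interactive use comes from the same network as the sign-in.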
The April 2026 Microsoft campaign established three current-state lessons. First, adversary-in-the-middle token theft attacks have matured into a mainstream attack technique that bypasses conventional MFA. The only defense is phishing-resistant MFA — FIDO2/passkeys — which cannot be intercepted by AiTM proxies, because the credential is bound to the legitimate site's origin and a proxy on another domain cannot complete the authentication. Second, code-of-conduct and policy violation lures are highly effective because they create urgency and fear of professional consequences that override the target's normal skepticism. Third, healthcare organizations are now among the top priority targets for credential theft campaigns — the combination of sensitive data, regulatory requirements, and typically weaker identity security than financial services creates an attractive target profile.
For PE sponsors, the April 2026 campaign establishes that conventional MFA is not sufficient protection against token theft attacks. Portfolio companies — particularly in healthcare, financial services, and technology — must deploy phishing-resistant MFA (FIDO2/passkeys) for privileged accounts and high-value employees. The 48-hour timeframe of the campaign demonstrates that these attacks move faster than most organizations' incident detection cycles.