Last updated: May 13, 2026 at 5:42 AM UTC
Tag: tycoon-2fa (1 article)

Microsoft says fake HR compliance emails fooled 35,000 people across 26 countries - phishing kit captured login tokens even with MFA enabled

Microsoft disclosed Monday that a phishing campaign between April 14 and 16 hit 35,000+ users across 13,000+ organizations in 26 countries (92% in the US). Lures impersonated internal HR with subjects like 'Internal case log issued under conduct policy.' Each email carried a PDF attachment with a 'Review Case Materials' link that walked victims through Cloudflare CAPTCHAs to a final adversary-in-the-middle (AiTM) Microsoft sign-in page. The AiTM page proxies the real Microsoft login and captures the session token issued after MFA succeeds, so traditional MFA is bypassed. Healthcare (19%), financial services (18%), and professional services (11%) were the most-targeted sectors.

Check
Search Exchange Online logs for emails between April 14-16 with subjects containing 'conduct policy' or 'awareness case log.' Hunt sign-in logs for OAuth grants from acceptable-use-policy-calendly.de or compliance-protectionoutlook.de.
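A minimal version of this hunt run over exported log lines, as an added example that is not Microsoft's or the original post's code. The JSONL field names and the campaign year (taken from the page's update timestamp) are assumptions, and the sample records are constructed; match them to your own message-trace and sign-in exports.

```python
import json
from datetime import datetime, timezone

# Indicators quoted in the advisory above. The year is assumed from the page's
# update timestamp; the record field names are assumptions for a generic JSONL export.
SUBJECT_PHRASES = ("conduct policy", "awareness case log")
WINDOW_START = datetime(2026, 4, 14, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 17, tzinfo=timezone.utc)  # exclusive: covers Apr 14-16
SUSPECT_DOMAINS = ("acceptable-use-policy-calendly.de", "compliance-protectionoutlook.de")

def parse_ts(value):
    """Parse an ISO-8601 timestamp; a trailing 'Z' is normalised to +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def records(jsonl):
    """Yield one dict per non-empty JSONL line."""
    return (json.loads(line) for line in jsonl.splitlines() if line.strip())

def hunt_messages(jsonl):
    """Message-trace records whose subject matches a lure inside the campaign window."""
    hits = []
    for rec in records(jsonl):
        received = parse_ts(rec["Received"])
        subject = rec.get("Subject", "").lower()
        if WINDOW_START <= received < WINDOW_END and any(p in subject for p in SUBJECT_PHRASES):
            hits.append(rec)
    return hits

def hunt_signins(jsonl):
    """Sign-in or consent records that reference either phishing domain in any field."""
    return [rec for rec in records(jsonl)
            if any(d in json.dumps(rec).lower() for d in SUSPECT_DOMAINS)]

# Constructed sample exports (not real tenant data); the second message is outside the window.
MESSAGES = """\
{"Received": "2026-04-15T09:12:03Z", "SenderAddress": "hr-notices@example.net", "RecipientAddress": "a.lee@example.com", "Subject": "Internal case log issued under conduct policy"}
{"Received": "2026-04-10T08:00:00Z", "SenderAddress": "hr@example.com", "RecipientAddress": "a.lee@example.com", "Subject": "Conduct policy refresher"}
{"Received": "2026-04-16T14:40:21Z", "SenderAddress": "hr-notices@example.net", "RecipientAddress": "b.ng@example.com", "Subject": "Awareness case log: action required"}
"""
SIGNINS = """\
{"createdDateTime": "2026-04-15T09:20:44Z", "userPrincipalName": "a.lee@example.com", "activity": "Consent to application", "redirectUri": "https://acceptable-use-policy-calendly.de/auth"}
{"createdDateTime": "2026-04-15T10:01:00Z", "userPrincipalName": "c.ruiz@example.com", "activity": "Sign-in", "appDisplayName": "Office 365 Exchange Online"}
"""

if __name__ == "__main__":
    for r in hunt_messages(MESSAGES):
        print("lure delivered:", r["RecipientAddress"], "|", r["Subject"])
    for r in hunt_signins(SIGNINS):
        print("suspect grant:", r["userPrincipalName"], "|", r.get("redirectUri"))
```

Users returned by the second hunt are the ones whose session tokens should be revoked under the Fix section.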
Affected
Microsoft 365 / Entra ID tenants with users on traditional MFA (push, SMS, TOTP). AiTM bypasses any non-phishing-resistant MFA factor - only FIDO2 hardware keys and Windows Hello are immune. US users in healthcare, life sciences, financial services, and professional services are at acute risk based on Microsoft's targeting data.
Fix
Migrate users to phishing-resistant MFA (FIDO2 hardware keys, Windows Hello, passkeys) for all accounts. Enable Conditional Access policies that require token binding for high-privilege accounts. Turn on Zero-hour auto purge in Defender for Office 365 to retroactively quarantine campaign emails. Revoke session tokens for any user who visited a fake sign-in page.