// PHISHING INTEL · 06 May 2026 · Unclassified / public · Source: securityweek.com
[Figure: 35K phishing attempts in 72 hours, 92% against US targets; illustrative chart splitting targets into US vs. other]
// News Desk · 06 May 2026 · phishing · identity · commentary

Microsoft flags AitM phishing wave dressed up as HR conduct reviews

Microsoft logged 35,000 phishing attempts in 72 hours, 92% of them US targets. The lure: a fake HR 'code of conduct' notice that ends in adversary-in-the-middle token theft.

Microsoft has published indicators of compromise and threat-hunting queries for a phishing campaign that ran an extraordinary volume of activity in a short window. Between 14 and 16 April, the company logged more than 35,000 attempts against users in roughly 13,000 organisations across 26 countries. Ninety-two per cent of the targets were in the United States. That is a tightly time-boxed, US-focused operation — closer to a smash-and-grab than to slow-cook intrusion work.

The lure is what makes the campaign worth thinking about. No fake invoices, no spoofed DocuSign envelope, no parcel-delivery pretext. The emails impersonate internal HR and compliance functions. Display names sit in the ‘Team Conduct Report’, ‘Workforce Communications’ and ‘Internal Regulatory COC’ family. Subject lines run along the lines of ‘Reminder: employer opened a non-compliance case log’ and ‘Internal case log issued under conduct policy’. The pretext is designed to push the recipient to click before thinking — the social pressure of being told your employer has filed a conduct complaint against you is doing most of the engineering. Awareness programmes that have spent five years training staff on parcel-delivery and tax-rebate templates have not prepared them for this.

The infrastructure behind it is, by 2026 standards, commodity. Microsoft attributes the sending side to a legitimate cloud-hosted Windows VM running through a real email-delivery service, with multiple sender addresses on attacker-controlled domains. The link in the body lands the victim on a Cloudflare CAPTCHA page first; Microsoft assesses this is acting as a gating mechanism against automated analysis, which is now standard kit in commodity phishing. A sandbox that can’t solve a CAPTCHA never sees the next page. The victim then walks through a fake document-review screen, an email-collection field, a second CAPTCHA, and finally a page that looks like a Microsoft sign-in.

That last step is where the campaign earns the “sophisticated” label in the headline. The sign-in page is an adversary-in-the-middle proxy. The user enters their credentials and completes whatever MFA step their tenant enforces; the attacker, sitting in the middle, captures the live authentication token and is straight into the account in the same session. Microsoft’s own writeup is unambiguous about the consequence: “Unlike traditional credential harvesting, AiTM attacks intercept authentication traffic in real time, bypassing non-phishing-resistant multifactor authentication.” SMS codes, push approvals, six-digit TOTP — all defeated.

Two practical takeaways for defenders.

The first is that phishing-resistant MFA is now the only authentication factor that survives a live AitM session. FIDO2 security keys, platform passkeys, Windows Hello for Business with attested hardware — these bind the credential to the genuine domain at the protocol level, so a proxy in the middle simply cannot complete the handshake. Everything else is delay, not defence. Organisations that still treat hardware-bound authenticators as a senior-executive privilege are running an MFA programme that has been outpaced by the attacker class targeting them.

The second is about the lure category. Most employee phishing-awareness content is built around fake invoices, fake delivery notifications, and fake password-reset emails. HR-themed conduct-policy phishing is a different beast — it weaponises an employee’s relationship with their own employer. It is harder to laugh off, harder to forward to IT without anxiety, and harder to spot because the visual cues match what real internal regulatory comms look like. If your security-awareness programme hasn’t tested against an HR pretext in the last twelve months, this is the moment to add it.

The honest take. The attack chain itself isn’t novel — AitM-via-Cloudflare-CAPTCHA is the dominant phishing playbook of the year. What’s notable is the speed and the geography. A sustained 35,000-attempt run in 72 hours, 92% of it aimed at the United States, suggests an operator burning infrastructure fast for maximum hit rate before takedown — and confident enough in the lure to do it loudly.
