Overview
- The campaign, observed April 14–16, lured employees from PDF attachments through CAPTCHA gates to a fake Microsoft sign-in page that proxied their sign-in session to the real service in real time.
- More than 35,000 users at about 13,000 organizations were targeted, with 92% in the U.S. and a focus on healthcare, financial services, professional services, and technology.
- Attackers sent polished compliance-themed emails via legitimate delivery services, embedding a “Review Case Materials” link in PDFs and using Cloudflare CAPTCHA to block automated checks.
- Because the adversary-in-the-middle setup captured session tokens after authentication, it bypassed code-based MFA; Microsoft therefore urges phishing-resistant sign-in such as FIDO security keys, along with defenses like Safe Links and Zero-hour Auto Purge.
- Microsoft tied many final phishing sites to Tycoon 2FA and other kits, noted Tycoon’s hosting shifts after March disruptions, and reported a sharp Q1 rise in QR code and link-based phishing.