Overview
- Microsoft says a mid‑April campaign used fake code‑of‑conduct emails to target more than 35,000 users at over 13,000 organizations across 26 countries, with 92% of intended victims in the U.S.
- The emails mimicked internal compliance notices and attached PDFs that funneled clicks to attacker sites, where CAPTCHA pages led to a look‑alike Microsoft sign‑in that proxied the session to steal credentials and tokens.
- CAPTCHA gates served to block automated scanners and to make the sign‑in flow feel routine, which raised trust and increased the chance that workers entered their passwords and second‑factor codes.
- Microsoft reports broader first‑quarter trends that include 8.3 billion detected email threats, rapid growth in QR‑code phishing, and large February and March waves that used SVG or HTML attachments to route users through CAPTCHA checks to fake login pages.
- Operators tied to phishing‑as‑a‑service moved infrastructure after a March disruption, with Tycoon 2FA shifting off Cloudflare to alternate hosts, and researchers also observed abuse of Amazon SES to send convincing messages from trusted mail systems.
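The proxied sign-in described in the overview leaves a characteristic trace in identity telemetry: the victim completes a real, MFA-satisfied sign-in, and shortly afterwards the same session token is used from a network the victim never touched. The following is an added example, not code from Microsoft or from any product in the report; it correlates a user's interactive sign-in with later session activity from a different IP within a short window, and treats a different ASN as a severity boost rather than a requirement, since an attacker using a residential proxy can land in the same ASN as the victim. The field names, the sample events and the 30-minute default window are all assumptions constructed for illustration.

```python
"""Flag possible adversary-in-the-middle (AiTM) token replay in sign-in logs.

Added example (not Microsoft's code). The log records below are constructed
for illustration; field names are assumed, not any product's schema.
"""
from datetime import datetime, timedelta

# Constructed sample records. "kind" is either "signin" (interactive sign-in,
# MFA satisfied) or "session" (a later request made with the issued token).
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "kind": "signin",  "ts": "2025-04-15T09:00:00",
     "ip": "198.51.100.10", "asn": "AS64500", "mfa": True},
    {"user": "alice@example.com", "kind": "session", "ts": "2025-04-15T09:02:00",
     "ip": "198.51.100.10", "asn": "AS64500"},
    # Same user's token used minutes later from an unrelated network.
    {"user": "alice@example.com", "kind": "session", "ts": "2025-04-15T09:07:00",
     "ip": "203.0.113.77", "asn": "AS64511"},
    {"user": "bob@example.com", "kind": "signin", "ts": "2025-04-15T10:00:00",
     "ip": "198.51.100.20", "asn": "AS64500", "mfa": True},
    {"user": "bob@example.com", "kind": "session", "ts": "2025-04-15T10:30:00",
     "ip": "198.51.100.20", "asn": "AS64500"},
    # Different network, but three hours later: outside the default window.
    {"user": "bob@example.com", "kind": "session", "ts": "2025-04-15T13:00:00",
     "ip": "203.0.113.9", "asn": "AS64511"},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the constructed records."""
    return datetime.fromisoformat(value)


def find_token_replay(events, window_minutes=30):
    """Return alerts for session activity from a different IP than the user's
    own MFA-satisfied sign-in, within `window_minutes` of that sign-in.

    Severity is "high" when the ASN also differs, "medium" when only the IP
    differs (a residential proxy may sit in the victim's own ASN).
    """
    window = timedelta(minutes=window_minutes)
    by_user = {}
    for event in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(event["user"], []).append(event)

    alerts = []
    for user, user_events in by_user.items():
        signins = [e for e in user_events if e["kind"] == "signin" and e.get("mfa")]
        sessions = [e for e in user_events if e["kind"] == "session"]
        for signin in signins:
            t0 = parse_ts(signin["ts"])
            for session in sessions:
                t = parse_ts(session["ts"])
                if not (t0 <= t <= t0 + window):
                    continue
                if session["ip"] == signin["ip"]:
                    continue
                alerts.append({
                    "user": user,
                    "signin_ts": signin["ts"],
                    "signin_ip": signin["ip"],
                    "session_ts": session["ts"],
                    "session_ip": session["ip"],
                    "severity": "high" if session["asn"] != signin["asn"] else "medium",
                })
    return alerts


if __name__ == "__main__":
    for alert in find_token_replay(SAMPLE_EVENTS):
        print(alert)
```

With the constructed data, only alice's 09:07 activity is flagged at the default window; widening the window to five hours also catches bob's 13:00 activity, which shows why the window should be tuned to how long the tenant's tokens stay valid rather than set arbitrarily.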