Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails
A sophisticated credential theft campaign targeting over 35,000 users across 13,000 organizations was observed between April 14-16, 2026. The operation primarily impacted the United States, particularly healthcare and financial services sectors. Attackers used code of conduct themed phishing emails masquerading as internal compliance communications, sent through legitimate email delivery services from attacker-controlled domains. Victims received polished HTML emails with PDF attachments containing fake disciplinary logs and CAPTCHA gates to evade automated analysis. The multi-stage attack chain ultimately directed users to counterfeit Microsoft authentication pages operating as adversary-in-the-middle infrastructure, enabling real-time interception of credentials and session tokens while bypassing multi-factor authentication defenses.
AI Analysis
Technical Summary
This threat involves a multi-stage adversary-in-the-middle (AiTM) phishing campaign that uses code of conduct-themed emails to deceive users into submitting credentials. The attackers leveraged legitimate email delivery services and attacker-controlled domains to send convincing phishing emails with PDF attachments and CAPTCHA challenges to avoid automated detection. The final stage redirects victims to fake Microsoft authentication pages that intercept credentials and session tokens in real time, effectively bypassing multi-factor authentication protections. The campaign primarily affected U.S.-based healthcare and financial organizations and targeted over 35,000 users across 13,000 organizations.
Potential Impact
The campaign enables attackers to steal user credentials and session tokens in real time, bypassing multi-factor authentication defenses. This can lead to unauthorized access to sensitive accounts and data, particularly impacting healthcare and financial sectors in the United States. The use of CAPTCHA gates and polished phishing content increases the likelihood of successful credential theft by evading automated detection systems.
Mitigation Recommendations
No official patch or fix is applicable as this is a phishing campaign rather than a software vulnerability. Organizations should educate users to recognize phishing emails, especially those masquerading as internal compliance communications. Blocking or monitoring the identified attacker-controlled domains (acceptable-use-policy-calendly.de, cocinternal.com, compliance-protectionoutlook.de) can help reduce exposure. Implementing advanced email filtering and multi-factor authentication methods resistant to AiTM attacks may also reduce risk. Since no vendor advisory or patch is available, continuous vigilance and user awareness are critical.
Affected Countries
United States
Indicators of Compromise
- domain: acceptable-use-policy-calendly.de
- domain: cocinternal.com
- domain: compliance-protectionoutlook.de
Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails
Description
A sophisticated credential theft campaign targeting over 35,000 users across 13,000 organizations was observed between April 14-16, 2026. The operation primarily impacted the United States, particularly healthcare and financial services sectors. Attackers used code of conduct themed phishing emails masquerading as internal compliance communications, sent through legitimate email delivery services from attacker-controlled domains. Victims received polished HTML emails with PDF attachments containing fake disciplinary logs and CAPTCHA gates to evade automated analysis. The multi-stage attack chain ultimately directed users to counterfeit Microsoft authentication pages operating as adversary-in-the-middle infrastructure, enabling real-time interception of credentials and session tokens while bypassing multi-factor authentication defenses.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This threat involves a multi-stage adversary-in-the-middle (AiTM) phishing campaign that uses code of conduct-themed emails to deceive users into submitting credentials. The attackers leveraged legitimate email delivery services and attacker-controlled domains to send convincing phishing emails with PDF attachments and CAPTCHA challenges to avoid automated detection. The final stage redirects victims to fake Microsoft authentication pages that intercept credentials and session tokens in real time, effectively bypassing multi-factor authentication protections. The campaign primarily affected U.S.-based healthcare and financial organizations and targeted over 35,000 users across 13,000 organizations.
Potential Impact
The campaign enables attackers to steal user credentials and session tokens in real time, bypassing multi-factor authentication defenses. This can lead to unauthorized access to sensitive accounts and data, particularly impacting healthcare and financial sectors in the United States. The use of CAPTCHA gates and polished phishing content increases the likelihood of successful credential theft by evading automated detection systems.
Mitigation Recommendations
No official patch or fix is applicable as this is a phishing campaign rather than a software vulnerability. Organizations should educate users to recognize phishing emails, especially those masquerading as internal compliance communications. Blocking or monitoring the identified attacker-controlled domains (acceptable-use-policy-calendly.de, cocinternal.com, compliance-protectionoutlook.de) can help reduce exposure. Implementing advanced email filtering and multi-factor authentication methods resistant to AiTM attacks may also reduce risk. Since no vendor advisory or patch is available, continuous vigilance and user awareness are critical.
Affected Countries
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://cyberpress.org/aitm-attack-uses-phishing/"]
- Adversary
- null
- Pulse Id
- 69fb1736879a4a945346b9ba
- Threat Score
- null
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domainacceptable-use-policy-calendly.de | — | |
domaincocinternal.com | — | |
domaincompliance-protectionoutlook.de | — |
Threat ID: 69fc4f06cbff5d8610c39dec
Added to database: 5/7/2026, 8:36:22 AM
Last enriched: 5/7/2026, 8:51:24 AM
Last updated: 5/8/2026, 9:57:41 PM
Views: 21
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.