
May 06, 2026 · 9 min read

An HR-Themed Phishing Email Just Compromised 35,000 Microsoft 365 Users in 72 Hours—and the Lure Was a Fake Disciplinary Action PDF

Microsoft's Defender Research team published a full breakdown of an adversary in the middle phishing wave that hit 13,000 organizations across 26 countries in three days. The lure was the email everyone is afraid to ignore: an HR notice about your own conduct.

On May 4, 2026, Microsoft's Defender Research team published a detailed writeup of one of the largest single coordinated phishing campaigns the company has tracked this year. Between 06:51 UTC on April 14 and 03:54 UTC on April 16, attackers sent waves of HR themed emails that ultimately landed in front of more than 35,000 users at over 13,000 organizations across 26 countries. The vast majority of targets, 92 percent, were in the United States.

The interesting part of the campaign is not its scale, although the scale is significant. It is the design. The attackers built a five stage flow that mimicked a routine internal HR investigation, used a real PDF attachment, then funneled victims through a Cloudflare CAPTCHA into a real time adversary in the middle relay that stole the user's authentication token at the moment of sign in. Multi factor authentication did not stop it. The session token captured by the attackers was already validated.

For anyone running an inbox in one of the affected industries, especially healthcare, financial services, or professional services, the campaign is a reminder that the modern phishing problem is no longer about catching typos. It is about whether the message ever lands in the inbox at all.


The Lure: A PDF You Cannot Ignore

Phishing kits live or die on whether the recipient opens the message. Most lures are interchangeable: shipping notices, fake invoices, or fake Microsoft alerts. The April campaign used something more uncomfortable. The PDF attachments shipped with filenames designed to mimic an internal compliance investigation:

  • Awareness Case Log File – Monday 13th, April 2026.pdf
  • Awareness Case Log File – Tuesday 14th, April 2026.pdf
  • Awareness Case Log File – Wednesday 15th, April 2026.pdf
  • Disciplinary Action – Employee Device Handling Case.pdf

The filenames are calibrated. They reference a date close to the moment the email arrives, they read like internal HR vocabulary, and the "Disciplinary Action" variant directly threatens the recipient's job. Even employees who are normally cautious are statistically more likely to click on a message that looks like a personal compliance review than on a generic invoice.

The senders made the message look authentic by using a small set of attacker controlled but plausible looking domains. Sending addresses included cocpostmaster@cocinternal.com, nationaladmin@gadellinet.com, m365premiumcommunications@cocinternal.com, and documentviewer@na.businesshellosign.de. The "coc" in cocinternal stands for "code of conduct." The branding is intentional.

The Attack Chain

When a recipient opened the PDF, the document presented a "Review Case Materials" link. Clicking initiated the multi stage flow:

  1. Initial landing page on one of two attacker domains, acceptable-use-policy-calendly[.]de or compliance-protectionoutlook[.]de. Both names were chosen to look plausible at a quick glance.
  2. Cloudflare CAPTCHA gate. The page displayed a real Cloudflare challenge, framed as a "validate that you are coming from a valid session" check. The CAPTCHA did two useful things for the attacker. It made the page look legitimate, because every modern enterprise site shows a Cloudflare challenge from time to time. It also blocked automated security scanners from following the chain.
  3. Authentication staging page. A site that asked the user to authenticate to "view the documentation."
  4. Credential collection. An email entry field followed by a second image selection CAPTCHA, both of which the attacker proxied to the real Microsoft sign in service in real time.
  5. Token harvest. A final redirect to what appeared to be the legitimate Microsoft sign in prompt. The user signed in with their real password and completed any MFA challenge. The attacker's adversary in the middle relay sat between the user and Microsoft, capturing the cookie and session token issued at the end of the successful sign in.

From the user's perspective the experience was indistinguishable from a normal Microsoft 365 sign in. They typed their password, approved the MFA prompt, and got into a real Microsoft session. The session token the attacker captured at the same moment was equally valid. With it, the attacker could read the user's mail, send mail as the user, and pivot inside the Microsoft 365 tenant for as long as the token remained alive.

Adversary in the Middle, Plain Language Version

Adversary in the middle phishing replaces the older "fake login form that records your password" pattern. The fake form pattern was easy to defeat with MFA, because even if the attacker had the password they could not pass the second factor. AiTM does not bother with capturing the password directly. It puts the attacker between the user and the real authentication server and lets the user complete the entire normal authentication, including MFA, while the attacker silently records the resulting cookie or session token.

Once the attacker has that cookie, the password and the MFA factor are no longer relevant. The cookie is the proof of authentication. Replaying it from the attacker's own browser produces a logged in session in the user's account. The attacker can disable MFA, register a new MFA device, set up forwarding rules, or quietly read everything the user has access to.
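As an added illustration of the detection side, not taken from Microsoft's writeup, the following Python flags a session that is suddenly presented by a different client, which is what a replayed token looks like in sign-in logs; the records, field names and IP ranges are constructed:

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records, loosely modelled on Entra ID sign-in/activity log fields.
# Field names are illustrative, not Microsoft's schema. The first two rows model an AiTM
# flow: the relay completes the sign-in (its own IP, the victim's forwarded user agent),
# then the attacker replays the same session from their own browser minutes later.
SAMPLE_EVENTS = [
    {"ts": "2026-04-14T08:02:10Z", "user": "alice@example.com", "session": "sess-a1",
     "ip": "198.51.100.7", "country": "US", "ua": "Edge/124 (Windows)"},
    {"ts": "2026-04-14T08:03:45Z", "user": "alice@example.com", "session": "sess-a1",
     "ip": "203.0.113.55", "country": "NL", "ua": "Chrome/124 (Linux)"},
    # benign: same user, same session, IP changes but country and browser do not
    {"ts": "2026-04-14T08:30:00Z", "user": "bob@example.com", "session": "sess-b1",
     "ip": "198.51.100.8", "country": "US", "ua": "Edge/124 (Windows)"},
    {"ts": "2026-04-14T09:10:00Z", "user": "bob@example.com", "session": "sess-b1",
     "ip": "198.51.100.9", "country": "US", "ua": "Edge/124 (Windows)"},
]

def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_replayed_sessions(events, window=timedelta(minutes=30)) -> dict:
    """Return {session_id: [reasons]} for sessions whose consecutive uses within
    `window` come from clients differing in country or user agent. The session id
    is exactly what the relay copies, so a valid token suddenly presented by a
    different client is the replay signal."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    flagged: dict = {}
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: _ts(e["ts"]))
        for first, second in zip(evs, evs[1:]):
            gap = _ts(second["ts"]) - _ts(first["ts"])
            if gap > window:
                continue
            reasons = []
            if first["country"] != second["country"]:
                reasons.append(f"country {first['country']}->{second['country']} within {gap}")
            if first["ua"] != second["ua"]:
                reasons.append(f"user agent {first['ua']!r} -> {second['ua']!r}")
            if reasons:
                flagged.setdefault(sid, []).extend(reasons)
    return flagged

if __name__ == "__main__":
    for sid, why in find_replayed_sessions(SAMPLE_EVENTS).items():
        print(f"revoke {sid}: " + "; ".join(why))
```

Feeding a flagged session id into a session revocation step is the manual equivalent of the automatic attack disruption Microsoft recommends later in the post.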

The same technique has been showing up across the ecosystem for the past 18 months. Bluekit shipped AiTM phishing kits with AI generated lures and 40 prebuilt brand templates earlier this year. EvilTokens turned device code phishing into a packaged service and hit 340 organizations. Venom is selling MFA bypass phishing as a subscription that targets executives. The April code of conduct campaign is a high volume member of the same family.

Who Got Hit

Microsoft did not name specific victim organizations, but the industry breakdown across the 13,000 affected tenants is informative:

  • Healthcare and life sciences: 19 percent
  • Financial services: 18 percent
  • Professional services: 11 percent
  • Technology and software: 11 percent
  • All other industries combined: 41 percent

The mix is consistent with what attackers go after when the goal is data resale, business email compromise, or downstream ransomware staging. Healthcare and financial services produce high value internal email content. Professional services and technology firms produce credentials with downstream access to client tenants. The 41 percent "other" category includes manufacturing, retail, education, and public sector targets. The campaign was not surgical. It was wide.

Why MFA Did Not Help

Microsoft is unusually direct about this in its writeup. The campaign was specifically designed to bypass non phishing resistant MFA. SMS codes, time based one time passwords from authenticator apps, and push notification approvals are all defeated by AiTM, because the attacker is not trying to predict or steal the second factor. The attacker is sitting on the live connection while the user enters and approves it.

The categories of MFA that do hold up against AiTM are the ones bound to the underlying browser session or hardware:

  • Hardware security keys (FIDO2/WebAuthn) verify the origin of the sign in request. When an attacker proxies the session, the browser presents the proxy's domain rather than the real origin, and the key refuses to sign for it.
  • Passkeys and Windows Hello resist AiTM for the same origin binding reason.
  • Certificate based authentication with strong device binding.

Anything else, including the Microsoft Authenticator push notification that most enterprises rely on by default, is bypassable by AiTM. The fix is not "do MFA harder." It is "switch to phishing resistant MFA on the highest risk roles," which Microsoft is now actively pushing as policy.
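To make the origin check described above concrete, here is an added, stdlib-only Python model of the two checks that stop a relayed WebAuthn ceremony; it is not Microsoft's or any vendor's code. The relying party login.example.com, the relay domain compliance-portal.example and the challenge are constructed, and the key's signature is represented only by the bytes it would cover.

```python
import base64, hashlib, json
from urllib.parse import urlparse

# Constructed relying party and relay domain; neither is a real service.
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://compliance-portal.example"  # stands in for the AiTM relay's domain

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def browser_allows(page_origin: str, rp_id: str) -> bool:
    """Browser rule: the RP ID a page asks for must be the page's host or a parent domain of it."""
    host = urlparse(page_origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)

def make_assertion(page_origin: str, challenge: bytes) -> dict:
    """What browser plus key hand back. The signature itself is omitted; the bytes it covers are kept."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}).encode()  # origin is written by the browser, not the page
    host = urlparse(page_origin).hostname or ""
    auth_data = hashlib.sha256(host.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signedBytes": auth_data + hashlib.sha256(client_data).digest()}

def rp_verify(assertion: dict, challenge: bytes) -> tuple:
    """Relying-party checks (WebAuthn assertion verification) that a relayed assertion fails."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin {cd.get('origin')} is not the relying party"
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match"
    # A real RP now verifies the key's signature over signedBytes with the registered public
    # key; clientDataJSON is hashed into those bytes, so the relay cannot rewrite the origin.
    return True, "ok"

def attempt(page_origin: str, challenge: bytes) -> str:
    """The whole ceremony as the RP experiences it when the user is on `page_origin`."""
    if not browser_allows(page_origin, RP_ID):
        return "browser refused: RP ID is not a suffix of the page origin"
    ok, why = rp_verify(make_assertion(page_origin, challenge), challenge)
    return "accepted" if ok else f"rejected: {why}"

if __name__ == "__main__":
    ch = b"constructed-32-byte-challenge!!!"
    print(attempt(RP_ORIGIN, ch), "|", attempt(PHISH_ORIGIN, ch))
```

Contrast this with a one time code or push approval, which carries no origin at all and therefore passes through the relay unchanged.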

What Microsoft Recommends

The blog post closes with a defensive checklist for tenants that want to lower exposure to the same campaign:

  • Enable Zero hour auto purge, Safe Links, and Safe Attachments in Defender for Office 365.
  • Deploy network protection and SmartScreen in Microsoft Edge so users hitting the AiTM relay get a browser block before the credential entry stage.
  • Move the highest risk users, especially admins and finance roles, to passwordless authentication using Windows Hello, FIDO2 keys, or Microsoft Authenticator passkeys.
  • Apply phishing resistant MFA via Conditional Access policies for any sign in to sensitive applications.
  • Enable automatic attack disruption in Defender XDR so a confirmed AiTM session can be cut off without waiting for analyst review.
  • Run user awareness training that includes simulated AiTM attacks. The traditional "look for typos" content does not match the campaign's quality.

For organizations that cannot move every user to phishing resistant MFA in the short term, the highest leverage step is the conditional access policy. Restricting sign ins to devices that pass a compliance check, or to known network ranges, raises the cost of replaying a stolen token.

What Individual Users Can Do

If you got one of the disciplinary action emails and clicked through, the practical sequence is:

  • Sign out of all sessions in your Microsoft 365 account immediately. The Microsoft account portal has a "Sign out everywhere" option that invalidates current session cookies.
  • Reset your password after the sign out, not before. A password reset issued before the session sign out leaves the stolen token still active.
  • Audit MFA registrations in your account. Attackers who get into a token frequently register a new authenticator device they control. Remove anything you do not recognize.
  • Audit mailbox forwarding rules and inbox rules. Attackers commonly add a quiet forwarding rule to grab future messages even if the session is later killed.
  • Tell IT or security. The forensic value of a fresh post compromise environment is high. Letting the security team capture logs before they roll over is critical.
  • Block tracking pixels in your inbox. Phishing operators frequently embed tracking pixels in lure emails to confirm a live recipient before sending the AiTM payload. Stripping the pixel removes that signal.

The Bigger Picture

The April campaign is a useful data point because Microsoft published the technical analysis in detail, but the trend is the actual story. Phishing kits are becoming professionalized. Multi stage flows that include real Cloudflare challenges, real CAPTCHAs, and real proxied sign in pages are now within reach for any operator who can rent a kit. Microsoft's Q1 2026 email threat landscape numbers already showed 8.3 billion phishing emails for the quarter, with QR code lures more than doubling. The April campaign is the kind of operation that adds to those numbers at scale.

The defensive direction is unambiguous. Phishing resistant MFA on the high risk roles, conditional access on the rest, automatic session termination on confirmed AiTM detection, and inbox layer controls that stop the lure before it hits the recipient. Each one of those is a project. Each one is also the difference between a campaign that produces 35,000 token compromises and one that produces 350.

The same AiTM pattern is now being aimed at WordPress agencies through paid search: Guardio Labs found a Google Ad ranking above the real ManageWP login that has already proxied 200 admin accounts controlling thousands of sites.
