Microsoft Discloses Global Credential Theft Campaign Targeting 35,000 Users
AI-generated from multiple sources. Verify before acting on this reporting.
REDMOND, Wash. — Microsoft disclosed a large-scale credential theft campaign that compromised over 35,000 users across 13,000 organizations in 26 countries. The Microsoft Defender Security Research Team and Microsoft Threat Intelligence identified the operation, which used code of conduct-themed lures and legitimate email services to harvest authentication tokens.
The attack, detected on May 5, 2026, primarily targeted entities within the United States, which accounted for 92% of the affected organizations. The campaign used social engineering disguised as corporate governance communications to trick recipients into entering credentials on fraudulent login pages. Once a user completed sign-in, the attackers captured the resulting valid token and could replay it to gain unauthorized access to corporate email systems and internal networks without re-authenticating.
Microsoft stated that the threat actors exploited the trust users place in official-sounding communications regarding workplace policies. By mimicking standard code of conduct reminders, the attackers bypassed initial scrutiny. The operation relied on compromised legitimate email accounts to send the malicious links, making the phishing attempts appear more credible to recipients.
The scope of the intrusion spans multiple industries, though specific sector breakdowns were not immediately detailed. The attackers focused on stealing authentication tokens rather than installing malware, which let them maintain access without leaving an executable on the endpoint for antivirus to flag. A replayed token lets the attacker act as the legitimate user for as long as the session remains valid, which is what makes this technique suited to lateral movement and slow, low-noise exfiltration over extended periods.
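One practical consequence of the token-replay model described above is that the attacker's use of a stolen token shows up in sign-in telemetry as the same session being presented from a second client. The following check is an added example written for this page, not code from Microsoft or from the reporting it summarizes: it parses a constructed, simplified sign-in log (the field names `sess`, `ip`, `ua` and `mfa` are assumptions for the illustration, not any product's real schema) and flags every session token that is later presented from a different source IP, rating it higher when the user agent changes as well, which is typical when a token captured from a browser is replayed by a script.

```python
"""Flag session tokens that are replayed from a different client than the one
that originally obtained them. Example code for this article; the log format
below is constructed and does not match any real product's schema."""
from datetime import datetime

# Constructed sample sign-in events (not real tenant data). One line per
# token presentation: timestamp, user, session id, source IP, user agent,
# and whether MFA was freshly satisfied or carried over from the session.
SAMPLE_LOG = """\
2026-05-05T09:02:11Z alice@example.com sess=a1b2c3 ip=203.0.113.10 ua=Chrome/124 mfa=satisfied
2026-05-05T09:41:50Z alice@example.com sess=a1b2c3 ip=198.51.100.77 ua=python-requests/2.31 mfa=previously_satisfied
2026-05-05T10:05:03Z bob@example.com sess=d4e5f6 ip=203.0.113.22 ua=Chrome/124 mfa=satisfied
2026-05-05T10:30:44Z bob@example.com sess=d4e5f6 ip=203.0.113.22 ua=Chrome/124 mfa=previously_satisfied
2026-05-05T11:12:09Z carol@example.com sess=g7h8i9 ip=203.0.113.31 ua=Edge/124 mfa=satisfied
2026-05-06T14:00:00Z carol@example.com sess=g7h8i9 ip=192.0.2.5 ua=Edge/124 mfa=previously_satisfied
"""


def parse_log(text):
    """Turn the whitespace/key=value log lines into sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        ts, user, kv = parts[0], parts[1], parts[2:]
        fields = dict(p.split("=", 1) for p in kv)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "session": fields["sess"],
            "ip": fields["ip"],
            "ua": fields["ua"],
            "mfa": fields.get("mfa", "none"),
        })
    # Process chronologically so the first presentation defines the origin.
    events.sort(key=lambda e: e["ts"])
    return events


def detect_token_replay(events):
    """Return one alert per session token presented from a new source IP.

    The first event for a session is treated as the legitimate origin. Any
    later event with a different IP is suspicious; if the user agent also
    changed the severity is raised, since a token captured from a browser
    and replayed by tooling usually arrives with a different client string.
    """
    origin = {}
    alerts = []
    for e in events:
        key = e["session"]
        if key not in origin:
            origin[key] = e
            continue
        o = origin[key]
        if e["ip"] == o["ip"]:
            continue  # same client, nothing to flag
        severity = "high" if e["ua"] != o["ua"] else "medium"
        age_hours = (e["ts"] - o["ts"]).total_seconds() / 3600
        alerts.append({
            "user": e["user"],
            "session": key,
            "origin_ip": o["ip"],
            "replay_ip": e["ip"],
            "ua_changed": e["ua"] != o["ua"],
            "mfa": e["mfa"],
            "hours_after_origin": round(age_hours, 2),
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_token_replay(parse_log(SAMPLE_LOG)):
        print(a)
```

The `mfa=previously_satisfied` value on the flagged rows is the telling detail: the attacker never performs a second factor because the token already carries the claim, so an alert that fires on "new IP plus carried-over MFA" catches replay that password and MFA logs alone would miss. In a real deployment the origin should be keyed on a stable session identifier from the identity provider and enriched with ASN or geolocation rather than a raw IP comparison.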
Microsoft has implemented additional protections within its Defender suite to detect and block similar token theft attempts. The company advised organizations to review their email security configurations and enforce multi-factor authentication across all user accounts. One caveat applies: because the tokens in this campaign were captured after the victim had already completed sign-in, a replayed token is not challenged again by MFA, so organizations should pair MFA with phishing-resistant sign-in methods and with controls that bind or revoke sessions when they appear from an unexpected client. Security researchers noted that the campaign's sophistication suggests a well-resourced group with a specific interest in corporate credentials.
The disclosure comes as organizations globally face increasing pressure from cybercriminals seeking to exploit remote work vulnerabilities. While Microsoft has shared indicators of compromise to help partners mitigate the threat, the full extent of the data exfiltration remains unclear. Questions persist regarding whether the stolen tokens have been used for further attacks or sold on underground markets.
Microsoft continues to monitor the situation and will provide updates as more information becomes available. The incident highlights the evolving nature of social engineering attacks and the critical need for user awareness training alongside technical defenses. Organizations are urged to remain vigilant against similar lures that exploit routine business communications.