216.73.216.86

Breaking the code: Multi-stage 'code of conduct' phishing campaign leads to AiTM token compromise

· Published 04/05/2026 21:18 · Modified 05/05/2026 10:06

Export JSON

Essential information

Published
04/05/2026 21:18
Modified
05/05/2026 10:06
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
aitm authentication token captcha filtering credential theft multi-stage attack social engineering token compromise
Tags
2026-05-04 aitm authentication token captcha filtering credential-theft multi-stage attack social engineering token compromise
Related entities
1 vulnerabilities (cve), 9 indicators, 9 observables, 20 techniques (mitre), 22 others

Description

A sophisticated large-scale campaign targeted over 35,000 users across 13,000 organizations, primarily in the United States, between April 14-16, 2026. Attackers distributed fully authenticated emails from legitimate services using code of conduct-themed lures with polished HTML templates. The chain included PDF attachments with embedded links, multiple CAPTCHA challenges, and intermediate staging pages designed to appear legitimate while filtering automated defenses. Recipients were directed through several layers ultimately leading to an adversary-in-the-middle phishing flow that proxied authentication sessions and captured tokens, bypassing non-phishing-resistant multifactor authentication. The campaign broadly impacted Healthcare, Financial services, Professional services, and Technology industries, using techniques that created urgency through time-bound prompts and concerning accusations.

External references