Breaking the code: Multi-stage 'code of conduct' phishing campaign leads to AiTM token compromise
Essential information
- Published
- 04/05/2026 21:18
- Modified
- 05/05/2026 10:06
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- aitm authentication token captcha filtering credential theft multi-stage attack social engineering token compromise
- Tags
- 2026-05-04 aitm authentication token captcha filtering credential-theft multi-stage attack social engineering token compromise
- Related entities
- 1 vulnerabilities (cve), 9 indicators, 9 observables, 20 techniques (mitre), 22 others
Description
A sophisticated large-scale credential theft campaign targeted over 35,000 users across 13,000 organizations, primarily in the United States, between April 14-16, 2026. Attackers distributed fully authenticated emails from legitimate services using code of conduct-themed lures with polished HTML templates. The multi-stage attack chain included PDF attachments with embedded links, multiple CAPTCHA challenges, and intermediate staging pages designed to appear legitimate while filtering automated defenses. Recipients were directed through several layers ultimately leading to an adversary-in-the-middle phishing flow that proxied authentication sessions and captured tokens, bypassing non-phishing-resistant multifactor authentication. The campaign broadly impacted Healthcare, Financial services, Professional services, and Technology industries, using social engineering techniques that created urgency through time-bound prompts and concerning accusations.