Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails
Essential information
- Published
- 06/05/2026 12:25
- Modified
- 07/05/2026 08:42
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- aitm captcha evasion credential theft financial services healthcare targeting mfa bypass phishing campaign session hijacking
- Tags
- 2026-05-06 aitm captcha evasion credential-theft financial services healthcare targeting mfa bypass phishing campaign session hijacking
- Related entities
- 3 indicators, 3 observables, 6 others
Description
A sophisticated credential theft campaign targeting over 35,000 users across 13,000 organizations was observed between April 14-16, 2026. The operation primarily impacted the United States, particularly healthcare and financial services sectors. Attackers used code of conduct themed phishing emails masquerading as internal compliance communications, sent through legitimate email delivery services from attacker-controlled domains. Victims received polished HTML emails with PDF attachments containing fake disciplinary logs and CAPTCHA gates to evade automated analysis. The multi-stage attack chain ultimately directed users to counterfeit Microsoft authentication pages operating as adversary-in-the-middle infrastructure, enabling real-time interception of credentials and session tokens while bypassing multi-factor authentication defenses.