Microsoft Details Phishing Campaign Targeting 35,000 Users Across 26 Countries

What is happening now

Microsoft has disclosed details of a large-scale credential theft campaign that has leveraged a combination of code of conduct-themed lures and legitimate email services to direct users to attacker-controlled domains and steal authentication tokens. The Hacker News form the main source layer behind the core facts in this piece.

Where the sources line up

The Hacker News is the main source layer for now, and the rest should be read as a signal that is still widening. The multi-stage campaign, observed between April 14 and 16, 2026, targeted more than 35,000 users across over 13,000 organizations in 26 countries, with 92% of the targets located in the U. S. The Hacker News form the main source layer behind the core facts in this piece.

The details worth keeping

The majority of phishing emails were directed against healthcare and life sciences (19%), financial services (18%), professional services (11%), and technology and software (11%) sectors. In security, the real value is not just the warning itself but the way it changes operational risk, account safety, and the cost of responding later.

Why this matters most

The signal is strong enough to deserve attention, but it still needs to be read as something developing rather than fully settled. With 1 source layers on the table, the part worth reading most closely is where firm facts meet the market's early reaction. "The lures in this campaign used polished, enterprise-style HTML templates with structured layouts and preemptive authenticity statements, making them appear more credible than typical phishing emails and increasing their plausibility as legitimate internal communications," the Microsoft Defender Security Research Team and Microsoft Threat Intelligence said .

What to watch next

The next layer to watch is scope, patch speed, and the operating cost if teams are forced to change process because of this story. Patrick Tech Media will keep checking rollout speed, user reaction, and how The Hacker News update the next pieces. From 1 early signals, the piece keeps 1 references that are useful for locking the main details in place.

Context Worth Keeping

Microsoft has disclosed details of a large-scale credential theft campaign that has leveraged a combination of code of conduct-themed lures and legitimate email services to direct users to attacker-controlled domains and steal authentication tokens. The multi-stage campaign, observed between April 14 and 16, 2026, targeted more than 35,000 users across over 13,000 organizations in 26 countries, with 92% of the targets located in the U. S. The majority of phishing emails were directed against healthcare and life sciences (19%), financial services (18%), professional services (11%), and technology and software (11%) sectors. The Hacker News is the main source layer for now, and the rest should be read as a signal that is still widening. In security, the real value is not just the warning itself but the way it changes operational risk, account safety, and the cost of responding later. In security coverage, the meaningful part is not just the flaw or the patch itself, but the operational risk and protection it changes. This is still a developing thread, so the useful part is knowing which source signals are hardening and which ones still need caution.

Source notes

The Hacker News pressGlobal

From Patrick Tech

Contextual tools

Secure Access Kit for Small Teams

Suggested tools for safe sign-in, account governance, and access handoff.

Open Patrick Tech Store

Community

What did you think of this story?

Drop a reaction or leave a comment right below the article.

Latest comments

0

No comments yet. You can start the conversation.