Microsoft Warns of Sophisticated Global Phishing Campaign

Microsoft researchers have identified a large-scale phishing campaign targeting 35,000 users across 13,000 organisations worldwide. The sophisticated attack uses fake compliance emails and multi-stage credential theft techniques to compromise accounts, with attackers masquerading as internal security teams and using legitimate-looking security badges to increase credibility.

Elizabeth Jenkins-Smalley

Editor In Chief at The Executive Magazine


Microsoft has issued a critical warning about a sophisticated phishing campaign operating globally. The attack targets 35,000 users across 13,000 organisations and employs social engineering techniques designed to appear legitimate. Attackers masquerade as internal security teams, creating emails that claim all links and attachments have been securely reviewed.

The campaign uses visual deception to enhance credibility. A green banner falsely claims the message is encrypted using Paubox, a genuine HIPAA-compliant communications service. The banner is simply part of the message body: it carries no cryptographic proof and anyone can reproduce it, yet it exploits users' trust in a recognised security tool. When recipients click the embedded link in a PDF attachment, they are redirected to a landing page displaying a Cloudflare CAPTCHA, presented as a validation mechanism for "valid sessions".

Multi-Stage Attack Flow and Token Theft

The attack employs multiple staged pages, each presenting email entry fields, CAPTCHAs, and reassuring status messages. This layered approach deters automated security analysis: URL scanners and sandboxes that cannot solve the CAPTCHA never reach the credential-harvesting page and see only a benign-looking challenge. After passing the CAPTCHA, users encounter another page claiming documents are encrypted and require account authentication to proceed.

The final redirect is device-specific. Desktop users are directed to a phishing site where they are prompted to sign in with Microsoft credentials under the pretence of a compliance review. This is an adversary-in-the-middle (AiTM) attack: the phishing site proxies the victim's password and MFA approval to the legitimate Microsoft sign-in, so authentication genuinely succeeds, while the proxy captures the session cookie and tokens issued in return. Replaying those tokens gives the attackers direct access to the compromised account without needing the password or a second MFA prompt.

Microsoft’s Recommended Defence Strategy

Microsoft recommends organisations take immediate action to protect against this threat. Essential steps include reviewing recommended settings for Exchange Online Protection and Microsoft Defender for Office 365. Organisations should establish proper monitoring and response procedures for threat activity. Where possible, passwordless authentication methods should be enabled to reduce reliance on credentials; phishing-resistant methods such as FIDO2 security keys, passkeys and Windows Hello for Business bind the credential to the legitimate sign-in origin, so an AiTM proxy cannot relay them.

For accounts still requiring passwords, authenticator apps such as Microsoft Authenticator should be used for multifactor authentication. Note that push and one-time-code MFA raises the bar but can still be relayed through an AiTM proxy, which is why the passwordless recommendation comes first. Safe Links and Safe Attachments should be activated in Microsoft Defender for Office 365. Automatic attack disruption in Microsoft Defender XDR should be configured to respond to detected threats in real time.
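The token theft described in the attack flow above and the monitoring Microsoft recommends meet in one practical hunt: a session that was minted by an interactive, MFA-satisfied sign-in from one network and is then reused shortly afterwards from a different network is the signature of a stolen session cookie being replayed. The following is an added example, not Microsoft's own detection logic; the sign-in records are constructed, and the field names (`session_id`, `asn`, `interactive`, `mfa`) are assumptions loosely modelled on cloud identity sign-in logs rather than any specific product schema.

```python
"""Hunt for AiTM-style session token replay in sign-in records (added example).

Heuristic: an interactive sign-in that satisfied MFA from one autonomous system,
followed within a short window by activity that reuses the same session
identifier from a different autonomous system. In an AiTM phishing flow the
victim authenticates through the attacker's proxy, which captures the session
cookie and replays it from the attacker's own infrastructure.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; not real telemetry. Field names are assumptions.
SAMPLE_SIGNINS = [
    # Alice: MFA sign-in from the corporate ASN, session reused 4 minutes later
    # from a different ASN -> classic token replay.
    {"time": "2024-05-01T09:00:00Z", "user": "alice@contoso.example", "session_id": "S1",
     "ip": "203.0.113.10", "asn": "AS64500", "interactive": True, "mfa": True},
    {"time": "2024-05-01T09:04:00Z", "user": "alice@contoso.example", "session_id": "S1",
     "ip": "198.51.100.7", "asn": "AS64511", "interactive": False, "mfa": False},
    # Bob: normal session, all activity from the same network.
    {"time": "2024-05-01T10:00:00Z", "user": "bob@contoso.example", "session_id": "S2",
     "ip": "203.0.113.20", "asn": "AS64500", "interactive": True, "mfa": True},
    {"time": "2024-05-01T10:30:00Z", "user": "bob@contoso.example", "session_id": "S2",
     "ip": "203.0.113.20", "asn": "AS64500", "interactive": False, "mfa": False},
    # Carol: reuse from another ASN, but a full day later (outside a 30 min window).
    {"time": "2024-05-01T11:00:00Z", "user": "carol@contoso.example", "session_id": "S3",
     "ip": "203.0.113.30", "asn": "AS64500", "interactive": True, "mfa": True},
    {"time": "2024-05-02T11:00:00Z", "user": "carol@contoso.example", "session_id": "S3",
     "ip": "192.0.2.44", "asn": "AS64496", "interactive": False, "mfa": False},
]


def parse_time(stamp):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_session_replays(records, window=timedelta(minutes=30)):
    """Return one finding per session whose token is reused from a different ASN
    within `window` after the interactive, MFA-satisfied sign-in that minted it.

    Comparing autonomous systems rather than raw IPs avoids flagging ordinary
    address churn inside one network (mobile carriers, NAT pools)."""
    by_session = defaultdict(list)
    for rec in records:
        by_session[rec["session_id"]].append(rec)

    findings = []
    for session_id, events in by_session.items():
        events.sort(key=lambda r: parse_time(r["time"]))
        # The sign-in that minted the session: interactive and MFA-satisfied.
        origin = next((e for e in events if e["interactive"] and e["mfa"]), None)
        if origin is None:
            continue
        t0 = parse_time(origin["time"])
        for event in events:
            if event is origin:
                continue
            delta = parse_time(event["time"]) - t0
            if delta < timedelta(0) or delta > window:
                continue
            if event["asn"] != origin["asn"]:
                findings.append({
                    "user": origin["user"],
                    "session_id": session_id,
                    "origin_ip": origin["ip"],
                    "replay_ip": event["ip"],
                    "minutes_after_signin": int(delta.total_seconds() // 60),
                })
                break  # one finding per session is enough to trigger response
    return findings


if __name__ == "__main__":
    for f in find_session_replays(SAMPLE_SIGNINS):
        print(f"token replay suspected: {f}")
```

The window is the main tuning knob: the sample flags Alice's session (reused after four minutes) but not Carol's (reused a day later); widening the window to cover the lifetime of a session cookie catches Carol too, at the cost of more travel-related false positives, so in practice the finding is best fed to automatic attack disruption as one signal among several rather than as a standalone verdict.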

Training and Awareness

Technical controls alone cannot eliminate phishing risk. User awareness and training are equally critical. Organisations should conduct realistic attack simulations during awareness training to help employees recognise phishing attempts. Employees should be taught to verify sender email addresses, not just display names, and to scrutinise any request to authenticate in order to open a document, even when the email appears to come from an internal team.
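The checks employees are asked to make by eye can also be run mechanically at triage time: is the address behind a "Security Team" display name actually internal, does the Reply-To lead somewhere else, and does the body lean on unverifiable reassurance ("securely reviewed", "encrypted") while asking for a sign-in. The following is an added example, not part of the original article and not Microsoft's detection logic; the two messages are constructed, `INTERNAL_DOMAINS` and the finding codes are assumptions, and the heuristics are generic.

```python
"""Triage a 'compliance review' e-mail for the lures described above (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed messages, not real mail. The first mimics the campaign's lure; the
# second is an ordinary internal notice used as a control.
SAMPLE_LURE = """From: "Contoso IT Security" <security-review@contoso-compliance.example>
To: alice@contoso.example
Reply-To: docs@mail-review.example
Subject: Action required: compliance review of your account
Authentication-Results: mx.contoso.example; spf=pass smtp.mailfrom=contoso-compliance.example; dkim=pass header.d=contoso-compliance.example; dmarc=pass header.from=contoso-compliance.example
Content-Type: text/plain; charset=utf-8

This message is encrypted and all links and attachments have been securely reviewed by the Security Team.
Please open the attached PDF and sign in to complete the compliance review.
"""

SAMPLE_BENIGN = """From: "Contoso HR" <hr@contoso.example>
To: alice@contoso.example
Subject: May payslip available
Content-Type: text/plain; charset=utf-8

Your May payslip is now available on the HR portal.
"""

# Assumed set of domains the organisation actually sends from.
INTERNAL_DOMAINS = {"contoso.example"}


def domain_of(address):
    """Lower-cased domain part of an e-mail address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(raw_message, internal_domains):
    """Return a list of finding codes (assumed names) for one raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, from_address = parseaddr(str(msg["From"] or ""))
    from_domain = domain_of(from_address)

    if from_domain not in internal_domains:
        # The display name claims an internal role but the address is external.
        if re.search(r"\b(security|it|compliance|helpdesk|admin)\b", display_name, re.I):
            findings.append("external_sender_posing_as_internal_team")
        # SPF/DKIM/DMARC passing for the attacker's own lookalike domain proves only
        # that they control that domain; it says nothing about an internal origin.
        auth = str(msg["Authentication-Results"] or "")
        match = re.search(r"dmarc=pass\s+header\.from=([\w.-]+)", auth)
        if match and match.group(1).lower() == from_domain:
            findings.append("dmarc_pass_only_vouches_for_external_domain")

    _, reply_address = parseaddr(str(msg["Reply-To"] or ""))
    if reply_address and domain_of(reply_address) != from_domain:
        findings.append("reply_to_domain_mismatch")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    # Reassurance a recipient cannot verify from inside the message itself.
    if re.search(r"securely reviewed|encrypted|safe to open", text, re.I):
        findings.append("unverifiable_safety_claim")
    # A sign-in demanded in order to open an attachment is the credential lure.
    if re.search(r"\b(sign in|log ?in|verify your account|authenticat)", text, re.I) \
            and re.search(r"attach", text, re.I):
        findings.append("credential_request_via_attachment")

    return findings


if __name__ == "__main__":
    print("lure:  ", triage(SAMPLE_LURE, INTERNAL_DOMAINS))
    print("benign:", triage(SAMPLE_BENIGN, INTERNAL_DOMAINS))
```

The second finding is the one worth stressing in training: a message can pass SPF, DKIM and DMARC cleanly and still be a phish, because those checks vouch for the domain in the From header, and the attacker chose that domain.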

The multi-stage nature of this campaign demonstrates the importance of defence-in-depth strategies. Even if one layer fails, for example a user clicks the link, passes the CAPTCHA and enters credentials on the phishing page, subsequent controls such as passwordless authentication, sign-in monitoring and automatic attack disruption should prevent the stolen session from being turned into account compromise. Organisations must treat security as a shared responsibility between technical systems and human vigilance.
