Breaking the code: Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise
ID: 79adb421-05f2-56b3-aa8a-9e5f14d8ed6b
STIX ID: report--79adb421-05f2-56b3-aa8a-9e5f14d8ed6b
Feed Name: Microsoft Security
Date Published: 2026-05-04
Date Updated: 2026-05-11
Author: Microsoft Defender Security Research Team and Microsoft Threat Intelligence
Microsoft Defender Research observed a multi-step phishing campaign (April 14–16, 2026) that targeted over 35,000 users across more than 13,000 organizations, primarily in the United States. The campaign used code-of-conduct-themed lures, enterprise-style PDFs with embedded links, CAPTCHA gating, intermediate staging pages, and an adversary-in-the-middle (AiTM) sign-in flow to capture authentication tokens. The report provides IoCs, hunting queries, and mitigation guidance for defenders.
