Breaking the code: Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise
A large-scale Adversary-in-the-Middle (AiTM) phishing campaign targeted over 35,000 users using sophisticated 'code of conduct' lures. The attack chain leveraged legitimate email services, PDF attachments, and multiple CAPTCHA gates to evade detection, ultimately proxying Microsoft 365 authentication sessions to steal tokens and bypass standard MFA.
Authors: Microsoft Defender Research
Source: Microsoft
- domain: acceptable-use-policy-calendly[.]de - Initial attacker-controlled landing page hosting a CAPTCHA.
- domain: cocinternal[.]com - Attacker-controlled sender domain.
- domain: compliance-protectionoutlook[.]de - Initial attacker-controlled landing page hosting a CAPTCHA.
- domain: gadellinet[.]com - Attacker-controlled sender domain.
- domain: harteprn[.]com - Attacker-controlled sender domain.
- domain: login[.]managedservice365[.]blueprivacer[.]com - Final-stage AiTM phishing domain targeting mobile devices.
- domain: login[.]managedservices365[.]assumetrend[.]org - Final-stage AiTM phishing domain targeting desktop devices.
- domain: na[.]businesshellosign[.]de - Attacker-controlled sender domain.
- email: cocpostmaster@cocinternal.com - Malicious sender address used to distribute the phishing emails.
- url: hxxps://login[.]managedservice365[.]blueprivacer[.]com/qnDaNmPM - Full URL for the mobile AiTM phishing page.
- url: hxxps://login[.]managedservices365[.]assumetrend[.]org/yvFYpxLL - Full URL for the desktop AiTM phishing page.
What Happened
Cybercriminals launched a massive email scam targeting tens of thousands of employees, mostly in the United States. The emails falsely claimed the recipient was under a 'code of conduct' review and urged them to open an attached document. Clicking the link in the document took users through several fake security checks before asking them to log into their Microsoft account. This allowed the attackers to steal their login sessions and bypass standard security protections. Organizations should train employees to spot these fake alerts and upgrade to stronger, phishing-resistant login methods.
Key Takeaways
- A large-scale phishing campaign targeted over 35,000 users primarily in the US using 'code of conduct' and HR-themed lures.
- The attack chain utilizes legitimate email delivery services, PDF attachments, and multiple CAPTCHA gates to evade automated analysis.
- The final stage employs an Adversary-in-the-Middle (AiTM) framework to proxy authentication sessions and steal tokens.
- The AiTM technique successfully bypasses traditional, non-phishing-resistant Multi-Factor Authentication (MFA).
- The campaign uses device-specific redirection, sending mobile and desktop users to different malicious domains.
Affected Systems
- Microsoft 365 accounts
- Microsoft Entra ID
- Accounts relying on non-phishing-resistant MFA
Attack Chain
The attack begins with a phishing email posing as an internal 'code of conduct' review, sent via legitimate email services. The email contains a PDF attachment that directs the user to an attacker-controlled domain protected by a Cloudflare CAPTCHA. After passing the CAPTCHA and an intermediate staging page requiring an email address and a second CAPTCHA, the user is redirected to a device-specific AiTM phishing page. Here, the user is prompted to 'Sign in with Microsoft', allowing the attacker to proxy the authentication session, steal the resulting session token, and bypass MFA.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: Yes
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Microsoft Defender XDR
The article provides a KQL advanced hunting query for Microsoft Defender XDR to identify campaign emails based on known malicious sender addresses.
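The query below is an added example, not the query from the Microsoft article. It sweeps Defender XDR advanced hunting for the indicators listed on this page (sender domains, the two lure PDF names, and the CAPTCHA and AiTM hosts) and ranks recipients by whether they went on to reach an attacker host. It assumes the EmailEvents, EmailAttachmentInfo, UrlClickEvents and DeviceNetworkEvents tables are licensed and populated in the tenant; the 30-day lookback, the 24-hour contact window and the Priority labels are choices made here, and the indicators are written without defanging brackets because KQL needs the literal strings.

```kql
// Added example: IOC sweep for this campaign in Defender XDR advanced hunting.
// Not the query from the Microsoft article. Assumes EmailEvents, EmailAttachmentInfo,
// UrlClickEvents and DeviceNetworkEvents are populated; windows and labels are choices made here.
let lookback = 30d;
let contact_window = 24h;   // how long after delivery a hit on an attacker host still counts
let sender_domains = dynamic(["cocinternal.com", "gadellinet.com", "harteprn.com", "na.businesshellosign.de"]);
let lure_pdfs = dynamic(["Awareness Case Log File – Tuesday 14th, April 2026.pdf",
                         "Disciplinary Action – Employee Device Handling Case.pdf"]);
let attacker_hosts = dynamic(["acceptable-use-policy-calendly.de",
                              "compliance-protectionoutlook.de",
                              "login.managedservice365.blueprivacer.com",
                              "login.managedservices365.assumetrend.org"]);
// Messages carrying one of the reported lure PDFs, regardless of sender
let lure_messages =
    EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | where FileName in~ (lure_pdfs)
    | distinct NetworkMessageId;
// Campaign mail: known sender domain (header From or envelope MAIL FROM) or a lure attachment
let campaign_mail =
    EmailEvents
    | where Timestamp > ago(lookback)
    | where SenderFromDomain in~ (sender_domains)
        or SenderMailFromDomain in~ (sender_domains)
        or NetworkMessageId in (lure_messages)
    | project MailTime = Timestamp, NetworkMessageId, Upn = tolower(RecipientEmailAddress),
              SenderFromAddress, SenderDisplayName, Subject, DeliveryAction, LatestDeliveryLocation;
// Evidence that a user reached a CAPTCHA or AiTM host: Safe Links clicks plus endpoint web traffic.
// RemoteUrl is often a bare hostname, so a scheme is prepended before parsing.
let reached_hosts =
    UrlClickEvents
    | where Timestamp > ago(lookback)
    | extend Host = tolower(tostring(parse_url(Url).Host))
    | where Host in (attacker_hosts)
    | project HitTime = Timestamp, Upn = tolower(AccountUpn), Evidence = strcat("SafeLinks:", ActionType), Host
    | union (
        DeviceNetworkEvents
        | where Timestamp > ago(lookback)
        | where isnotempty(RemoteUrl)
        | extend Host = tolower(tostring(parse_url(iff(RemoteUrl startswith "http", RemoteUrl, strcat("https://", RemoteUrl))).Host))
        | where Host in (attacker_hosts)
        | project HitTime = Timestamp, Upn = tolower(InitiatingProcessAccountUpn), Evidence = strcat("Endpoint:", DeviceName), Host
      );
campaign_mail
| join kind=leftouter reached_hosts on Upn
// Keep only hits that happened after the mail arrived; users without hits are kept with empty evidence
| extend InWindow = isnotempty(HitTime) and HitTime between (MailTime .. (MailTime + contact_window))
| extend HitTime = iff(InWindow, HitTime, datetime(null)),
         Evidence = iff(InWindow, strcat(Evidence, " -> ", Host), "")
| summarize Messages = dcount(NetworkMessageId),
            Delivered = dcountif(NetworkMessageId, DeliveryAction == "Delivered"),
            Senders = make_set(SenderFromAddress, 5),
            Hits = countif(isnotempty(HitTime)),
            FirstHit = min(HitTime),
            Evidence = make_set_if(Evidence, isnotempty(Evidence), 5)
  by Upn
| extend Priority = case(Hits > 0, "1-reached attacker host: revoke sessions",
                         Delivered > 0, "2-delivered: purge and contact user",
                         "3-blocked or quarantined")
| order by Priority asc, Hits desc
```

Two caveats when running this: the link in this campaign sits inside a PDF, and a PDF opened in an external reader does not pass through Safe Links, so UrlClickEvents may be empty for real victims and the DeviceNetworkEvents leg (or web proxy logs) is the one to trust; and the attachment names are matched exactly, so if the dash characters were normalised on the way into this page, loosen the match to `FileName has "Awareness Case Log File"` and `FileName has "Disciplinary Action"`.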
Detection Engineering Assessment
- EDR Visibility: Low. This is primarily an identity and email-based attack; the endpoint only shows ordinary browser execution, because the token theft happens on the attacker's proxy infrastructure.
- Network Visibility: Medium. Network logs can capture connections to the malicious domains, but the sessions are HTTPS, so only the DNS query and the TLS SNI hostname are visible, not page content or the proxied credentials.
- Detection Difficulty: Moderate. Detecting AiTM requires correlating email clicks with anomalous identity behaviour (impossible travel, unfamiliar sign-in properties, a session ID reused from a second IP address), which is hard to tune without high false-positive rates.
Required Log Sources
- Email Gateway Logs
- Identity Provider Logs (Microsoft Entra ID)
- Web Proxy / Secure Web Gateway Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Users clicking links in emails with HR or 'code of conduct' themes followed shortly by anomalous token usage or unfamiliar sign-in properties in Entra ID. | Email Gateway Logs, Entra ID Sign-in Logs | Credential Access | Medium |
| Inbound emails originating from external domains but utilizing display names mimicking internal compliance or HR departments. | Email Gateway Logs | Initial Access | Low |
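The query below is an added example for the first hypothesis in the table, not detection logic from the Microsoft article. It joins Safe Links clicks from inbound mail with HR or 'code of conduct' themed subjects to successful Entra ID sign-ins within two hours that use an IP address, country or user agent the user has not used in the previous 30 days, then checks whether the resulting session ID was also used from a second IP address (the stolen-cookie replay). It assumes the EmailEvents, UrlClickEvents and AADSignInEventsBeta tables are available in advanced hunting; the lure keywords, the baseline and hunt windows and the two-hour click-to-sign-in gap are choices made here, not campaign data.

```kql
// Added example: behavioural hunt for "lure click followed by a sign-in with never-before-seen
// properties", plus a token-replay check on the resulting session. Not from the Microsoft article.
// Assumes EmailEvents, UrlClickEvents and AADSignInEventsBeta; keywords and windows are choices made here.
let baseline_window = 30d;   // how far back to learn a user's normal sign-in properties
let hunt_window = 7d;        // period to look for suspicious clicks and sign-ins
let click_to_signin = 2h;    // max gap between the click and the proxied sign-in
// Clicks that Safe Links let through, from inbound mail whose subject matches the lure theme
let lure_clicks =
    EmailEvents
    | where Timestamp > ago(hunt_window)
    | where EmailDirection == "Inbound"
    | where Subject matches regex @"(?i)(code of conduct|disciplinary|awareness case|acceptable use|compliance|hr review)"
    | project NetworkMessageId, Subject, SenderFromAddress, SenderDisplayName
    | join kind=inner (
        UrlClickEvents
        | where Timestamp > ago(hunt_window)
        | where ActionType == "ClickAllowed" or IsClickedThrough == true
        | project ClickTime = Timestamp, NetworkMessageId, Upn = tolower(AccountUpn), Url
      ) on NetworkMessageId
    | project ClickTime, Upn, Subject, SenderFromAddress, SenderDisplayName, Url;
// Per-user baseline: IPs, countries and user agents seen in successful sign-ins before the hunt window
let known_props =
    AADSignInEventsBeta
    | where Timestamp between (ago(baseline_window) .. ago(hunt_window))
    | where ErrorCode == 0
    | summarize KnownIPs = make_set(IPAddress, 500),
                KnownCountries = make_set(Country, 50),
                KnownUAs = make_set(UserAgent, 100)
      by Upn = tolower(AccountUpn);
// Successful sign-ins in the hunt window that use something absent from the baseline.
// A user with no baseline at all (null sets) is treated as "everything is new".
let novel_signins =
    AADSignInEventsBeta
    | where Timestamp > ago(hunt_window)
    | where ErrorCode == 0
    | extend Upn = tolower(AccountUpn)
    | join kind=leftouter known_props on Upn
    | extend NewIP = not(coalesce(set_has_element(KnownIPs, IPAddress), false)),
             NewCountry = not(coalesce(set_has_element(KnownCountries, Country), false)),
             NewUA = not(coalesce(set_has_element(KnownUAs, UserAgent), false))
    | where NewIP or NewCountry or NewUA
    | project SignInTime = Timestamp, Upn, SessionId, IPAddress, Country, UserAgent,
              Application, RiskLevelDuringSignIn, NewIP, NewCountry, NewUA;
// Replay check: the proxied sign-in is seen from the AiTM proxy's IP, and the stolen cookie is then
// replayed from the attacker's own machine, so one SessionId from several IPs is the AiTM signature
let session_spread =
    AADSignInEventsBeta
    | where Timestamp > ago(hunt_window)
    | where isnotempty(SessionId)
    | summarize SessionIPs = make_set(IPAddress, 20), SessionCountries = make_set(Country, 10) by SessionId;
lure_clicks
| join kind=inner novel_signins on Upn
| where SignInTime between (ClickTime .. (ClickTime + click_to_signin))
| join kind=leftouter session_spread on SessionId
| extend SessionUsedFromMultipleIPs = coalesce(array_length(SessionIPs), 0) > 1
| project ClickTime, SignInTime, Upn, Subject, SenderFromAddress, Url,
          IPAddress, Country, UserAgent, Application, RiskLevelDuringSignIn,
          NewIP, NewCountry, NewUA, SessionId, SessionIPs, SessionCountries, SessionUsedFromMultipleIPs
| order by SessionUsedFromMultipleIPs desc, SignInTime desc
```

Because the lure link in this campaign lives inside a PDF attachment, Safe Links may never record the click; if UrlClickEvents is empty for known recipients, replace the click join with the message delivery time from EmailEvents and widen the gap accordingly. Rows where SessionUsedFromMultipleIPs is true deserve immediate session revocation; rows with only a new user agent are the noisy end of this hunt and are where the medium false-positive risk in the table comes from.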
Control Gaps
- Non-phishing-resistant MFA (e.g., SMS, voice, standard push notifications)
Key Behavioral Indicators
- Anomalous Token alerts in Entra ID
- Impossible travel activity
- Unfamiliar sign-in properties for session cookies
False Positive Assessment
- Low for the IOC-based query, which matches exact sender addresses and domains. The behavioural hunts above (lure click followed by unfamiliar sign-in properties) carry medium false-positive risk and need per-tenant tuning.
Recommendations
Immediate Mitigation
- Block the identified malicious domains and sender email addresses at the email gateway and web proxy.
- Use Threat Explorer or Zero-hour auto purge (ZAP) to find and delete delivered phishing emails from user mailboxes.
- Revoke active sessions and refresh tokens for any user suspected of interacting with the phishing links; a password reset on its own does not invalidate a session cookie the attacker already holds.
Infrastructure Hardening
- Enable phishing-resistant MFA methods such as FIDO2 security keys, Windows Hello for Business, or certificate-based authentication.
- Configure Conditional Access policies to strengthen privileged accounts with phishing-resistant MFA.
- Enable network protection in Microsoft Defender for Endpoint to block access to malicious sites.
User Protection
- Encourage the use of web browsers that support SmartScreen or similar anti-phishing technologies.
- Configure automatic attack disruption in Microsoft Defender XDR to contain attacks in progress.
Security Awareness
- Conduct phishing simulations using 'code of conduct' or HR-themed lures to train employees.
- Educate users on the risks of AiTM attacks and how to verify the legitimacy of authentication prompts and URLs.
MITRE ATT&CK Mapping
- T1566.001 - Phishing: Spearphishing Attachment
- T1566.002 - Phishing: Spearphishing Link
- T1557 - Adversary-in-the-Middle
- T1539 - Steal Web Session Cookie
- T1550.004 - Use Alternate Authentication Material: Web Session Cookie
- T1036 - Masquerading
Additional IOCs
- Domains:
  - cocinternal[.]com - Attacker-controlled sender domain.
  - gadellinet[.]com - Attacker-controlled sender domain.
  - harteprn[.]com - Attacker-controlled sender domain.
  - na[.]businesshellosign[.]de - Attacker-controlled sender domain.
- URLs:
  - hxxps://login[.]managedservice365[.]blueprivacer[.]com/qnDaNmPM - Full URL for the mobile AiTM phishing page.
  - hxxps://login[.]managedservices365[.]assumetrend[.]org/yvFYpxLL - Full URL for the desktop AiTM phishing page.
- Other:
  - Awareness Case Log File – Tuesday 14th, April 2026.pdf - Malicious PDF attachment filename.
  - Disciplinary Action – Employee Device Handling Case.pdf - Malicious PDF attachment filename.
  - nationaladmin@gadellinet.com - Malicious sender email address.
  - nationalintegrity@harteprn.com - Malicious sender email address.
  - m365premiumcommunications@cocinternal.com - Malicious sender email address.
  - documentviewer@na.businesshellosign.de - Malicious sender email address.