Delivery Technique

Microsoft reported a large code-of-conduct phishing campaign that used internal-compliance themes, PDF attachments, CAPTCHA gates, intermediate staging pages, and a final Microsoft sign-in flow tied to adversary-in-the-middle (AiTM) token theft. The campaign is a useful marker for where credential phishing is heading: more procedural, more layered, and less dependent on a single suspicious link.

Defensive Gaps

Classic triage often stops at sender reputation, attachment verdict, or destination URL. This style of campaign pushes the risky moment deeper into the flow. A PDF can look like a bland policy notice, the first site can present a CAPTCHA, and the final sign-in can use real identity infrastructure while an attacker proxies the session.

Control Design

Detection should chain weak signals across controls: unusual compliance subjects, PDF attachments with embedded review links, CAPTCHA pages after email clicks, newly seen domains, and identity-risk events shortly after the click. Browser, proxy, email, and Entra telemetry all matter because no single layer sees the full path.
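One way to chain these weak signals per user, as an added example that is not from the article or from Microsoft's tooling: the telemetry below is constructed, the field names are hypothetical, and the known-domain list, keyword list, weights and 30-minute window are assumptions a team would tune to its own environment.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry, normalised to (timestamp, user, source, detail).
# In practice these rows would be joined from email, proxy/browser and identity logs.
EVENTS = [
    ("2024-05-01T09:00:00", "alice", "email",
     {"subject": "Action required: Code of Conduct acknowledgement", "pdf": True}),
    ("2024-05-01T09:04:00", "alice", "click",
     {"domain": "review-policy-portal.example", "from_pdf": True}),
    ("2024-05-01T09:04:10", "alice", "proxy",
     {"domain": "review-policy-portal.example", "captcha": True}),
    ("2024-05-01T09:06:00", "alice", "identity", {"risk": "unfamiliarSignInProperties"}),
    ("2024-05-01T10:00:00", "bob", "email", {"subject": "Q2 expense policy", "pdf": True}),
    ("2024-05-01T10:05:00", "bob", "click", {"domain": "intranet.example", "from_pdf": True}),
]
KNOWN_DOMAINS = {"intranet.example"}            # assumption: domains seen before today
COMPLIANCE_WORDS = ("code of conduct", "compliance", "policy acknowledgement")
WINDOW = timedelta(minutes=30)                   # "shortly after the click"


def score_user(user, events):
    """Chain weak signals for one user; returns (score, list of signal names)."""
    ev = [(datetime.fromisoformat(t), src, d) for t, u, src, d in events if u == user]
    click_times = [t for t, src, _ in ev if src == "click"]
    after_click = lambda t: any(t0 <= t <= t0 + WINDOW for t0 in click_times)
    signals = []
    for t, src, d in ev:
        if src == "email" and d.get("pdf") and \
                any(w in d["subject"].lower() for w in COMPLIANCE_WORDS):
            signals.append("compliance_pdf_lure")
        if src == "click" and d.get("from_pdf"):
            signals.append("pdf_review_link_click")
            if d["domain"] not in KNOWN_DOMAINS:
                signals.append("newly_seen_domain")
        if src == "proxy" and d.get("captcha") and after_click(t):
            signals.append("captcha_after_click")
        if src == "identity" and d.get("risk") and after_click(t):
            signals.append("identity_risk_after_click")
    # Identity risk right after a click is weighted higher: it is the closest
    # observable to token theft, while each earlier signal alone is benign.
    score = sum(2 if s == "identity_risk_after_click" else 1 for s in signals)
    return score, signals


def alerts(events, threshold=4):
    """Users whose chained score reaches the threshold, with their signals."""
    users = sorted({u for _, u, _, _ in events})
    scored = {u: score_user(u, events) for u in users}
    return {u: r for u, r in scored.items() if r[0] >= threshold}


if __name__ == "__main__":
    print(alerts(EVENTS))   # only alice clears the threshold; bob's single click does not
```

Each signal alone is noisy; the point is that no single layer's log reaches the threshold, so the correlation has to run over the joined path.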

Rollout Risks

Awareness messaging that says "look for bad grammar" will miss this pattern. The lure works because it is polished, uncomfortable, and time-bound. Users need a low-friction path to verify HR or compliance notices through a trusted internal channel without engaging the link or attachment.

Recommended Controls

Use Safe Links and attachment detonation where available, preserve click telemetry, and prioritize phishing-resistant MFA for privileged and sensitive roles. When an AiTM compromise is suspected, revoke sessions, review token activity, check for inbox rule changes, and hunt for follow-on access from unfamiliar infrastructure.