# How AiTM Phishing Bypassed 2FA to Hit 35,000 Users: An Analysis

> A sophisticated AiTM phishing campaign targeted 35,000 users in April 2026, bypassing 2FA by capturing session tokens after login. Here's how it worked and how to protect your organization.

**URL:** https://www.ciptadusa.com/blog/multi-stage-aitm-phishing-campaign-35000-users  
**Type:** blog  
**Author:** Siswamedia Support  
**Category:** Application Security  
**Published:** 2026-06-02  
**Cover:** https://www.ciptadusa.com/media/blog-covers/1780362224896-phishing-campaign-header.png  

## Article

## What Was the AiTM Phishing Campaign?

In April 2026, a sophisticated multi-stage phishing campaign targeted over **35,000 users** across **13,000+ organizations** in **26 countries** — primarily in the United States. Microsoft described it as *"one of the most sophisticated code-of-conduct-themed credential theft operations observed to date."*

The attack used fake HR emails about a "code of conduct" issue to lure victims. Each stage was designed to appear legitimate, guiding users through multiple steps that built trust before stealing credentials.

## How the Attack Worked: 6 Stages

### Stage 1: Fake HR Email
Victims received emails appearing to be from HR about a conduct issue. The message created urgency, prompting quick action without verification.

### Stage 2: PDF Attachment with Malicious Link
The email included a PDF that looked official. Inside was a link to "review details" — and many users clicked without suspicion.

### Stage 3: CAPTCHA Page
The link opened a CAPTCHA page, which served two purposes: blocking security bots AND making the process feel more trustworthy to the victim.

### Stage 4: Fake Portal Login
Users were directed to a secure-looking internal portal page. The professional design reinforced legitimacy.

### Stage 5: Extra Verification Steps
After entering credentials, users solved another CAPTCHA and re-entered their email. Each step built more trust.

### Stage 6: Fake Microsoft Login
The final stage was a convincing Microsoft login page. Credentials were captured here, granting attackers access to real accounts.

## What Is AiTM and Why It Bypasses 2FA

The attack used **Adversary-in-the-Middle (AiTM)** techniques. In this method, attackers place a proxy between the victim and the legitimate website: the password and verification code the victim types are relayed to the real site in real time, and the session token the site issues in response is captured by the proxy. With that token the attacker can access the account **without needing the password again**.

This is why AiTM can bypass two-factor authentication (2FA). The verification code is consumed by the legitimate site during the proxied login, and what the attacker keeps is the resulting session token, which proves to the site that the login already happened.

## Why Traditional Security Fails Here

- **CAPTCHA used against you**: CAPTCHAs blocked security bots but increased user trust — attackers weaponized a security tool as a social engineering mechanism.
- **Progressive trust-building**: Each stage felt normal. Users didn't suspect danger because each step followed expected corporate processes.
- **Legitimate services used**: Attackers hid behind legitimate security tools and corporate branding.

## Key Statistics

| Metric | Value |
|--------|-------|
| Users targeted | 35,000+ |
| Organizations affected | 13,000+ |
| Countries involved | 26 |
| Primary target region | United States |
| Attack period | April 2026 |

## How to Protect Yourself

1. **Verify unexpected HR emails** — Contact HR through official channels before clicking any links.
2. **Check URLs carefully** — Hover over links to verify the destination before clicking.
3. **Avoid opening unexpected attachments** — Even professional-looking PDFs can contain malicious links.
4. **Use passkeys or hardware security keys** — These are resistant to AiTM session-stealing attacks.
5. **Pause before acting on urgency** — A short delay can be enough to recognize a phishing attempt.
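The reason the passkey recommendation above (and the phishing-resistant MFA item for security teams) holds is the origin binding built into WebAuthn: the browser, not the page, writes the real page origin into the signed client data, so a proxy on a lookalike domain cannot obtain an assertion the legitimate site will accept. The following is an added example, not code from the article or from Microsoft, showing the relying-party side of that check in Python; the RP ID, origin, challenge and domain names are constructed placeholders.

```python
import base64
import hashlib
import json

# Assumed relying-party (RP) configuration: placeholder names, not from the article.
EXPECTED_RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_assertion(client_data_b64: str, authenticator_data: bytes,
                     expected_challenge: bytes) -> tuple[bool, str]:
    """Origin-binding checks an RP performs on a WebAuthn assertion.
    The authenticator signs authenticator_data || SHA-256(clientDataJSON), so a
    proxy cannot rewrite the origin or rpIdHash without breaking the signature
    (the signature check itself is omitted: it needs the registered public key)."""
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    # First 32 bytes of authenticatorData: SHA-256 of the RP ID the browser used.
    if authenticator_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def simulate_login(page_origin: str, rp_id: str, challenge: bytes) -> tuple[bool, str]:
    """Constructed clientDataJSON/authenticatorData as the browser emits them for the
    page the user is really on: the browser, not the page, fills in the origin and
    only permits an RP ID that is a registrable suffix of that origin."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                              "origin": page_origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + bytes(4)  # flags, counter
    return verify_assertion(b64url_encode(client_data), auth_data, challenge)


if __name__ == "__main__":
    chal = b"constructed-random-challenge"
    print(simulate_login("https://login.example.com", "login.example.com", chal))
    # Same user and key, but via an AiTM proxy's lookalike domain: rejected.
    print(simulate_login("https://login.example-hr-portal.com", "login.example-hr-portal.com", chal))
```

A real deployment also verifies the signature with the credential's registered public key and checks the sign counter; the origin and rpIdHash checks shown here are what make the lookalike-domain proxy fail.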

## What This Means for Security Teams

This campaign demonstrates the evolution of phishing: from simple fake login pages to multi-stage operations that exploit human trust and familiar corporate tools. Security awareness training needs to account for these sophisticated patterns.

Organizations should also consider:
- Deploying **phishing-resistant MFA** (FIDO2/passkeys)
- Implementing **session timeout** policies
- Monitoring for **anomalous login patterns**
- Using **email authentication** (SPF, DKIM, DMARC)

---

## Sources

- Microsoft Security Blog: *"Breaking the code: Multi-stage 'code of conduct' phishing campaign leads to AiTM token compromise"* (May 4, 2026)
- ENTECH Online: *"35,000 Hacked by Multi-Stage Phishing Campaign Trick"* (May 6, 2026)
- Security Affairs: *"Microsoft warns of global campaign stealing auth tokens from 35K users"*
- The Hacker News coverage (April 2026)

