# Massive Phishing Operation Hits 35,000 Users in 26 Countries

*Tuesday, May 5, 2026 at 8:04 AM UTC — Hamer Intelligence Services Desk*

**Published**: 2026-05-05T08:04:02.374Z
**Category**: cyber | **Region**: Global
**Importance**: 7/10
**Sources**: OSINT
**Permalink**: https://hamerintel.com/data/articles/2746.md
**Source**: https://hamerintel.com/summaries

---

**Deck**: In April 2026, a large‑scale phishing campaign targeted 35,000 users across 13,000 organizations in 26 countries, according to Microsoft’s public disclosure on 5 May 2026. Attackers used adversary‑in‑the‑middle techniques, CAPTCHA pages and trusted email services to steal credentials and bypass multi‑factor authentication.

## Key Takeaways
- Microsoft reported on 5 May 2026 that an April phishing campaign targeted 35,000 users at 13,000 organizations in 26 countries.
- Attackers used advanced adversary‑in‑the‑middle (AiTM) techniques, CAPTCHA cloaking and reputable email infrastructure to capture credentials and session tokens.
- The campaign was explicitly designed to bypass multi‑factor authentication (MFA), undermining a key security control widely relied upon by enterprises.
- The scale and sophistication highlight an accelerating threat trend towards industrial‑grade, highly automated credential theft operations.

On 5 May 2026 at around 07:19–07:24 UTC, Microsoft publicly detailed a major phishing campaign that ran in April 2026, affecting tens of thousands of users worldwide. According to the company’s analysis, the campaign targeted approximately 35,000 individual users across 13,000 organizations spanning 26 countries, making it one of the more extensive credential theft operations disclosed this year.

The attackers leveraged adversary‑in‑the‑middle (AiTM) phishing techniques. In this model, victims are lured to attacker‑controlled websites that proxy traffic between the user and the legitimate login service, so the victim sees the real sign‑in pages and the real MFA prompts. Rather than simply capturing usernames and passwords, the proxy relays whatever the user submits, including SMS codes, one‑time codes and push approvals, lets the legitimate service complete the login, and records the session cookie or token the service issues. The attacker can then replay that token from their own infrastructure and is never asked for a second factor again. This is why the method bypasses most forms of multi‑factor authentication: any factor that is just a value the user types or approves can be relayed, which is exactly the weakness of the MFA most enterprises rely on against traditional credential phishing.

To increase success rates and evade basic security filters, the operators used several additional tactics. They deployed CAPTCHA‑protected landing pages to appear more legitimate and to thwart some automated scanning tools. They also sent phishing emails via reputable and trusted email services, reducing the likelihood that messages would be flagged as spam or malicious. These messages likely mimicked familiar notifications such as document shares, password resets or security alerts, though specific lures were not fully detailed.

The breadth of targeting—13,000 organizations in 26 countries—suggests a highly automated, infrastructure‑rich operation rather than a small, bespoke campaign. Victim organizations likely included a mix of enterprises, public‑sector entities, and possibly smaller businesses that rely heavily on cloud‑based identity providers. Once attackers gain access to cloud accounts, they can pivot laterally across email, file storage, and application environments, exfiltrating data or deploying further malware.

This disclosure comes amid broader concern in the security community about the increasing operational tempo and capability of attackers leveraging AI‑assisted tooling. In a separate but related development, industry experts recently highlighted proof‑of‑concept AI agents capable of autonomously conducting full corporate network compromises in a fraction of the time required by human operators. Together, these trends point to a threat landscape where both phishing at scale and post‑compromise actions will become faster, more adaptive and more difficult to detect.

## Outlook & Way Forward

The April 2026 campaign underscores that multi‑factor authentication, while essential, is no longer sufficient on its own to prevent account takeover. Enterprises and public institutions should assume that AiTM‑capable actors are active in their sectors and adjust their defences accordingly. This means prioritising phishing‑resistant authentication, such as FIDO2 security keys and WebAuthn platform authenticators, over MFA based on SMS, one‑time codes or push approvals. A WebAuthn assertion is signed over the origin the browser is actually on and over the relying party identifier, so a proxy on a look‑alike domain cannot obtain an assertion the real service will accept. One caveat matters for planning: phishing‑resistant MFA stops the proxy from completing a login, but it does not by itself protect a session cookie that has already been issued, which is why it has to be paired with the session and access controls discussed next.
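The following added example (not code from the article or from Microsoft) makes the contrast between the relayed factor described in the AiTM paragraph above and a phishing‑resistant factor concrete. It assumes the legitimate service is `https://login.example` with relying party ID `login.example`, that the proxy sits on `https://login-example.test`, that TOTP follows RFC 6238, and that the authenticator's signature is stood in for by HMAC‑SHA256 over the same bytes a real authenticator signs (real WebAuthn uses an asymmetric key pair, and the service holds only the public key). Everything is standard library.

```python
"""Why an AiTM proxy can relay one-time-code MFA but not a FIDO2/WebAuthn login.

Added illustration, not code from the article or from Microsoft. Assumptions:
the real service is https://login.example with relying-party ID "login.example",
the phishing proxy is https://login-example.test, TOTP follows RFC 6238, and the
authenticator's signature is stood in for by HMAC-SHA256 over the same bytes a
real authenticator signs (real WebAuthn uses an asymmetric key pair and the
relying party holds only the public key). Standard library only.
"""
import hashlib
import hmac
import json
import secrets
import struct

LEGIT_ORIGIN = "https://login.example"        # assumed relying party origin
LEGIT_RP_ID = "login.example"                 # assumed relying party ID
PHISH_ORIGIN = "https://login-example.test"   # assumed AiTM proxy origin


# ---- TOTP: the second factor is just a 6-digit string the user types -------
def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation) for Unix time t."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def rp_verify_totp(secret: bytes, submitted: str, t: int) -> bool:
    # The service sees only the digits; nothing says which page they were typed on.
    return hmac.compare_digest(submitted, totp(secret, t))


def aitm_relay_totp(secret: bytes, t: int) -> bool:
    """Victim types the code into the proxy's page; proxy forwards it unchanged."""
    typed_on_phishing_page = totp(secret, t)
    forwarded_by_proxy = typed_on_phishing_page
    # The real service accepts it and hands the session cookie to the proxy.
    return rp_verify_totp(secret, forwarded_by_proxy, t)


# ---- WebAuthn: the assertion is signed over the origin and the rpId --------
def browser_client_data(challenge: bytes, page_origin: str) -> bytes:
    """clientDataJSON as the browser builds it; the page cannot set 'origin'."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": challenge.hex(),
                       "origin": page_origin}, sort_keys=True).encode()


def authenticator_sign(cred_key: bytes, rp_id: str, client_data: bytes):
    """authenticatorData = SHA-256(rpId) || flags || counter; sign it plus the
    hash of clientDataJSON, the same byte layout a real authenticator signs."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, to_sign, hashlib.sha256).digest()  # stand-in for ECDSA
    return auth_data, sig


def rp_verify_assertion(cred_key: bytes, challenge: bytes, client_data: bytes,
                        auth_data: bytes, sig: bytes) -> bool:
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("origin") != LEGIT_ORIGIN:          # the check the proxy cannot pass
        return False
    if cd.get("challenge") != challenge.hex():    # replay of an old assertion
        return False
    if auth_data[:32] != hashlib.sha256(LEGIT_RP_ID.encode()).digest():
        return False
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def webauthn_login(cred_key: bytes, page_origin: str) -> bool:
    """One assertion ceremony with the victim's browser on page_origin.

    A real browser on the phishing origin would refuse the ceremony outright,
    because "login.example" is not a registrable suffix of the page's domain;
    the server-side origin check is modelled here so the failure is visible
    even if the proxy forwards every byte unchanged.
    """
    challenge = secrets.token_bytes(32)                 # RP -> (proxy) -> browser
    client_data = browser_client_data(challenge, page_origin)
    auth_data, sig = authenticator_sign(cred_key, LEGIT_RP_ID, client_data)
    # The proxy cannot edit clientDataJSON: its hash is under the signature.
    return rp_verify_assertion(cred_key, challenge, client_data, auth_data, sig)
```

`aitm_relay_totp` succeeds because the relayed code is byte‑identical to what the user typed, while `webauthn_login` on the proxy origin fails at the origin check before the signature is even examined. The same reasoning applies to push approvals: the service receives an approval, not evidence of where the user was when they approved it.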

In the short term, organizations should conduct targeted reviews of sign‑in logs for anomalous locations, impossible travel patterns, and unusual device fingerprints, particularly during and after the April timeframe highlighted in the disclosure. Conditional access policies that restrict access based on device health, network context and risk scores can limit the usefulness of stolen session tokens. Security operations centres should update detection content to identify AiTM infrastructure patterns, including TLS certificate anomalies, domain look‑alikes, and characteristic proxy behaviours, and, most directly, session tokens used from an IP address, network or client other than the one that completed the sign‑in.
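As an added example of the log review described above (not the article's or Microsoft's code), the script below runs three rules over a constructed sign‑in log: impossible travel between consecutive sign‑ins, a device fingerprint never seen for the account, and a session token reused from a different IP and client than the sign‑in that minted it. The event schema, field names, the 900 km/h threshold, the 30‑day user‑agent baseline and every log line are assumptions made for the illustration; a real identity provider's sign‑in logs carry more fields and supply their own geolocation.

```python
"""Triage of sign-in logs for the AiTM indicators the paragraph lists.

Added example, not the article's or Microsoft's code. The event schema, field
names, thresholds, the 30-day user-agent baseline and the log lines themselves
are constructed for illustration; production identity-provider logs carry more
fields and their geolocation comes from the provider's own IP enrichment.
"""
import json
import math
from datetime import datetime, timezone

MAX_SPEED_KMH = 900.0   # assumed: faster than the user could move on a commercial flight

# Constructed sample log, one JSON object per line (IPs from documentation ranges).
SAMPLE_LOG = """\
{"ts":"2026-04-14T08:00:00Z","user":"alice","event":"signin","result":"success","ip":"203.0.113.10","lat":51.5074,"lon":-0.1278,"ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/124","session":"S1"}
{"ts":"2026-04-14T08:03:00Z","user":"alice","event":"activity","result":"success","ip":"198.51.100.77","lat":6.5244,"lon":3.3792,"ua":"python-requests/2.31","session":"S1"}
{"ts":"2026-04-14T09:00:00Z","user":"bob","event":"signin","result":"success","ip":"203.0.113.25","lat":51.5074,"lon":-0.1278,"ua":"Mozilla/5.0 (Macintosh) Safari/17","session":"S2"}
{"ts":"2026-04-14T09:45:00Z","user":"bob","event":"signin","result":"success","ip":"192.0.2.200","lat":40.7128,"lon":-74.0060,"ua":"Mozilla/5.0 (Macintosh) Safari/17","session":"S3"}
{"ts":"2026-04-14T10:00:00Z","user":"carol","event":"signin","result":"success","ip":"203.0.113.40","lat":51.5074,"lon":-0.1278,"ua":"Mozilla/5.0 (X11; Linux) Firefox/125","session":"S4"}
"""

# Constructed baseline: user agents each account signed in from in the prior 30 days.
KNOWN_UA = {
    "alice": {"Mozilla/5.0 (Windows NT 10.0) Chrome/124"},
    "bob": {"Mozilla/5.0 (Macintosh) Safari/17"},
    "carol": {"Mozilla/5.0 (Windows NT 10.0) Chrome/124"},
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def parse_log(text):
    """Parse JSON-per-line events and sort them by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["t"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    events.sort(key=lambda e: e["t"])
    return events


def triage(text, known_ua=KNOWN_UA):
    """Return (user, rule, detail) findings for three AiTM-relevant rules."""
    findings = []
    last_signin = {}      # user -> most recent successful interactive sign-in
    session_origin = {}   # session id -> the sign-in event that minted it
    for e in parse_log(text):
        if e["result"] != "success":
            continue
        u = e["user"]
        if e["event"] == "signin":
            # Rule 1: impossible travel between consecutive successful sign-ins.
            # In an AiTM login the sign-in arrives from the proxy's IP, not the
            # victim's, so this also fires when the proxy sits far from the user.
            prev = last_signin.get(u)
            if prev is not None:
                dist = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
                hours = (e["t"] - prev["t"]).total_seconds() / 3600
                if hours > 0 and dist / hours > MAX_SPEED_KMH:
                    findings.append((u, "impossible_travel",
                                     f"{dist:.0f} km in {hours * 60:.0f} min ({prev['ip']} -> {e['ip']})"))
            last_signin[u] = e
            # Rule 2: device fingerprint never seen for this account.
            if e["ua"] not in known_ua.get(u, set()):
                findings.append((u, "new_device", e["ua"]))
            session_origin[e["session"]] = e
        else:
            # Rule 3: a session token used from a different IP *and* client than
            # the sign-in that minted it, i.e. a stolen cookie being replayed.
            origin = session_origin.get(e["session"])
            if origin is not None and origin["ip"] != e["ip"] and origin["ua"] != e["ua"]:
                findings.append((u, "session_replay",
                                 f"session {e['session']} minted from {origin['ip']} "
                                 f"used from {e['ip']} by {e['ua']!r}"))
    return findings


if __name__ == "__main__":
    for user, rule, detail in triage(SAMPLE_LOG):
        print(f"{user:6} {rule:18} {detail}")
```

Rule 3 is the one most specific to this campaign: a cookie minted by a browser sign‑in and then presented by a scripted client from another network is the signature of token replay rather than a user on a new laptop. Rule 1 needs a suppression list for known VPN and proxy egress points, or it will page on every remote worker, and rule 2 should be scored rather than alerted on its own, since a browser update changes the fingerprint for everyone at once.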

Strategically, defenders need to prepare for a world in which phishing campaigns like this become routine and increasingly integrated with automated post‑exploitation tools. Investments in user training remain important but must be complemented by technical controls that assume some users will be successfully deceived. Continuous authentication, stronger device identity, and integration of identity protection signals into access decisions will be critical.

At the policy level, regulators and industry bodies may respond by updating security baselines and compliance frameworks to specifically address AiTM threats and to encourage adoption of phishing‑resistant MFA methods. Over the next 6–12 months, expect more disclosures of similar campaigns and a growing emphasis from cloud providers on built‑in mitigations—such as token binding and enhanced anomaly detection—to blunt the impact of large‑scale credential theft operations.
