Cyber: Microsoft Flags Mass Phishing Campaign Using Fake Compliance E... (2026)
A phishing campaign targeting more than 35,000 users across 13,000 organizations has been identified by the Microsoft Defender Research team. The large-scale credential theft campaign used fake internal compliance or regulatory communications as lures. These lures used polished, enterprise-style HTML templates with structured layouts and preemptive authenticity statements, making them appear more credible than typical phishing emails and more plausible as legitimate internal communications. The campaign ran between April 15 and 16, 2026, and primarily targeted US firms, but was identified in organizations across 26 countries in total.

According to Microsoft’s findings, the messages contained concerning accusations and repeated time-bound action prompts, giving the campaign a sense of urgency and pressuring victims to act. For example, subject lines included “Internal case log issued under conduct policy”, and the messages claimed that a “code of conduct review” had been initiated and referenced organization-specific names embedded within the text. The emails instructed recipients to “open the personalized attachment” to review case materials. The attached PDF encouraged recipients to click the “Review Case Materials” link, which initiated the credential harvesting flow. The attackers designed the message to appear legitimate by claiming it came from an authorized internal channel and that all links and attachments had been securely reviewed. A green banner claiming the message had been encrypted using Paubox, a legitimate service associated with HIPAA-compliant communications, further reinforced its credibility.
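The lure traits described above (a conduct-review pretext, time-bound prompts, an instruction to open a personalized attachment, self-asserted authenticity, and a claim of Paubox encryption) can be turned into a simple triage heuristic for a mail-security pipeline. The following Python is an added example for illustration; it is not Microsoft's or Paubox's detection logic, the regexes, weights and threshold are assumptions to be tuned on your own corpus, and the two sample messages are constructed for the demonstration.

```python
"""Heuristic triage for compliance-themed phishing lures (added example, not from the article)."""
import email
import re
from dataclasses import dataclass, field
from email import policy

# Patterns modelled on the lure traits reported for the campaign.
# Regexes and weights are this example's assumptions, not vendor detection logic.
SIGNALS = [
    ("conduct-review lure",
     re.compile(r"code of conduct review|conduct policy|internal case log|case materials", re.I), 2),
    ("time-bound action prompt",
     re.compile(r"\b(within|by)\s+\d+\s+(hours?|business days?|days?)\b|\bimmediately\b|\bdeadline\b", re.I), 1),
    ("personalized-attachment prompt",
     re.compile(r"open the personali[sz]ed attachment", re.I), 2),
    ("pre-emptive authenticity statement",
     re.compile(r"authori[sz]ed internal channel|attachments? (have|has) been (securely )?reviewed", re.I), 1),
    # A banner *saying* the mail is encrypted proves nothing; the claim itself is the signal.
    ("encryption claim in body",
     re.compile(r"encrypted (using|with|by|via) paubox", re.I), 1),
]


@dataclass
class Verdict:
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= 5  # threshold is an assumption; tune on real mail volume


def _text_and_pdf(msg) -> tuple[str, bool]:
    """Concatenate subject plus all text bodies; report whether a PDF attachment is present."""
    chunks = [msg.get("Subject", "")]
    has_pdf = False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            chunks.append(part.get_content())
        elif ctype == "application/pdf" or (part.get_filename() or "").lower().endswith(".pdf"):
            has_pdf = True
    return "\n".join(chunks), has_pdf


def triage(raw_message: str) -> Verdict:
    """Score one RFC 5322 message; higher score means more lure traits matched."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    text, has_pdf = _text_and_pdf(msg)
    verdict = Verdict()
    for name, pattern, weight in SIGNALS:
        if pattern.search(text):
            verdict.score += weight
            verdict.reasons.append(name)
    # The campaign paired the "open the attachment" prompt with a PDF carrying the link.
    if has_pdf and "personalized-attachment prompt" in verdict.reasons:
        verdict.score += 1
        verdict.reasons.append("PDF attachment paired with attachment prompt")
    return verdict


# Constructed sample resembling the reported lure (domains and content are made up).
LURE = """\
From: compliance@example-corp.test
To: employee@example-corp.test
Subject: Internal case log issued under conduct policy
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

This message was sent through an authorized internal channel. All links and attachments have been securely reviewed.
A code of conduct review has been initiated for your account. Please open the personalized attachment within 24 hours to review case materials.
This message was encrypted using Paubox.

--b1
Content-Type: application/pdf; name="case_materials.pdf"
Content-Disposition: attachment; filename="case_materials.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed benign HR reminder for comparison.
BENIGN = """\
From: hr@example-corp.test
To: employee@example-corp.test
Subject: Reminder: annual policy acknowledgement
Content-Type: text/plain; charset="utf-8"

Hi team, a reminder that the annual policy acknowledgement in the HR portal is due by the end of the quarter. Thanks!
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        v = triage(raw)
        print(f"{label}: score={v.score} suspicious={v.suspicious} reasons={v.reasons}")
```

The scorer deliberately treats the encryption banner as a suspicion signal rather than a trust signal: text in the body asserting that the message is encrypted or pre-reviewed is exactly the kind of preemptive authenticity statement the campaign relied on, and only transport headers and the sending infrastructure can establish whether such a claim is true.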
Source: InfoSecurity Magazine