35,000 Users. One Email. What the Microsoft Phishing Campaign Means for Your Business

Microsoft just flagged a massive credential theft campaign hitting over 35,000 users across 13,000 organizations. Here's what your team needs to know — and do — right now.

NSI Tech

Phishing isn’t new. But the scale of what Microsoft uncovered in mid-May 2026 should make every business owner stop and pay attention.

Between April 14–16, threat actors ran a credential theft campaign targeting over 35,000 users across 13,000 organizations in 26 countries. Ninety-two percent of targets were in the United States. The lure? Emails themed around “code of conduct” — something every employee recognizes and is likely to open without thinking twice.

The attackers didn’t just trick people into handing over passwords. They used legitimate email services to bypass spam filters and steal authentication tokens directly. That’s a different level of trouble. A stolen token keeps working until it expires or is explicitly revoked, so changing the password alone does not lock the attacker out.

This Isn’t a Big-Corporation Problem

SMBs often think attackers only go after enterprise giants. That’s wrong. Criminals automate these campaigns — they blast everyone and let the hooks do the sorting. A 50-person business is just as likely to get hit as a 5,000-person one, sometimes more, because smaller teams tend to have less sophisticated email filtering and fewer people trained to spot the signs.

And it gets worse. Verizon’s latest report shows 67% of employees are now using non-corporate AI accounts on company devices. That’s shadow AI: tools your IT team doesn’t manage, has no visibility into, and can’t secure. Every unsanctioned ChatGPT or Claude session is a potential entry point.

What You Can Do Today

  1. Pause on “code of conduct” emails. If you or your team received something recently, do not click any links. Report it to your IT team.
  2. Audit your AI tool usage. Know what’s running on company devices. If you don’t have a managed IT partner helping you do this — that’s a gap.
  3. Audit your email defenses. Token-stealing campaigns bypass traditional password-based security. You need modern threat protection, not just a spam filter.
  4. Enforce MFA everywhere. If authentication tokens get stolen, MFA is your last line of defense. Make sure it’s on all critical accounts. Keep in mind that a stolen token is issued after the user has already passed MFA, so if you suspect one was taken, revoke that user’s active sessions as well as resetting the password.

The Bottom Line

One well-crafted email can compromise an entire organization. That’s not fear-mongering — that’s the threat landscape in 2026. The good news: businesses with managed IT support, proactive monitoring, and proper security controls survive these campaigns. The rest don’t.

Talk to NSI Tech. We’ll audit your current setup and help you close the gaps before the next campaign lands.

Need help with any of this? NSI Tech has you covered.
