Published: May 8, 2026

Source: CYFORi Research — Analysis of the Microsoft-identified multi-stage Adversary-in-the-Middle (AiTM) phishing campaign dubbed "Code of Conduct."

Key References: Microsoft Security Blog, Microsoft threat intelligence reporting on AiTM phishing.


What Microsoft Found

Microsoft released alarming warnings this week about a multi-stage AiTM phishing campaign that hit 13,000 companies worldwide, with significant targets in healthcare and life sciences. The campaign, tracked as the "Code of Conduct" operation, affected 35,000+ users across 26 countries.

Here's what made this campaign different:

Here's the critical takeaway: MFA is not a silver bullet. An AiTM proxy doesn't just trick you into giving up your password and code. It sits between you and the authentication service, captures the session token the moment MFA is successfully completed, and uses that token to log in as you, with MFA fully satisfied from the service's perspective.

Why This Is a Game-Changer for SMBs

Most Texas SMBs consider MFA their "final layer" of defense. If MFA can be bypassed — and it can, via AiTM proxies, MFA fatigue attacks, and token theft — that layer becomes theater. The attacker doesn't need to break your MFA. They just need you to successfully complete it, then steal the token that proves it.

For SMBs that rely on Microsoft 365, Google Workspace, or any cloud service with MFA: this isn't theoretical. It's happening right now to businesses just like yours.

What Every Texas SMB Should Do

Immediate

  1. Switch to phishing-resistant MFA: If you're using SMS or app-based TOTP, move to FIDO2 / WebAuthn / passkeys immediately. These cannot be bypassed by AiTM proxies because they use public-key cryptography bound to the legitimate site's origin, not shared secrets that a proxy can relay.
  2. Enable token protection: Microsoft's Conditional Access policies can detect and block tokens from suspicious locations or devices. Set these up now.
  3. Review sign-in logs: Look for signs of token replay: logins from unusual locations, unusual devices, or unusual times that don't match normal user behavior.
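
One way to run the sign-in log review from step 3, as an added example that is not from Microsoft or the original article: it flags a session whose token is reused from a different country or device than the sign-in that satisfied MFA. The field names and sample records are a constructed, simplified schema, not any identity provider's export format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; the field names are a hypothetical, simplified
# schema and must be mapped to whatever your identity provider exports.
SAMPLE_EVENTS = [
    {"time": "2026-05-05T14:02:11", "user": "a.ruiz@example.com", "session": "s-1001",
     "ip": "203.0.113.10", "country": "US", "device": "win11-edge", "mfa": "satisfied"},
    {"time": "2026-05-05T14:09:40", "user": "a.ruiz@example.com", "session": "s-1001",
     "ip": "198.51.100.77", "country": "NL", "device": "linux-chrome", "mfa": "token"},
    {"time": "2026-05-05T15:30:02", "user": "b.chen@example.com", "session": "s-2002",
     "ip": "203.0.113.25", "country": "US", "device": "mac-safari", "mfa": "satisfied"},
    {"time": "2026-05-05T16:45:19", "user": "b.chen@example.com", "session": "s-2002",
     "ip": "203.0.113.25", "country": "US", "device": "mac-safari", "mfa": "token"},
]

def find_token_replay(events, window=timedelta(hours=1)):
    """Return sessions whose token was reused from a different country or
    device than the MFA-satisfying sign-in, within `window` of that sign-in."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    findings = []
    for session, evs in by_session.items():
        evs.sort(key=lambda e: e["time"])  # ISO 8601 strings sort chronologically
        origin = next((e for e in evs if e["mfa"] == "satisfied"), None)
        if origin is None:
            continue  # no interactive MFA event to compare against
        t0 = datetime.fromisoformat(origin["time"])
        for e in evs:
            if e is origin or e["mfa"] != "token":
                continue
            changed = [k for k in ("country", "device", "ip") if e[k] != origin[k]]
            elapsed = datetime.fromisoformat(e["time"]) - t0
            # An IP change alone is routine (mobile, VPN); require country or device drift.
            if {"country", "device"} & set(changed) and timedelta(0) <= elapsed <= window:
                findings.append({"user": e["user"], "session": session,
                                 "changed": changed,
                                 "minutes": round(elapsed.total_seconds() / 60, 1)})
    return findings

if __name__ == "__main__":
    for finding in find_token_replay(SAMPLE_EVENTS):
        print(finding)
```

Treat a hit as a lead to investigate rather than proof of compromise: travel and VPN use produce the same pattern, so tune the window and the attributes compared to your own baseline.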

This Week

  1. Evaluate your MFA strategy: Are you using phishing-resistant methods? If not, you're still vulnerable.
  2. Implement conditional access policies: Require specific device compliance for accessing sensitive applications.
  3. Train your team: AiTM phishing still requires an initial click. Security awareness training that addresses the "code of conduct" and similar social engineering lures matters.

The CYFORi Takeaway

The "Code of Conduct" campaign proves what CYFORi has been telling SMBs for years: MFA alone is not security. You need a layered defense that includes phishing-resistant authentication, conditional access, endpoint protection, and security awareness. No single control is enough.

If your cybersecurity strategy is "we have MFA," it's time for an upgrade.

Is Your MFA Actually Phishing-Resistant?

CYFORi audits authentication architectures, deploys phishing-resistant MFA, and builds zero-trust security frameworks for Texas SMBs. Find out if your MFA is worth the false confidence.