Phishing email disguised as internal compliance notice leading to fake CAPTCHA and login pages used for AiTM token theft.

A large-scale phishing campaign has been uncovered using “code of conduct” themed emails to trick users into compromising their accounts. The attack targeted over 35,000 users across thousands of organizations, using realistic internal communication templates and urgent compliance warnings to pressure victims into action.

Multi-Stage Phishing Campaign Uses AiTM to Steal Authentication Tokens

The campaign used a multi-step attack chain, including PDF attachments, fake CAPTCHA pages, and staged login prompts. Victims were eventually redirected to an adversary-in-the-middle (AiTM) phishing page, where attackers intercepted authentication sessions in real time and captured login tokens, bypassing traditional multi-factor authentication (MFA).

Security experts warn that AiTM attacks are more dangerous than standard phishing because the captured session token grants immediate account access without the attacker needing the password. Organizations should strengthen email security, train users to detect advanced phishing lures, and deploy endpoint protection to prevent token theft and session hijacking.
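One observable a defender can look for after an AiTM token theft like the one described above is a session token that is first used from the victim's own address and then replayed from a different source IP shortly afterwards. The following is an added example, not code from the article or from any named product; the sign-in events, field layout and IP addresses are constructed for illustration, and the 30-minute window is an assumed tuning value.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not from the article): each record is
# (timestamp, user, session_id, source_ip). In an AiTM token theft the
# legitimate user completes MFA from their own IP, then the stolen session
# token is replayed by the attacker from a different IP soon afterwards.
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", "alice@example.com", "sess-A1", "203.0.113.10"),
    ("2024-01-10T09:02:30", "alice@example.com", "sess-A1", "198.51.100.7"),  # same token, new IP
    ("2024-01-10T09:05:00", "bob@example.com",   "sess-B2", "203.0.113.22"),
    ("2024-01-10T09:45:00", "bob@example.com",   "sess-B2", "203.0.113.22"),  # same IP, benign
    ("2024-01-10T10:00:00", "carol@example.com", "sess-C3", "192.0.2.5"),
    ("2024-01-10T13:00:00", "carol@example.com", "sess-C3", "192.0.2.99"),    # outside 30-min window
]


def find_token_replays(events, window_minutes=30):
    """Return (user, session_id, first_ip, second_ip) for every session whose
    token is used from a second source IP within `window_minutes` of its first
    use. This is a heuristic indicator of AiTM token replay, not proof: VPN
    switches and mobile roaming also produce it, so treat hits as triage leads."""
    by_session = defaultdict(list)
    for ts, user, session_id, ip in events:
        by_session[(user, session_id)].append((datetime.fromisoformat(ts), ip))
    window = timedelta(minutes=window_minutes)
    findings = []
    for (user, session_id), uses in by_session.items():
        uses.sort()  # chronological order within the session
        first_time, first_ip = uses[0]
        for ts, ip in uses[1:]:
            if ip != first_ip and ts - first_time <= window:
                findings.append((user, session_id, first_ip, ip))
                break  # one finding per session is enough for triage
    return findings


if __name__ == "__main__":
    for user, sess, ip1, ip2 in find_token_replays(SAMPLE_EVENTS):
        print(f"possible AiTM token replay: {user} session {sess} used from {ip1} then {ip2}")
```

Widening the window (for example to a few hours) also surfaces Carol's session, at the cost of more benign roaming hits; the right value depends on how your identity provider bounds token lifetime.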
