Microsoft has uncovered a large-scale phishing campaign that ran from April 14–16, 2026, using fake code-of-conduct emails and legitimate email platforms to redirect tens of thousands of users to attacker-controlled sites and steal their authentication tokens, hitting more than 35,000 victims across 13,000 organizations in 26 countries.