
New-Style Account Hacking Spreads to 26 Countries: Know the Modus Operandi

Source: CNBC (translated from Indonesian) | Technology

Jakarta - Microsoft has disclosed a massive digital identity theft effort targeting 13,000 institutions in 26 countries. The majority of the targeted companies are headquartered in the United States.

The operation, which aimed at 35,000 users, took place between 14 and 16 April 2026. Cybercriminals used emails disguised as “warnings” from email services to entice users to visit websites they controlled, subsequently stealing authentication tokens.

These emails were distributed to companies across various industries, including healthcare, finance, professional services, and technology.

“The bait in this operation uses corporate-style HTML templates with structured layouts and authentication statements, making it appear more credible than typical phishing emails and resembling internal office communications,” stated the Microsoft Defender Security Research Team and Microsoft Threat Intelligence. “Because the messages contain accusations and urgings to take action within a specific timeframe, this campaign creates pressure to act immediately.”

The fraudulent emails used sender names such as “Internal Rules Enforcement”, “Employee Communications”, and “Team Behaviour Report”. The email subjects featured themes like “Internal case regarding behaviour policy” and “Alert: Employee has opened a complaint case”.

“At the top of each email, there is a notice that the email was sent through an official internal channel and that links and attachments have been reviewed and approved for safe access,” Microsoft said.

The emails were sent through legitimate email services and carried PDF attachments purportedly containing further details of the violation review. The PDFs served as a lure to get recipients to download or click them.

Users were then directed to a webpage gated by a CAPTCHA, which both gave an impression of legitimacy and shielded the site from automated corporate security scanners.

Victims were then prompted to sign in on a page run as an adversary-in-the-middle (AiTM) phishing proxy, which captured their Microsoft identities and authentication tokens. The stolen credentials and tokens allowed cybercriminals to bypass multi-factor authentication (MFA).
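As an added illustration of the lure traits described above (example code, not from Microsoft or CNBC), the following Python triage heuristic scores an inbound message on the markers the article lists: the campaign's sender display names and subject themes, the self-asserted "links and attachments reviewed and approved" banner, deadline pressure, and a PDF lure. The sample messages are constructed.

```python
import re
from dataclasses import dataclass, field

# Indicator lists drawn from the campaign description; in a real mail filter these
# are one signal among many, not a standalone blocklist.
SENDER_NAMES = ("internal rules enforcement", "employee communications", "team behaviour report")
SUBJECT_THEMES = ("behaviour policy", "complaint case")
# Banner in which the message vouches for its own links/attachments being safe.
APPROVED_BANNER = re.compile(r"(links|attachments).{0,60}(reviewed|approved).{0,40}safe", re.I | re.S)
# "Act within N hours/days" urgency wording.
DEADLINE = re.compile(r"\bwithin\s+\d+\s+(hours?|days?|business days?)\b", re.I)


@dataclass
class Message:
    sender_name: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def score_message(msg: Message) -> tuple:
    """Return (score, reasons). Each matched rule adds one point; 3 or more is worth a human look."""
    reasons = []
    if msg.sender_name.strip().lower() in SENDER_NAMES:
        reasons.append("sender display name matches campaign lure")
    if any(theme in msg.subject.lower() for theme in SUBJECT_THEMES):
        reasons.append("subject uses HR-violation theme")
    if APPROVED_BANNER.search(msg.body):
        reasons.append("self-asserted 'links reviewed and approved' banner")
    if DEADLINE.search(msg.body):
        reasons.append("act-within-deadline pressure")
    if any(name.lower().endswith(".pdf") for name in msg.attachments):
        reasons.append("PDF attachment used as lure")
    return len(reasons), reasons


# Constructed sample messages (not real campaign artefacts).
SAMPLES = [
    Message("Internal Rules Enforcement", "Internal case regarding behaviour policy",
            "Notice: this message was sent through an official internal channel. Links and "
            "attachments have been reviewed and approved for safe access. Respond within 24 hours.",
            ["Violation_Review.pdf"]),
    Message("Payroll", "Your March payslip", "Your payslip is available in the HR portal.", []),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.subject, "->", score_message(m))
```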

Microsoft had previously revealed that phishing activities using QR codes were the fastest-growing cyber attack method between January and March 2026, followed by CAPTCHA-disguised phishing. There were approximately 8.3 billion phishing emails during that period.

Around 80 per cent of the hacking attempts using phishing involved HTML links and ZIP files.
