{
  "Event": {
    "analysis": "1",
    "date": "2026-05-04",
    "extends_uuid": "",
    "info": "[Threat Intel] Breaking the code: Multi-stage 'code of conduct' phishing campaign leads to AiTM token compromise",
    "protected": false,
    "publish_timestamp": "1779546402",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1779546402",
    "uuid": "8175eed5-358d-4fa1-8078-eb1ffbbb5bf9",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#96f4f6",
        "local": false,
        "name": "misp-galaxy:producer=\"Microsoft\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#e96364",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Adversary-in-the-Middle - T1557\"",
        "relationship_type": ""
      },
      {
        "colour": "#ed66f6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal Web Session Cookie - T1539\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Vulnerabilities - T1588.006\"",
        "relationship_type": ""
      },
      {
        "colour": "#c202a1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#db2044",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1598.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#5539fe",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#db4abe",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Botnet - T1583.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#ff841f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"",
        "relationship_type": ""
      },
      {
        "colour": "#82eae0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Domains - T1583.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#adf1b0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"",
        "relationship_type": ""
      },
      {
        "colour": "#76434a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Link Target - T1608.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#3780c6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#59699c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#a0d02a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing for Information - T1598\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#37c019",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Cloud Accounts - T1078.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#b8ab01",
        "local": false,
        "name": "misp-galaxy:target-information=\"United States\"",
        "relationship_type": ""
      },
      {
        "colour": "#55e7ce",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777978815",
        "to_ids": false,
        "type": "link",
        "uuid": "6fe12c95-4527-4d1b-92cd-debf6d94fb19",
        "value": "https://www.microsoft.com/en-us/security/blog/2026/05/04/breaking-the-code-multi-stage-code-of-conduct-phishing-campaign-leads-to-aitm-token-compromise/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777978815",
        "to_ids": false,
        "type": "text",
        "uuid": "ef1a2f8e-7d61-4eb1-89ac-8a7c2659878d",
        "value": "A sophisticated large-scale credential theft campaign targeted over 35,000 users across 13,000 organizations, primarily in the United States, between April 14-16, 2026. Attackers distributed fully authenticated emails from legitimate services using code of conduct-themed lures with polished HTML templates. The multi-stage attack chain included PDF attachments with embedded links, multiple CAPTCHA challenges, and intermediate staging pages designed to appear legitimate while filtering automated defenses. Recipients were directed through several layers ultimately leading to an adversary-in-the-middle phishing flow that proxied authentication sessions and captured tokens, bypassing non-phishing-resistant multifactor authentication. The campaign broadly impacted Healthcare, Financial services, Professional services, and Technology industries, using social engineering techniques that created urgency through time-bound prompts and concerning accusations."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777978815",
        "to_ids": false,
        "type": "text",
        "uuid": "879a7738-13fd-49c3-b346-a14636da5c4a",
        "value": "Name: Breaking the code: Multi-stage 'code of conduct' phishing campaign leads to AiTM token compromise\nAuthor: AlienVault\nAdversary: \nTags: [\"authentication token\", \"credential theft\", \"captcha filtering\", \"token compromise\", \"aitm\", \"multi-stage attack\", \"social engineering\"]\nTgtd countries: [\"United States of America\"]\nMlwr families: []\nAttack_ids: [\"T1557\", \"T1539\", \"T1204.002\", \"T1588.006\", \"T1566.002\", \"T1598.003\", \"T1566.001\", \"T1583.005\", \"T1071\", \"T1583.001\", \"T1557.001\", \"T1090\", \"T1608.005\", \"T1204\", \"T1566\", \"T1078\", \"T1027\", \"T1598\", \"T1071.001\", \"T1078.004\"]\nIndustries: [\"Healthcare\", \"Finance\", \"Technology\", \"Government\", \"Manufacturing\", \"Retail\", \"Telecommunications\", \"Transportation\", \"Education\", \"Media\", \"Energy\", \"Aerospace\", \"Construction\", \"Hospitality\", \"Defense\"]"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777978815",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "43238d1d-1043-4966-bc6f-56576fc94df8",
        "value": "CVE-2026-31431"
      },
      {
        "category": "Payload delivery",
        "comment": "PDF attachment. No sample in VT.\r\nLast check: 13/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546402",
        "to_ids": true,
        "type": "sha256",
        "uuid": "c4114716-19ea-40fa-af3f-f83e07e05985",
        "value": "11420d6d693bf8b19195e6b98fedd03b9bcbc770b6988bc64cb788bfabe1a49d",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Domain hosting malicious campaign content",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778626832",
        "to_ids": true,
        "type": "domain",
        "uuid": "b0df3e76-31f2-431a-80db-8a6ee6c3761f",
        "value": "acceptable-use-policy-calendly.de",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Domain hosting sender email address",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778626854",
        "to_ids": true,
        "type": "domain",
        "uuid": "e08d0793-4601-4fe3-ac83-525278df78d1",
        "value": "cocinternal.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Domain hosting malicious campaign content",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778626875",
        "to_ids": true,
        "type": "domain",
        "uuid": "89b5bacd-ea95-42a3-a13d-0cfd755c6957",
        "value": "compliance-protectionoutlook.de",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778626896",
        "to_ids": true,
        "type": "hostname",
        "uuid": "34e3eceb-6bfd-45e7-9beb-8eb9861d4dfb",
        "value": "na.businesshellosign.de",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Domain hosting sender email address",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778626917",
        "to_ids": true,
        "type": "domain",
        "uuid": "67dfcd19-9479-47a7-8336-79375535fedd",
        "value": "gadellinet.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Domain hosting sender email address",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778626939",
        "to_ids": true,
        "type": "domain",
        "uuid": "b2169971-03db-4425-8220-0181e1b1b314",
        "value": "harteprn.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Email address used to send campaign emails",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778620640",
        "to_ids": true,
        "type": "email-src",
        "uuid": "510fa50b-673a-47bb-a032-aaf54d959a11",
        "value": "cocpostmaster@cocinternal.com"
      },
      {
        "category": "Payload delivery",
        "comment": "Email address used to send campaign emails",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778620640",
        "to_ids": true,
        "type": "email-src",
        "uuid": "d10fc86d-146a-4c81-99cd-ad0ad1a5dd2a",
        "value": "nationaladmin@gadellinet.com"
      },
      {
        "category": "Payload delivery",
        "comment": "Email address used to send campaign emails",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778620640",
        "to_ids": true,
        "type": "email-src",
        "uuid": "63391196-92b0-4031-970f-76c5a7a3c595",
        "value": "nationalintegrity@harteprn.com"
      },
      {
        "category": "Payload delivery",
        "comment": "Email address used to send campaign emails",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778620640",
        "to_ids": true,
        "type": "email-src",
        "uuid": "e19fd204-8534-458b-879f-d12335c2d977",
        "value": "m365premiumcommunications@cocinternal.com"
      },
      {
        "category": "Payload delivery",
        "comment": "Email address used to send campaign emails",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778620640",
        "to_ids": true,
        "type": "email-src",
        "uuid": "d7b69643-1357-4370-8e55-9b87670a378b",
        "value": "documentviewer@na.businesshellosign.de"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546397",
        "uuid": "6a340917-4b4b-4d76-92ba-7a57cdf75037",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "PDF attachment",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546397",
            "to_ids": true,
            "type": "md5",
            "uuid": "2e84520f-8081-416a-bc6c-6cf699c3f616",
            "value": "467f4c566f8a49fa9bc5d36f50f89568",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "PDF attachment",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546397",
            "to_ids": true,
            "type": "sha1",
            "uuid": "3d24d112-9d2e-4d46-a0f1-36eb25e22e4b",
            "value": "7d509d135292020a317b0f7a2f444b665396e891",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "PDF attachment",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546397",
            "to_ids": true,
            "type": "sha256",
            "uuid": "34be4b10-eb35-4c1a-be45-813bea2f8a0c",
            "value": "5db1ecbbb2c90c51d81bda138d4300b90ea5eb2885cce1bd921d692214aecbc6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778622292",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "66c06951-00ef-49b7-b25c-0b8d7b14fc12",
            "value": "49152:YP0QSMuTELv3DZy9jNqjRyyisWyTZXHp+7XtYfpgBtOGoD:YZSMFfDE9jNqjRybsjTZXIjU2eGoD"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778622292",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4fed1956-dce5-4f55-987e-acd05ad2bf76",
            "value": "1874494"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778622292",
            "to_ids": true,
            "type": "vhash",
            "uuid": "6654a333-79ea-4c62-b159-c5e245b8b991",
            "value": "9ca929e9a50f56ffa5a666f4120526019"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778622292",
            "to_ids": true,
            "type": "filename",
            "uuid": "4fec0ecc-cc27-4b75-874f-ed03d21f7cf2",
            "value": "Awareness Case Log File - Tuesday 14th, April 2026.pdf"
          },
          {
            "category": "Other",
            "comment": "Checked: 13/05/2026\nLast scan: 10/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778622292",
            "to_ids": false,
            "type": "text",
            "uuid": "dcc06fc2-4938-43a9-88c2-528f055e1f26",
            "value": "PDF attachment\r\nType Description: PDF\nMicrosoft: Trojan:Win32/Malgent\nVT Total Detection:24/64\nFirst Submission:2026-04-14T12:34:50.000000+00:00\nLast Submission:2026-04-16T15:46:06.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546400",
        "uuid": "3d44d828-af50-4ba4-9d4e-2c23cce1d51f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "PDF attachment",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546399",
            "to_ids": true,
            "type": "md5",
            "uuid": "7beb6e38-614b-412b-9984-23fbad401c12",
            "value": "99ce8ecb93b9a43c5697bfa9cbd13b7b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "PDF attachment",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546400",
            "to_ids": true,
            "type": "sha1",
            "uuid": "3448fbc4-0ced-461e-a063-2ba3e7e3a71f",
            "value": "f5d0ee4f6eb348d10ccaa4f24cae392782b9bfa3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "PDF attachment",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546400",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f8ead0da-2fc8-4902-a33c-c3cf13933f35",
            "value": "b5a3346082ac566b4494e6175f1cd9873b64abe6c902db49bd4e8088876c9ead",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778622314",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "5b3f8f7a-88bd-4774-8369-914540f4d974",
            "value": "49152:xP0QSMuTELv3DZy9jNqjRyyisWyTZXHp+7XtYfpgBtOGoss:xZSMFfDE9jNqjRybsjTZXIjU2eGoss"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778622314",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a149bf99-b0b0-46e6-b8dc-f7f69194b277",
            "value": "1897864"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778622314",
            "to_ids": true,
            "type": "vhash",
            "uuid": "ae5101c4-b502-4727-b664-7c7b4a76a9cd",
            "value": "925100e470fe03ede4a0c049fcaad2a19"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778622314",
            "to_ids": true,
            "type": "filename",
            "uuid": "43c5f962-863c-4087-b82e-c5d02b1a127f",
            "value": "Awareness Case Log File - Wednesday 15th, April 2026.pdf"
          },
          {
            "category": "Other",
            "comment": "Checked: 13/05/2026\nLast scan: 09/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778622314",
            "to_ids": false,
            "type": "text",
            "uuid": "ba666a36-bf4e-4626-94cb-8d731ec8595b",
            "value": "PDF attachment\r\nType Description: PDF\nMicrosoft: Trojan:Win32/Malgent\nVT Total Detection:24/63\nFirst Submission:2026-04-15T17:26:49.000000+00:00\nLast Submission:2026-04-15T19:25:06.000000+00:00"
          }
        ]
      }
    ]
  }
}