
Volume 338, Issue 1 · IT Vendor News · Barracuda Networks

The 'Code of Conduct' Phishing Campaign: What MSPs Need to Know Right Now

Barracuda Networks Blog, Thursday, May 7th, 2026

A sophisticated AiTM phishing campaign targeted 35,000+ users across 13,000 organizations using compliance lures and legitimate infrastructure to bypass MFA.

Barracuda Networks researchers analyzed a multi-stage phishing campaign that affected over 35,000 users across 13,000 organizations in 26 countries, with 92% of targets in the United States.

The campaign uses fake HR and compliance communications as lures, employing adversary-in-the-middle (AiTM) techniques to defeat multifactor authentication in real time. What makes this campaign particularly dangerous is its use of clean, commercially available infrastructure (including legitimate email delivery services, cloud VMs, and phishing-as-a-service kits) rather than botnets, allowing it to bypass traditional security signals.

The attackers registered spoofed domains mimicking trusted brands, sent properly authenticated emails with PDF attachments describing fictional conduct violations, and used CAPTCHA gates to evade automated analysis before capturing credentials and session tokens. This approach is highly scalable and affordable, costing attackers only a few hundred dollars to set up, making it a significant threat that organizations must address through limiting blast radius rather than perfect prevention.
