TL;DR: Between April 14 and 16, 2026, a single coordinated credential theft campaign hit more than 35,000 users across 13,000+ organizations in 26 countries, with 92% of targets located in the United States. The campaign concentrated on healthcare and life sciences (19%), financial services (18%), professional services (11%), and technology (11%). For NC small businesses, the message is direct: traditional username/password and even basic SMS MFA are no longer enough. Phishing-resistant identity is now the floor.
Critical takeaway: Stolen credentials remain the #1 initial access vector in the Verizon 2026 DBIR at 22% of all breaches. When attackers can hit 35,000 users in 72 hours, the answer is not "stronger passwords." It is phishing-resistant MFA, conditional access, EDR, and dark web monitoring run as a system.
Need help hardening identity for your business? Contact Preferred Data Corporation at (336) 886-3282. Serving NC SMBs since 1987 across High Point, Greensboro, Charlotte, Raleigh, and the Piedmont Triad.
What Was the April 2026 Credential Theft Campaign?
The April 14-16, 2026 campaign was a coordinated phishing wave that targeted more than 35,000 individual users across over 13,000 organizations in 26 countries. United States targets accounted for 92% of victims. Industry distribution skewed sharply toward sectors holding sensitive data and high-value financial workflows:
| Industry Targeted | Share of Phishing Emails |
|---|---|
| Healthcare and life sciences | ~19% |
| Financial services | ~18% |
| Professional services (legal, accounting, consulting) | ~11% |
| Technology and software | ~11% |
| Other industries (combined) | ~41% |
Public reporting points to large-scale credential harvesting infrastructure typical of Adversary-in-the-Middle (AiTM) phishing kits. These kits sit between the victim and the legitimate login page, harvest the password, intercept the MFA code, and steal the resulting session token, all in real time. The result: even users who completed an MFA prompt can have their session hijacked and their account compromised.
For NC small and mid-sized businesses, four of the top targeted sectors are heavily represented in our local economy: healthcare practices in the Triangle and Triad, financial services and accounting firms across the state, professional services firms (legal, consulting, engineering), and the technology/SaaS cluster around Raleigh-Durham.
Why Are Username + Password + SMS MFA No Longer Enough?
Traditional MFA was designed against an attacker model that no longer dominates. When MFA was widely deployed, attackers were mostly stealing static passwords. Today, the most active credential-theft tooling targets the entire authentication session, not just the password.
Three modern attack patterns defeat older MFA:
- AiTM phishing kits (e.g., Evilginx-class). A real-time reverse proxy captures the username, password, MFA code, and the resulting session cookie; the attacker logs in immediately as the victim
- MFA fatigue / push bombing. Repeated push notifications to a user's phone until they tap "approve" out of annoyance or confusion
- Token theft via infostealer malware. Browser-resident session tokens are harvested from infected workstations and replayed from the attacker's machine, bypassing the MFA prompt entirely
Microsoft research still shows MFA blocks 99.9% of automated credential attacks, and it remains essential. The point is that the form of MFA matters now. Push and SMS are below the waterline; phishing-resistant MFA is above it.
What Is Phishing-Resistant MFA and Who Needs It?
Phishing-resistant MFA uses cryptographic methods that cannot be replayed by an AiTM proxy. The two dominant standards:
- FIDO2 / WebAuthn, including hardware security keys (YubiKey, Feitian) and platform authenticators (Windows Hello for Business, Apple Passkeys)
- Certificate-based authentication with smart cards or device certificates
Because the cryptographic challenge is bound to the legitimate domain and the user's device, an AiTM proxy on a different domain simply cannot complete the handshake. The phishing kit collapses.
Roles that should be on phishing-resistant MFA today, not next quarter:
- All IT and admin accounts (Microsoft 365 Global Admin, network admins, domain admins, MSP shared accounts)
- All finance and accounting roles with payment authority
- All executives with email signing authority
- Anyone with access to PHI, CUI, cardholder data, or large customer datasets
- Any account that can change MFA settings, conditional access policies, or DNS/email configuration
For everyone else, modern app-based MFA with number matching and geographic checks is acceptable as a baseline, with conditional access doing the heavy lifting.
What Is Conditional Access and Why Does It Matter Here?
Conditional access is the policy engine that decides, at every login, whether to allow, block, or prompt for additional verification based on signals: user, device, location, app, risk, and session age. For NC businesses on Microsoft 365 or Google Workspace, conditional access is the difference between "MFA is on" and "the account is actually defended."
Practical conditional access policies that disrupted the April 2026 campaign for organizations that had them in place:
- Block legacy authentication. No POP3/IMAP/SMTP basic auth, period
- Require phishing-resistant MFA for admins and high-risk users
- Require compliant or hybrid-joined device for access to sensitive apps
- Block sign-in from countries you do not do business in (geo-fencing)
- Block impossible-travel sign-ins (e.g., NC at 9 a.m., Vietnam at 9:30 a.m.)
- Require re-authentication on session risk, not "stay signed in for 90 days"
- Block downloads of sensitive files from unmanaged devices
- Block consent to high-risk OAuth apps by non-admin users
Microsoft Entra Conditional Access and Google Context-Aware Access both deliver these capabilities at SMB-friendly licensing levels.
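As an added illustration (not the original post's code and not Microsoft's or Google's policy engine), this simplified evaluator applies the policies listed above to a single sign-in, using the same user's previous sign-in for the impossible-travel check; the allowed-country list, app names, speed threshold, and sample sign-in records are constructed for the example.

```javascript
const ALLOWED_COUNTRIES = new Set(['US']);                      // geo-fence: where the business operates
const LEGACY_PROTOCOLS = new Set(['pop3', 'imap', 'smtp-basic']);
const PHISHING_RESISTANT = new Set(['fido2', 'certificate']);
const SENSITIVE_APPS = new Set(['SharePoint', 'Practice EHR']);  // assumed app names
const MAX_TRAVEL_KMH = 900;                                     // faster than this is "impossible travel"
// Great-circle distance in km between two {lat, lon} points (haversine formula).
function distanceKm(a, b) {
  const r = Math.PI / 180, R = 6371;
  const h = Math.sin((b.lat - a.lat) * r / 2) ** 2 +
    Math.cos(a.lat * r) * Math.cos(b.lat * r) * Math.sin((b.lon - a.lon) * r / 2) ** 2;
  return 2 * R * Math.asin(Math.sqrt(h));
}
// Evaluate every policy and let the most restrictive result win, as a real policy engine does.
// `previous` is the same user's last non-blocked sign-in, or null.
function evaluate(signIn, previous) {
  const hits = [];
  if (LEGACY_PROTOCOLS.has(signIn.protocol)) hits.push(['block', 'block-legacy-auth']);
  if (!ALLOWED_COUNTRIES.has(signIn.country)) hits.push(['block', 'geo-fence']);
  if (previous) {
    const hours = (signIn.time - previous.time) / 3.6e6;
    const kmh = hours > 0 ? distanceKm(previous.geo, signIn.geo) / hours : 0;
    if (kmh > MAX_TRAVEL_KMH) hits.push(['block', 'impossible-travel']);
  }
  if (signIn.isAdmin && !PHISHING_RESISTANT.has(signIn.mfaMethod)) hits.push(['require', 'admin-phishing-resistant-mfa']);
  if (SENSITIVE_APPS.has(signIn.app) && !signIn.deviceCompliant) hits.push(['block', 'require-compliant-device']);
  if (signIn.riskLevel !== 'none') hits.push(['require', 'reauth-on-session-risk']);
  const verdict = hits.some(([v]) => v === 'block') ? 'block' : hits.length ? 'require' : 'allow';
  return { verdict, policies: hits.map(([, p]) => p) };
}

// Constructed sample sign-ins (not real tenant logs), set in the campaign window; 13:00Z is 9 a.m. in NC.
const HIGH_POINT = { lat: 35.96, lon: -80.01 }, HANOI = { lat: 21.03, lon: 105.85 };
const base = { protocol: 'https', app: 'Outlook', isAdmin: false, mfaMethod: 'push', deviceCompliant: true, riskLevel: 'none' };
const SAMPLE = [
  { ...base, user: 'cfo', time: Date.parse('2026-04-15T13:00:00Z'), geo: HIGH_POINT, country: 'US' },
  { ...base, user: 'cfo', time: Date.parse('2026-04-15T13:30:00Z'), geo: HANOI, country: 'VN', deviceCompliant: false },
  { ...base, user: 'itadmin', time: Date.parse('2026-04-15T14:00:00Z'), geo: HIGH_POINT, country: 'US', isAdmin: true },
  { ...base, user: 'itadmin', time: Date.parse('2026-04-15T14:05:00Z'), geo: HIGH_POINT, country: 'US', isAdmin: true, mfaMethod: 'fido2' },
  { ...base, user: 'scanner', time: Date.parse('2026-04-15T15:00:00Z'), geo: HIGH_POINT, country: 'US', protocol: 'smtp-basic' },
];
// Run the sample through the evaluator, remembering each user's last non-blocked sign-in as `previous`.
function runSample(signIns) {
  const last = new Map();
  return signIns.map((s) => {
    const result = evaluate(s, last.get(s.user) || null);
    if (result.verdict !== 'block') last.set(s.user, s);
    return { user: s.user, ...result };
  });
}
```

The Hanoi sign-in trips both the geo-fence and the impossible-travel policy at once, which is the point of running the policies as a system rather than relying on any single one.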
How Should NC SMBs Respond to the April 2026 Campaign This Week?
If you have not reviewed your identity posture since the April 14-16 wave, treat the next 7 days as an emergency identity review. The actions worth running this week:
- Force password rotation for any user whose mailbox showed unusual activity in mid-April
- Revoke all active sessions for high-privilege accounts via Microsoft Entra or Google Workspace admin
- Audit OAuth apps and consent grants added in April; revoke any unfamiliar entries
- Audit inbox rules in Microsoft 365 and Google Workspace for forwarding, auto-delete, or "move to RSS Feeds" rules typical of BEC takeover
- Confirm all admins are on phishing-resistant MFA, not push or SMS
- Confirm conditional access is enforcing block-legacy-auth, geo-fencing, and device compliance
- Search the dark web and credential-leak feeds for your domain via a managed dark web monitoring service
- Run an EDR scan for infostealer malware (RedLine, Lumma, Vidar, Raccoon are common 2025-2026 strains)
- Notify employees of the campaign and remind them how to report a suspicious email
- Review cyber insurance policy requirements to confirm you remain compliant with MFA and identity controls
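As an added example (not the original post's code, and not a Microsoft or Google tool), the audit below scans an exported inbox-rule list for the forwarding, auto-delete and folder-hiding patterns named in the checklist; the tenant domain, folder list, keywords and sample rules are constructed for the illustration, with property names borrowed from Exchange Online's Get-InboxRule output where known.

```javascript
// Tenant-specific assumptions for the example.
const INTERNAL_DOMAINS = new Set(['example.com']);
// Folders where takeover rules park mail so the owner never sees replies or security alerts.
const HIDING_FOLDERS = new Set(['RSS Feeds', 'RSS Subscriptions', 'Conversation History', 'Junk Email', 'Deleted Items']);
const WATCH_WORDS = ['invoice', 'wire', 'payment', 'ach', 'password', 'mfa', 'suspicious', 'hacked', 'phish'];

// Extract the domain from an address; Exchange output may wrap it as "Name [SMTP:user@domain]".
function domainOf(addr) {
  const m = /([^\s@\[\]:]+)@([^\s\]>]+)/.exec(addr);
  return m ? m[2].toLowerCase() : '';
}

// Return the findings for one rule; an empty list means the rule looks benign.
function auditRule(rule) {
  const findings = [];
  const targets = [...(rule.ForwardTo || []), ...(rule.ForwardAsAttachmentTo || []), ...(rule.RedirectTo || [])];
  const external = targets.filter((a) => !INTERNAL_DOMAINS.has(domainOf(a)));
  if (external.length) findings.push('forwards or redirects to external address: ' + external.join(', '));
  if (rule.DeleteMessage) findings.push('auto-deletes matching mail');
  if (rule.MoveToFolder && HIDING_FOLDERS.has(rule.MoveToFolder)) findings.push('moves mail to "' + rule.MoveToFolder + '"');
  const words = (rule.SubjectOrBodyContainsWords || []).map((w) => w.toLowerCase());
  const watched = words.filter((w) => WATCH_WORDS.some((k) => w.includes(k)));
  // Keyword matching alone is normal; combined with hiding, deleting or forwarding it is the BEC pattern.
  if (watched.length && (findings.length || rule.MarkAsRead)) findings.push('targets finance/security keywords: ' + watched.join(', '));
  if (!/[a-z0-9]/i.test(rule.Name || '')) findings.push('rule name is blank or punctuation only');
  return findings;
}

// Audit every rule in an export and return only the suspicious ones, most findings first.
function auditRules(rules) {
  return rules
    .map((r) => ({ mailbox: r.MailboxOwnerId, name: r.Name, enabled: r.Enabled !== false, findings: auditRule(r) }))
    .filter((r) => r.findings.length > 0)
    .sort((a, b) => b.findings.length - a.findings.length);
}

// Constructed sample export (not real tenant data).
const SAMPLE_RULES = [
  { MailboxOwnerId: 'cfo@example.com', Name: '.', Enabled: true, SubjectOrBodyContainsWords: ['invoice', 'wire transfer'],
    MoveToFolder: 'RSS Feeds', MarkAsRead: true },
  { MailboxOwnerId: 'cfo@example.com', Name: 'fwd', Enabled: true, ForwardTo: ['External [SMTP:backup.mail@mail-example.test]'] },
  { MailboxOwnerId: 'ap@example.com', Name: 'Vendor newsletters', Enabled: true, SubjectOrBodyContainsWords: ['newsletter'],
    MoveToFolder: 'Newsletters' },
  { MailboxOwnerId: 'ap@example.com', Name: 'Cleanup', Enabled: true, SubjectOrBodyContainsWords: ['password', 'suspicious sign-in'],
    DeleteMessage: true },
  { MailboxOwnerId: 'hr@example.com', Name: 'Team alias', Enabled: true, RedirectTo: ['HR Team [SMTP:hr-team@example.com]'] },
];
```

Run the same audit on a fresh export after remediation; a rule that reappears after you removed it is a sign the account is still in the attacker's hands.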
For a structured walkthrough, see our guides on MFA in the AI age, passwordless authentication, and phishing prevention.
Want help running this checklist? Take our free cybersecurity assessment or call (336) 886-3282.
Industry-Specific Risk Notes for NC
Each of the heavily targeted industries from the April 2026 campaign maps to specific NC business profiles:
- Healthcare and life sciences (19%). Triangle research firms, Triad medical practices, and rural NC hospitals. PHI exposure adds HIPAA breach notification on top of NC G.S. 75-65
- Financial services (18%). Local credit unions, community banks, accounting firms, RIAs, mortgage brokers. GLBA, Reg S-P, FTC Safeguards Rule, and state requirements stack
- Professional services (11%). Law firms, consulting, engineering, architecture across Raleigh-Durham and the Triad. Privileged client communications make BEC takeover catastrophic
- Technology and software (11%). Triangle SaaS companies; their compromise becomes a supply chain attack on every customer
Manufacturers and construction firms are not in the top four targeted sectors of this specific campaign, but the Verizon 2026 DBIR and FBI IC3 2025 report confirm both sectors face heavy ransomware and BEC pressure independently. The defensive controls overlap entirely.
How Is Preferred Data Helping NC SMBs Stay Ahead of Credential Theft Campaigns?
Preferred Data Corporation has been protecting North Carolina businesses since 1987. Our managed cybersecurity services include identity threat detection, conditional access design, FIDO2 rollout, dark web monitoring, and 24/7 SOC monitoring of suspicious sign-in activity. Our managed IT services handle the underlying Microsoft 365 / Google Workspace configuration, MFA enforcement, and OAuth app governance. Our Microsoft 365 security service configures conditional access and Entra ID Protection so the controls described above are actually enforced, not just licensed.
For healthcare practices, financial services firms, professional services firms, manufacturers, and construction firms across High Point, Greensboro, Charlotte, Raleigh, Winston-Salem, Durham, and the Piedmont Triad, we deliver identity hardening tuned to the specific compliance and operational realities of each industry. With BBB A+ accreditation, an average client tenure of over 20 years, and on-site response within 200 miles of High Point, we are the partner NC business owners trust when an identity event lands on a Friday afternoon.
Stay ahead of the next campaign. Contact Preferred Data at (336) 886-3282 or visit our contact page for an identity posture review.
Frequently Asked Questions
What was the April 2026 credential theft campaign?
A coordinated phishing campaign observed April 14-16, 2026 that targeted more than 35,000 users across over 13,000 organizations in 26 countries, with 92% of victims in the United States. Healthcare/life sciences, financial services, professional services, and technology were the top targeted sectors.
How does AiTM (Adversary-in-the-Middle) phishing defeat MFA?
AiTM kits sit between the victim and the legitimate login page in real time. They capture the password, the MFA code, and the resulting session cookie, then immediately log in as the user. Phishing-resistant MFA (FIDO2/WebAuthn) blocks AiTM because the cryptographic challenge is bound to the legitimate domain.
Is SMS MFA still useful?
SMS MFA is better than nothing and still blocks most automated attacks, but it is below the modern standard for any account that matters. Move to app-based MFA with number matching as a minimum, and to FIDO2/WebAuthn for admins, finance, and high-risk users.
What is phishing-resistant MFA?
Phishing-resistant MFA uses cryptographic methods (FIDO2/WebAuthn or certificate-based) that cannot be replayed by an AiTM proxy. Hardware keys, Windows Hello for Business, and Passkeys are common implementations.
How do we know if our credentials have already been stolen?
Use a dark web monitoring service to search credential-leak feeds for your domain. Review Microsoft Entra ID Protection or Google Workspace alerts for suspicious sign-ins. Check for unauthorized OAuth app consent and unusual inbox rules. A managed cybersecurity provider can run this discovery in days.
Should small businesses block sign-ins from foreign countries?
For most NC SMBs, yes. If your business does not regularly serve customers or have employees outside the U.S. (or a small set of named countries), conditional access geo-fencing materially reduces attack surface with minimal user impact.
How fast must we revoke a compromised session?
Within minutes of detection. Active session tokens stolen via AiTM remain valid until revoked or expired, often hours or days. Use Microsoft Entra "revoke sessions" or Google "sign out user" the moment compromise is suspected.
Does Preferred Data offer identity hardening services?
Yes. Our managed cybersecurity services include identity threat detection, FIDO2 rollout, conditional access design, dark web monitoring, and 24/7 SOC monitoring. Call (336) 886-3282 for a tailored engagement.