Why Phishing Crews Are Targeting Colorado Springs Medical Offices Right Now
Microsoft put out a warning on May 8 that should be on every medical office manager's desk along the Front Range. A coordinated phishing campaign tracked between April 14 and 16 hit more than 35,000 users across 13,000 organizations. The single most-targeted industry was healthcare and life sciences. About 92% of the targets were in the United States.
That is not a generic threat report. It is a sector callout. And small medical offices in Colorado Springs and Pueblo are firmly in the blast radius.
The lure is unremarkable. That's the point.
The crews used "code of conduct review" emails. Nothing dramatic. Nothing screaming "click me." A PDF attachment, a few CAPTCHA screens to slip past automated filters, and a Microsoft login page that looks exactly like the one your front-desk team uses every morning. The whole thing is designed to feel like routine HR compliance work, because routine work is what gets clicked.
The technical wrinkle is what makes this campaign worth talking about. The attackers used adversary-in-the-middle tooling, the kind sold on platforms with names like Tycoon 2FA. When your staffer types in their password and approves the MFA prompt, the attacker's server is sitting between the browser and Microsoft, copying the session token in real time. The login goes through. The phishing crew gets in. MFA did not save you.
That last sentence is the one that should sting. A lot of medical practices in our region added MFA after the Change Healthcare disaster and assumed they were covered. They are not, at least not with the version of MFA most offices are running.
Why healthcare. Why now.
Three things are converging on healthcare at once.
The first is the value of the data. A patient record sells for many times what a stolen credit card sells for. Names, dates of birth, insurance numbers, diagnosis codes, and Social Security numbers all in one place. Credit cards get cancelled in a day. A patient's date of birth does not.
The second is pressure. A medical office cannot run for a week with its scheduling system encrypted. Patients are sitting in the waiting room. Lab results are queued. Insurance claims have to go out within a window or the revenue evaporates. Ransomware crews know that healthcare pays faster than almost any other industry because the alternative is patient harm and reportable downtime.
The third is the supply chain hangover from 2024. The Change Healthcare attack pushed thousands of small practices into the kind of cash crunch the AMA warned would close some of them outright. The criminals watched that playbook work. They learned that hitting a small office, or a vendor connected to dozens of small offices, is high-leverage. They are running it again.
Microsoft tracked more than 35,000 targeted users in a 72-hour window, and healthcare was the most-hit sector. That is not an accident. That is targeting.
Has this hit Colorado already?
It has. AspenPointe, the Colorado Springs behavioral health provider, disclosed an attack a few years back that exposed the records of roughly 295,000 patients. Western Orthopaedics, a Colorado provider with multiple Front Range locations, confirmed unauthorized network access in September 2025. Those are the disclosures that crossed the 500-patient HHS reporting threshold. Smaller incidents, the kind that hit a two-doctor practice in Pueblo or a specialty clinic off North Academy, mostly never make the news. They are reported quietly, paid quietly, and recovered from quietly. Or they close.
The federal HHS dashboard tracked 605 healthcare breaches in 2025, affecting around 44 million Americans. Healthcare is now responsible for roughly 32% of all known ransomware incidents, more than twice the next industry on the list.
What actually stops this
Start with phishing-resistant MFA. This is the part most offices get wrong. App-based push notifications and SMS codes are not phishing-resistant. They are exactly what the adversary-in-the-middle campaigns are designed to defeat: the proxy relays the code or the approval to Microsoft and keeps the session that comes back. The fix is hardware security keys (FIDO2) or device-bound passkeys, configured on every Microsoft 365 or Google Workspace account that touches patient data. A FIDO2 credential signs a challenge that is bound to the real login domain, so a look-alike site sitting in the middle cannot relay it. This is a one-afternoon project for an office with ten staff. Most practices we walk into have not done it.
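To make that difference concrete, here is an added Go example (not code from the original post or from any vendor it names) that models the origin check a FIDO2/WebAuthn relying party performs: the browser stamps the origin the user is actually on into the signed client data, so a login answered on a proxy page at a look-alike domain fails verification even though the user's own key signed it. The domains login.example.com and login-example.com, the challenge value, and the reduction of authenticatorData to its rpId hash are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// clientData mirrors the WebAuthn clientDataJSON fields that matter here; the browser, not the page, stamps Origin with the site the user is actually on.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// signAssertion models browser plus security key: the key signs sha256(rpId) || sha256(clientDataJSON) (authenticatorData reduced to its leading rpIdHash for brevity).
func signAssertion(priv ed25519.PrivateKey, rpID, visitedOrigin, challenge string) (cdJSON, sig []byte) {
	cdJSON, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: visitedOrigin})
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdJSON)
	return cdJSON, ed25519.Sign(priv, append(rpHash[:], cdHash[:]...))
}

// verifyAssertion is the relying party's check: its own challenge, its own origin, and a signature that must cover its own rpId and the client data exactly as received.
func verifyAssertion(pub ed25519.PublicKey, rpID, expectedOrigin, challenge string, cdJSON, sig []byte) error {
	var cd clientData
	if json.Unmarshal(cdJSON, &cd) != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("malformed client data, wrong type or stale challenge")
	}
	if cd.Origin != expectedOrigin { // the check a relayed login cannot pass
		return errors.New("origin mismatch: " + cd.Origin)
	}
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdJSON)
	if !ed25519.Verify(pub, append(rpHash[:], cdHash[:]...), sig) {
		return errors.New("signature does not cover this rpId and client data")
	}
	return nil
}

// relayDemo returns the verdict for a direct login and for the same challenge answered on a proxy page at a look-alike domain (constructed names; a real browser would also refuse the rpId there).
func relayDemo() (direct, relayed error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	const rpID, origin, chal = "login.example.com", "https://login.example.com", "c0ffee" // assumed values
	cd, sig := signAssertion(priv, rpID, origin, chal)
	direct = verifyAssertion(pub, rpID, origin, chal, cd, sig)
	cd, sig = signAssertion(priv, rpID, "https://login-example.com", chal) // browser stamps the proxy's origin
	relayed = verifyAssertion(pub, rpID, origin, chal, cd, sig)
	return
}
```

A push or SMS code carries no such origin binding, which is why the same relay succeeds against it.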
Next is email security that catches the lure before staff ever see it. The native Microsoft 365 spam filter is not enough against modern phishing-as-a-service kits. Practices need a layer that does link rewriting and detonation, attachment sandboxing, and impersonation detection. The same protection extends to inbound text messages to office cell phones, which is the new front door for smishing campaigns aimed at the same staff.
Then comes security awareness training that includes real consequences. Not the annual click-through video. Real simulated phishing, monthly, with measurable click rates. One industry survey found that 24% of health workers in the United States have never received cybersecurity awareness training of any kind. If a third of your team has never been trained to spot the lure described above, the math gets ugly fast. Our managed service plans roll this in as a default.
The fourth thing, the one nobody likes to talk about, is the assumption that breach response is purely a HIPAA-driven process. It is HIPAA-driven, but it is also a clinical-continuity process. If your EHR is encrypted on a Monday, you do not have until Friday to make a plan. Run the tabletop now, while you have the luxury.
A practical next step
If you run a medical practice in Colorado Springs, Pueblo, or anywhere along the Front Range, the honest first move is a thirty-minute look at three things. Whether your MFA is actually phishing-resistant. Whether your staff have been trained in the last six months. Whether your incident response plan names a person who picks up the phone after hours.
If any of those answers is "I am not sure," that is the conversation worth having. We do walkthroughs for medical offices in the region, no obligation, and the deliverable is a plain-English risk summary you can hand to your partners or your compliance officer.
Book a free assessment with Efrain. No sales pitch, no obligation.