Q2 2026 Attack Techniques Trend Report
The Q2 2026 trend report from AhnLab ASEC documents a significant expansion of attack surfaces into AI stacks, identity infrastructure, and public-facing applications. CISA KEV listings rose 27% year-over-year to 75 entries, with ransomware-linked vulnerabilities nearly doubling. Notable developments include prompt injection-to-RCE chains in Microsoft Semantic Kernel, data exfiltration via M365 Copilot Enterprise (SearchLeak), three Microsoft Defender zero-days used for telemetry evasion, and continued AI supply chain attacks via malicious skills. The report recommends shifting from signature-based to behavior-based detection and implementing ITDR, conditional access, and AI-specific input validation controls.
Detection / Hunteropenrouter
What Happened
A security research team published a report summarizing the major cyberattack trends from April through June 2026. They found that hackers are increasingly targeting artificial intelligence (AI) systems, identity login systems, and publicly exposed software. The number of known exploited vulnerabilities catalogued by the US government's cybersecurity agency rose by 27% compared to the same period last year, and the share of those vulnerabilities tied to ransomware attacks nearly doubled. The report highlights new flaws in AI tools from Microsoft and others that could let attackers steal data or take control of systems by manipulating AI prompts. Organizations should prioritize patching systems listed in the government's Known Exploited Vulnerabilities catalog, strengthen login protections with multi-factor authentication and short-lived access tokens, and add safety checks to their AI systems such as validating inputs and limiting what AI tools are allowed to do.
Key Takeaways
- CISA KEV listings in Q2 2026 reached 75, a 27% increase year-over-year, with ransomware-associated listings nearly doubling from 8.5% to 16.0%.
- AI stack vulnerabilities emerged as a new attack surface: prompt injection in Microsoft Semantic Kernel led to RCE (CVE-2026-26030, CVE-2026-25592), and SearchLeak (CVE-2026-42824) enabled data exfiltration from M365 Copilot Enterprise.
- Identity-based attacks expanded through OAuth device code phishing targeting Microsoft Entra ID, AiTM attacks, and exploitation of stolen tokens and sessions, with PhaaS platform Kali365 noted.
- Three zero-day vulnerabilities in Microsoft Defender were listed in KEV, used by threat actors to block legitimate processes and telemetry for evasion.
- Supply chain attacks on AI ecosystems continued via malicious skills such as OpenClaw and ClawHub, targeting AI tool invocation chains.
Affected Systems
- SimpleHelp remote support software
- Check Point security gateways
- Ivanti Sentry
- Oracle PeopleSoft
- Cisco network and perimeter devices
- Splunk
- Microsoft Defender
- Microsoft Entra ID
- M365 Copilot Enterprise
- Microsoft Semantic Kernel
- BerriAI LiteLLM
Vulnerabilities (CVEs)
| CVE | Product | Severity | Description |
|---|---|---|---|
| CVE-2026-42824 | M365 Copilot Enterprise | SearchLeak data exfiltration vulnerability in M365 Copilot Enterprise allowing unauthorized data access. | |
| CVE-2026-26030 | Microsoft Semantic Kernel | Prompt injection vulnerability in Microsoft Semantic Kernel that can lead to remote code execution. | |
| CVE-2026-25592 | Microsoft Semantic Kernel | Prompt injection vulnerability in Microsoft Semantic Kernel that can lead to remote code execution. | |
| CVE-2026-42271 | BerriAI LiteLLM | Vulnerability in BerriAI LiteLLM that was actively exploited and listed in CISA KEV. |
Attack Chain
- Initial Access: Threat actors exploit public-facing applications and perimeter devices (SimpleHelp, Check Point, Ivanti Sentry, Cisco, Splunk) using T1190 techniques listed in CISA KEV
- Credential Access: OAuth device code phishing and AiTM attacks target Microsoft Entra ID to harvest credentials and session tokens
- Defense Evasion: Three Microsoft Defender zero-days are exploited to block legitimate security processes and disable telemetry
- Execution: Prompt injection vulnerabilities in Microsoft Semantic Kernel (CVE-2026-26030, CVE-2026-25592) are leveraged to achieve remote code execution
- Collection/Exfiltration: SearchLeak (CVE-2026-42824) in M365 Copilot Enterprise enables data exfiltration; AI supply chain attacks via malicious skills (OpenClaw, ClawHub) compromise AI tool chains
- Impact: Ransomware-associated vulnerabilities double year-over-year, indicating increased convergence of initial access vectors with ransomware operations
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules or queries. It recommends shifting from signature-based to Indicators of Behavior (IoA)-based detection and emphasizes monitoring for memory injection, security telemetry disconnection, abnormal authentication sessions, and abnormal token issuance.
Detection Engineering Assessment
| Dimension | Rating | Rationale |
|---|---|---|
| EDR Visibility | Medium | The article highlights that threat actors are actively disabling EDR telemetry via Microsoft Defender zero-days, which would degrade endpoint visibility. However, behaviors such as memory injection and abnormal process termination may still be partially visible depending on EDR vendor and configuration. |
| Network Visibility | Medium | OAuth device code phishing and AiTM attacks generate network traffic to legitimate Microsoft authentication endpoints, making them difficult to distinguish from normal usage without behavioral baselining. AI-related exfiltration via M365 Copilot may appear as legitimate API calls. |
| Detection Difficulty | Hard | Attacks abuse legitimate authentication mechanisms (OAuth, session tokens) and legitimate AI APIs, making signature-based detection ineffective. Evasion via Defender zero-days further reduces sensor coverage. Behavior-based detection requires robust baselining of authentication patterns and AI tool usage, which most organizations have not yet established. |
Required Log Sources
- Microsoft Entra ID sign-in logs and conditional access logs
- OAuth application consent and token issuance logs
- EDR process creation and telemetry health logs
- Microsoft Defender for Endpoint sensor health events
- AI platform API call logs (Semantic Kernel, LiteLLM, Copilot)
- Network proxy/forwarding logs for outbound authentication traffic
- CISA KEV and EPSS threat intelligence feeds
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for OAuth device code authentication flows originating from unusual geographic locations or IP ranges, as these may indicate device code phishing against Entra ID. | Microsoft Entra ID sign-in logs filtered for device code flow authentication events | Credential Access | Medium — legitimate device code flows are common for IoT devices, CLI tools, and environments without interactive browsers; correlate with user baseline and threat intel. |
| Consider hunting for processes that attempt to stop or disable Microsoft Defender services or sensor components, which may indicate exploitation of the reported Defender zero-days. | EDR sensor health events, Windows Event Log service control events (Event ID 7036, 7045), and Microsoft Defender operational logs | Defense Evasion | Low — security tool tampering is rarely legitimate; investigate all hits but verify against known IT maintenance windows. |
| Consider hunting for anomalous token issuance patterns, such as tokens with unusually long lifespans or tokens issued outside of conditional access policy expectations, which may indicate stolen token abuse. | Entra ID token issuance logs, conditional access policy evaluation logs, and ADFS/STS audit logs | Defense Evasion | Medium — legacy applications and service accounts may use long-lived tokens by design; filter by application type and sensitivity. |
| Consider hunting for AI platform API calls that include prompt injection patterns or unexpected tool invocations, which may indicate exploitation of Semantic Kernel or LiteLLM vulnerabilities. | AI platform API gateway logs, Semantic Kernel telemetry, LiteLLM proxy logs | Execution | High — legitimate AI usage varies widely and prompt patterns are diverse; focus on unexpected outbound network connections or process spawns from AI services. |
| Consider hunting for newly installed AI skills or plugins from unverified sources, which may indicate supply chain attacks similar to OpenClaw or ClawHub campaigns. | AI platform plugin/skill installation logs, package manager logs for AI dependencies, MCP server configuration changes | Persistence | Medium — development environments frequently install new AI packages; correlate with change management records and verify publisher reputation. |
Control Gaps
- Signature-based AV/EDR would not detect OAuth device code phishing or AiTM attacks since they abuse legitimate authentication endpoints.
- Network-based detection would struggle to distinguish AI prompt injection attacks from normal API usage without deep payload inspection.
- Traditional SIEM correlation rules may not cover AI platform logs or MCP/dependency supply chain integrity checks.
- EDR telemetry could be fully blinded if Microsoft Defender zero-days are successfully exploited before detection.
- Conditional access policies that do not enforce token binding or session controls would not prevent stolen token replay attacks.
Key Behavioral Indicators
- Security sensor telemetry disconnection or unexpected Defender service termination events
- OAuth device code flow authentication requests from atypical locations or user populations
- Abnormal token issuance patterns including long-lived tokens or tokens bypassing conditional access
- AI platform API calls resulting in unexpected child process creation or outbound network connections
- New AI skill or plugin installations from unverified publishers or outside change management processes
- Memory injection attempts in processes associated with security tooling or AI services
False Positive Assessment
Medium — The behavioral indicators described (abnormal authentication sessions, telemetry disconnection, AI API anomalies) overlap with legitimate administrative activities, legacy application behavior, and normal AI usage patterns. Effective detection requires behavioral baselining and context-aware correlation rather than simple threshold alerts.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider prioritizing patching for all systems listed in CISA KEV, especially SimpleHelp, Check Point, Ivanti Sentry, Oracle PeopleSoft, Cisco, and Splunk products referenced in this report.
- If your organization uses M365 Copilot Enterprise, Microsoft Semantic Kernel, or BerriAI LiteLLM, evaluate whether patches for CVE-2026-42824, CVE-2026-26030, CVE-2026-25592, and CVE-2026-42271 are available and apply them as a priority.
- Consider reviewing Entra ID logs for recent OAuth device code authentication flows and anomalous token issuance to identify potential compromise.
- If your EDR supports it, consider enabling tamper protection and alerting on any attempts to disable Microsoft Defender services or sensor components.
Infrastructure Hardening
- Consider implementing conditional access policies with session token binding and short-lived token lifetimes for Microsoft Entra ID to limit the impact of stolen token abuse.
- Evaluate whether gateway MFA and ITDR (Identity Threat Detection and Response) solutions can be deployed to add behavioral monitoring to identity infrastructure.
- For AI systems, consider implementing input/output validation and sanitization, least-privilege access controls, and restrictions on tool invocation scope.
- Consider implementing human-in-the-loop approval workflows for high-risk AI operations and verifying the integrity of MCPs and AI dependency supply chains.
- Evaluate whether your public-facing applications and perimeter devices are assessed and prioritized based on CISA KEV and EPSS scoring.
User Protection
- Consider deploying phishing-resistant MFA methods (e.g., FIDO2 hardware keys) for high-privilege accounts to mitigate OAuth device code phishing and AiTM attacks.
- If supported by your endpoint tooling, consider enabling enhanced telemetry collection on endpoints to compensate for potential Defender evasion techniques.
- Consider evaluating the ATT&CK coverage of existing EDR/XDR solutions and checking the log-to-alert conversion rate to identify detection blind spots.
Security Awareness
- Consider incorporating OAuth device code phishing awareness into existing security training programs, emphasizing that legitimate services will never prompt users to authenticate via a separate device code flow initiated by an attacker.
- Consider training AI system users and developers on prompt injection risks and safe AI interaction practices.
- Consider rolling out guidance for development teams on verifying AI skill and plugin provenance before installation, similar to existing package security practices.