Cisco Talos identified ARToken, a phishing-as-a-service platform linked to EvilTokens, that abuses Microsoft's OAuth 2.0 Device Authorization Grant to bypass MFA and capture victim tokens. The platform provides affiliates with a comprehensive post-compromise toolkit including PRT-based persistence surviving password resets, BEC email operations, inbox rule manipulation, and SharePoint exfiltration. ARToken deploys a sophisticated seven-layer client-side anti-analysis system and abuses legitimate sharepoint.com URLs from attacker-controlled Microsoft 365 workspaces to evade security scanners.
This threat intelligence report highlights recent data breaches involving third-party vendors, emerging AI threat vectors such as prompt injection and WebSocket abuse, and active exploitation of critical vulnerabilities in Fortinet, Cisco, and Splunk products. Additionally, seasonal phishing campaigns targeting travelers and Amazon Prime members are surging alongside a cross-platform Rust-based crypto clipboard hijacker.
Varonis Threat Labs discovered SearchLeak, a critical vulnerability chain in Microsoft 365 Copilot Enterprise Search (CVE-2026-42824). By chaining Parameter-to-Prompt (P2P) injection, an HTML rendering race condition, and a Server-Side Request Forgery (SSRF) via Bing's image search, attackers could exfiltrate sensitive organizational data via a single malicious link.
Microsoft's June 2026 Patch Tuesday addresses 206 vulnerabilities, including 32 critical flaws primarily involving Remote Code Execution (RCE). Four critical vulnerabilities affecting the Remote Desktop Client, HTTP Protocol Stack, and Windows Graphics component are highlighted as more likely to be exploited, prompting immediate patching and the deployment of updated network intrusion rules.
Session Hijacking and Developer Tool Poisoning Collapse Authentication Trust
This week, attackers proved that multi-factor authentication is no longer a reliable gatekeeper. Campaigns like Tycoon 2FA and Chinese-language PhaaS platforms intercept one-time passwords in real time and steal session tokens to maintain persistent access, while infostealers like EKZ Infostealer harvest browser cookies to bypass authentication entirely. Even when victims reset passwords and revoke sessions, attackers retain access through hidden device registrations — meaning standard incident response playbooks are now incomplete.
Developers remain the preferred entry point for supply chain compromise. The Glassworm botnet was disrupted after hiding malware in VSCode extensions and npm packages, while the Megalodon campaign poisoned GitHub Actions workflows across 5,500 repositories. A malicious Sicoob.Sdk NuGet package stole banking certificates from Brazilian developers, and North Korea's Lazarus group compromised the widely used axios npm library — a single attack touching millions of downstream applications.
Organizations must move beyond password-and-MFA reliance: adopt hardware security keys, shorten session lifetimes, delete attacker-registered devices before resetting credentials, and audit developer toolchains and CI/CD pipelines for tampering.
Modern social engineering attacks have evolved to closely mimic legitimate business workflows, utilizing techniques like ClickFix, OAuth device code abuse, and in-browser blob phishing. These tactics bypass traditional security controls and create "gray-zone" alerts that require deep behavioral analysis to determine the true scope of compromise, such as credential theft, token abuse, or RMM deployment.
UNC6671, operating under the BlackFile brand, conducts sophisticated vishing and Adversary-in-the-Middle (AiTM) attacks to bypass MFA and compromise SSO platforms like Microsoft 365 and Okta. Once inside, the group uses automated Python and PowerShell scripts to rapidly exfiltrate sensitive data via APIs, often masking their activity as routine file access events, before launching aggressive extortion campaigns.
Microsoft's May 2026 Patch Tuesday release addresses 132 CVEs, including 29 Critical vulnerabilities and 14 with a CVSS score of 9.0 or higher. Key threats include a critical authentication bypass in the Microsoft SSO Plugin for Jira & Confluence, unauthorized RCEs in Windows Netlogon and DNS Client, and multiple Office RCEs exploitable via the Preview Pane.
Microsoft's April 2026 Patch Tuesday addresses 163 CVEs across 17 product families, including 8 Critical vulnerabilities and one actively exploited zero-day (CVE-2026-32201 in SharePoint). Organizations should prioritize patching the exploited SharePoint flaw, the publicly disclosed Defender bug (CVE-2026-33825), and a highly critical 9.8 CVSS RCE in Windows IKE (CVE-2026-33824).
BlobPhish is an evasive credential-phishing campaign that generates fake authentication forms directly in the victim's browser memory using Blob objects. By avoiding traditional HTTP requests and disk writes, it bypasses standard network and file-based detection mechanisms to steal high-value financial and cloud service credentials.
CISA has added two actively exploited vulnerabilities, CVE-2009-0238 (Microsoft Office RCE) and CVE-2026-32201 (Microsoft SharePoint Server Improper Input Validation), to its Known Exploited Vulnerabilities (KEV) Catalog. Organizations are strongly urged to prioritize timely remediation of these vulnerabilities to reduce their exposure to cyberattacks.
The rapid adoption of AI agents like OpenClaw has introduced a new identity threat surface in Microsoft cloud environments. These applications are often granted sweeping tenant-wide permissions, effectively acting as highly privileged service principals that bypass traditional endpoint defenses and could allow attackers to inherit administrative control if the agent is compromised.
Security researchers discovered a pre-authenticated Remote Code Execution (RCE) chain in Progress ShareFile Storage Zone Controller. By chaining an Execution After Redirect (EAR) authentication bypass (CVE-2026-2699) with an arbitrary file upload vulnerability (CVE-2026-2701), attackers can reconfigure the storage repository to the webroot and extract an ASPX webshell, achieving full system compromise.
CERT-EU issued an urgent security advisory regarding CVE-2026-20963, a critical unauthenticated remote code execution vulnerability in Microsoft SharePoint caused by the deserialization of untrusted data. The flaw is actively being exploited in the wild, prompting strong recommendations to immediately patch internet-facing servers, enable AMSI, and rotate ASP.NET machine keys.
Threat actors are leveraging the EvilTokens Phishing-as-a-Service platform hosted on Railway.com to conduct large-scale device code phishing campaigns against Microsoft 365 users. By abusing legitimate cloud infrastructure and multi-hop redirect chains, attackers successfully bypass email filtering and MFA to harvest persistent OAuth tokens.
Following a major law enforcement takedown of its infrastructure on March 4, 2026, the Tycoon2FA Phishing-as-a-Service (PhaaS) platform has quickly reconstituted its operations. The platform continues to enable cybercriminals to bypass multifactor authentication (MFA) using Adversary-in-the-Middle (AiTM) techniques, leading to cloud account takeovers and Business Email Compromise (BEC).
Threat actors exploited an exposed Spring Boot Actuator endpoint and plaintext credentials found in a spreadsheet to authenticate via the legacy ROPC flow. This allowed them to bypass MFA, obtain a Microsoft Graph access token, and exfiltrate sensitive data from SharePoint Online without deploying malware.
The Warlock ransomware group (Water Manaul) has enhanced its attack chain by exploiting Microsoft SharePoint servers for initial access and deploying a sophisticated post-exploitation toolkit. The group leverages BYOVD techniques via the NSecKrnl.sys driver to disable security tools, establishes redundant C&C channels using legitimate tools like Velociraptor and Cloudflare Tunnels, and automates ransomware deployment domain-wide using Group Policy Objects (GPO).
Tycoon2FA is a widespread Adversary-in-the-Middle (AiTM) Phishing-as-a-Service platform operated by the threat actor Storm-1747. It enables cybercriminals to bypass standard multifactor authentication (MFA) at scale by intercepting session cookies and credentials using spoofed sign-in pages, custom CAPTCHAs, and complex redirect chains.