🔑

Security Domain

Identity & Access Management

Authentication, authorization, access control models, identity federation, and MFA.

🔑IAM

VENOM Phishing Kit Targets Senior Microsoft 365 Executives via AiTM Session Interception

A new phishing-as-a-service platform named VENOM is specifically targeting C-suite and senior executive Microsoft 365 accounts using adversary-in-the-middle (AiTM) infrastructure to intercept authenticated sessions. Unlike generic phishing kits, VENOM includes targeting logic that filters for high-value accounts — CFOs, CEOs, legal counsel, and board-level contacts — and executive-tailored lures designed to arouse little suspicion.

#phishing
🔑IAM

OpenAI Launches Advanced Account Security Programme with Mandatory Phishing-Resistant MFA

OpenAI has announced an opt-in Advanced Account Security programme for high-risk users — journalists, human rights advocates, executives, and researchers — offering phishing-resistant FIDO2 hardware key and passkey authentication, stricter account recovery controls, and session compromise mitigations. The programme, developed in partnership with Yubico, acknowledges that standard MFA is insufficient against sophisticated phishing and AiTM attacks targeting OpenAI accounts with access to sensitive workflows.

#openai
🔑IAM

Ivanti EPMM CVE-2026-6973 — Remote Code Execution Added to CISA KEV, Patch Required

Ivanti has disclosed CVE-2026-6973, a remote code execution vulnerability in Endpoint Manager Mobile (EPMM, formerly MobileIron) that has been added to the CISA Known Exploited Vulnerabilities catalogue following confirmed limited exploitation. EPMM is a mobile device management platform used by government agencies and enterprises. Organisations should apply the available patch and audit administrator account activity. EPMM has a prior history of critical exploitation including the 2023 Norwegian government attack.

#ivanti
🔑IAM

GoDaddy ManageWP Credentials Targeted by AiTM Phishing Campaign via Malicious Google Ads

A real-time adversary-in-the-middle phishing campaign is targeting GoDaddy ManageWP administrators through malicious Google search advertisements that appear above legitimate results for ManageWP login queries. The campaign steals session tokens via a real-time proxy, bypassing MFA, and uses Telegram for credential exfiltration. Each compromised ManageWP account typically controls hundreds of WordPress sites, making this a high-leverage credential theft campaign.

#phishing
🔑IAM

Cordial Spider and Snarky Spider Drive Multi-Sector SaaS Account Takeover via Vishing and SSO AiTM Attacks

Two newly-designated threat actor clusters — Cordial Spider (UNC6671) and Snarky Spider (UNC6661) — are conducting coordinated vishing and adversary-in-the-middle SSO phishing campaigns against enterprise organisations across finance, technology, and logistics sectors, bypassing MFA to harvest persistent OAuth tokens. Organisations should review SSO conditional access policies and verify help desk vishing verification procedures.

#vishing
🔑IAM

ConsentFix v3 Automates Azure OAuth Abuse at Scale — MFA-Bypassing Phishing Platform Circulating on Forums

The third iteration of the ConsentFix Azure OAuth phishing toolkit has been observed circulating on cybercriminal forums, adding Pipedream-powered automation to the consent flow abuse technique that allows attackers to gain persistent access to Microsoft 365 tenants without requiring MFA. Enterprise security teams should review conditional access policies governing OAuth app registrations and user consent.

#oauth
🔑IAM

Scattered Spider's 'Tylerb' Pleads Guilty — Senior Member Faces 20 Years for $8M SIM Swap and Enterprise Breaches

Tyler Robert Buchanan, 24, known online as 'Tylerb', has pleaded guilty to wire fraud conspiracy and aggravated identity theft for his role in Scattered Spider's 2022 SMS phishing and SIM-swapping campaign that breached Twilio, LastPass, DoorDash, Cloudflare, and at least 130 other organisations. The guilty plea represents a significant law enforcement milestone against the English-language cybercrime group responsible for the MGM and Caesars casino breaches.

#scattered-spider
🔑IAM

Azure Arc Windows Agent CVE-2026-26117 Lets Low-Privilege Users Escalate to SYSTEM and Seize Cloud-Managed Identity

CVE-2026-26117, a local privilege escalation flaw in the Azure Arc Connected Machine Agent for Windows, allows any domain user on a managed host to escalate to SYSTEM and inherit the host's Azure managed identity — granting access to all Azure resources the machine identity can reach. Microsoft rated the flaw CVSS 7.8; patch immediately given Arc's growing enterprise footprint.

#azure-arc
🔑IAM

Microsoft Entra Agent ID Role Misconfiguration Enabled Full Tenant Takeover via Service Principal Hijack

A flaw in Microsoft Entra's Agent ID role assignment model allowed an attacker with low-level Entra access to hijack privileged service principals and achieve full tenant administrator rights. Microsoft silently patched the issue on April 9; organisations with agentic AI workloads or automation service accounts should audit role bindings immediately.

#entra-id
🔑IAM

Microsoft Entra Passkeys Rolling Out to All Windows Devices — Phishing-Resistant MFA Now Generally Available

Microsoft has begun rolling out Entra passkey support to managed, unmanaged, and shared Windows devices, with general availability set for mid-June 2026. Passkeys close the credential-phishing gap that conventional passwords, SMS codes, and TOTP leave open, and enterprise deployment is now achievable at scale through existing Conditional Access policies.

#passkeys
🔑IAM

Microsoft Entra ID Entitlement Management SSRF (CVE-2026-35431, CVSS 10.0) — Cloud IAM Attack Surface Disclosed Before Silent Server-Side Fix

A perfect-score SSRF vulnerability in Microsoft Entra ID Entitlement Management allowed unauthenticated network-accessible exploitation of Microsoft's cloud identity governance platform. Microsoft patched it server-side with no customer action required, but the disclosure surfaces a structural question enterprise security teams need to answer: how do you monitor for exploitation of a vulnerability in infrastructure you don't control?

#entra-id
🔑IAM

BeigeBurrow: New Go-Based Covert C2 Agent Deployed via Active Directory RCE CVE-2026-33826

A previously undocumented post-exploitation tool named BeigeBurrow has been observed in at least two enterprise intrusions following exploitation of the Windows Active Directory RCE CVE-2026-33826. The Go-based agent uses HashiCorp's Yamux library to multiplex covert relay channels over port 443, blending into encrypted enterprise traffic. CVE-2026-33826 was patched in April Patch Tuesday; organisations that have not yet applied the patch should treat it as urgent.

#active-directory
🔑IAM

CISA Confirms Active Exploitation of Windows Task Host Privilege Escalation CVE-2025-60710 — Four Public Exploits Available

A link-following flaw in the Windows Host Process for Tasks allows any local user to escalate to SYSTEM privileges. Patched in November 2025, CVE-2025-60710 has been confirmed as actively exploited — CISA added it to the Known Exploited Vulnerabilities catalogue on 13 April with a 27 April federal deadline. Four public proof-of-concept exploits are now freely available on GitHub.

#privilege-escalation
🔑IAM

CVE-2026-33826: Windows Active Directory RCE via Crafted RPC Calls — Patch Now

A critical remote code execution flaw in Windows Active Directory allows any authenticated domain user to execute arbitrary code on domain controllers and other AD-joined servers by sending specially crafted RPC calls. Rated CVSS 8.0 and assessed by Microsoft as 'Exploitation More Likely', CVE-2026-33826 poses a serious lateral-movement and domain-compromise risk for every Windows Server environment. The April 2026 Patch Tuesday update provides the only full remediation.

#cve-2026-33826
🔑IAM

Microsoft Closes APT29's Favourite Phishing Door With New RDP File Protections

The April 2026 Windows update introduces mandatory security warnings for RDP connection files and blocks their device redirections by default, directly countering the technique used by APT29 and other threat actors to silently redirect local drives and harvest credentials. Organisations using Windows 10 and 11 should confirm the KB is deployed.

#rdp
🔑IAM

FBI and Indonesian Police Dismantle W3LL Phishing Platform Behind $20M in MFA-Bypass Fraud

The FBI Atlanta Field Office and Indonesia's National Police have dismantled the W3LL phishing-as-a-service platform, arresting its alleged developer and seizing domains used in a global credential-theft and MFA-bypass operation. W3LL targeted over 17,000 victims in Microsoft 365 environments, capturing not just passwords but session tokens that allowed attackers to bypass multi-factor authentication.

#phishing
🔑IAM

AI-Powered Device Code Phishing Bypasses MFA at Hundreds of Organisations

A sophisticated phishing campaign is abusing the OAuth device authorisation flow to hijack Microsoft 365 access tokens while victims complete entirely genuine MFA challenges. Hundreds of organisations have been compromised. FIDO2 passkeys block this attack; push notifications, TOTP, and SMS codes do not. Organisations should block the device code grant in Conditional Access immediately.

#phishing
🔑IAM

Fortinet FortiClient EMS Zero-Day CVE-2026-35616 Actively Exploited — Apply Emergency Hotfix Now

A critical pre-authentication API bypass in Fortinet FortiClient EMS (CVSS 9.1) is being actively exploited in the wild, with CISA adding the vulnerability to its Known Exploited Vulnerabilities catalogue on 6 April. Organisations running FortiClient EMS 7.4.5 or 7.4.6 must apply the emergency hotfix immediately — FCEB agencies faced a remediation deadline of 9 April.

#fortinet
🔑IAM

April Windows Update Enforces AES-Only Kerberos — RC4 Fallback Blocked Across Active Directory

Microsoft's April 2026 cumulative update moves Windows domain controllers into AES-only Kerberos enforcement mode, permanently blocking RC4-HMAC as an authentication fallback under CVE-2026-20833. Organisations with legacy service accounts or unmanaged devices that have not set the msDS-SupportedEncryptionTypes attribute will begin seeing Kerberos authentication failures when the update is deployed.

#microsoft
🔑IAM

Windows Kerberos Security Feature Bypass CVE-2026-24297 — Race Condition Enables Unauthenticated Network Attack

CVE-2026-24297 is a security feature bypass in the Windows Kerberos implementation caused by a race condition that can be triggered remotely without credentials or user interaction. Patched in the March 2026 Patch Tuesday, the vulnerability allows an attacker with network access to a Kerberos-speaking service to bypass security validation in the authentication flow. No active exploitation has been confirmed but the attack vector requires no credentials, increasing urgency.

#kerberos
🔑IAM

Active Directory Privilege Escalation CVE-2026-25177 Added to CISA KEV — Domain Admin Risk via SPN Abuse

CVE-2026-25177, a privilege escalation vulnerability in Active Directory Domain Services patched in March's Patch Tuesday, has been added to CISA's Known Exploited Vulnerabilities catalogue. An authenticated attacker with low-privileged domain credentials can exploit improper SPN and UPN name validation to escalate to domain administrator level. The KEV addition confirms in-the-wild exploitation approximately three weeks after patching was available.

#active-directory