{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/cloudflare/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender for Office 365"],"_cs_severities":["high"],"_cs_tags":["phishing","credential-theft","AiTM","token-compromise"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Cloudflare","Paubox"],"content_html":"\u003cp\u003eBetween April 14 and 16, 2026, Microsoft Defender Research observed a sophisticated, large-scale phishing campaign targeting over 35,000 users across more than 13,000 organizations in 26 countries, predominantly in the United States (92%). The campaign, which did not focus on a single vertical, impacted a range of industries, with Healthcare \u0026amp; life sciences (19%), Financial services (18%), Professional services (11%), and Technology \u0026amp; software (11%) being the most affected. Attackers employed code-of-conduct-themed lures delivered via emails that appeared to be internal compliance or regulatory communications. The campaign used a multi-step attack chain, including CAPTCHA challenges and intermediate staging pages, to reinforce legitimacy and filter out automated defenses, ultimately leading to an adversary-in-the-middle (AiTM) phishing flow.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attack begins with phishing emails posing as internal compliance communications, using subjects like \u0026ldquo;Internal case log issued under conduct policy\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe emails contain a PDF attachment (e.g., \u0026ldquo;Awareness Case Log File – Tuesday 14th, April 2026.pdf\u0026rdquo;) that claims a \u0026ldquo;code of conduct review\u0026rdquo; has been initiated.\u003c/li\u003e\n\u003cli\u003eRecipients are instructed to click a \u0026ldquo;Review Case Materials\u0026rdquo; link within the PDF.\u003c/li\u003e\n\u003cli\u003eClicking the link redirects the user to one of the attacker-controlled domains (e.g., acceptable-use-policy-calendly[.]de).\u003c/li\u003e\n\u003cli\u003eThe landing page displays a Cloudflare CAPTCHA to validate the user and impede automated analysis.\u003c/li\u003e\n\u003cli\u003eAfter CAPTCHA completion, the user is redirected to an intermediate site that informs them the requested documentation is encrypted and requires account authentication.\u003c/li\u003e\n\u003cli\u003eThe user is presented with a legitimate-looking sign-in experience, part of an AiTM phishing flow.\u003c/li\u003e\n\u003cli\u003eThe attackers proxy the authentication session in real time and capture authentication tokens, granting immediate account access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis campaign resulted in the compromise of authentication tokens, enabling attackers to gain unauthorized access to user accounts and bypass multifactor authentication. With more than 35,000 users targeted across over 13,000 organizations, the potential for widespread data breaches, financial fraud, and further malicious activity is significant. The targeting of sectors like Healthcare and Financial Services indicates a focus on high-value targets with sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEducate users about phishing lures, especially those using social engineering tactics and enterprise-style HTML templates.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious PDF Opening via Uncommon Applications\u0026rdquo; to identify unusual PDF execution paths, based on the \u0026lsquo;file_event\u0026rsquo; log source.\u003c/li\u003e\n\u003cli\u003eConfigure email security settings in Microsoft Defender for Office 365 to filter out phishing emails effectively.\u003c/li\u003e\n\u003cli\u003eEnable network protection to leverage SmartScreen as a host-based web proxy.\u003c/li\u003e\n\u003cli\u003eBlock access to the attacker-controlled domains, such as acceptable-use-policy-calendly[.]de, at the DNS resolver level.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T15:00:00Z","date_published":"2026-05-04T15:00:00Z","id":"/briefs/2026-05-aitm-phishing/","summary":"A widespread phishing campaign utilized 'code of conduct' lures, a multi-step attack chain, and legitimate email services to distribute authenticated messages from attacker-controlled domains, ultimately leading to adversary-in-the-middle (AiTM) token compromise, primarily targeting US-based organizations.","title":"Multi-Stage 'Code of Conduct' Phishing Campaign Leads to AiTM Token Compromise","url":"https://feed.craftedsignal.io/briefs/2026-05-aitm-phishing/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["mckenziearts/livewire-markdown-editor (\u003c 1.3)","DigitalOcean Spaces","Cloudflare R2","Scaleway Object Storage"],"_cs_severities":["high"],"_cs_tags":["arbitrary-file-upload","stored-xss","vulnerability"],"_cs_type":"advisory","_cs_vendors":["DigitalOcean","Cloudflare","Scaleway"],"content_html":"\u003cp\u003eVersions of \u003ccode\u003emckenziearts/livewire-markdown-editor\u003c/code\u003e prior to v1.3 are vulnerable to arbitrary file upload via the \u003ccode\u003eMarkdownEditor::updatedAttachments()\u003c/code\u003e Livewire handler. This handler lacks server-side validation of file types, extensions, and content. An authenticated user with access to a page embedding the markdown editor can upload malicious files (e.g., \u003ccode\u003e.html\u003c/code\u003e, \u003ccode\u003e.svg\u003c/code\u003e, \u003ccode\u003e.js\u003c/code\u003e) to the disk configured by \u003ccode\u003elivewire-markdown-editor.disk\u003c/code\u003e. If this disk is a public cloud storage bucket (S3, DigitalOcean Spaces, Cloudflare R2, Scaleway Object Storage), the uploaded files are publicly accessible with a guessed \u003ccode\u003eContent-Type\u003c/code\u003e header. This vulnerability allows attackers to perform stored XSS, host phishing pages, distribute malware, and inject malicious markdown. Real-world exploitation was observed in production.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to an application using a vulnerable version of \u003ccode\u003emckenziearts/livewire-markdown-editor\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to a page embedding the \u003ccode\u003e\u0026lt;livewire:markdown-editor\u0026gt;\u003c/code\u003e component.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the file upload functionality of the editor to upload a malicious file, such as a \u003ccode\u003e.html\u003c/code\u003e or \u003ccode\u003e.svg\u003c/code\u003e file containing XSS payloads.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eMarkdownEditor::updatedAttachments()\u003c/code\u003e Livewire handler processes the uploaded file without proper validation.\u003c/li\u003e\n\u003cli\u003eThe handler stores the file on the disk configured by \u003ccode\u003elivewire-markdown-editor.disk\u003c/code\u003e (e.g., a public cloud bucket like S3, DigitalOcean Spaces, Cloudflare R2, Scaleway Object Storage).\u003c/li\u003e\n\u003cli\u003eThe uploaded file becomes publicly accessible on the storage domain.\u003c/li\u003e\n\u003cli\u003eA user visits the URL of the uploaded malicious file, triggering the XSS payload or accessing the phishing page.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as stealing user credentials, redirecting users to malicious websites, or compromising the application\u0026rsquo;s integrity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to several critical impacts. Stored XSS on the storage domain can allow attackers to steal user credentials or perform other malicious actions in the context of the application. Phishing pages hosted on the application\u0026rsquo;s storage domain can trick users into revealing sensitive information. Malware distribution from a domain users trust can lead to widespread infections. Additionally, markdown injection via crafted filenames can compromise the integrity of the editor\u0026rsquo;s output. Real-world exploitation of this vulnerability was observed in production on a community platform using this package.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003emckenziearts/livewire-markdown-editor\u003c/code\u003e v1.3 or later to patch the vulnerability.\u003c/li\u003e\n\u003cli\u003eIf immediate upgrading is not feasible, disable the upload UI on every instance of the editor by passing \u003ccode\u003e:show-upload=\u0026quot;false\u0026quot;\u003c/code\u003e. This prevents the vulnerable code path from being reached.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs (category \u003ccode\u003ewebserver\u003c/code\u003e, product \u003ccode\u003elinux\u003c/code\u003e) for requests to the storage domain with unusual file extensions like \u003ccode\u003e.html\u003c/code\u003e, \u003ccode\u003e.svg\u003c/code\u003e, \u003ccode\u003e.js\u003c/code\u003e, \u003ccode\u003e.php\u003c/code\u003e, or \u003ccode\u003e.exe\u003c/code\u003e, which could indicate attempted exploitation.\u003c/li\u003e\n\u003cli\u003eImplement the file upload detection rule to identify potentially malicious file uploads to the storage domain.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-livewire-markdown-editor-upload/","summary":"The livewire-markdown-editor versions before v1.3 contain an arbitrary file upload vulnerability in the MarkdownEditor::updatedAttachments() Livewire handler, allowing authenticated users to upload any file type, potentially leading to stored XSS, phishing, malware distribution, and markdown injection.","title":"livewire-markdown-editor Arbitrary File Upload Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-02-livewire-markdown-editor-upload/"}],"language":"en","title":"CraftedSignal Threat Feed — Cloudflare","version":"https://jsonfeed.org/version/1.1"}