https://feed.craftedsignal.io/vendors/cloudflare/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 04 May 2026 15:00:00 +0000https://feed.craftedsignal.io/briefs/2026-05-aitm-phishing/Mon, 04 May 2026 15:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-aitm-phishing/A widespread phishing campaign utilized 'code of conduct' lures, a multi-step attack chain, and legitimate email services to distribute authenticated messages from attacker-controlled domains, ultimately leading to adversary-in-the-middle (AiTM) token compromise, primarily targeting US-based organizations.Between April 14 and 16, 2026, Microsoft Defender Research observed a sophisticated, large-scale phishing campaign targeting over 35,000 users across more than 13,000 organizations in 26 countries, predominantly in the United States (92%). The campaign, which did not focus on a single vertical, impacted a range of industries, with Healthcare & life sciences (19%), Financial services (18%), Professional services (11%), and Technology & software (11%) being the most affected. Attackers employed code of conduct-themed lures delivered via emails that appeared as internal compliance or regulatory communications. The campaign utilized a multi-step attack chain, including CAPTCHA challenges and intermediate staging pages, to reinforce legitimacy and filter out automated defenses, ultimately leading to an adversary-in-the-middle (AiTM) phishing flow.

Attack Chain

1. The attack begins with phishing emails posing as internal compliance communications, using subjects like “Internal case log issued under conduct policy”.
2. The emails contain a PDF attachment (e.g., “Awareness Case Log File – Tuesday 14th, April 2026.pdf”) that claims a “code of conduct review” has been initiated.
3. Recipients are instructed to click a “Review Case Materials” link within the PDF.
4. Clicking the link redirects the user to one of the attacker-controlled domains (e.g., acceptable-use-policy-calendly[.]de).
5. The landing page displays a Cloudflare CAPTCHA to validate the user and impede automated analysis.
6. After CAPTCHA completion, the user is redirected to an intermediate site that informs them the requested documentation is encrypted and requires account authentication.
7. The user is presented with a legitimate-looking sign-in experience, part of an AiTM phishing flow.
8. The attackers proxy the authentication session in real time and capture authentication tokens, granting immediate account access.

Impact

This campaign resulted in the compromise of authentication tokens, enabling attackers to gain unauthorized access to user accounts and bypass multifactor authentication. With more than 35,000 users targeted across over 13,000 organizations, the potential for widespread data breaches, financial fraud, and further malicious activities is significant. The targeting of sectors like Healthcare and Financial Services indicates a focus on high-value targets with sensitive data.

Recommendation

• Educate users about phishing lures, especially those using social engineering tactics and enterprise-style HTML templates.
• Deploy the Sigma rule “Detect Suspicious PDF Opening via Uncommon Applications” to identify unusual PDF execution paths, based on the ‘file_event’ log source.
• Configure email security settings in Microsoft Defender for Office 365 to filter out phishing emails effectively.
• Enable network protection to leverage SmartScreen as a host-based web proxy.
• Block access to the attacker-controlled domains, such as acceptable-use-policy-calendly[.]de, at the DNS resolver level.

]]>highadvisoryphishingcredential-theftAiTMtoken-compromisehttps://feed.craftedsignal.io/briefs/2024-01-02-livewire-markdown-editor-upload/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-02-livewire-markdown-editor-upload/The livewire-markdown-editor versions before v1.3 contain an arbitrary file upload vulnerability in the MarkdownEditor::updatedAttachments() Livewire handler, allowing authenticated users to upload any file type, potentially leading to stored XSS, phishing, malware distribution, and markdown injection.Versions of mckenziearts/livewire-markdown-editor prior to v1.3 are vulnerable to arbitrary file upload via the MarkdownEditor::updatedAttachments() Livewire handler. This handler lacks server-side validation for file types, extensions, and content. An authenticated user with access to a page embedding the markdown editor can upload malicious files (e.g., .html, .svg, .js) to the disk configured by livewire-markdown-editor.disk. If this disk is a public cloud storage bucket (S3, DigitalOcean Spaces, Cloudflare R2, Scaleway Object Storage), the uploaded files are publicly accessible with a guessed Content-Type header. This vulnerability allows attackers to perform stored XSS, host phishing pages, distribute malware, and inject malicious markdown. A real-world exploitation was observed in production.

Attack Chain

1. An attacker gains access to an application using a vulnerable version of mckenziearts/livewire-markdown-editor.
2. The attacker navigates to a page embedding the <livewire:markdown-editor> component.
3. The attacker uses the file upload functionality of the editor to upload a malicious file, such as a .html or .svg file containing XSS payloads.
4. The MarkdownEditor::updatedAttachments() Livewire handler processes the uploaded file without proper validation.
5. The handler stores the file on the disk configured by livewire-markdown-editor.disk (e.g., a public cloud bucket like S3, DigitalOcean Spaces, Cloudflare R2, Scaleway Object Storage).
6. The uploaded file becomes publicly accessible on the storage domain.
7. A user visits the URL of the uploaded malicious file, triggering the XSS payload or accessing the phishing page.
8. The attacker achieves their objective, such as stealing user credentials, redirecting users to malicious websites, or compromising the application’s integrity.

Impact

Successful exploitation of this vulnerability can lead to several critical impacts. Stored XSS on the storage domain can allow attackers to steal user credentials or perform other malicious actions in the context of the application. Phishing pages hosted on the application’s storage domain can trick users into revealing sensitive information. Malware distribution from a domain users trust can lead to widespread infections. Additionally, markdown injection via crafted filenames can compromise the integrity of the editor’s output. A real-world exploitation of this vulnerability was observed in production on a community platform using this package.

Recommendation

• Upgrade to mckenziearts/livewire-markdown-editor v1.3 or later to patch the vulnerability.
• If immediate upgrading is not feasible, disable the upload UI on every instance of the editor by passing :show-upload="false". This prevents the vulnerable code path from being reached.
• Monitor web server logs (category webserver, product linux) for requests to the storage domain for unusual file extensions like .html, .svg, .js, .php, or .exe, which could indicate attempted exploitation.
• Implement the file upload detection rule to identify potentially malicious file uploads to the storage domain.

]]>highadvisoryarbitrary-file-uploadstored-xssvulnerability