Microsoft

Threat actors are leveraging Microsoft's ClickOnce technology, designed for simplified application deployment, as an attractive vector to spread malware, allowing for easy distribution, minimal user interaction, and installation without elevated privileges on Windows systems.

Threat actors are actively abusing Microsoft's ClickOnce technology, specifically targeting the `.application` and `.appref-ms` file types, to achieve stealthy initial access, execute malicious payloads within legitimate Microsoft processes like rundll32.exe and dfsvc.exe, and establish persistence through its built-in update mechanism, effectively bypassing traditional endpoint security controls.

Threat actors are actively leveraging Microsoft's ClickOnce technology, a legitimate application deployment mechanism, to distribute and execute malware by exploiting its user-friendly deployment process that bypasses administrative privilege requirements.

A critical missing authorization vulnerability, CVE-2026-48582, in Microsoft Exchange Online allows an already authenticated attacker to elevate their privileges over the network, potentially leading to unauthorized access to sensitive data or configuration changes within affected organizations.

A critical improper authentication vulnerability, CVE-2026-45480, in Microsoft Azure Active Directory allows an unauthorized attacker to bypass authentication mechanisms and elevate privileges over a network, potentially leading to full administrative control of Azure AD and associated resources.

Adversaries can abuse the Azure VM Managed Run Command feature (MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMANDS/WRITE) to achieve code execution as System or root and establish persistence on Azure Virtual Machines or Virtual Machine Scale Sets by an unusual identity, potentially evading detections focused solely on action-based Run Commands.

Threat actors are performing create, read, update, or delete (CRUD) operations against Azure VM or VM Scale Set extensions (e.g., CustomScript, DSC) from an anomalous source Autonomous System (AS) number, enabling high-privilege code execution and persistence on guest operating systems (SYSTEM on Windows, root on Linux) by abusing compromised Azure identities.

The CrowdStrike 2026 Technology Threat Landscape Report highlights the pervasive targeting of the technology sector by China-nexus and eCrime adversaries, employing tactics like password spraying, vulnerability exploitation, supply chain compromises (e.g., Axios npm package, GitHub repositories), and malware distribution (macOS info stealers via OpenClaw lures) to achieve intelligence collection, intellectual property theft, and financial extortion.

Threat actors can abuse Microsoft's ClickOnce technology, which allows for simplified application distribution and installation with minimal user interaction and no administrative privileges, to easily spread malware and bypass traditional security controls through a 'click once' deployment.

CVE-2026-47647 describes a critical improper access control vulnerability in Microsoft Dynamics 365 that allows an authorized attacker to elevate privileges over a network, potentially leading to full compromise of the affected system.

Adversaries with privileged Azure RBAC roles are exploiting the Azure VM Serial Console to gain SYSTEM/root access on virtual machines, bypassing network controls like NSGs and JIT policies, with detections focusing on unusual user and source network combinations.

Adversaries are modifying OAuth application redirect URIs (ReplyUrls) in Microsoft Entra ID to intercept OAuth authorization codes and steal tokens, granting unauthorized access without new application registration or user consent.

A sophisticated threat actor, having compromised an existing guest account in Microsoft Entra ID, can establish persistent access and elevate privileges by performing a Guest-to-Member account conversion, which grants full directory read access and bypasses Conditional Access restrictions, enabling stealthy long-term access and reconnaissance.

An attacker with elevated privileges abuses the Microsoft Entra ID Temporary Access Pass (TAP) feature to bypass multi-factor authentication (MFA), gain unauthorized access to target user accounts, and establish persistence by registering new authentication methods.

Attackers are actively exploiting the OAuth device code flow in Microsoft 365 to bypass multi-factor authentication (MFA) and gain initial access, leveraging phishing kits like Kali365 and tradecraft similar to Storm-2372 to harvest MFA-satisfied tokens from non-compliant or attacker-controlled devices, and subsequently establishing persistence through device registration.

An unknown threat actor gained continuous administrative access to a senior finance executive's Microsoft Outlook mailbox at a global stock exchange for at least five months, deploying custom infostealers via scheduled tasks and exfiltrating sensitive emails through a Dropbox-based command and control channel after an initial lateral movement event.

Multiple vulnerabilities, including CVE-2026-10883, CVE-2026-10892, and others, have been discovered in Microsoft Edge versions prior to 149.0.4022.53, enabling an attacker to bypass security policies and potentially cause other unspecified security issues within the browser environment.

Multiple vulnerabilities, CVE-2026-45491 and CVE-2026-45591, have been discovered in Microsoft .Net and ASP.NET Core versions, allowing a remote attacker to cause a denial of service and compromise data integrity across Windows, Linux, and macOS platforms.

CERT-FR has disclosed 31 vulnerabilities in various Microsoft Office products, including CVE-2026-44803 and CVE-2026-47635, which could allow remote code execution, privilege escalation, and data confidentiality compromise.

Multiple vulnerabilities in NetApp products, including CVE-2023-0482, CVE-2023-20863, CVE-2024-22257, CVE-2025-23367, CVE-2025-48976, CVE-2025-53816, and CVE-2025-53817, could lead to remote denial of service, data confidentiality breaches, and data integrity breaches.

This rule detects the abuse of Azure Virtual Machine Run Command to execute scripts remotely, correlating Azure Activity Log events with endpoint process starts, identifying instances where adversaries use Run Command to run scripts as SYSTEM or root.

This rule identifies suspicious process start events where the parent process matches Azure Virtual Machine Run Command execution patterns on Windows (PowerShell with `-ExecutionPolicy Unrestricted` and `script?.ps1`) or Linux (waagent running `script.sh` under `/var/lib/waagent/run-command/`), exposing on-guest payloads.

This rule detects Linux process executions that access high-value Kubernetes service-account material, kubeconfig or node PKI paths, or common cloud files, potentially indicating credential theft within in-cluster and hybrid environments.

CVE-2025-23167 describes a request smuggling vulnerability in Node.js 20's HTTP parser due to improper header termination, allowing attackers to bypass proxy access controls.

CVE-2026-21711 allows code running under the Node.js permission model without network access to create and expose local IPC endpoints via Unix Domain Sockets, bypassing intended network restrictions and enabling inter-process communication.

CVE-2026-21717 is a vulnerability in V8's string hashing mechanism within Node.js that allows attackers to cause hash collisions via predictable integer-like strings in JSON input, leading to denial-of-service by degrading the performance of the Node.js process.

CVE-2026-42015 is a memory corruption vulnerability due to an off-by-one error in PKCS#12 bag handling in GnuTLS.

CVE-2026-42790 is a vulnerability in Microsoft products related to name constraints DNS bypass via subject CommonName fallback in public_key hostname verification.

CVE-2026-41184 is a ServiceAccount token disclosure vulnerability in container logs addressed by a Microsoft security update.

GitHub CLI versions 2.92.0 and earlier incorrectly include authorization headers in API requests to TUF repository mirrors and external hosts when using the `gh attestation`, `gh release verify`, and `gh release verify-asset` commands, potentially exposing sensitive tokens.

This rule detects the creation of new inbox forwarding rules in Microsoft 365, which can be abused by attackers to intercept and exfiltrate email data to external addresses.

Microsoft released a security update on May 28, 2026, to address vulnerabilities in Microsoft Edge Stable Channel versions prior to 148.0.3967.96, advising users to apply the necessary updates.

Detects Microsoft Entra ID sign-in activity where the Microsoft Authentication Broker authenticates using a non-standard user agent, inconsistent with common browser, mobile, or Windows platforms, potentially indicating adversary-in-the-middle or OAuth phishing attacks.

Detects Microsoft Entra ID sign-in activity where the Microsoft Authentication Broker requests the Device Registration Service from a suspicious ASN, indicating potential OAuth phishing or adversary-in-the-middle device registration.

This rule detects when a Microsoft Exchange inbox rule is created or modified with a name composed only of special characters, which adversaries may use to evade detection and hide malicious forwarding or deletion rules.

Successful deployment of a high-risk Azure Virtual Machine extension by an interactive user principal can lead to arbitrary code execution, backdoor account creation, credential harvesting, and persistence on Azure-hosted virtual machines.

CVE-2026-46174 describes a vulnerability in AMD Zen2 processors related to improper isolation of shared resources within the operation cache, potentially leading to information disclosure or other security impacts.

CVE-2026-46185 is an out-of-bounds read vulnerability in the SMB client component within the symlink_data() function, potentially leading to information disclosure or denial of service.

Microsoft published information regarding CVE-2026-46153, a vulnerability in 8021q that allows deleting cleared egress QoS mappings.

CVE-2026-46155 describes an out-of-bounds read vulnerability within the smb2_compound_op() function of the SMB client, requiring a security update from Microsoft to address the issue.

CVE-2026-46107 is a reported vulnerability in dm-thin, leading to a metadata refcount underflow.

CVE-2026-42250 is an off-by-one vulnerability leading to an out-of-bounds write in bzip2, for which Microsoft has released information.

CVE-2026-46163 is a vulnerability in the b43legacy WiFi driver related to a missing bounds check on the firmware key index in the RX path, potentially leading to memory corruption.

CVE-2026-46172 is a vulnerability related to ipv6: xfrm6: release dst on error in xfrm6_rcv_encap(), potentially leading to a denial-of-service condition.

The likely Russian-aligned GreyVibe group is targeting Ukrainian organizations with AI-generated lures delivered via spear-phishing and malicious websites, deploying custom malware such as PhantomRelay, LegionRelay, and FallSpy to exfiltrate sensitive data.

The analytic detects ACL deletion on the domain root object in Active Directory by monitoring Windows Event Log Security event ID 5136, identifying significant AD changes with potentially high impact.

Detection of changes to the xp_cmdshell configuration in SQL Server, a feature often abused by attackers for privilege escalation and lateral movement by enabling execution of operating system commands.

Modification of critical SQL Server configuration options, such as 'Ad Hoc Distributed Queries', 'external scripts enabled', 'Ole Automation Procedures', 'clr enabled', and 'clr strict security', can enable attackers to perform Active Directory reconnaissance and execute arbitrary code, potentially leading to code execution or reconnaissance activities.

Detection of expand.exe being used to extract Microsoft Cabinet (CAB) archives, specifically when extracting to C:\ProgramData or similar staging locations, potentially indicating ingress tool transfer and payload staging by threat actors like APT37.

Detection of the Microsoft Software Licensing User Interface Tool (`slui.exe`) being executed with elevated privileges using the `-verb runas` parameter, indicating a potential privilege escalation attempt.

This analytic detects the issuance of a suspicious certificate with a Subject Alternative Name (SAN) using Active Directory Certificate Services (AD CS) and its immediate use for authentication, indicating potential exploitation of improperly configured certificate templates for privilege escalation.

This Splunk analytic detects the addition of a Service Principal Name (SPN) to a domain account by monitoring Windows Event Code 5136 and changes to the servicePrincipalName attribute, potentially indicating Kerberoasting attempts leading to unauthorized access.

This analytic detects changes to the sIDHistory attribute of user or computer objects within the same domain using Windows Security Event Codes 4738 and 4742, which can be abused by adversaries to gain unauthorized access, maintain persistence, or escalate privileges by inheriting permissions from another account.

This Splunk search detects when the owner of an Active Directory object is updated, potentially granting full control privileges and enabling object hiding, focusing on Windows Event Log ID 5136, and includes lookups for SID resolution.

Modification of Access Control Lists (ACLs) on the Active Directory domain root object can grant attackers persistent and escalated privileges.

This analytic detects the addition of permissions required for a DCSync attack, specifically DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, and DS-Replication-Get-Changes-In-Filtered-Set, leveraging Windows Security Event Log 5136 to identify when these permissions are granted, which indicates potential preparation for replicating AD objects and exfiltrating sensitive data.

This detection identifies an Active Directory access-control list (ACL) modification event, which applies the minimum required extended rights to perform the DCShadow attack by modifying permissions on the domainDNS object.

Detection of Active Directory user object ACL modifications that grant dangerous permissions, such as full control or the ability to modify permissions, potentially indicating privilege escalation or malicious activity.

The following analytic identifies modifications to the SourceAnchor (ImmutableId) attribute for an Azure Active Directory user, which is a step in setting up an Azure AD identity federation backdoor that allows an attacker to impersonate any user and bypass MFA.

This analytic detects the creation of suspicious mailbox rules in Office 365, a common technique used in Business Email Compromise (BEC) to hide emails by identifying rules with short or nonsensical names, marking emails as read, or moving them to specific folders.

The Gentlemen ransomware, operated by Storm-2697 as a RaaS, employs a combination of strong per-file encryption with aggressive self-propagation to achieve broad network compromise, targeting Windows environments and using double extortion tactics.

CVE-2023-22102 describes a vulnerability in NetApp Active IQ Unified Manager and OnCommand Insight that allows a remote attacker to execute arbitrary code.

The 2026 FIFA World Cup faces significant cyber threats from ransomware groups, state-aligned entities like Iran-nexus Handala Hack Team and Russia-nexus NoName057(16), and financially motivated cybercriminals, anticipating disruptive intrusions, large-scale criminal fraud, and politically driven DDoS and hack-and-leak operations targeting fans, hospitality services, and tournament infrastructure.

CVE-2026-46099 describes a vulnerability in the IPv6 network stack related to NOREF dst use in seg6 and rpl lwtunnels, requiring a security update to address potential exploitation.

CVE-2026-46072 is a buffer boundary check vulnerability in ntfs3 affecting an unspecified Microsoft product, requiring further investigation upon patch application to understand exploitation vectors and develop detections.

CVE-2026-45842 is an unspecified vulnerability affecting Microsoft products, requiring further investigation to determine the specific attack vector, impact, and affected systems.

CVE-2026-44899 is a CSS Injection vulnerability in the Mistune Image Directive, potentially allowing for malicious CSS injection if user-supplied content is not properly sanitized.

Microsoft published CVE-2025-71305, addressing a vulnerability related to insufficient protection against zero VCPI values in DisplayPort Multi-Stream Transport (MST), although specifics on exploitation and impact are not detailed in the provided source.

CVE-2026-45843 is a Microsoft vulnerability with unspecified details at the time of this brief.

CVE-2026-44844 is a denial-of-service vulnerability in Microsoft's eml_parser due to recursion in nested message/rfc822 attachments, potentially causing a service outage.

CVE-2026-45932 is a vulnerability affecting the bpf component, related to tcx/netkit detach permissions when the prog fd isn't given, requiring a security update from Microsoft.

CVE-2026-45991 is a security vulnerability affecting a Microsoft product, related to UDF partition descriptor append bookkeeping.

CVE-2026-46084 is a vulnerability related to RDMA/mana_ib that requires disabling RX steering on RSS QP destroy, potentially leading to denial of service or privilege escalation.

A cryptojacking campaign targets systems with high-performance GPUs using SEO poisoning and manipulated AI chatbot recommendations, distributing malware disguised as legitimate software utilities to establish persistence and evade detection before deploying GPU mining programs.

This brief detects the use of the Kali365 user agent, a phishing-as-a-service platform, within Entra ID or Microsoft 365 logs, indicating potential account compromise through stolen tokens.

The rule identifies command-line executions that attempt to access cloud service provider's Instance Metadata Service (IMDS) API endpoints, potentially retrieving sensitive instance information and temporary security credentials, ultimately leading to credential access and privilege escalation within the cloud environment.

CVE-2026-39832 describes a vulnerability where agent constraints are dropped when forwarding keys in golang.org/x/crypto/ssh/agent, potentially leading to unauthorized access.

An active cryptojacking campaign uses SEO poisoning, AI chatbot interactions, and ScreenConnect abuse to target high-performance PCs, aiming to maximize GPU mining yield and establish persistent remote access for potential data theft or ransomware attacks.

The Red Canary Intelligence Insights report for May 2026 highlights the rise of ClearFake, ACR Stealer, and GraphRunner, with ClearFake using JavaScript injection to deliver malware like ACR Stealer, and GraphRunner being abused for reconnaissance and data exfiltration via the Microsoft Graph API.

CVE-2026-47280 is an improper authentication vulnerability in Azure Resource Manager (ARM) that allows an unauthorized attacker to elevate privileges over a network.

CVE-2026-42901 is an origin validation error in Microsoft Entra ID that allows an unauthorized attacker to elevate privileges over a network, potentially granting them unauthorized access and control.

CVE-2026-41104 is a critical vulnerability in Microsoft Planetary Computer Pro that allows an unauthorized attacker to disclose information over a network by deserializing untrusted data.

CVE-2026-41090 is a command injection vulnerability in Microsoft Copilot, allowing an unauthorized attacker to perform tampering over a network.

CVE-2026-40412 is a critical vulnerability in Azure Orbital Spatio that allows an unauthenticated attacker to execute arbitrary code over a network by uploading a file with a dangerous type.

CVE-2026-40411 describes an improper input validation vulnerability in Azure Virtual Network Gateway that allows an authorized attacker to execute code over a network.

CVE-2026-33843 allows an unauthorized attacker to elevate privileges over a network in Microsoft Azure Active Directory B2C due to an authentication bypass using an alternate path or channel.

CVE-2026-23652 is a critical command injection vulnerability in Microsoft Power Pages, allowing an unauthorized attacker to execute arbitrary code over the network by injecting commands.

CVE-2026-35430 allows an authorized attacker to elevate privileges over a network in Azure Privileged Identity Management (PIM) through a user-controlled key.

CVE-2026-26147 is an improper input validation vulnerability in Azure Compute Gallery that allows an authorized attacker to disclose information over a network.

CVE-2026-23663 is a privilege escalation vulnerability in Azure Entra ID that allows an unauthorized attacker to elevate privileges over a network.

An authenticated remote attacker can exploit a vulnerability in Microsoft SharePoint Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint to execute arbitrary code.

A remote, anonymous attacker can exploit multiple vulnerabilities in Microsoft 365 Copilot to execute arbitrary program code and disclose confidential information.

CVE-2026-1502 is a critical vulnerability in Microsoft HTTP client proxy tunnel header validation, potentially allowing for CR/LF injection attacks.

CVE-2025-51480 is a path traversal vulnerability in ONNX 1.17.0 that allows attackers to overwrite arbitrary files by supplying crafted external_data.location paths containing traversal sequences.

CVE-2025-14575 describes an uncontrolled search path element vulnerability in the Qt Network OpenSSL TLS backend, allowing for the loading of rogue CA certificates, potentially leading to man-in-the-middle attacks.

This rule identifies rare connection attempts to a Web Distributed Authoring and Versioning (WebDAV) resource, where attackers may inject WebDAV paths in files or features opened by a victim user to leak their NTLM credentials via forced authentication using rundll32.exe.

This rule correlates Entra-ID or Microsoft 365 mail successful sign-in events with network security alerts by source address, indicating potential initial access via compromised credentials.

Microsoft released a security update on May 21, 2026, to address vulnerabilities in Microsoft Edge Stable Channel versions prior to 148.0.3967.83, urging users to apply the update.

Nimbus Manticore, an Iranian IRGC-affiliated threat actor, resurfaced during Operation Epic Fury, employing AppDomain Hijacking, SEO poisoning, and a new MiniFast backdoor while targeting the aviation and software sectors.

The Iranian APT group Screening Serpens targeted the tech and defense sectors in the U.S., Israel, and the UAE between February and April 2026, deploying six new RAT variants from the MiniUpdate and MiniJunk V2 malware families, using tailored social engineering lures and AppDomainManager hijacking.

An anonymous, remote attacker can exploit multiple unspecified vulnerabilities in Microsoft Entra ID and Microsoft Azure Resource Manager to escalate privileges.

This rule detects potential session hijacking or token replay in Microsoft Entra ID, identifying cases where a user signs in and subsequently accesses Microsoft Graph from a different IP address using the same session ID, which may indicate a successful OAuth phishing attack, session hijacking, or token replay attack.

This rule correlates Entra-ID or Microsoft 365 mail successful sign-in events with network security alerts by source address, indicating potential initial access by adversaries triggering network security alerts before accessing cloud resources.

A GitHub employee's device was compromised via a malicious VS Code extension, leading to the theft of approximately 3,800 internal repositories by threat actor TeamPCP (UNC6780), who then offered the data for sale.

CVE-2026-45736 is an uninitialized memory disclosure vulnerability affecting Microsoft products, potentially allowing an attacker to read sensitive information from process memory.

CVE-2026-44390 is a denial-of-service vulnerability in Microsoft products due to unbounded name compression.

Microsoft disclosed CVE-2026-42944, a heap overflow vulnerability related to the processing of multiple NSID, COOKIE, and PADDING EDNS options in an unspecified product.

CVE-2026-47783 is a timing side channel vulnerability in memcached before 1.6.42, affecting SASL password database authentication due to premature loop exit upon finding a valid username, potentially leading to information disclosure.

The Webworm APT group is using updated tactics, techniques, and procedures, including new backdoors using Discord and Microsoft Graph API for command and control, custom proxy tools, and GitHub for malware staging, shifting focus to European governmental organizations.

Microsoft disrupted SignSpaceCloud, a Russian cybercrime service providing code signing certificates to malware and ransomware operators, while European governments are shifting from Signal and WhatsApp due to phishing and data sovereignty risks, and the Fast16 malware targeted Iran's nuclear program.

Ransomware-as-a-service (RaaS) attacks leverage affiliates for initial access, persistence, and exfiltration, using varied techniques like compromised RDP, vulnerable VPNs, and rogue RMM tools, impacting multiple organizations in a single campaign.

CVE-2026-45498 is a denial-of-service vulnerability in Microsoft Defender that could disrupt endpoint protection capabilities, requiring timely mitigation per vendor instructions.

CVE-2026-41091 is a link following vulnerability in Microsoft Defender that allows an authorized attacker to escalate privileges locally.

CVE-2010-0806 is a use-after-free vulnerability in Microsoft Internet Explorer that allows remote attackers to execute arbitrary code by accessing an invalid pointer after object deletion; mitigations should be applied or product utilization discontinued.

Microsoft DirectX contains a NULL byte overwrite vulnerability in the QuickTime Movie Parser Filter (quartz.dll) in DirectShow, potentially allowing remote attackers to execute arbitrary code via a crafted QuickTime media file.

CVE-2008-4250 is a buffer overflow vulnerability in the Microsoft Windows Server Service that allows remote attackers to execute arbitrary code via a crafted RPC request during path canonicalization.

Microsoft Internet Explorer is vulnerable to a use-after-free vulnerability (CVE-2010-0249) that allows remote attackers to execute arbitrary code by accessing a pointer associated with a deleted object.

CVE-2026-45584 is a heap-based buffer overflow vulnerability in Microsoft Defender that allows an unauthorized attacker to execute arbitrary code over a network.

A local attacker can exploit a vulnerability in Microsoft Azure Portal Windows Admin Center to gain administrator rights, potentially leading to unauthorized access and control over Azure resources.

Multiple vulnerabilities in Microsoft Defender and Microsoft Malware Protection Engine could allow an attacker to elevate privileges, execute arbitrary code, and cause a denial of service condition.

CVE-2026-43492 is an integer underflow vulnerability in the mpi_read_raw_from_sgl function within the lib/crypto component that could lead to unexpected behavior or denial-of-service.

CVE-2026-45585 is a security feature bypass vulnerability in Windows BitLocker, known as 'YellowKey', for which a public proof of concept exists, prompting Microsoft to release mitigation guidance prior to a security update.

Microsoft disrupted a malware-signing-as-a-service (MSaaS) operation run by Fox Tempest that abused the Azure Artifact Signing service to generate fraudulent code-signing certificates, enabling malware to bypass security controls.

Coder is vulnerable to a PKCS#7 signature bypass in Azure instance identity (CVE-2026-46354), allowing unauthenticated agent token theft via a forged vmId, enabling access to Git SSH private keys, OAuth access tokens, and workspace secrets.

The SHub Reaper stealer combines credential theft, wallet hijacking, and document exfiltration with persistent backdoor access on macOS, distributed through fake WeChat and Miro installers while spoofing Apple, Google, and Microsoft to evade detection.

TeamPCP compromised the PyPi package durabletask (versions 1.4.1, 1.4.2, and 1.4.3), stealing credentials for AWS, Azure, GCP, K8s, and Vault, brute-forcing passwords from password managers, and exfiltrating shell history before propagating to up to 5 targets via AWS SSM and Kubernetes.

Microsoft disrupted Fox Tempest, a threat actor running a malware-signing-as-a-service (MSaaS) that abuses Microsoft Artifact Signing to generate short-lived code-signing certificates used to sign malware disguised as legitimate software, delivering ransomware and various information stealers to victims across multiple sectors.

The WantToCry ransomware exploits exposed SMB services via brute-force for initial access, then exfiltrates files for remote encryption, rewriting the encrypted files to the original locations, demanding ransom payments from $400 to $1,800.

Microsoft published information regarding CVE-2026-7168, a cross-proxy Digest authentication state leak.

Microsoft published information about CVE-2026-5773, a vulnerability related to the incorrect reuse of SMB connections.

CVE-2026-6429 is a credential leak vulnerability affecting Microsoft products.

CVE-2026-31704 is a vulnerability in ksmbd related to the use of check_add_overflow() to prevent a u16 DACL size overflow, potentially leading to denial of service or privilege escalation.

Storm-2949 compromised cloud identities through social engineering and abused the Self-Service Password Reset (SSPR) process to bypass MFA and gain persistent access, enabling lateral movement and data exfiltration from Microsoft 365 and Azure environments.

A new variant of the 'SHub' macOS infostealer, dubbed Reaper, uses AppleScript to display a fake security update message and install a backdoor, ultimately stealing browser data, financial documents, and cryptocurrency wallet information while bypassing Terminal-based mitigations in macOS.

A tampering vulnerability exists in .NET 8.0, .NET 9.0, and .NET 10.0 due to improper handling of specially crafted files, potentially allowing an attacker to write arbitrary files and directories to specific locations on a vulnerable system with limited control over the destination.

Threat actors are actively disabling antivirus and EDR solutions through abusing Windows Firewall rules, uninstalling agents, and exploiting vulnerable drivers (BYOVD) to establish persistence, move laterally, and deploy ransomware undetected.

CVE-2026-42822 is an elevation of privilege vulnerability in Azure Local Disconnected Operations (ALDO) due to improper authentication, allowing unauthorized network attackers to escalate privileges.

A phishing campaign impersonates Zoom to trick users into downloading and installing ConnectWise ScreenConnect, a legitimate remote monitoring and management tool, allowing attackers to gain persistent remote access, harvest credentials, and deploy secondary malware such as ransomware.

This rule detects suspicious Finder Sync plugin registrations on macOS, where adversaries abuse the pluginkit process to establish persistence by repeatedly executing malicious payloads.

Multiple vulnerabilities in Microsoft Edge prior to version 148.0.3967.70 allow a remote attacker to execute arbitrary code and bypass security policies.

Detects suspicious Microsoft Entra ID audit events for device registration where details indicate an Azure AD join and the user agent is not a standard registration client, potentially indicating scripted registration, third-party tooling, or malicious device registration for persistence or token abuse.

Detects successful Microsoft Entra ID sign-ins using the OAuth device code authentication protocol with the Microsoft Authentication Broker client requesting first-party Office API resources, indicative of adversary-in-the-middle (AiTM) phishing attacks such as Tycoon 2FA.

Detects successful Microsoft Entra ID sign-ins where the client application is the Microsoft Authentication Broker (MAB) and the requested resource identifier is outside a short list of commonly observed first-party targets, potentially indicating abuse to obtain tokens for unexpected APIs or enterprise applications.

This rule detects Microsoft 365 audit events indicative of Tycoon 2FA phishing-as-a-service (PhaaS) adversary-in-the-middle (AiTM) activity, identifying UserLoggedIn events where the Microsoft Authentication Broker requests access to Microsoft Graph or Exchange Online, or the Office web client application authenticates to itself, combined with Node.js-style user agents, bypassing MFA by relaying authentication and capturing session material.

Detects Microsoft Entra ID sign-ins consistent with Tycoon2FA phishing-as-a-service (PhaaS) adversary-in-the-middle (AiTM) activity targeting Microsoft 365 and Gmail, where the Microsoft Authentication Broker requests tokens for Microsoft Graph or Exchange Online, or the Office web client application authenticates to itself, combined with Node.js-style user agents (node, axios, undici).

The rule detects Microsoft Graph activity from delegated user tokens where a single user session and source IP rapidly touches multiple high-value Graph paths indicative of reconnaissance, suggesting a broad enumeration playbook.

The Tycoon2FA phishing kit now supports device-code phishing attacks targeting Microsoft 365 accounts, abusing Trustifi click-tracking URLs, redirecting victims through Cloudflare Workers to a fake Microsoft CAPTCHA page, tricking them into entering a device code, and granting attackers OAuth tokens and access to their Microsoft 365 accounts.

The Russian hacker group Secret Blizzard has evolved the Kazuar backdoor into a modular P2P botnet designed for persistence, stealth, and data collection, utilizing kernel, bridge, and worker modules for command and control and data exfiltration.

Microsoft published information about CVE-2026-43490, a vulnerability in ksmbd related to the validation of inherited ACE SID length.

CVE-2026-44662 is a critical heap buffer overflow vulnerability in rust-openssl during encryption with AES key-wrap-with-padding, potentially leading to arbitrary code execution or denial of service.

CVE-2026-44673 describes an integer overflow in the lyb_read_string() function of the libyang library that can lead to a heap buffer overflow, potentially allowing for arbitrary code execution.

A vulnerability in Microsoft Exchange Server allows for arbitrary code execution, potentially enabling attackers to execute malicious JavaScript within a user's browser context to steal data or install malware.

Detection of handle requests to the LSASS process with specific access masks commonly used by tools to dump memory, indicating potential credential access attempts.

A machine learning job combination has identified a user with one or more suspicious Windows processes exhibiting unusually high malicious probability scores, potentially involving LOLbins for defense evasion.

Hackers injected credential-stealing malware into newly published versions of the node-ipc npm package in a supply chain attack, collecting cloud credentials, SSH keys, CI/CD secrets, and other sensitive data, exfiltrating it through DNS TXT queries.

UNC6671, operating under the "BlackFile" brand, conducts a sophisticated extortion campaign targeting organizations through voice phishing (vishing) and single sign-on (SSO) compromise, using adversary-in-the-middle (AiTM) techniques to bypass MFA and exfiltrate sensitive corporate data.

A local exploit has been published for Windows Snipping Tool (CVE-2026-33829), enabling NTLMv2 Hash Hijacking by forcing authentication to a remote SMB server via a crafted ms-screensketch:edit URI, potentially leading to credential theft and lateral movement.

The FrostyNeighbor threat actor is targeting Ukrainian governmental organizations with spearphishing emails containing malicious PDFs that deliver a JavaScript dropper (PicassoLoader) and ultimately a Cobalt Strike beacon.

Multiple vulnerabilities exist in Microsoft Windows products, enabling attackers to execute arbitrary code, escalate privileges, perform denial-of-service attacks, disclose information, or bypass security measures.

A malspam campaign is leveraging the Tiflux RMM to gain remote access and persistence on victim machines, abusing legitimate remote management software for stealthy access and persistence.

The EvilTokens phishing-as-a-service (PhaaS) platform sold on Telegram is capable of launching device code phishing attacks at scale, leveraging AI to generate convincing and personalized lures, enabling aspiring cybercriminals to bypass traditional security measures, including MFA.

CVE-2026-41615 describes a vulnerability in Microsoft Authenticator where sensitive information exposure to an unauthorized actor could lead to information disclosure over a network.

CVE-2026-42897 is a cross-site scripting (XSS) vulnerability in Microsoft Exchange Server that allows an attacker to perform spoofing attacks by injecting malicious scripts into web pages.

AI applications deployed on Kubernetes with exposed UIs and weak authentication can lead to remote code execution, credential theft, and access to sensitive data, as observed in MCP servers, Mage AI, and kagent deployments.

A vulnerability in Fleet versions prior to 4.82.0 allows authentication tokens from any Azure AD tenant to be accepted, enabling unauthorized device enrollment and MDM API access due to improper JWT signature validation, tracked as CVE-2026-24899.

The Atomic macOS Stealer (AMOS) is a prevalent malware-as-a-service targeting macOS, distributed via social engineering techniques like ClickFix ruses and fake installers, designed to steal sensitive data such as credentials and cryptocurrency wallets, leading to potential account compromise and further attacks.

Kimsuky, a North Korean APT group, is actively targeting organizations, primarily in South Korea, with evolving tactics and tools, leveraging spear-phishing emails and messenger contacts to deploy malware such as PebbleDash and AppleSeed for establishing backdoors and stealing information.

Threat actors are increasingly using device code phishing, often via Phishing-as-a-Service platforms, to compromise user accounts by abusing the OAuth 2.0 device authorization grant flow and capturing authentication tokens, enabling account takeover, data theft, and business email compromise.

A remote, authenticated attacker can exploit a vulnerability in Microsoft SQL Server 2017, 2019, 2016 and 2022 to execute arbitrary code and gain administrator privileges.

Multiple vulnerabilities in Microsoft developer tools and platforms could allow an attacker to achieve arbitrary code execution, data manipulation, privilege escalation, bypassing security measures, information disclosure, and denial of service.

Multiple vulnerabilities in Microsoft Azure and Windows Admin Center allow an attacker to escalate privileges, spoof information, and bypass security measures.

Microsoft's May 2026 Security Updates address vulnerabilities that could allow remote attackers to execute arbitrary code on affected systems.

This rule identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory by detecting specific API calls (OpenProcess, OpenThread, ReadProcessMemory) targeting the 'lsass.exe' process.

Identifies the creation of a Windows service by an unusual client process, which can be leveraged to escalate privileges from administrator to SYSTEM by exploiting misconfigurations or vulnerabilities in the service creation process.

This rule detects the creation of a process running as SYSTEM while impersonating the token context of a Windows core binary, which adversaries may leverage to escalate privileges and bypass access controls through token theft.

Detects attempts to bypass User Account Control (UAC) by masquerading as a trusted Microsoft Windows directory, abusing a trailing-space in the path to execute code with elevated privileges.

Detects User Account Control (UAC) bypass attempts using eventvwr.exe to execute code with elevated permissions by identifying child processes of eventvwr.exe, excluding mmc.exe and WerFault.exe, which may indicate unauthorized privilege escalation.

Detects User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface, where attackers may attempt to stealthily execute code with elevated permissions, potentially leading to privilege escalation.

This rule detects potential privilege escalation attempts by exploiting CVE-2021-42278, which involves spoofing the samAccountName attribute to impersonate a domain controller and elevate privileges from a standard domain user to a domain administrator by identifying suspicious computer account name rename events where a machine account name is renamed to a user-like account name.

A privilege escalation attempt is detected through modification of the Windows directory (Windir) environment variable, a technique often combined with other vulnerabilities to elevate privileges by redirecting system processes.

Adversaries may escalate privileges by abusing named pipe impersonation, a technique often used with tools like Metasploit's meterpreter getsystem command, where a process writes to a named pipe to facilitate a SYSTEM-token handoff.

This rule detects potential exploitation of the InstallerTakeOver vulnerability (CVE-2021-41379), where successful exploitation allows an unprivileged user to escalate privileges to SYSTEM.

Detects modifications to Group Policy Object Attributes that grant privileges to user accounts or add users as local administrators, indicating potential privilege escalation attempts.

Detection of modifications to the msDS-ManagedAccountPrecededByLink attribute of a delegated managed service account (dMSA) by an unusual subject account, which attackers can abuse to inherit permissions and elevate privileges in Active Directory.

The rule identifies the use of Windows Management Instrumentation StdRegProv (registry provider) to modify commonly abused registry locations for persistence by detecting registry changes made by WmiPrvSe.exe in specific registry paths.

CVE-2026-40410 is a use-after-free vulnerability in the Windows SMB Client that allows an authorized attacker to elevate privileges locally.

CVE-2026-42899 describes an infinite loop vulnerability in ASP.NET Core that allows an unauthorized attacker to perform a denial of service attack over a network.

CVE-2026-42896 describes an integer overflow vulnerability in the Windows DWM Core Library, allowing an authorized local attacker to elevate privileges.

CVE-2026-42893 is a command injection vulnerability in M365 Copilot that allows an unauthorized attacker to perform tampering over a network.

CVE-2026-42832 is an improper access control vulnerability in Microsoft Office that allows an unauthorized attacker to perform local spoofing.

CVE-2026-42831 is a heap-based buffer overflow vulnerability in Microsoft Office, allowing a local attacker to execute arbitrary code with a CVSS score of 7.8.

CVE-2026-42825 is a use-after-free vulnerability in the Windows Telephony Service that allows an authorized, local attacker to elevate privileges.

CVE-2026-41613 is a session fixation vulnerability in Visual Studio Code that allows an unauthorized attacker to elevate privileges over a network.

CVE-2026-41611 is a cross-site scripting (XSS) vulnerability in Visual Studio Code that allows an attacker to execute code locally due to improper neutralization of script-related HTML tags.

CVE-2026-41109 describes an improper neutralization of special elements in output used by a downstream component ('injection') vulnerability in GitHub Copilot and Visual Studio, allowing an unauthorized attacker to bypass a security feature over a network.

CVE-2026-41102 is an improper access control vulnerability in Microsoft Office PowerPoint that allows an authorized attacker to perform spoofing locally.

CVE-2026-41101 is a vulnerability in Microsoft Office Word due to improper access control, which allows an authorized attacker to perform spoofing locally, with a CVSS v3.1 base score of 7.1.

CVE-2026-41095 is a use-after-free vulnerability in the Data Deduplication component of Windows that allows an authenticated attacker to elevate privileges locally.

CVE-2026-41094 is a code injection vulnerability in Microsoft Data Formulator, allowing an unauthorized attacker to execute arbitrary code over a network.

CVE-2026-41088 is a vulnerability in Windows Ancillary Function Driver for WinSock that allows an authorized attacker to elevate privileges locally due to external control of file name or path.

CVE-2026-41086 describes an improper access control vulnerability in Windows Admin Center, allowing an authorized attacker to elevate privileges over a network.

CVE-2026-40420 is an improper access control vulnerability in Microsoft Office Click-To-Run allowing an authorized attacker to elevate privileges locally.

CVE-2026-40419 is a use-after-free vulnerability in Microsoft Office that allows an authenticated, local attacker to elevate privileges.

CVE-2026-40418 is a use-after-free vulnerability in Microsoft Office Click-To-Run that allows an authorized attacker to elevate privileges locally.

CVE-2026-40417 is a privilege escalation vulnerability affecting Microsoft Dynamics Business Central due to weak authentication, allowing an authorized attacker to elevate privileges locally.

CVE-2026-40415 is a use-after-free vulnerability in Windows TCP/IP that allows an unauthorized attacker to execute code over a network.

A null pointer dereference vulnerability exists in Windows TCP/IP, allowing an unauthorized attacker on an adjacent network to cause a denial-of-service condition.

CVE-2026-40413 is a null pointer dereference vulnerability in Windows TCP/IP that allows an unauthenticated attacker on an adjacent network to cause a denial-of-service condition.

CVE-2026-40408 is a use-after-free vulnerability in Windows Kernel-Mode Drivers, enabling a locally authenticated attacker to elevate privileges.

CVE-2026-40407 is a heap-based buffer overflow vulnerability in the Windows Common Log File System (CLFS) Driver, enabling a locally authenticated attacker to escalate privileges on the system.

CVE-2026-40406 is a use-after-free vulnerability in Windows TCP/IP that allows an unauthorized attacker to disclose sensitive information over a network.

CVE-2026-40405 describes a null pointer dereference vulnerability in Windows TCP/IP, allowing an unauthenticated attacker to cause a denial of service over a network.

CVE-2026-40403 is a heap-based buffer overflow vulnerability in Windows Win32K - GRFX that allows an authorized local attacker to execute arbitrary code, potentially leading to privilege escalation and code execution.

CVE-2026-40401 is a null pointer dereference vulnerability in Windows TCP/IP that allows a local, unauthorized attacker to cause a denial of service.

CVE-2026-40399 is a stack-based buffer overflow vulnerability in the Windows TCP/IP stack, allowing an authenticated local attacker to elevate privileges.

CVE-2026-40398 is a heap-based buffer overflow vulnerability in Windows Remote Desktop that allows an authorized attacker to elevate privileges locally.

CVE-2026-40397 is an integer underflow vulnerability in the Windows Common Log File System (CLFS) driver that allows an authenticated attacker to escalate privileges locally.

CVE-2026-40382 is a use-after-free vulnerability in the Windows Telephony Service that allows an authorized attacker to elevate privileges locally.

CVE-2026-40381 is a vulnerability in the Azure Connected Machine Agent that allows an authorized attacker to elevate privileges locally due to improper access control.

CVE-2026-40377 is a heap-based buffer overflow vulnerability in Windows Cryptographic Services, allowing an authorized local attacker to elevate privileges.

CVE-2026-40370 allows an authorized attacker with control over file names or paths to execute code over a network in Microsoft SQL Server.

CVE-2026-40368 is a deserialization of untrusted data vulnerability in Microsoft Office SharePoint, allowing an authorized attacker to execute code over a network.

CVE-2026-40367 is an untrusted pointer dereference vulnerability in Microsoft Office Word that allows an unauthorized attacker to execute code locally with a CVSS v3.1 base score of 8.4.

CVE-2026-40366 is a use-after-free vulnerability in Microsoft Office Word allowing local code execution by an unauthorized attacker.

CVE-2026-42898 is a code injection vulnerability in Microsoft Dynamics 365 (on-premises) that allows an authorized attacker to execute arbitrary code over a network.

CVE-2026-42833 is a critical vulnerability in Microsoft Dynamics 365 (on-premises) allowing an authorized attacker with high privileges to execute arbitrary code over the network due to execution with unnecessary privileges.

CVE-2026-42823 is a critical vulnerability in Azure Logic Apps that allows an authorized attacker to elevate privileges over a network due to improper access control.

CVE-2026-41103 describes an incorrect implementation of the authentication algorithm in Microsoft SSO Plugin for Jira & Confluence, allowing an unauthorized attacker to elevate privileges over a network.

CVE-2026-41096 is a critical heap-based buffer overflow vulnerability in Microsoft Windows DNS that allows an unauthenticated attacker to achieve remote code execution over a network.

CVE-2026-41089 is a stack-based buffer overflow vulnerability in Windows Netlogon that allows an unauthorized attacker to execute arbitrary code over a network.

CVE-2026-40402 is a use-after-free vulnerability in Windows Hyper-V, enabling an unauthorized local attacker to escalate privileges.

The rule detects the hijack of the Microsoft Compatibility Appraiser scheduled task to establish persistence with system integrity level, by monitoring CompatTelRunner.exe process execution and detecting unexpected child processes.

This rule detects a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key, evading detection from system utilities.

Detection of suspicious ImagePath values written to the registry, indicating potential persistence or privilege escalation via abnormal service creation involving command interpreters or named pipes.

Modification of the dsHeuristics attribute to exclude groups from SDProp in Active Directory can allow attackers to maintain persistent access to privileged accounts.

Adversaries may modify or replace Windows accessibility binaries (e.g., sethc.exe, utilman.exe) to execute malicious commands or establish persistence mechanisms before a user logs in, potentially leading to elevated privileges and unauthorized access.

This rule detects attempts to establish persistence on Windows endpoints by abusing Microsoft Office add-ins through the creation of malicious files in Office startup directories.

Detects suspicious modifications to the Windows Startup shell folder, a technique used to bypass detections monitoring file creation in the Windows Startup folder.

Detects the creation of a hidden local user account by appending a dollar sign ($) to the account name, a technique used by attackers to persist on a system and evade standard account listing methods.

Detects modifications to the AdminSDHolder object in Active Directory, which attackers can abuse via the SDProp process to implement a persistent backdoor by manipulating permissions on protected accounts and groups to regain administrative privileges.

Microsoft Office Word is vulnerable to CVE-2026-40364, a type confusion vulnerability that allows an unauthorized attacker to execute code locally.

A heap-based buffer overflow vulnerability in Microsoft Office allows an unauthenticated, local attacker to execute arbitrary code.

A heap-based buffer overflow vulnerability, identified as CVE-2026-40362, exists in Microsoft Office Excel, allowing an unauthenticated attacker with local access to execute arbitrary code.

CVE-2026-40361 is a use-after-free vulnerability in Microsoft Office Word that allows an unauthorized attacker to execute code locally.

CVE-2026-40360 is an out-of-bounds read vulnerability in Microsoft Office Excel that allows an unauthorized attacker to disclose sensitive information locally.

CVE-2026-40359 is a use-after-free vulnerability in Microsoft Office Excel that allows a local attacker to execute arbitrary code by exploiting memory corruption.

CVE-2026-40358 describes a use-after-free vulnerability in Microsoft Office that could allow an unauthorized local attacker to execute code with elevated privileges.

CVE-2026-35438 is a missing authorization vulnerability in Windows Admin Center that allows an authorized attacker to elevate privileges over a network.

CVE-2026-35436 is a privilege escalation vulnerability in Microsoft Office Click-To-Run due to insufficient granularity of access control, allowing an authorized attacker to elevate privileges locally.

CVE-2026-35433 is a local privilege escalation vulnerability in .NET due to improper input validation, allowing an unauthorized attacker to elevate privileges.

CVE-2026-35424 is a denial-of-service vulnerability in the Windows Internet Key Exchange (IKE) Protocol caused by a missing release of memory after its effective lifetime, allowing an unauthenticated remote attacker to trigger a denial of service over a network.

CVE-2026-35421 is a heap-based buffer overflow vulnerability in Windows Graphics Device Interface (GDI) that allows an unauthorized attacker to execute arbitrary code locally with elevated privileges.

CVE-2026-35420 is a heap-based buffer overflow vulnerability in the Windows Kernel that allows an authorized local attacker to elevate privileges.

CVE-2026-35418 is a use-after-free vulnerability in the Windows Cloud Files Mini Filter Driver that allows an authorized local attacker to elevate privileges.

CVE-2026-35417 is a type confusion vulnerability in Windows Win32K - ICOMP that allows an authorized attacker to elevate privileges locally.

CVE-2026-35416 is a use-after-free vulnerability in the Windows Ancillary Function Driver for WinSock, enabling a locally authorized attacker to escalate privileges.

CVE-2026-34351 is a race condition vulnerability in Windows TCP/IP that allows an authorized attacker to elevate privileges locally.

CVE-2026-34347 is a use-after-free vulnerability in Windows Win32K - GRFX that allows an authorized local attacker to elevate privileges.

CVE-2026-34345 describes a race condition vulnerability in Windows Ancillary Function Driver for WinSock, allowing an authorized attacker to elevate privileges locally.

CVE-2026-34344 is a type confusion vulnerability in the Windows Ancillary Function Driver for WinSock, allowing an authorized local attacker to elevate privileges.

CVE-2026-34343 is a heap-based buffer overflow vulnerability in the Windows Application Identity (AppID) Subsystem that allows an authorized attacker to elevate privileges locally.

CVE-2026-34342 is a race condition vulnerability in Windows Print Spooler Components that allows an authorized attacker to elevate privileges locally.

CVE-2026-34341 is a double free vulnerability in the Windows Link-Layer Discovery Protocol (LLDP) that allows an authorized attacker to elevate privileges locally with a CVSS v3.1 score of 7.0.

CVE-2026-34340 is a use-after-free vulnerability in the Windows Projected File System that allows an authorized attacker to elevate privileges locally.

CVE-2026-34337 is a use-after-free vulnerability in the Windows Cloud Files Mini Filter Driver, allowing a locally authorized attacker to escalate privileges.

CVE-2026-34336 is a buffer over-read vulnerability in the Windows DWM Core Library, allowing a local, authenticated attacker to disclose sensitive information.

CVE-2026-34334 describes a race condition vulnerability within Windows TCP/IP, enabling a locally authorized attacker to escalate privileges.