microsoft

CISA Warns Microsoft Windows Shell 0-Click Vulnerability Exploited in Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about a critical zero-day vulnerability in the Microsoft Windows Shell, tracked as CVE-2026-32202, which is actively being exploited. This vulnerability allows attackers to perform network spoofing, potentially intercepting sensitive data and bypassing access controls, prompting CISA to mandate immediate patching by May 12, 2026, particularly for federal agencies, while strongly urging all organizations to apply mitigations to protect their networks.

https://cybersecuritynews.com/windows-shell-0-click-vulnerability/

Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202

Microsoft has confirmed active exploitation of a high-severity Windows Shell vulnerability (CVE-2026-32202) that allows unauthorized attackers to perform spoofing and access sensitive information. This zero-click exploit, linked to an incomplete patch for CVE-2026-21510 and used by the Russian state-sponsored group APT28, enables credential theft through automatic network authentication when victims open malicious Windows Shortcut files, highlighting ongoing risks despite recent patches.

https://thehackernews.com/2026/04/microsoft-confirms-active-exploitation.html

Exploits Turn Windows Defender Into Attacker Tool

Threat actors are exploiting three publicly available proof-of-concept vulnerabilities—BlueHammer, RedSun, and UnDefend—to turn Microsoft Defender's built-in security functions against the systems it is meant to protect, enabling SYSTEM-level access and disrupting update mechanisms. While Microsoft has patched BlueHammer, the other two remain unpatched, and these exploits are actively used in targeted attacks that highlight systemic validation weaknesses in Defender’s privileged workflows, underscoring the need for updated defenses and multi-factor authentication for remote access.

https://www.darkreading.com/cyberattacks-data-breaches/exploits-turn-windows-defender-attacker-tool

Hundreds of Orgs Compromised Daily in Microsoft Device Code Phishing Attacks

A widespread Microsoft device-code phishing campaign has been compromising hundreds of organizations daily since mid-March 2026, using AI and automation to bypass multi-factor authentication and gain access to corporate Microsoft 365 accounts. The attackers generate dynamic device codes to trick victims into authorizing access, enabling them to steal sensitive financial emails and data, with the phishing infrastructure leveraging legitimate cloud services to evade detection. Microsoft recommends limiting the use of device code authentication and training employees to recognize phishing attempts to mitigate such attacks.

https://www.theregister.com/2026/04/07/microsoft_device_code_phishing/

New VENOM Phishing Attacks Steal Senior Executives’ Microsoft Logins

Threat actors using a new phishing-as-a-service platform called VENOM have been targeting Microsoft logins of senior executives since at least last November. The attacks impersonate Microsoft SharePoint notifications with highly personalized emails and QR codes leading victims to sophisticated credential-harvesting pages that bypass traditional protections like MFA, highlighting the need for stronger authentication measures such as FIDO2 and stricter access policies.

https://www.bleepingcomputer.com/news/security/new-venom-phishing-attacks-steal-senior-executives-microsoft-logins/

New Alert: Hackers Hijack Corporate M365 Accounts With OAuth Device Codes

A recent surge in phishing attacks abuses Microsoft's OAuth Device Code flow, allowing hackers to hijack corporate Microsoft 365 accounts without stealing passwords by tricking victims into authenticating on legitimate Microsoft login pages. This token-based technique is difficult to detect with traditional tools and enables attackers to access sensitive corporate data, but solutions like ANY.RUN’s SSL decryption and interactive sandbox analysis provide earlier visibility and help security teams respond faster to these sophisticated threats.

https://cyberpress.org/new-alert-hackers-hijack-corporate-m365-accounts-with-oauth-device-codes/

Stryker Attack Wiped Tens of Thousands of Devices, No Malware Needed

Last week's cyberattack on medical technology company Stryker involved the remote wiping of nearly 80,000 employee devices by exploiting Microsoft Intune administrative privileges, but no malware was deployed and no medical devices were affected. The incident, attributed to the Handala group linked to Iran, disrupted internal corporate systems and electronic ordering, with restoration efforts ongoing to resume normal operations.

https://www.bleepingcomputer.com/news/security/stryker-attack-wiped-tens-of-thousands-of-devices-no-malware-needed/

The Who, What, and Why of the Attack That Has Shut Down Stryker’s Windows Network

Stryker, a major multinational medical device supplier, confirmed a cyberattack that disrupted much of its Microsoft network, with a hacking group called Handala Hack—linked to the Iranian government—claiming responsibility. The attack, suspected to have involved remote wiping of devices via Microsoft’s InTune tool rather than typical malware, followed recent US and Israeli airstrikes on Iran, suggesting retaliation through cyber means. Despite the disruption, Stryker’s critical medical devices remain operational, though the company has not yet provided a timeline for full recovery.

https://arstechnica.com/security/2026/03/whats-known-about-wiper-attack-on-stryker-a-major-supplier-of-lifesaving-devices/

Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker

Iran-linked hacktivist group Handala claims responsibility for a data-wiping attack on Stryker, a major medical technology company. The attack forced the shutdown of Stryker's global operations, impacting over 200,000 devices and disrupting supply chains for healthcare providers. The group stated the action was retaliation for a missile strike in Iran that killed many civilians. The incident has raised concerns about cybersecurity in the healthcare sector, as hospitals consider disconnecting from Stryker's services amid the attack.

https://krebsonsecurity.com/2026/03/iran-backed-hackers-claim-wiper-attack-on-medtech-firm-stryker/

Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer

Microsoft revealed a new phishing campaign, ClickFix, using Windows Terminal to deploy Lumma Stealer malware. The campaign tricks users into executing commands via a trusted app, bypassing detection methods aimed at the Run dialog. It executes a multi-stage attack: downloading and extracting malicious scripts, collecting credentials from browsers, and establishing persistence. The malware targets sensitive data, emphasizing the risks of social engineering tactics in cybersecurity.

https://thehackernews.com/2026/03/microsoft-reveals-clickfix-campaign.html

Inside Tycoon2FA: How a Leading AiTM Phishing Kit Operated at Scale

The article analyzes Tycoon2FA, a phishing-as-a-service platform that enabled large-scale adversary-in-the-middle (AiTM) attacks capable of bypassing multifactor authentication. It explains how the service intercepted login credentials and session cookies through proxy phishing pages that mimicked services such as Microsoft 365 and Gmail. The platform included evasion techniques and user-friendly infrastructure, enabling less-skilled attackers to run campaigns that reached hundreds of thousands of organizations each month. The article concludes with guidance on layered defenses, including improved authentication methods, phishing detection, and coordinated disruption efforts. 

https://www.microsoft.com/en-us/security/blog/2026/03/04/inside-tycoon2fa-how-a-leading-aitm-phishing-kit-operated-at-scale/

Hackers Target Microsoft Entra Accounts in Device Code Vishing Attacks

Hackers are targeting Microsoft Entra accounts using device code phishing and voice vishing, compromising accounts through legitimate Microsoft OAuth flows without needing traditional phishing methods. This allows attackers to gain valid authentication tokens and access victims' accounts, enabling corporate data theft. The ShinyHunters gang is suspected to be behind these attacks, with recommendations for organizations to monitor OAuth apps, revoke suspicious consents, and consider disabling device code flows when unnecessary.

https://www.bleepingcomputer.com/news/security/hackers-target-microsoft-entra-accounts-in-device-code-vishing-attacks/

Microsoft Says Bug Causes Copilot to Summarize Confidential Emails

Microsoft 365 Copilot bug since January causes AI to incorrectly summarize confidential emails, bypassing DLP policies. A code error allows emails marked with confidentiality labels to be processed, prompting Microsoft to initiate a fix. As of mid-February, they continue monitoring the situation but have not disclosed the full impact or timeline for resolution.

https://www.bleepingcomputer.com/news/microsoft/microsoft-says-bug-causes-copilot-to-summarize-confidential-emails/

Flaws in Popular VSCode Extensions Expose Developers to Attacks

Flaws in popular VSCode extensions allow attackers to steal files and execute code. Vulnerabilities affect extensions like Code Runner and Markdown Preview Enhanced, with over 128 million total downloads. Discovered by Ox Security, the issues pose risks such as data exfiltration and system takeover. Developers are advised against using untrusted configurations and to only install reputable extensions.

https://www.bleepingcomputer.com/news/security/flaws-in-popular-vscode-extensions-expose-developers-to-attacks/

CyberheistNews Vol 16 #07 Uncovering the Sophisticated Phishing Campaign Bypassing M365 MFA

Phishing campaign bypassing M365 MFA detected, compromising accounts by exploiting OAuth 2.0 flows. Attackers trick users into authenticating on legitimate Microsoft domains, stealing access tokens for persistent access to data. Key sectors targeted include tech, manufacturing, and finance. Immediate mitigation requires auditing OAuth apps and reviewing email logs. Additionally, there’s discussion on automation in incident response, AI-driven email security, and the evolution of romance scams using deepfake technology. New voice phishing kits enable real-time control over attacks, raising concerns over email security gaps in organizations.

https://blog.knowbe4.com/cyberheistnews-vol-16-07-uncovering-the-sophisticated-phishing-campaign-bypassing-m365-mfa

Scroll to Top