Microsoft Disrupts Major Malware-Signing Service; Critical Cisco Flaw and Defender Bugs Under Active Exploitation

New reports indicate a significant escalation in AI-powered phishing, leveraging Generative AI to craft flawless, highly personalized spear-phishing emails. A critical development is the emergence of 'device code phishing,' used by groups like TA4903, which effectively bypasses Multi-Factor Authentication (MFA). This technique tricks users into authorizing malicious applications via the legitimate Microsoft Device Code flow, granting attackers persistent access tokens. Phishing-as-a-Service (PhaaS) kits such as EvilTokens and Tycoon are democratizing these advanced MFA-bypass capabilities, making sophisticated account takeovers more widespread. Organizations are advised to implement Conditional Access Policies and transition to phishing-resistant MFA.

New analysis from Rapid7 details the authentication bypass mechanism, involving a crafted handshake sequence that tricks the controller into incorrect authentication. Cisco Talos has officially attributed the active exploitation to UAT-8616, confirming their post-exploitation activities include adding SSH keys for persistence and escalating privileges to root. The CISA KEV mandate requires patching by May 17, 2026. Crucially, the update provides new sections on 'Cyber Observables,' 'Detection Methods,' and 'Remediation Steps,' offering defenders actionable intelligence for identifying and mitigating the threat.

A new report from May 21, 2026, broadens the understanding of state-sponsored ransomware, identifying Russia, China, and North Korea alongside Iran as key actors. These nations are increasingly leveraging ransomware not only for disruption and plausible deniability but also as a strategic smokescreen to conceal intelligence-gathering operations and establish long-term persistence. The use of dual-purpose malware, capable of both espionage and destruction, is also noted, further complicating attribution and response efforts for critical infrastructure targets.

The Trump administration is set to sign an Executive Order on AI Cybersecurity, establishing a program for voluntary government testing of advanced 'frontier' AI models. This initiative aims to proactively identify vulnerabilities in U.S. critical infrastructure and federal networks. The order also seeks to modernize existing cybersecurity information-sharing frameworks to better integrate AI companies. This policy is a direct response to the growing recognition of AI's dual-use potential, exemplified by Anthropic's Mythos model, and represents a significant step in national AI governance.

New information reveals the Fox Tempest MSaaS takedown was a joint effort by Microsoft, the FBI, and Europol. The service, signspace.cloud, was found to have facilitated attacks by additional ransomware groups, specifically Qilin and Akira, alongside Rhysida. The scope of victims is now understood to include thousands of organizations worldwide, with a significant impact on critical infrastructure, hospitals, and schools. This broader law enforcement collaboration and the expanded list of affected sectors and ransomware families highlight the increased severity and wider implications of this cybercrime operation.