Archive for Fortra

New CalPhishing Campaign tied to EvilTokens uses ConsentFix

Posted in Commentary with tags on May 14, 2026 by itnerd

Fortra Intelligence and Research Experts (FIRE) have identified a new phishing campaign that is expanding beyond traditional email, using calendar invites (.ics files) to introduce malicious content into trusted workflows. FIRE links the activity to the EvilTokens phishing kit, combining ConsentFix (device code phishing) with calendar‑based delivery to capture Microsoft session tokens through legitimate authentication prompts.

Most notable about this campaign is the shift in delivery and persistence: the calendar entry remains visible and active even if the original email is removed, extending the window for user interaction. If the attack is executed successfully, the impact can be significant. Compromised tokens can enable account takeover, unauthorized access to cloud systems, lateral movement, and follow‑on phishing or infrastructure disruption, particularly if privileged accounts are involved.
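The two details above that matter to a defender are that the lure arrives as an .ics file and that the calendar entry survives deletion of the email. The following added example (my own code, not anything from the Fortra report or the EvilTokens kit) parses a calendar invite and flags the device-code phishing pattern: an event whose text sends the recipient to Microsoft's device-login pages with a code to enter, sent by an organizer outside the tenant. The sample invite, the organizer domain, the trusted-domain set and the device-code regex are all constructed assumptions for the example; Microsoft's device-login endpoints are the real ones.

```python
import re
from typing import Dict, List

# Constructed sample invite for this example (not an artefact from the Fortra report).
# The organizer domain, UID and device code are placeholders; the line break inside
# DESCRIPTION is RFC 5545 line folding, which real .ics files use for long values.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "METHOD:REQUEST\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-0001@example.invalid\r\n"
    "ORGANIZER;CN=IT Helpdesk:mailto:helpdesk@attacker.invalid\r\n"
    "DTSTART:20260514T140000Z\r\n"
    "DTEND:20260514T143000Z\r\n"
    "SUMMARY:Action required: confirm your Microsoft 365 session\r\n"
    "DESCRIPTION:Open https://microsoft.com/devicelogin and enter code ABCD1234 befo\r\n"
    " re the meeting starts.\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# Microsoft's legitimate device-code sign-in pages. Device-code phishing sends the
# victim there with an attacker-generated code, so an invite linking to them is the tell.
DEVICE_LOGIN_MARKERS = (
    "microsoft.com/devicelogin",
    "login.microsoftonline.com/common/oauth2/deviceauth",
)
# Assumption: a device code is 8-9 upper-case alphanumerics introduced by the word "code".
DEVICE_CODE_RE = re.compile(r"\bcode\s+([A-Z0-9]{8,9})\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Assumption: the domains your own tenant sends invites from.
TRUSTED_ORGANIZER_DOMAINS = {"example.invalid"}


def unfold_ics(text: str) -> List[str]:
    """Undo RFC 5545 folding: a line starting with SP or HTAB continues the previous one."""
    lines: List[str] = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def parse_vevents(text: str) -> List[Dict[str, str]]:
    """Return one {PROPERTY: value} dict per VEVENT; property parameters after ';' are dropped."""
    events: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    inside = False
    for line in unfold_ics(text):
        if line == "BEGIN:VEVENT":
            inside, current = True, {}
        elif line == "END:VEVENT":
            inside = False
            events.append(current)
        elif inside and ":" in line:
            name, value = line.split(":", 1)
            current[name.split(";", 1)[0].upper()] = value
    return events


def triage_event(event: Dict[str, str]) -> Dict[str, object]:
    """Score one event for device-code phishing indicators and an out-of-tenant organizer."""
    text = " ".join(event.get(k, "") for k in ("SUMMARY", "DESCRIPTION", "LOCATION", "URL"))
    urls = URL_RE.findall(text)
    findings: List[str] = []
    if any(m in u.lower() for u in urls for m in DEVICE_LOGIN_MARKERS):
        findings.append("links-to-device-login")
    if DEVICE_CODE_RE.search(text):
        findings.append("contains-device-code")
    organizer = event.get("ORGANIZER", "").lower()
    if organizer.startswith("mailto:"):
        organizer = organizer[len("mailto:"):]
    domain = organizer.rsplit("@", 1)[-1] if "@" in organizer else ""
    if domain and domain not in TRUSTED_ORGANIZER_DOMAINS:
        findings.append("external-organizer")
    return {
        "uid": event.get("UID", ""),
        "organizer": organizer,
        "urls": urls,
        "findings": findings,
        "suspicious": any(f in findings for f in ("links-to-device-login", "contains-device-code")),
    }


def triage_ics(text: str) -> List[Dict[str, object]]:
    return [triage_event(e) for e in parse_vevents(text)]


if __name__ == "__main__":
    for result in triage_ics(SAMPLE_ICS):
        # The UID is what a response playbook needs to purge the entry from mailboxes,
        # since the calendar item outlives the email that carried it.
        print(result["uid"], "SUSPICIOUS" if result["suspicious"] else "ok", result["findings"])
```

Run it against .ics attachments pulled from the mail gateway or from a mailbox export; the UID it reports is the key for removing the calendar entry itself, which is the remediation step that a plain "delete the email" purge misses.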

The full report was just published here: https://www.fortra.com/blog/new-calendar-invite-phishing-campaign-ics-abuse-and-post-delivery-persistence

May Patch Tuesday Commentary From Fortra

Posted in Commentary with tags on May 12, 2026 by itnerd

By Tyler Reguly, Associate Director, Security R&D, Fortra

Microsoft decided to welcome May with 137 vulnerabilities (not to mention the 128 Edge CVEs) and the content couldn’t be more varied. We have all the usual suspects as well as a few rarely seen items like Microsoft Data Formulator and Data Deduplication, which I don’t believe I’ve ever seen mentioned before. I think, this month, the interesting thing to talk about is the numbers. AI related vulnerabilities are hard to ignore this month with 7 CVEs referencing Copilot plus Azure AI Foundry appearing as well; that is sure to get some attention. There are also 13 vulnerabilities that Microsoft is reporting as ‘no customer action required’. This means that they’ve already been mitigated and/or resolved by Microsoft and they’re raising them for informational purposes. Finally, we have 14 vulnerabilities (some overlap exists with the other two counts) that are in cloud or cloud adjacent applications. Depending on how heavily you rely on the Azure ecosystem, you may have a lot of digging around to do this month.

Interestingly, the CVEs that stood out to me the most are in the no customer action required bucket. CVEs like CVE-2026-33109, a remote code execution vulnerability in Azure Managed Instances for Apache Cassandra, and CVE-2026-33823, Microsoft Team Events Portal Information Disclosure Vulnerability. Since both of these have been resolved by Microsoft, there’s no action to take; otherwise these would be the CVEs that I’d be discussing this month.

If I were the CSO and looking at this patch drop, there would be two questions on my mind.

  1. Are we aware of all our uses of AI?
    1. ~6% of the CVEs this month were AI based and we know that number is only going to grow from here. What other instances of AI might be in use in your organization that are not backed by a company with a regular update schedule like Microsoft?
  2. Do we use Confluence or Jira with SSO Integration?
    1. CVE-2026-41103 is an elevation of privilege in the Microsoft SSO Plugin for both Confluence and Jira. This is common software, deployed at a lot of organizations, and I suspect that most organizations have it tied to their Microsoft SSO.
    2. The interesting thing here is that the individuals responsible for Confluence and Jira may not be the same individuals responsible for Microsoft products, so the crossover that this vulnerability entails may cause it to be entirely overlooked. Definitely stay on top of your teams with this one.

Fortra Pursues FedRAMP High Authorization for Data Classification Capabilities

Posted in Commentary with tags on May 7, 2026 by itnerd

Fortra today announced it is pursuing Federal Risk and Authorization Management Program (FedRAMP) High authorization for its data classification capabilities, which will further extend its support of U.S. public sector, federal, and defense organizations operating in critical cloud environments.

FedRAMP High, required for systems that process the government’s most sensitive unclassified data, is the U.S. government’s most stringent cloud security authorization. By pursuing this authorization, Fortra aims to enable secure discovery, classification, and movement of data across contested, classified, and disconnected operational environments.

Fortra is partnering with Coalfire, a leading cybersecurity advisory firm and accredited Third-Party Assessment Organization (3PAO), to support its FedRAMP High authorization activities. The effort includes significant internal investment in security engineering, compliance maturity, and operational rigor aligned with federal requirements.

Fortra’s commitment to FedRAMP demonstrates its broader strategy to deliver advanced security solutions to highly regulated and mission-driven sectors with integrated, resilient cybersecurity solutions.

Learn more at: https://www.fortra.com/industry/government

Fortra Launches Defense Tech Unit

Posted in Commentary with tags on April 16, 2026 by itnerd

Fortra today announced the launch of its new Defense and Intelligence Unit (DIU), a dedicated business focused on delivering advanced, integrated cyber capabilities to critical infrastructure, defense, intelligence, and national security organizations around the world. Building on its strong momentum in this space, the DIU will operate with its own leadership and a dedicated operating model.  

Leading the new unit is John Grancarich, appointed EVP, Head of Defense and Intelligence. Grancarich most recently served as Fortra’s Chief Strategy Officer, where over the past year he worked closely with elite operators, global partners, and senior mission leaders to assess emerging needs across the defense and intelligence ecosystem. These insights have informed the DIU’s design, vision, and strategy.  

The DIU will invest in several strategic areas, including:  

  • Unified data discovery, classification and protection compliant with advanced defense industry requirements  
  • Secure data movement across contested, classified, and disconnected networks  
  • AI-driven infrastructure testing and exposure assessments for high-risk operational environments
  • Mission-tailored architectures, including deployable and enclave-ready solutions  
  • Deep partnerships with global systems integrators, mission support organizations, and technology providers  
  • Cleared facilities and talent in North America and Europe  

The launch of the DIU marks a significant milestone in Fortra’s broader strategy to support regulated, high-risk, and mission-critical sectors. The unit will play an essential role in Fortra’s long-term growth while advancing global cyber resilience in partnership with allied nations and organizations.  

Learn more here: https://www.fortra.com/industry/government

April Patch Tuesday Commentary From Fortra

Posted in Commentary with tags on April 14, 2026 by itnerd

By Tyler Reguly, Associate Director, Security R&D, Fortra

With 165 Microsoft CVEs and another 82 non-Microsoft CVEs combining for a total of 247 CVEs, I can’t help but wonder who angered Microsoft this month. Here’s hoping that admins everywhere are well hydrated with snacks available because I feel like this mess will take a few days to fully detangle.

There are two vulnerabilities that Microsoft has called out as either exploited or disclosed. The first, CVE-2026-32201, is a spoofing vulnerability in Microsoft SharePoint that is seeing active exploitation. SharePoint can definitely be one of the harder systems to patch and maintain, so admins are going to want to pay close attention to this one. The second is CVE-2026-33825, an elevation of privilege vulnerability in Microsoft Defender, which Microsoft has listed as publicly disclosed. This appears to be the BlueHammer vulnerability that everyone was talking about, which Fortra has written about in detail.

Two things caught my attention this month.

The first is that there are 19 vulnerabilities listed as Exploitation More Likely. In the first quarter of the year, we saw 20 vulnerabilities listed as Exploitation More Likely and now, in a single month, we’re seeing only one less than that total. That is something to pay attention to, especially given the nature of the services affected.

The second is a pair of TCP/IP vulnerabilities. It is rare that you see a truly remote TCP/IP vulnerability these days and that’s exactly what CVE-2026-33827 is… unauthorized, network-based code execution against IPv6. The attack complexity is listed as high because the vulnerability is based on a race condition as well as “additional actions”, as Microsoft calls it, but it is still impressive to see these vulnerabilities identified in 2026.

Based on acknowledgements, the team that found the TCP/IP vulnerability, WARP & MORSE team at Microsoft, also found this month’s only CVSS 9.8 vulnerability. Microsoft has labeled it as Exploitation Less Likely, but it is the infamous network remote code execution vulnerability. In this case, Internet Key Exchange (IKE) v2 is impacted and a remote attacker could trigger remote code execution. Importantly here, we’re not talking about the fake remote code execution that Microsoft uses for Office documents and similar, we’re talking about a legitimate, over the network remote code execution.

For CISOs this month, I’d be more worried about the sheer quantity of items that admins are having to review. There are a lot of CVEs and a lot of one-offs that we don’t normally see. While Windows update and automatic updates for some applications will take care of a lot of the heavy lifting here, there’s still testing that is required before deploying updates this large. Additionally, with the likes of .NET, SharePoint, and SQL Server, there’s always the potential for difficult patches and/or version incompatibility that may crop up during testing.

Patience is going to be a keyword this month, followed very quickly by resourcing. Massive patch drops like this and the conversation around next-gen LLMs means that we need to be aware of the pressure on our teams and the amount of work they are expected to complete. If you still see your security teams as a cost centre, it is time to start rethinking that and looking at the value they bring to protecting your data and your systems. Large patch drops mean that you really need to review your teams to ensure they are adequately resourced.

New Attack Campaign Weaponizes Trusted Datto RMM, Leaving Businesses Blind to Full Remote Takeover

Posted in Commentary with tags on April 9, 2026 by itnerd

Fortra Intelligence and Research Experts (FIRE) are tracking a previously unseen threat campaign abusing Datto’s legitimate RMM platform as a stealthy command‑and‑control channel. By routing attacker traffic through the legitimate Datto infrastructure, threat actors gain full, persistent remote access to victim systems while evading standard network and endpoint defenses.

For businesses, the impact could be severe: undetected access enables data theft, lateral movement, and ransomware staging, all masked as normal IT activity. The campaign is actively maintained, uses weekly‑recompiled malware, and underscores a growing risk – attackers weaponizing trusted enterprise tools to make compromise effectively invisible.

You can read the details here: https://www.fortra.com/blog/fortra-discovers-datto-living-land-binary

Fortra Acquires Zero-Point Security

Posted in Commentary with tags on April 2, 2026 by itnerd

Fortra announced today the acquisition of Zero-Point Security, a specialized cybersecurity training firm based in Warrington, UK. This will expand Fortra’s offensive security education capabilities, bringing additional training expertise in red team operations, adversary emulation, and penetration testing. Zero‑Point Security is widely recognized for its trusted red team operations training and has built a strong reputation delivering its high-demand, self-paced courses to individuals and businesses seeking advanced offensive operations skills.

Zero-Point Security’s well-known courses include Red Team Operations I and II, which meet the high standards to be certified by the Council of Registered Ethical Security Testers (CREST). Successful completion of these programs helps participants achieve Certified Red Team Operator (CRTO) status, an industry-respected credential that validates expertise in offensive security techniques.

Further details and timelines will follow.

GhostPoster, and Why Browser Extensions Are Your Next Major Blind Spot

Posted in Commentary with tags on March 17, 2026 by itnerd

Browser extensions have quietly become one of the more dangerous and overlooked attack surfaces within the enterprise. Fortra Intelligence and Research Experts (FIRE) have released a new Browser Extension Threat Guide that breaks down why this risk is escalating and what security teams need to do now to close the gap.

This in‑depth guide covers:

  • A deep forensic analysis of the GhostPoster campaign, including staged payloads, obfuscation techniques, and real-world impact.
  • How modern extension malware evades EDR by hiding inside legitimate browser processes and abusing trusted APIs.
  • Actionable detection and threat hunting playbooks focused on manifest analysis, sideloading identification, and high‑risk behaviors.
  • Clear mitigation strategies, including extension governance, default‑deny controls, and browser-layer security recommendations.
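The guide's detection bullets name manifest analysis, sideloading identification and high-risk behaviours. The added example below (my own code, written for this page; it is not from the Fortra guide and the manifests are not GhostPoster's) shows what the manifest side of that looks like in practice: it scores a Chrome/Chromium `manifest.json` on broad host access, sensitive API permissions, content scripts injected into every site at `document_start`, and an `update_url` that is not the Chrome Web Store (the usual sign of enterprise or sideloaded distribution). The permission weights and the two sample manifests are this example's own assumptions; the Web Store update URL is the real one.

```python
import json
import os
from typing import Dict, List

# Two constructed manifests for this example; neither is an artefact from the Fortra guide.
SUSPICIOUS_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Coupon Helper",
    "version": "1.4.2",
    "permissions": ["scripting", "tabs", "webRequest", "cookies", "storage"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
    "content_scripts": [
        {"matches": ["<all_urls>"], "js": ["inject.js"], "run_at": "document_start"}
    ],
    "update_url": "https://updates.example.invalid/crx",
})
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Scratchpad",
    "version": "1.0.0",
    "permissions": ["storage"],
    "action": {"default_popup": "popup.html"},
})

# Chrome Web Store update endpoint; any other value means the extension is updated
# from somewhere you do not control (enterprise policy, sideload, attacker server).
CWS_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
# Assumption: these weights are this example's own, not a published scoring scheme.
PERMISSION_WEIGHTS = {
    "debugger": 3, "nativeMessaging": 3, "proxy": 2, "webRequest": 2,
    "webRequestBlocking": 2, "scripting": 2, "cookies": 2, "management": 2,
    "tabs": 1, "webNavigation": 1, "history": 1, "clipboardRead": 1,
    "declarativeNetRequest": 1,
}
BROAD_HOST_PATTERNS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def is_broad_host(pattern: str) -> bool:
    return pattern in BROAD_HOST_PATTERNS


def analyze_manifest(manifest_json: str) -> Dict[str, object]:
    """Score one manifest; returns the findings that drove the score so an analyst can review them."""
    m = json.loads(manifest_json)
    findings: List[str] = []
    score = 0
    perms = list(m.get("permissions", [])) + list(m.get("optional_permissions", []))
    hosts = list(m.get("host_permissions", []))
    # Manifest V2 keeps host patterns inside "permissions"; fold them in so both versions score alike.
    hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
    for p in perms:
        weight = PERMISSION_WEIGHTS.get(p, 0)
        if weight:
            score += weight
            findings.append(f"permission:{p}")
    if any(is_broad_host(h) for h in hosts):
        score += 3
        findings.append("broad-host-access")
    for cs in m.get("content_scripts", []):
        # Injecting into every site before the page loads is how extension malware hides
        # inside the browser process the guide describes; flag it once per manifest.
        if any(is_broad_host(x) for x in cs.get("matches", [])) and cs.get("run_at") == "document_start":
            score += 2
            findings.append("content-script:all-sites-document-start")
            break
    update_url = m.get("update_url")
    if update_url and update_url != CWS_UPDATE_URL:
        score += 2
        findings.append("non-store-update-url")
    risk = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {"name": m.get("name", "?"), "version": m.get("version", "?"),
            "score": score, "risk": risk, "findings": findings}


def scan_for_manifests(root: str) -> List[Dict[str, object]]:
    """Walk an extensions directory (e.g. a browser profile's Extensions folder) and score every manifest."""
    results: List[Dict[str, object]] = []
    for dirpath, _, files in os.walk(root):
        if "manifest.json" in files:
            path = os.path.join(dirpath, "manifest.json")
            try:
                with open(path, encoding="utf-8") as fh:
                    results.append({"path": path, **analyze_manifest(fh.read())})
            except (OSError, json.JSONDecodeError, UnicodeDecodeError):
                continue
    return results


if __name__ == "__main__":
    for sample in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        r = analyze_manifest(sample)
        print(f"{r['name']} {r['version']}: {r['risk']} ({r['score']}) {r['findings']}")
```

Pointed at a collected profile directory with `scan_for_manifests`, this gives a first-pass triage list; anything scored high, or any extension with a non-store `update_url`, is a candidate for the payload and obfuscation analysis the guide walks through, and the same permission set is what a default-deny extension policy should be written against.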

If extensions aren’t already on your threat model, this guide will show you why they need to be. You can access it here: https://www.fortra.com/resources/guides/browser-extension-threat-guide

March Patch Tuesday Commentary From Fortra

Posted in Commentary with tags on March 10, 2026 by itnerd

By Tyler Reguly, Associate Director, Security R&D, Fortra

I’m sure that everyone will be talking about CVE-2026-26118 today. After all, it contains those magical three letters MCP – Must Create Panic! The old adage has changed a little these days to become, “AI sells,” so that’s what everyone needs to talk about. The reality is that there’s an update available, this was never publicly disclosed, and Microsoft lists exploitation as less likely. So, instead of trying to create panic, I’m going to keep a level head and say that this is a great reminder for all CSOs to make sure they know how AI is being used within their organization. Instead of worrying about a single CVE that we don’t really need to talk about, look at your organization’s AI policy, look at your tooling, and look at how your data is flowing. If you know that, you’re fine. If not, shadow AI might be the actual reason that you need to panic and that’s not a Patch Tuesday thing, that’s just an everyday thing.

Let’s agree to call this the month of no 0-days. I’m sure some people will try to call the two publicly disclosed vulnerabilities 0-days, but they’re wrong… and let’s just leave it at that. Instead, let’s talk about how even the publicly disclosed vulnerabilities are pretty much nothingburgers this month. We have CVE-2026-21262, which is a privilege escalation in SQL Server, but you have to already be an authenticated SQL user to exploit this. The other, CVE-2026-26127, is a .NET denial of service. Neither of these are very important. Neither of them should stress anybody out.

In total this month, we have 83 Microsoft CVEs and 10 non-Microsoft CVEs and I don’t see a lot of reasons for people to stress. The only CVE above an 8.8 is CVE-2026-21536, a 9.8 in Microsoft Devices Pricing Program, a vulnerability that is marked as no customer action required because it is already updated. The messaging this month should be, “Apply your patches after you finish your testing cycles.” There’s nothing that requires rushing patches, nothing that requires panic… this is just a nice, quiet Patch Tuesday (and I definitely won’t regret using the Q-word).

The only thing that people may want to pay close attention to is the Azure vulnerabilities. As I’ve mentioned before, the cloud ecosystem doesn’t really handle patching well… it’s a relatively immature process and the way that Microsoft handles these products really demonstrates that. The CVE impacting Azure Linux Virtual Machines (CVE-2026-23665) or the multiple CVEs impacting Azure IoT Explorer require pretty non-standard patching mechanisms and those may require a little additional effort from IT teams. CSOs should ensure that they have solid asset inventories around the deployment of cloud related systems and tools, so that admins know where these things exist and when they need to be fixed. This is the best way to empower your sys admins and security teams on a quiet month like this.

Threat Actors Abuse GitHub Notifications to Deliver Vishing Attacks 

Posted in Commentary with tags on March 9, 2026 by itnerd

The Fortra Intelligence and Research Experts (FIRE) team has uncovered a new phishing tactic that abuses legitimate GitHub notification emails to deliver vishing scams. The research shows how attackers are using trusted infrastructure to get malicious messages into inboxes.

Key findings:

  • Attackers hide vishing lures in GitHub commit messages, which generate legitimate notification emails from noreply@github.com.
  • Researchers say this is the first observed use of GitHub commit messages to distribute vishing scams.
  • Notifications are forwarded through Microsoft 365, helping the messages pass authentication checks and evade filters.
  • The lures impersonate brands such as PayPal and Norton and urge victims to call fake support numbers.
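Because these notifications come from GitHub's real sender and pass authentication checks, sender reputation and SPF/DKIM will not catch them; the detectable part is the lure content itself. The added example below (my own code for this page, not the FIRE team's detection) parses raw notification emails with Python's standard `email` module and flags a GitHub notification whose subject or body carries a callback phone number together with an impersonated brand or urgency language. Both sample messages are constructed (the phone number is in the reserved 555-01xx range, the repository and account names are placeholders), and the brand and urgency lists are assumptions seeded from the brands the report names.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List

# Constructed notification emails for this example; not samples from the Fortra report.
VISHING_SAMPLE = (
    "From: attacker-account <noreply@github.com>\r\n"
    "To: victim@example.invalid\r\n"
    "Subject: [attacker-account/billing] PayPal: your account was charged $499.99\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "\r\n"
    "PayPal Invoice #CONSTRUCTED\r\n"
    "A charge of $499.99 was made to your account. To cancel, call support immediately at 1-800-555-0199.\r\n"
    "--\r\n"
    "You are receiving this because you were mentioned.\r\n"
)
BENIGN_SAMPLE = (
    "From: example-org <noreply@github.com>\r\n"
    "To: dev@example.invalid\r\n"
    "Subject: [example-org/app] Run failed: CI - main (abc1234)\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "\r\n"
    "The workflow run 'CI' failed on main.\r\n"
    "View it at https://github.com/example-org/app/actions/runs/1\r\n"
)

# North American phone-number shapes; adjust for your region.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
# Assumption: brands and phrasing typical of callback scams. The report names PayPal and Norton;
# the rest are this example's additions and should be tuned to what you actually see.
IMPERSONATED_BRANDS = ("paypal", "norton", "mcafee", "geek squad", "amazon")
URGENCY_PHRASES = ("call", "immediately", "charged", "refund", "cancel", "within 24 hours")


def _body_text(msg: Message) -> str:
    """Collect the text/plain content of a message, whether or not it is multipart."""
    if msg.is_multipart():
        parts = []
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                raw = part.get_payload(decode=True) or b""
                parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
        return "\n".join(parts)
    raw = msg.get_payload(decode=True) or b""
    return raw.decode(msg.get_content_charset() or "utf-8", "replace")


def score_notification(raw_email: str) -> Dict[str, object]:
    """Flag a GitHub notification that carries a phone number plus a brand or urgency lure."""
    msg = message_from_string(raw_email)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    subject = msg.get("Subject", "")
    text = f"{subject}\n{_body_text(msg)}"
    lowered = text.lower()
    phones: List[str] = PHONE_RE.findall(text)
    brands = [b for b in IMPERSONATED_BRANDS if b in lowered]
    urgency = [u for u in URGENCY_PHRASES if u in lowered]
    from_github = sender.endswith("@github.com")
    # A genuine CI or review notification has no reason to ask anyone to phone a number.
    suspicious = from_github and bool(phones) and bool(brands or urgency)
    return {
        "sender": sender,
        "subject": subject,
        "from_github": from_github,
        "phones": phones,
        "brands": brands,
        "urgency": urgency,
        "suspicious": suspicious,
    }


def triage_mailbox(raw_emails: List[str]) -> List[Dict[str, object]]:
    """Return only the messages worth an analyst's time, in mailbox order."""
    return [r for r in (score_notification(e) for e in raw_emails) if r["suspicious"]]


if __name__ == "__main__":
    for hit in triage_mailbox([VISHING_SAMPLE, BENIGN_SAMPLE]):
        print("SUSPICIOUS:", hit["subject"], hit["phones"], hit["brands"])
```

The rule keys on the combination rather than on any one feature, so a legitimate notification that happens to mention a refund is not flagged; feeding it the raw `.eml` files from a mailbox export, or running it as a post-delivery mail-flow check, surfaces the lures for analyst review without blocking the GitHub sender outright.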

The report is published here: https://www.fortra.com/blog/threat-actors-abuse-github-notifications-to-deliver-vishing-attacks