Archive for Fortra

Advanced Fileless Malware Campaign Targets Large Enterprises with Five Layers of Obfuscation

Posted in Commentary with tags on July 16, 2026 by itnerd

Fortra Intelligence and Research Experts (FIRE) have uncovered a highly sophisticated fileless malware campaign that uses five layers of obfuscation to evade email, endpoint, and memory-based defenses. The campaign is targeting large enterprises, with techniques that significantly increase attacker dwell time, complicates investigations.

Victims are at risk of credential theft, data exfiltration, and ransomware deployment, which could lead to operational disruption, regulatory exposure, reputational damage and more. Unlike typical fileless threats, this attack also leaves virtually no disk artifacts, with the loader fragmenting its payload across hundreds of environment variables, useing uncommon CJK character encoding, and reconstructing a .NET payload entirely in memory.

The full analysis can be found here: https://www.fortra.com/blog/5-layers-obfuscation-sophisticated-fileless-malware-campaign

Fortra Recognized by U.S. News as a Best Company to Work For in Four Categories

Posted in Commentary with tags on June 30, 2026 by itnerd

Fortra has been named a 2026 U.S. News Best Company to Work For in four categories: Overall, Information Technology, Midwest, and Supporting Family Caregiving. The annual U.S. News Best Companies to Work For ratings recognize companies that best support employees’ day-to-day experience. For this year’s rankings, U.S. News evaluated nearly 1,100 privately held companies and nonprofits using publicly available data, including employee reviews, court records, financial strength, and governance information. Companies did not apply for consideration, submit data, or pay a fee to be evaluated. 

In the U.S. News evaluation, Fortra received perfect scores of 5 out of 5 for both work-life balance and flexibility, and physical and psychological safety. Additionally, the company was awarded strong scores for job and company stability, belongingness and esteem, and career opportunities and professional development. Together, they point to an environment in which employees are supported in their work, encouraged to grow, and given the flexibility to balance their professional and personal lives. 

Mirage2FA phish kit targeting M365 users with obfuscated HTML, stealing MFA codes 

Posted in Commentary with tags on June 25, 2026 by itnerd

Fortra Intelligence and Research Experts (FIRE) this morning published their analysis of Mirage2FA, a newly discovered Microsoft 365 phishing kit that tricks users into sharing login details and MFA codes. Targeted businesses could experience account takeover, fraudulent payment redirection, data theft, unauthorized access to sensitive documents, and more as a result of an attack.

Mirage2FA uses short-lived HTML smuggling and obfuscated Javascript-loaders in a single phishing workflow, helping it evade detection. It is yet another example of a growing number of phishing campaigns using multiple tactics to successfully bypass 2FA/MFA workflows.

Details here: https://www.fortra.com/blog/mirage2fa-obfuscated-html-loader-delivers-microsoft-365-mfa-phishing-kit

Threat Actors Targeting Orgs through Microsoft 365 Collaboration Features Says Fortra

Posted in Commentary with tags on June 22, 2026 by itnerd

Fortra Intelligence and Research Experts (FIRE) are tracking phishing activity embedded within Microsoft 365 collaboration features such as Outlook Groups, shared files, and calendars. Attackers are using these trusted workflows to introduce seemingly routine updates or meetings that lead users toward risky actions.

In the attacks, victims are targeted through repeated exposure. The user is not expected to take action with the initial email, but rather, see the tentative meeting, open the event, review the description, click a link, or open a referenced file, making it critical for security teams to monitor collaboration activity holistically. Organizations that fall victim could experience credential theft, data exposure, service disruption, and more. 

Read details from the FIRE team here: https://www.fortra.com/blog/phishing-through-collaboration

Active Phantom Stealer MaaS phishing campaign targeting financial institutions 

Posted in Commentary with tags on June 16, 2026 by itnerd

Fortra Intelligence and Research Experts (FIRE) are tracking an active phishing campaign delivering Phantom Stealer, a MaaS infostealer targeting financial organizations. The malware operates in-memory, evading traditional defenses while harvesting credentials, financial data, and browser session cookies.

Why it matters: a single compromised employee could enable access to customer data, internal systems, and lateral movement – potentially leading to large-scale fraud or ransomware.

The full report can be found here: https://www.fortra.com/blog/phishing-campaign-targets-banks-fileless-phantom-stealer-malware  

New CalPhishing Campaign tied to EvilTokens uses ConsentFix

Posted in Commentary with tags on May 14, 2026 by itnerd

Fortra Intelligence and Research Experts (FIRE) have identified a new phishing campaign that is expanding beyond traditional email, using calendar invites (.ics files) to introduce malicious content into trusted workflows. FIRE link the activity to the EvilTokens phishing kit, combining ConsentFix (device code phishing) with calendar‑based delivery to capture Microsoft session tokens through legitimate authentication prompts.

Most notable about this campaign is the shift in delivery and persistence: the calendar entry remains visible and active even if the original email is removed, extending the window for user interaction. If the attack is executed successfully, the impact can be significant. Compromised tokens can enable account takeover, unauthorized access to cloud systems, lateral movement, and follow‑on phishing or infrastructure disruption, particularly if privileged accounts are involved.

The full report was just published here: https://www.fortra.com/blog/new-calendar-invite-phishing-campaign-ics-abuse-and-post-delivery-persistence

May Patch Tuesday Commentary From Fortra

Posted in Commentary with tags on May 12, 2026 by itnerd

By Tyler Reguly, Associate Director, Security R&D, Fortra

Microsoft decided to welcome May with 137 vulnerabilities (not to mention the 128 Edge CVEs) and the content couldn’t be more varied. We have all the usual suspects as well as a few rarely seen items like Microsoft Data Formulator and Data Deduplication, which I don’t believe I’ve ever seen mentioned before. I think, this month, the interesting thing to talk about is the numbers. AI related vulnerabilities are hard to ignore this month with 7 CVEs referencing Copilot plus Azure AI Foundry appearing as well, that is sure to get some attention. There are also 13 vulnerabilities that Microsoft is reporting as ‘no customer action required’, This means that they’ve already been mitigated and/or resolved by Microsoft and they’re raising them for informational purposes. Finally, we have 14 vulnerabilities (some overlap exists with the other two counts) that are in cloud or cloud adjacent applications. Depending on how heavily you rely on the Azure ecosystem, you may have a lot of digging around to do this month.

Interestingly, the CVEs that stood out to me the most are in the no customer action required bucket. CVEs like CVE-2026-33109, a remote code execution vulnerability in Azure Managed Instances for Apache Cassandra, and CVE-2026-33823, Microsoft Team Events Portal Information Disclosure Vulnerability. Since these have been both resolved by Microsoft, there’s no action to take, otherwise these would be the CVEs that I’d be discussing this month.

If I were the CSO and looking at this patch drop, there would be two questions on my mind.

  1. Are we aware of all our uses of AI?
    1. ~6% of the CVEs this month were AI based and we know that number is only going to grow from here. What other instances of AI might be in use in your organization that are not backed by a company with a regular update schedule like Microsoft?
  2. Do we use Confluence or Jira with SSO Integration?
    1. CVE-2026-41103 is an elevation of privilege in the Microsoft SSO Plugin for both Confluence and Jira. This is common software, deployed at a lot of organizations, and I suspect that most organizations have it tied to their Microsoft SSO.
    2. The interesting thing here is that the individuals responsible for Confluence and Jira may not be the same individuals responsible for Microsoft products, so the crossover that this vulnerability entails may cause it to be entirely overlooked, so definitely stay on top of your teams with this one.

Fortra Pursues FedRAMP High Authorization for Data Classification Capabilities

Posted in Commentary with tags on May 7, 2026 by itnerd

Fortra today announced it is pursuing Federal Risk and Authorization Management Program (FedRAMP) High authorization for its data classification capabilities, which will further extend its support of U.S. public sector, federal, and defense organizations operating in critical cloud environments.

FedRAMP High, required for systems that process the government’s most sensitive unclassified data, is the U.S. government’s most stringent cloud security authorization. By pursuing this authorization, Fortra aims to enable secure discovery, classification, and movement of data across contested, classified, and disconnected operational environments.

Fortra is partnering with Coalfire, a leading cybersecurity advisory firm and accredited Third-Party Assessment Organization (3PAO), to support its FedRAMP High authorization activities. The effort includes significant internal investment in security engineering, compliance maturity, and operational rigor aligned with federal requirements.

Fortra’s commitment to FedRAMP demonstrates its broader strategy to deliver advanced security solutions to highly regulated and mission-driven sectors with integrated, resilient cybersecurity solutions.

Learn more at: https://www.fortra.com/industry/government

Fortra Launches Defense Tech Unit

Posted in Commentary with tags on April 16, 2026 by itnerd

Fortra today announced the launch of its new Defense and Intelligence Unit (DIU), a dedicated business focused on delivering advanced, integrated cyber capabilities to critical infrastructure, defense, intelligence, and national security organizations around the world. Building on its strong momentum in this space, the DIU will operate with its own leadership and a dedicated operating model.  

Leading the new unit is John Grancarich, appointed EVP, Head of Defense and Intelligence. Grancarich most recently served as Fortra’s Chief Strategy Officer, where over the past year he worked closely with elite operators, global partners, and senior mission leaders to assess emerging needs across the defense and intelligence ecosystem. These insights have informed the DIU’s design, vision, and strategy.  

The DIU will invest in several strategic areas, including:  

  • Unified data discovery, classification and protection compliant with advanced defense industry requirements  
  • Secure data movement across contested, classified, and disconnected networks  
  • AI-driven infrastructure testing and exposure assessments for high-risk‑ operational environments  
  • Mission-tailored architectures, including deployable and enclave-ready solutions  
  • Deep partnerships with global systems integrators, mission support organizations, and technology providers  
  • Cleared facilities and talent in North America and Europe  

The launch of the DIU marks a significant milestone in Fortra’s broader strategy to support regulated, high-risk, and mission-critical sectors. The unit will play an essential role in Fortra’s long-term growth while advancing global cyber resilience in partnership with allied nations and organizations.  

Learn more here: https://www.fortra.com/industry/government

April Patch Tuesday Commentary From Fortra

Posted in Commentary with tags on April 14, 2026 by itnerd

By Tyler Reguly, Associate Director, Security R&D, Fortra

With 165 Microsoft CVEs and another 82 non-Microsoft CVEs combining for a total of 247 CVEs, I can’t help but wonder who angered Microsoft this month. Here’s hoping that admins everywhere are well hydrated with snacks available because I feel like this mess will take a few days to fully detangle.

There are two vulnerabilities that Microsoft has called out as either exploited or disclosed. The first, CVE-2026-32201, is a spoofing vulnerability in Microsoft SharePoint that is seeing active exploitation. SharePoint can definitely be one of the harder systems to patch and maintain, so admins are going to want to pay close attention to this one. The second is CVE-2026-33825, an elevation of privilege vulnerability in Microsoft Defender, which Microsoft has listed as publicly disclosed. This appears to be the BlueHammer vulnerability that everyone was talking about, which Fortra has written about in detail.

Two things caught my attention this month.

The first is that there are 19 vulnerabilities listed as Exploitation More Likely. In the first quarter of the year, we saw 20 vulnerabilities listed as Exploitation More Likely and now, in a single month, we’re seeing only one less than that total. That is something to pay attention to, especially given the nature of the services affected.

The second is a pair of TCP/IP vulnerabilities. It is rare that you see a truly remote TCP/IP vulnerability these days and that’s exactly what CVE-2026-33827 is… unauthorized, network-based code execution against IPv6. The attack complexity is listed as high because the vulnerability is based on a race condition as well as “additional actions”, as Microsoft calls it, but it is still impressive to see these vulnerabilities identified in 2026.

Based on acknowledgements, the team that found the TCP/IP vulnerability, WARP & MORSE team at Microsoft, also found this month’s only CVSS 9.8 vulnerability. Microsoft has labeled it as Exploitation Less Likely, but it is the infamous network remote code execution vulnerability. In this case, Internet Key Exchange (IKE) v2 is impacted and a remote attacker could trigger remote code execution. Importantly here, we’re not talking about the fake remote code execution that Microsoft uses for Office documents and similar, we’re talking about a legitimate, over the network remote code execution.

For CISOs this month, I’d be more worried about the sheer quantity of items that admins are having to review. There are a lot of CVEs and a lot of one-offs that we don’t normally see. While Windows update and automatic updates for some applications will take care of a lot of the heavy lifting here, there’s still testing that is required before deploying updates this large. Additionally, with the likes of .NET, SharePoint, and SQL Server, there’s always the potential for difficult patches and/or version incompatibility that may crop up during testing.

Patience is going to be a keyword this month, followed very quickly by resourcing. Massive patch drops like this and the conversation around next-gen LLMs means that we need to be aware of the pressure on our teams and the amount of work they are expected to complete. If you still see your security teams as a cost centre, it is time to start rethinking that and looking at the value they bring to protecting your data and your systems. Large patch drops mean that you really need to review your teams to ensure they are adequately resourced.