// Service

Microsoft 365

Microsoft 365 / Entra ID productivity and identity suite (Outlook, Teams, SharePoint).

// Alerts

Recent threats

Active social engineering campaign targets Microsoft Teams users via fake IT support calls. Threat actors impersonate helpdesk personnel using external Teams accounts to convince victims to enable screen sharing and install legitimate remote access tools. Attackers then deploy malicious MSI installers that fetch Node.js and execute EtherRAT, a cross-platform remote access trojan capable of command execution, data exfiltration, and persistence. EtherRAT uses Ethereum smart contracts to fetch C2 addresses, complicating remediation. Campaign publicly documented by Palo Alto Networks Unit 42 as of July 2026.

CVE-2026-45504 is a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server 2019 that allows authenticated low-privileged users to read arbitrary files via improper URL validation in the OneDriveProUtilities component. The flaw stems from unsafe handling of user-controlled input in WOPI (Web Application Open Platform Interface) URL processing, enabling attackers to chain the vulnerability through malicious attachment references to access sensitive files such as configuration data and credentials. A proof-of-concept exploit has been publicly released.

CVE-2026-45659, a high-severity remote code execution vulnerability in Microsoft SharePoint Server, was added to CISA's Known Exploited Vulnerabilities catalog on July 1, 2026, following confirmed active exploitation. The flaw stems from improper deserialization of untrusted data and affects SharePoint Server Subscription Edition, 2019, and Enterprise Server 2016 (patched May 2026). Authenticated attackers with minimum Site Member permissions can execute arbitrary code on vulnerable systems; the threat group and exploitation details remain unknown. CISA mandates that U.S. federal agencies patch by July 4, 2026.

CVE-2026-33825 (BlueHammer), a privilege escalation vulnerability in Microsoft Defender, is actively exploited in ransomware campaigns. The flaw was disclosed April 2 and patched April 14, 2026. CISA's Known Exploited Vulnerabilities catalog was recently updated to confirm ransomware activity. The vulnerability requires authenticated access but enables attackers to escalate privileges, disable defenses, and move laterally within compromised environments.

CVE-2025-49715 is an unauthenticated information disclosure vulnerability in Microsoft Dynamics 365 FastTrack Implementation Assets that exposes personally identifiable information (PII) to remote attackers with no authentication required. The vulnerability affects widely-used implementation templates and configuration scripts that organizations often deploy directly to production. Microsoft's MSRC advisory contains conflicting CVE identifiers (CVE-2025-49715 vs CVE-2025-55238), potentially delaying remediation efforts. Organizations should apply patches immediately and rotate any exposed credentials.

Active password spray campaign targeting Azure CLI is compromising Microsoft 365 user accounts. Between June 12-21, attackers made over 81 million login attempts originating from systems associated with LSHIY hosting provider, successfully compromising at least 78 user accounts across 64 organizations. Attackers rely on compromised password combo lists and are increasing credential spray attack volumes across Microsoft 365 environments.

CVE-2025-60727, an out-of-bounds read vulnerability in Microsoft 365 Apps Excel parser, allows remote code execution via malicious Excel files. The flaw affects Microsoft 365 Apps, Excel 2016, Office 2019, Office LTSC 2021 and 2024, and Office Online Server. Exploitation requires user interaction but can lead to arbitrary code execution with victim privileges, enabling credential harvesting and lateral movement. Microsoft has released security updates and organizations should prioritize patching.

FBI warned of active Kali365 phishing campaign targeting Microsoft 365 users since April 2026. The platform leverages Microsoft's legitimate device code sign-in process to bypass passwords and multi-factor authentication, capturing OAuth tokens to gain unauthorized access to Outlook, Teams, and OneDrive accounts. Campaign distributed via Telegram with AI-generated phishing templates.

Microsoft Threat Intelligence disclosed an active campaign since April 2026 using 'authentication laundering' to bypass email security filters on hotels across Europe and Asia. Attackers register legitimate SaaS accounts (Calendly, GitHub, Jira) and route phishing emails through their trusted infrastructure to pass SPF, DKIM, and DMARC checks. Hotel employees receive messages with archives containing Windows shortcuts that execute PowerShell, deploy a signed Node.js runtime, and drop a memory-only JavaScript implant establishing persistence via registry run keys and Defender exclusions. Compromised front-desk workstations gain access to property management systems and guest databases.

Microsoft DART disclosed an active campaign by threat group Storm-2603 targeting unpatched on-premises SharePoint servers. The group exploits CVE-2025-49706, CVE-2025-49704, and CVE-2025-11371 to gain initial access, then deploys ransomware, establishes persistent backdoors via Cloudflare tunnels and Zoho Assist, and exfiltrates Active Directory credentials. A second unnamed actor was also present in parallel, using DLL sideloading to maintain access. Organizations are advised to prioritize patching SharePoint servers and implement strict identity controls.

Varonis disclosed SearchLeak (CVE-2026-42824), a three-stage vulnerability chain in Microsoft 365 Copilot Enterprise combining parameter-to-prompt injection, HTML rendering race conditions, and CSP bypass via Bing SSRF. The flaw enables one-click exfiltration of emails, MFA codes, calendar items, SharePoint and OneDrive files. Microsoft assigned critical severity and patched the issue.

Public proof-of-concept exploit released for CVE-2026-45504, a server-side request forgery vulnerability in Microsoft Exchange Server 2016 and 2019 that enables privilege escalation via arbitrary file reads. The flaw allows authenticated attackers with low privileges to exfiltrate sensitive files, credentials, and configuration data from on-premises Exchange deployments. Microsoft released patches on June 9, 2026; unpatched systems face significant risk as functional exploit code is now publicly available.

Microsoft acknowledged CVE-2026-50656 (RoguePlanet), a zero-day elevation-of-privilege flaw in Microsoft Defender that exploits a race condition to spawn a command shell with SYSTEM privileges. Public proof-of-concept code released by Nightmare Eclipse on June 16, 2026. Affects fully patched Windows 10 and Windows 11 devices. Microsoft is working on a high-quality patch but has not announced a timeline; no wild exploitation detected yet.

The FBI issued a warning about Kali365, a phishing-as-a-service platform sold on Telegram for $250 monthly that targets Microsoft 365 users including Outlook, Teams, and OneDrive. The platform bypasses multi-factor authentication by tricking users into entering authentication codes themselves, granting attackers full account access.

Microsoft patched CVE-2026-42824 (SearchLeak), a critical vulnerability in Microsoft 365 Copilot Enterprise that allowed attackers to craft a malicious link to steal emails, documents, and meeting details from victims with a single click. The attack chained three separate bugs to exfiltrate data without user awareness. Microsoft applied the fix automatically at the beginning of June 2026.

Microsoft's Azure repositories were compromised by the Miasma worm, resulting in 73 package repositories being automatically disabled by GitHub. The attack originated from the previously compromised Microsoft Durabletask package in May 2026, which was used to distribute infected packages via PyPI. Credentials stolen during the initial attack may not have been properly revoked, enabling the continued compromise. The Durabletask package had over 400,000 monthly downloads, indicating potential downstream impact to organizations depending on these packages.

Microsoft disclosed CVE-2026-42835, an information disclosure vulnerability in Microsoft Teams for Android rated Important. The flaw allows authenticated attackers to read sensitive heap memory contents including authentication tokens via improper neutralization of special elements (CWE-74). Microsoft released a security update on June 9, 2026, available through the Google Play Store. No active exploitation has been observed.

Researcher Nightmare Eclipse publicly released RoguePlanet, a proof-of-concept exploit for a previously undisclosed race condition (TOCTOU) vulnerability in Microsoft Windows Defender on June 10, 2026. The exploit allows local privilege escalation to SYSTEM level and has been confirmed working on fully patched Windows 10, Windows 11, and Windows Server systems. This zero-day disclosure came hours after Microsoft's record Patch Tuesday release and represents the latest in a series of Defender-targeting exploits from the same researcher since April 2026.

Microsoft has patched CVE-2026-42897, a high-severity actively exploited cross-site scripting (XSS) vulnerability in Exchange Server 2016, 2019, and Subscription Edition. The flaw allows remote attackers with no privileges to execute arbitrary JavaScript in Outlook Web Access by sending specially crafted emails. Microsoft deployed automatic temporary mitigations via the Exchange Emergency Mitigation Service in mid-May and released fixes in June 2026 Patch Tuesday.

Microsoft released a record-breaking Patch Tuesday on June 9, 2026, addressing 208 CVEs across Windows, Office, Azure, Exchange, and related products, with one actively exploited zero-day (CVE-2026-41091 in Microsoft Defender). Critical vulnerabilities include remote code execution flaws in Windows kernel and HTTP.sys, requiring immediate patching across enterprises relying on Microsoft infrastructure.

Microsoft disclosed CVE-2026-45472, a critical remote code execution vulnerability in Office for Mac (including Microsoft 365 for Mac, Office LTSC 2021, and 2024) with no patch available as of June 9, 2026. The vulnerability allows attackers to execute arbitrary code via malicious Office files that can be triggered through Finder Quick Look preview without opening the file. A proof-of-concept exploit and active exploitation attempts have been observed in the wild.

Microsoft disclosed CVE-2026-45497, a remote code execution vulnerability (CVSS 7.7) in Microsoft 365 Copilot caused by command injection that could allow scope escalation within the Microsoft 365 environment. Microsoft fixed the vulnerability server-side on June 4, 2026, before public disclosure as part of its Early Security Updates. No customer patching is required; however, organizations should review identity and access logs for suspicious activity.

A debug flag (setIsDebugMode) left enabled in production code across Microsoft 365 Android apps allowed any co-installed application to silently steal Microsoft account tokens without user interaction. The vulnerability, dubbed FlagLeft, affected Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote apps, potentially exposing billions of Android users to account takeover. Microsoft patched all affected apps in May 2026 with CVE-2026-41100, CVE-2026-41101, and CVE-2026-41102 assigned.

Security researcher Ammar Askar disclosed a vulnerability in Visual Studio Code's github.dev feature that allows attackers to steal GitHub OAuth tokens via malicious workspace extensions, granting access to public and private repositories. Askar published a proof-of-concept exploit within an hour, bypassing coordinated disclosure due to frustration with Microsoft's vulnerability handling process.

An anonymous security researcher known as Nightmare-Eclipse has publicly released multiple proof-of-concept exploit tools targeting Microsoft Windows Defender without coordinated disclosure, beginning April 2, 2026. Three tools are documented: BlueHammer (CVE-2026-33825), a TOCTOU race condition enabling SYSTEM-level privilege escalation that was patched in April 2026 Patch Tuesday and added to CISA's Known Exploited Vulnerabilities catalog; RedSun (CVE-2026-41091), which abuses Defender's cloud file rollback mechanism to execute attacker-planted binaries as SYSTEM; and UnDefend, which silently disables Defender's signature update pipeline. Huntress Labs confirmed active exploitation of all three tools as early as April 10, 2026, with threat actors observed deploying them under disguised filenames after gaining initial access via compromised FortiGate VPN credentials. Microsoft publicly condemned the uncoordinated disclosures on May 27, 2026, stating they put "customers at unnecessary risk" and noted that six total vulnerabilities across Defender and BitLocker were disclosed without prior notice. RedSun and UnDefend remain unpatched as of May 28, 2026, and the researcher has announced a further major disclosure targeting July 14, 2026.

Microsoft has released patches for CVE-2026-45659, a high-severity remote code execution vulnerability in SharePoint Server caused by deserialization of untrusted data. The flaw carries a CVSS score of 8.8 and affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Exploitation requires an authenticated session but no user interaction, and Microsoft rates the attack complexity as low, meaning a payload can be reused reliably against vulnerable instances. Microsoft assesses exploitation as less likely and no public proof-of-concept is available, but on-prem SharePoint servers have repeatedly been targeted by nation-state actors, ransomware operators, and initial access brokers. Fixes are available in builds 16.0.19725.20280 (Subscription Edition), 16.0.10417.20128 (2019), and 16.0.5552.1002 (2016), and administrators are advised to apply them promptly.

The FBI has issued an advisory regarding Kali365, a Telegram-based phishing-as-a-service platform first observed in April 2026 that targets Microsoft 365 accounts. According to the advisory, Kali365 enables cybercriminals to capture OAuth tokens and establish persistent access to Microsoft 365 tenants without stealing passwords or bypassing multi-factor authentication. The token-theft technique sidesteps common identity protections, allowing intruders to maintain access even after password resets. Organizations using Microsoft 365 are advised to review OAuth application consents, monitor for anomalous token use, and revoke suspicious sessions.

Microsoft has confirmed active exploitation of two Microsoft Defender vulnerabilities, CVE-2026-41091 and CVE-2026-45498, and CISA added both to its Known Exploited Vulnerabilities catalog on May 20, 2026. CVE-2026-41091 is a local privilege escalation in the Microsoft Malware Protection Engine that can yield SYSTEM privileges due to improper link resolution, while CVE-2026-45498 is a denial-of-service flaw in the Microsoft Defender Antimalware Platform that can disable protection. Fixes are delivered in Malware Protection Engine v1.1.26040.8 and Antimalware Platform v4.18.26040.7, which roll out automatically under default configurations. Reporting links the exploitation wave to proof-of-concept code published by a researcher using the handle Nightmare Eclipse, with Huntress observing an attacker chaining the BlueHammer, RedSun, and UnDefend exploits. CISA's KEV listing requires US federal civilian agencies to apply patches or remove the product by June 3, 2026.

Microsoft has disclosed CVE-2026-45585, a BitLocker security feature bypass nicknamed YellowKey that affects Windows 11, Windows Server 2022 and Windows Server 2025. The flaw resides in the Windows Recovery Environment, where a malicious autofstx.exe entry in the BootExecute registry value allows an attacker with physical access to circumvent BitLocker full-disk encryption without user credentials or recovery keys. A proof-of-concept exploit was published on May 19, 2026 by researcher Nightmare-Eclipse and has been independently confirmed to work, and Microsoft rates exploitation as more likely though no in-the-wild abuse has been reported. No official patch is available yet; Microsoft has issued manual mitigations involving removing the vulnerable entry from the mounted WinRE image and re-establishing BitLocker trust, or alternatively adding a TPM+PIN protector. Administrators of Windows 11 and Server 2022/2025 endpoints, especially mobile or easily-stolen devices, should apply the WinRE remediation and enforce TPM+PIN ahead of a formal fix.