
Industry Category

Legal Services

Breach intelligence, attack campaigns, and threat reports targeting the Legal Services sector.

132 threat reports
Page 1 of 11

Legal Services Threat Reports

Showing 112 / 132 reports
INC Ransomware's 2026 Surge: A Growing Threat to Sensitive Sectors
Impact: CRITICAL

In early 2026, the INC ransomware group, a ransomware-as-a-service (RaaS) operation active since mid-2023, intensified its attacks across various sectors, notably healthcare, education, and government entities. Utilizing double extortion tactics, INC affiliates gained initial access through spear-phishing campaigns and exploitation of vulnerabilities in external services. Once inside, they conducted internal reconnaissance using tools like NETSCAN.EXE and AnyDesk.exe, exfiltrated sensitive data, and deployed ransomware to encrypt systems, pressuring victims into paying ransoms to prevent data leaks. ([explore.ontolocy.com](https://explore.ontolocy.com/intel/intrusion-sets/inc-ransomware-group/?utm_source=openai)) This surge in INC's activities underscores the evolving ransomware landscape, where groups leverage RaaS models to scale operations rapidly. The focus on sectors with sensitive data highlights the critical need for organizations to bolster defenses against such multifaceted threats.

1 week ago

Kill Chain: Initial Compromise (high), Privilege Escalation (high), Lateral Movement (high), Command & Control (high), Exfiltration (high), Impact (high)

Understanding the 'SearchLeak' Vulnerability in Microsoft 365 Copilot (CVE-2026-42824)
Impact: HIGH

In June 2026, a critical vulnerability known as 'SearchLeak' (CVE-2026-42824) was discovered in Microsoft 365 Copilot. This flaw allowed attackers to craft malicious links that, when accessed by a user, could exfiltrate sensitive data such as emails, meeting notes, and documents from OneDrive and SharePoint. The attack exploited a parameter-to-prompt injection (P2P) technique, enabling unauthorized data disclosure over the network. Microsoft promptly addressed the issue by releasing a patch to mitigate the vulnerability. The 'SearchLeak' incident underscores the evolving nature of AI-driven cyber threats, particularly those targeting large language model (LLM) systems integrated into enterprise environments. It highlights the necessity for organizations to implement robust security measures, including prompt isolation and output sanitization, to protect against sophisticated prompt-injection attacks.

1 week ago

Kill Chain: Initial Compromise (high), Privilege Escalation (medium), Lateral Movement (low), Command & Control (high), Exfiltration (high), Impact (medium)

EvilTokens: The Phishing Service That Bypasses MFA Without Stealing Passwords
Impact: HIGH

In early 2026, the EvilTokens Phishing-as-a-Service platform emerged, exploiting the OAuth 2.0 device authorization grant flow to compromise over 340 Microsoft 365 organizations across multiple countries within five weeks. This method bypasses traditional password theft by tricking users into completing legitimate multi-factor authentication (MFA) processes on genuine Microsoft login pages, thereby granting attackers access tokens without raising typical security alarms. The attackers then gain persistent access to corporate emails, files, and other sensitive resources, facilitating data exfiltration and business email compromise (BEC) attacks. This incident underscores the evolving sophistication of phishing techniques that render conventional MFA defenses insufficient. Organizations must reassess their security protocols to address these advanced threats, emphasizing the need for continuous monitoring and user education on emerging phishing tactics.

1 week ago

Kill Chain: Initial Compromise (high), Privilege Escalation (high), Lateral Movement (medium), Command & Control (high), Exfiltration (high), Impact (high)

Microsoft 365 Copilot 'SearchLeak' Vulnerability (CVE-2026-42824) Exposes Sensitive Data
Impact: HIGH

In June 2026, a critical vulnerability chain known as 'SearchLeak' was discovered in Microsoft 365 Copilot Enterprise, identified as CVE-2026-42824. This exploit allowed attackers to steal sensitive data from users' mailboxes, OneDrive, and SharePoint accounts through specially crafted URLs. The attack combined a parameter-to-prompt injection, an HTML rendering race condition, and a content-security-policy bypass enabled by Bing server-side request forgery. Microsoft addressed this vulnerability at the beginning of June 2026, assigning it a critical severity rating. The 'SearchLeak' incident underscores the evolving nature of cyber threats targeting AI-integrated enterprise tools. It highlights the necessity for organizations to implement robust security measures, conduct regular vulnerability assessments, and stay informed about emerging attack vectors to protect sensitive data effectively.

1 week ago

Kill Chain: Initial Compromise (high), Privilege Escalation (high), Lateral Movement (medium), Command & Control (high), Exfiltration (high), Impact (medium)

Microsoft 365 Copilot 'SearchLeak' Vulnerability Exposes Sensitive Data
Impact: HIGH

In June 2026, Varonis Threat Labs identified a critical vulnerability in Microsoft 365 Copilot, termed 'SearchLeak'. This flaw allowed attackers to craft a single-click link that, when accessed by a user, could exfiltrate sensitive data such as emails, calendar details, and indexed files without any further interaction. The attack exploited a combination of AI prompt injection and web vulnerabilities, enabling unauthorized access to a user's Microsoft Graph data. Microsoft assigned CVE-2026-42824 to this issue and has since mitigated the flaw on its backend, with no known exploitation in the wild. This incident underscores the evolving nature of cyber threats targeting AI-integrated platforms. As organizations increasingly adopt AI-driven tools, it is imperative to implement robust security measures to prevent similar vulnerabilities. Continuous monitoring and prompt patching are essential to safeguard sensitive information against emerging attack vectors.

1 week ago

Kill Chain: Initial Compromise (high), Privilege Escalation (high), Lateral Movement (medium), Command & Control (high), Exfiltration (high), Impact (medium)

Unveiling App.MenuItem: A New Forensic Artifact in macOS Tahoe 26
Impact: LOW

In June 2026, researchers identified a new artifact in macOS Tahoe 26, named App.MenuItem, which logs specific menu selections made by users across the operating system. This artifact provides a detailed record of user actions, such as compressing files or emptying the trash, offering critical context for forensic investigations. Located at ~/Library/Biome/streams/restricted/App.MenuItem/local, the artifact contains SEGB-encapsulated protobuf entries that require specific tools to parse. ([unit42.paloaltonetworks.com](https://unit42.paloaltonetworks.com/new-macos-artifact-discovered/?_wpnonce=c8aaaf1bea&lg=en&pdf=download&utm_source=openai)) The discovery of App.MenuItem is significant for digital forensics, as it allows examiners to reconstruct user workflows with greater precision. By capturing exact menu choices and timestamps, investigators can gain insights into user intent and actions, enhancing the accuracy of forensic analyses. ([unit42.paloaltonetworks.com](https://unit42.paloaltonetworks.com/new-macos-artifact-discovered/?_wpnonce=c8aaaf1bea&lg=en&pdf=download&utm_source=openai))

1 week ago

Kill Chain: Initial Compromise (high), Privilege Escalation (high), Lateral Movement (medium), Command & Control (medium), Exfiltration (high), Impact (medium)

Coupang Data Breach 2025: A Wake-Up Call for E-Commerce Security
Impact: CRITICAL

In June 2025, Coupang, South Korea's leading e-commerce platform, experienced a significant data breach that went undetected until November 2025. The breach compromised personal information of approximately 37.55 million customers, including names, email addresses, phone numbers, delivery addresses, and order histories. Investigations revealed that the breach resulted from inadequate security practices, such as poor authentication key management and insufficient access controls. This incident underscores the critical importance of robust cybersecurity measures in protecting sensitive customer data. The substantial fine imposed by South Korean authorities highlights the growing regulatory focus on data protection and the severe consequences of security lapses for organizations handling large volumes of personal information.

2 weeks ago

Kill Chain: Initial Compromise (high), Privilege Escalation (medium), Lateral Movement (medium), Command & Control (low), Exfiltration (high), Impact (high)

FROST Attack: A New Threat to User Privacy via SSD Timing
Impact: MEDIUM

In June 2026, researchers from Graz University of Technology unveiled a novel side-channel attack named FROST (Fingerprinting Remotely using OPFS-based SSD Timing). This attack enables malicious websites to infer users' browsing habits and application usage by exploiting SSD access time variations through JavaScript, without requiring native code execution or user permissions. By leveraging the Origin Private File System (OPFS) API, attackers can create large files that induce measurable SSD latency changes when other applications or websites are accessed, allowing them to identify specific user activities with high accuracy. ([tugraz.elsevierpure.com](https://tugraz.elsevierpure.com/de/publications/frost-fingerprinting-remotely-using-opfs-based-ssd-timing/?utm_source=openai)) The FROST attack underscores the evolving landscape of web-based privacy threats, highlighting the potential for sophisticated side-channel attacks that operate entirely within the browser environment. As web applications become more complex and integrated with local system resources, the need for robust security measures to mitigate such vulnerabilities becomes increasingly critical.

2 weeks ago

Kill Chain: Initial Compromise (high), Privilege Escalation (high), Lateral Movement (high), Command & Control (high), Exfiltration (high), Impact (high)

UNC3753's 2026 Data Theft Campaign: A Blend of Vishing and Physical Intrusions
Impact: HIGH

Between January and May 2026, the threat actor UNC3753, also known as Chatty Spider, Luna Moth, and Silent Ransom Group (SRG), targeted numerous U.S. organizations in the professional, legal, and financial sectors. Utilizing voice phishing (vishing) and social engineering tactics, they impersonated IT support to gain remote access via screen-sharing sessions and remote monitoring tools. In some cases, attackers physically infiltrated offices, posing as IT technicians to exfiltrate data using USB devices. Stolen information included proprietary legal agreements, personally identifiable information (PII), and financial records. The group rapidly demanded ransoms, threatening to publish the stolen data if payments were not made promptly. This incident underscores the evolving tactics of cybercriminals, combining traditional social engineering with physical intrusion methods. The rapid execution of these attacks, often completed within a single business day, highlights the need for organizations to enhance their security awareness training and implement robust verification processes for IT support interactions.

2 weeks ago

Kill Chain: Initial Compromise (high), Privilege Escalation (high), Lateral Movement (high), Command & Control (high), Exfiltration (high), Impact (high)

UNC5221's Prolonged Cyber-Espionage via Brickstorm Malware
Impact: CRITICAL

In June 2026, the Chinese state-sponsored group UNC5221, also known as VerdantBamboo, was found to have infiltrated U.S. organizations using the Brickstorm backdoor and newly identified malware variants, Plenet and AgentPSD. The attackers maintained undetected access for over 18 months, compromising Microsoft 365 environments and managed service providers. Their tactics included exploiting zero-day vulnerabilities in edge devices and deploying advanced malware implants written in Golang and Rust. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/chinese-apt-deploys-new-malware-to-keep-access-to-hacked-networks/amp/?utm_source=openai)) This incident underscores the evolving sophistication of state-sponsored cyber-espionage campaigns, highlighting the need for organizations to enhance their detection capabilities, particularly in monitoring network appliances and implementing robust access controls to prevent prolonged unauthorized access.

2 weeks ago

Kill Chain: Initial Compromise (high), Privilege Escalation (high), Lateral Movement (high), Command & Control (high), Exfiltration (high), Impact (high)

Microsoft 365 Android Apps Vulnerability Exposes User Tokens
Impact: MEDIUM

In June 2026, a significant security vulnerability was discovered in several Microsoft 365 Android applications, including Word, Excel, PowerPoint, OneNote, Loop, and Microsoft 365 Copilot. Researchers at Enclave identified that a debug setting, intended for testing purposes, was inadvertently left enabled in production versions of these apps. This oversight disabled critical security controls, allowing any app on the same device to request and receive Microsoft authentication tokens without proper authorization checks. Consequently, malicious applications could gain unauthorized access to user accounts, potentially compromising emails, files, and other sensitive data. Microsoft promptly addressed the issue by releasing updates and assigning CVEs such as CVE-2026-41100, CVE-2026-41101, CVE-2026-41102, and CVE-2026-42832 to track the vulnerabilities. This incident underscores the critical importance of rigorous security practices in software development, particularly in managing authentication tokens. The exposure highlights the potential risks associated with residual debug settings in production environments, emphasizing the need for comprehensive code reviews and security audits to prevent similar vulnerabilities in the future.

3 weeks ago

Kill Chain: Initial Compromise (high), Privilege Escalation (high), Lateral Movement (high), Command & Control (medium), Exfiltration (high), Impact (medium)

Critical Vulnerability in Microsoft 365 Android Apps Exposes User Tokens
Impact: MEDIUM

In May 2026, a critical vulnerability was discovered in several Microsoft 365 Android applications, including Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote. A development flag, 'IsDebugMode', was inadvertently left enabled in production builds, disabling the security check that restricts account-token sharing to trusted Microsoft apps. This oversight allowed any app on the same device to request and obtain the signed-in user's Microsoft account tokens without requiring a password, login screen, or permission prompt. Consequently, unauthorized applications could access emails, files, calendars, and send messages as the user, posing significant security risks. ([securityweek.com](https://www.securityweek.com/exclusive-how-one-line-of-code-put-billions-of-microsoft-android-app-downloads-at-risk/amp/?utm_source=openai)) This incident underscores the critical importance of rigorous security checks in the software development lifecycle, especially in mobile applications that handle sensitive user data. The ease with which a single misconfiguration can lead to widespread security breaches highlights the need for continuous monitoring and auditing of application settings. Organizations must prioritize updating affected applications and implementing robust security practices to prevent similar vulnerabilities in the future.

3 weeks ago

Kill Chain: Initial Compromise (high), Privilege Escalation (high), Lateral Movement (medium), Command & Control (medium), Exfiltration (high), Impact (high)