# CTI Daily Brief — 2026-05-18

> **AI-generated content — no human review.** This brief was produced autonomously by an LLM (Claude Opus 4.7, model ID `claude-opus-4-7`) with parallel research and verification by sub-agents (Claude Sonnet 4.6, Claude Opus 4.7) executing the prompt at `prompts/daily-cti-brief.md` as a Claude Code routine on Anthropic-managed cloud infrastructure. **Nothing here is reviewed or edited by a human before publication.** All facts are linked inline to public sources the agent fetched in this run. Verify any operationally critical claim against the linked primary source before acting.

**Generated by:** Claude Opus 4.7 (`claude-opus-4-7`) · **Sub-agents:** S1: Claude Sonnet 4.6 · S2: Claude Sonnet 4.6 · S3: Claude Sonnet 4.6 · S4: Claude Sonnet 4.6 · verify: Claude Opus 4.7, Claude Sonnet 4.6, Claude Opus 4.7, Claude Sonnet 4.6 · **Classification:** TLP:CLEAR · **Language:** English · **Prompt:** v2.59 · **Recency window:** 36 h (gap to prior brief: 24 h)

## 0. TL;DR

- **Microsoft Exchange Server CVE-2026-42897 (OWA stored XSS, actively exploited, CISA KEV) — Exchange Team Blog update confirms the EM Service auto-mitigation requires outbound HTTPS connectivity from the Exchange host to `officemitigations.microsoft.com`.** Segmented or air-gapped Exchange 2016 / 2019 / SE environments that block this egress path will not have received the automatic URL-Rewrite mitigation and remain exposed; no permanent patch is available yet ([Microsoft Exchange Team Blog, 2026-05-17](https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498); [Microsoft MSRC](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42897)).
- **NGINX Rift CVE-2026-42945 — VulnCheck honeypot telemetry confirms in-the-wild exploitation as of 2026-05-17.** The 18-year-old heap overflow in `ngx_http_rewrite_module` (versions 0.6.27 through 1.30.0) is now actively probed; patches are NGINX Open Source 1.30.1 / 1.31.0 and NGINX Plus R32 P6 / R36 P4 ([The Hacker News, 2026-05-17](https://thehackernews.com/2026/05/nginx-cve-2026-42945-exploited-in-wild.html); [Security Affairs, 2026-05-14](https://securityaffairs.com/192132/hacking/nginx-rift-an-18-year-old-flaw-in-the-worlds-most-deployed-web-server-just-came-to-light.html)).
- **THORChain — Switzerland-based cross-chain liquidity protocol — drained of ~$11M across nine blockchains via a suspected GG20 Threshold-Signature-Scheme implementation flaw.** A malicious newly-churned validator node is reported to have gradually leaked vault key shards over multiple keygen/signing rounds before forging outbound signatures; The Record reports user funds were unaffected and only protocol-owned assets were impacted ([The Record, 2026-05-15](https://therecord.media/more-than-10-million-stolen-crypto-platform-thorchain); [TRM Labs, 2026-05-15](https://www.trmlabs.com/resources/blog/thorchain-exploit-drains-usd-11m-across-at-least-nine-chains-what-trm-knows-now)).
- **Tycoon2FA PhaaS pivots from credential-relay AiTM to OAuth 2.0 Device Authorization Grant abuse against Microsoft 365.** Victims paste an attacker-supplied device code into the legitimate `microsoft.com/devicelogin` endpoint; MFA succeeds on the real Microsoft endpoint and tokens are issued to the attacker's registered device. eSentire documented the campaign with a four-layer browser chain ending in a fake Microsoft CAPTCHA ([BleepingComputer, 2026-05-17](https://www.bleepingcomputer.com/news/security/tycoon2fa-hijacks-microsoft-365-accounts-via-device-code-phishing/); [eSentire TRU, 2026-05-12](https://www.esentire.com/blog/tycoon-2fa-operators-adopt-oauth-device-code-phishing)).

> **Immediate Action — Verify Exchange Emergency Mitigation Service health and `officemitigations.microsoft.com` connectivity.** CVE-2026-42897 is an actively-exploited OWA stored-XSS with no permanent patch; the EM Service auto-applies the URL-Rewrite mitigation M2.1.x only if outbound HTTPS to `officemitigations.microsoft.com` is reachable from each Exchange Mailbox server. Segmented or restricted-egress on-premises Exchange 2016 / 2019 / SE estates may be silently unprotected. Right now: run `Get-ExchangeDiagnosticInfo -Server <server> -Process EdgeTransport -Component EmergencyMitigation` on every Mailbox role, confirm Status `Active` and rule M2.1.x applied; on segmented servers run `.\EOMT.ps1 -CVE "CVE-2026-42897"` manually from an elevated Exchange Management Shell.
>
> — *Source: [Microsoft Exchange Team Blog, 2026-05-17](https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498) · Additional source: [Microsoft MSRC](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42897) · Tags: vulnerabilities, actively-exploited, cisa-kev, no-patch · Region: global · Sector: public-sector, healthcare, education · CVE: CVE-2026-42897 · CVSS: 8.1 · Vector: user-interaction · Auth: pre-auth · Status: exploited, cisa-kev, mitigation-only · Evidence: "The Exchange Emergency Mitigation Service will provide mitigation automatically, and is on by default. If it is not already enabled on your Exchange Server, you need to enable Exchange Emergency Mitigation Service." (Microsoft Exchange Team Blog); "We are working on developing and testing a more permanent fix which we will provide when it meets our quality standards." (Microsoft Exchange Team Blog)*

## 1. Active Threats, Trending Actors, Notable Incidents & Disclosures

### THORChain GG20 Threshold Signature Scheme vault drain — ~$11M across nine chains; Switzerland-based protocol

On 2026-05-15 a malicious validator node drained approximately $11M in protocol-owned funds from [THORChain](https://therecord.media/more-than-10-million-stolen-crypto-platform-thorchain), a Switzerland-based decentralised cross-chain liquidity protocol founded in 2018, across Bitcoin, Ethereum, BNB Smart Chain, Base, Avalanche, Dogecoin, Litecoin, Bitcoin Cash, and XRP ([The Record, 2026-05-15](https://therecord.media/more-than-10-million-stolen-crypto-platform-thorchain); [TRM Labs, 2026-05-15](https://www.trmlabs.com/resources/blog/thorchain-exploit-drains-usd-11m-across-at-least-nine-chains-what-trm-knows-now)). The leading technical hypothesis — reported by Chainalysis, PeckShield and Cyvers via [CryptoTimes's post-mortem synthesis on 2026-05-17](https://www.cryptotimes.io/2026/05/17/10-8-million-drained-inside-the-thorchain-exploit-that-froze-cross-chain-defi-for-13-hours/) — is a GG20 Threshold Signature Scheme (TSS) implementation flaw: a node identified as `thor16ucjv3v695mq283me7esh0wdhajjalengcn84q` joined the active validator set days before the attack, gradually leaked vault key shards during keygen and signing rounds, reconstructed sufficient key material offline, and then forged outbound vault signatures without triggering the protocol's quorum checks. CryptoTimes records verbatim: *"the operator (or a compromised machine acting as the operator) exploited a vulnerability in the GG20 Threshold Signature Scheme implementation. Rather than a single dramatic key compromise, the attack appears to have involved the gradual leakage of vault key material during keygen or signing rounds — the kind of malformed-proof exploitation that the TSSHOCK class of CVEs first put on the industry's radar a few years ago."* Chainalysis shared an on-chain analysis thread on 2026-05-16 linking attacker-controlled wallets to weeks of preparatory infrastructure staging through Monero and Hyperliquid before the vault drain. 
TRM Labs traced the proceeds to a two-address cluster within hours but has not attributed the exploit to any specific actor as of disclosure; historical THORChain laundering activity has been dominated by North Korean operators (Lazarus Group, including the $1.5B Bybit and ~$300M KelpDAO thefts per TRM Labs), but no Lazarus attribution is confirmed for this event. The Record reports user balances were not directly drained. **Why it matters to us:** the relevance to a Swiss / EU public-sector SOC is the *technique class*, not the cryptocurrency context. Any organisation operating MPC-custody, threshold-signing, or cross-chain bridge validator infrastructure — including FINMA-supervised digital-asset custodians, EU MiCA-regulated DeFi platforms, and any internal HSM-replacement projects that have moved to MPC-TSS — should audit node-admission controls, keygen/signing-round integrity, and whether newly-joined nodes can participate in signing quorums before completing a full security review. The TSSHOCK vulnerability class — [CVE-2023-33241](https://nvd.nist.gov/vuln/detail/CVE-2023-33241) (Fireblocks GG18/GG20 Paillier-ZK-proof flaw) and related GG20/ECDSA-MPC research — showed that malformed or missing zero-knowledge proofs during GG18/GG20 keygen can leak private-key shards across multiple rounds; the THORChain exploit is the second large-scale production demonstration of that theoretical class.

— *Source: [The Record, 2026-05-15](https://therecord.media/more-than-10-million-stolen-crypto-platform-thorchain) · [TRM Labs, 2026-05-15](https://www.trmlabs.com/resources/blog/thorchain-exploit-drains-usd-11m-across-at-least-nine-chains-what-trm-knows-now) · Additional source: [CryptoTimes, 2026-05-17](https://www.cryptotimes.io/2026/05/17/10-8-million-drained-inside-the-thorchain-exploit-that-froze-cross-chain-defi-for-13-hours/) · Tags: cryptocrime, organized-crime, supply-chain, cloud · Region: switzerland, global · Sector: finance · Evidence: "One of THORChain's six vaults was compromised, though the platform's automated systems detected abnormal behavior and halted signing activity, preventing further losses. User funds were reportedly unaffected, with only protocol-owned assets impacted." (The Record); "At the time of writing, TRM has not attributed the May 15 exploit to any specific actor." (TRM Labs); "the operator (or a compromised machine acting as the operator) exploited a vulnerability in the GG20 Threshold Signature Scheme implementation. Rather than a single dramatic key compromise, the attack appears to have involved the gradual leakage of vault key material during keygen or signing rounds — the kind of malformed-proof exploitation that the TSSHOCK class of CVEs first put on the industry's radar a few years ago." (CryptoTimes)*

## 2. Trending Vulnerabilities

*No new in-window CVE clears the § 2 inclusion gates this run — the three actively-exploited or newly-patched items in scope (CVE-2026-42897 Exchange OWA, CVE-2026-42945 NGINX Rift, CVE-2026-0300 PAN-OS) all carry material in-window deltas that belong in § 4 Updates rather than as fresh § 2 entries. Section intentionally left empty.*

## 3. Research & Investigative Reporting

*No new research with operational defender impact published inside the 36-hour recency window this run — Sunday-into-Monday is research-light. Three substantive pieces (DFIR Report on EtherRAT + TukTuk → Gentleman ransomware, 2026-05-11; Microsoft IR on a 123-day MSP-mediated intrusion via HPE Operations Manager, 2026-05-12; Unit 42 on AD CS ESC1 + shadow-credential exploitation by Fighting Ursa, 2026-05-11) were surfaced by S3 but all fall outside the strict window and outside prior coverage; they are flagged in § 7 as candidates for the weekly summary rather than padded into today's brief. Section intentionally left empty.*

## 4. Updates to Prior Coverage

### UPDATE: CVE-2026-42897 Exchange OWA — EM Service auto-mitigation depends on outbound connectivity to `officemitigations.microsoft.com`

> **UPDATE (originally covered 2026-05-15 / deep-dive 2026-05-16):** The [Microsoft Exchange Team Blog post addressing CVE-2026-42897 was last modified 2026-05-17](https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498) to clarify an operational dependency that defenders must verify on every Exchange Mailbox host: the Exchange Emergency Mitigation Service (EM Service / EEMS) — which auto-applies the URL-Rewrite mitigation labelled M2.1.x — only delivers that mitigation when it can reach `officemitigations.microsoft.com` over outbound HTTPS. Segmented on-premises Exchange 2016 / 2019 / Subscription-Edition deployments that block direct outbound HTTPS from the Mailbox role will therefore not have received the automatic mitigation and remain exposed to the actively-exploited OWA stored-XSS chain.
>
> The CVE remains CISA KEV-listed (added 2026-05-15) with no permanent cumulative-update fix as of 2026-05-18; Microsoft states verbatim *"We are working on developing and testing a more permanent fix which we will provide when it meets our quality standards."* Exchange Online is unaffected. Operational verification per server: `Get-ExchangeDiagnosticInfo -Server <server> -Process EdgeTransport -Component EmergencyMitigation` returns `Status: Active` and rule M2.1.x applied; manual application on hosts that cannot reach the mitigation service: `.\EOMT.ps1 -CVE "CVE-2026-42897"` from an elevated Exchange Management Shell, or apply the documented URL Rewrite rule by hand.
>
> — *Source: [Microsoft Exchange Team Blog, 2026-05-17](https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498) · Additional source: [Microsoft MSRC](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42897) · Tags: vulnerabilities, actively-exploited, cisa-kev, no-patch · Region: global · Sector: public-sector, healthcare, education · CVE: CVE-2026-42897 · CVSS: 8.1 · Vector: user-interaction · Auth: pre-auth · Status: exploited, cisa-kev, mitigation-only*

### UPDATE: CVE-2026-42945 NGINX Rift — in-the-wild exploitation confirmed by VulnCheck honeypots

> **UPDATE (originally covered 2026-W21 weekly):** [VulnCheck honeypot telemetry confirmed active exploitation of CVE-2026-42945 on 2026-05-17](https://thehackernews.com/2026/05/nginx-cve-2026-42945-exploited-in-wild.html), promoting the 18-year-old `ngx_http_rewrite_module` heap buffer overflow from PoC-public status (where it sat last week) to actively-exploited. The flaw is reachable by an unauthenticated remote attacker via a single crafted HTTP request to any NGINX instance running a rewrite-rule configuration that uses unnamed PCRE captures (`$1`, `$2`); successful exploitation crashes the worker process (DoS reliable on ASLR-enabled hosts) and reaches RCE on hosts where ASLR is disabled.
>
> Affected per [F5 PSIRT advisory K000161019](https://my.f5.com/manage/s/article/K000161019): NGINX Open Source 0.6.27 through 1.30.0 (every release since 2008) and NGINX Plus R32 through R36, plus F5 NGINX Instance Manager, NGINX Ingress Controller, NGINX Gateway Fabric, NGINX App Protect WAF, F5 WAF for NGINX, and NGINX App Protect DoS. Patches: NGINX Open Source 1.30.1 / 1.31.0; NGINX Plus R32 P6, R36 P4. Interim mitigation if immediate upgrade is not possible: convert unnamed PCRE captures in all rewrite directives to named captures (`(?P<name>...)` syntax). Detection-engineering anchors that follow from the flaw class (heap-overflow worker crash under specific rewrite-rule configurations) are NGINX worker-process crash events (SIGSEGV / SIGABRT and immediate respawn) in syslog / journald, correlated with inbound HTTP requests carrying unusually long or deeply-nested rewrite-rule input strings from the same source; defenders should validate these against their own rewrite-rule configuration before depending on them.
>
> — *Source: [The Hacker News, 2026-05-17](https://thehackernews.com/2026/05/nginx-cve-2026-42945-exploited-in-wild.html) · Additional source: [F5 PSIRT K000161019](https://my.f5.com/manage/s/article/K000161019) · [Security Affairs, 2026-05-14](https://securityaffairs.com/192132/hacking/nginx-rift-an-18-year-old-flaw-in-the-worlds-most-deployed-web-server-just-came-to-light.html) · [NCSC-CH Security Hub post #12575](https://security-hub.ncsc.admin.ch/#/posts/12575) · Tags: vulnerabilities, actively-exploited, pre-auth, rce, dos · Region: global · Sector: public-sector, technology · CVE: CVE-2026-42945 · CVSS: 9.2 · Vector: zero-click · Auth: pre-auth · Status: exploited, patch-available*
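
The interim mitigation in the F5 advisory (convert unnamed PCRE captures in `rewrite` directives to named ones) is simple to state but tedious to apply by hand across a large `nginx.conf` tree. The following Python audit helper is an added example, not F5's, NGINX's or VulnCheck's own tooling: it scans configuration text for `rewrite` directives whose regex still contains unnamed capturing groups and emits an equivalent directive using named captures, renaming the `$N` references in the replacement to match. The sample configuration is constructed for the example. It only handles `rewrite` directives; captures from `location ~` blocks that are referenced later as `$1` are out of scope, and none of this replaces the upgrade to 1.30.1 / 1.31.0 or the patched Plus releases.

```python
import re
from dataclasses import dataclass

# Constructed sample nginx.conf fragment (invented for this example, not from any real host)
SAMPLE_CONF = r"""
server {
    listen 80;
    rewrite ^/old/(.*)$ /new/$1 permanent;
    rewrite "^/api/v(\d+)/(.*)$" /v$1/api/$2 last;
    rewrite ^/docs/(?<page>[a-z]+)$ /wiki/$page last;
    rewrite ^/static/ /assets/ break;
    location /x { rewrite ^/x/(.+)$ /y/$1 last; }
}
"""

# One rewrite argument: double-quoted, single-quoted, or a bare token.
_ARG = r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'|[^\s;]+'
REWRITE_RE = re.compile(
    r'\brewrite\s+(' + _ARG + r')\s+(' + _ARG + r')'
    r'(?:\s+(last|break|redirect|permanent))?\s*;')


def _split_quote(tok):
    """Return (quote_char_or_empty, inner_text) for one rewrite argument."""
    if len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in '"\'':
        return tok[0], tok[1:-1]
    return '', tok


def name_captures(pattern):
    """Give every unnamed capturing group the name cN (N = its PCRE group number).

    Returns (new_pattern, names) where names maps group number -> group name for
    all capturing groups, so that $N references can be renamed consistently even
    when named and unnamed groups are mixed in one pattern.
    """
    out, names, n, i, in_class = [], {}, 0, 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == '\\':                      # escaped char: copy both bytes verbatim
            out.append(pattern[i:i + 2]); i += 2; continue
        if in_class:                        # '(' inside [...] is literal
            if ch == ']':
                in_class = False
            out.append(ch); i += 1; continue
        if ch == '[':
            in_class = True; out.append(ch); i += 1; continue
        if ch == '(':
            if pattern[i + 1:i + 2] != '?':  # plain '(' = unnamed capturing group
                n += 1
                names[n] = f'c{n}'
                out.append(f'(?<c{n}>'); i += 1; continue
            m = re.match(r'\(\?P?<([A-Za-z_][A-Za-z0-9_]*)>', pattern[i:])
            if m:                            # already-named group keeps its name
                n += 1
                names[n] = m.group(1)
                out.append(m.group(0)); i += m.end(); continue
            # (?: (?= (?<= etc. are non-capturing: fall through and copy
        out.append(ch); i += 1
    return ''.join(out), names


def rename_references(repl, names):
    """Rewrite $N back-references to $name so the replacement no longer depends on numbering."""
    def sub(m):
        n = int(m.group(1))
        return '$' + names[n] if n in names else m.group(0)
    return re.sub(r'\$(\d+)', sub, repl)


@dataclass
class Finding:
    original: str    # the rewrite directive as found in the config
    suggested: str   # equivalent directive using named captures only


def audit_rewrites(conf_text):
    """Return a Finding for every rewrite directive that still uses unnamed PCRE captures."""
    findings = []
    for m in REWRITE_RE.finditer(conf_text):
        pq, pat = _split_quote(m.group(1))
        rq, repl = _split_quote(m.group(2))
        new_pat, names = name_captures(pat)
        if new_pat == pat:
            continue                         # named-only, or no captures at all
        new_repl = rename_references(repl, names)
        flag = f' {m.group(3)}' if m.group(3) else ''
        findings.append(Finding(
            original=m.group(0).strip(),
            suggested=f'rewrite {pq}{new_pat}{pq} {rq}{new_repl}{rq}{flag};'))
    return findings


if __name__ == "__main__":
    for f in audit_rewrites(SAMPLE_CONF):
        print(f"FOUND    {f.original}\nSUGGEST  {f.suggested}\n")
```

Feed it the output of `nginx -T` (which dumps the fully resolved configuration including every `include`d file) rather than individual files, so that rewrite rules in vhost snippets are not missed; review each suggested line before applying it, since the helper changes only the capture syntax and does not validate the surrounding regex.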

### UPDATE: CVE-2026-0300 PAN-OS Captive Portal — revised fix-release timelines for 10.2.13-h21 and 10.2.16-h7; wave-2 target remains 2026-05-28

> **UPDATE (originally covered 2026-05-07 deep dive):** The [Palo Alto Networks PSIRT advisory for CVE-2026-0300](https://security.paloaltonetworks.com/CVE-2026-0300) was revised on 2026-05-16 to update the per-build fix-release schedule: PAN-OS `10.2.13-h21` was retimed on 2026-05-16, `10.2.16-h7` on 2026-05-14. Both are commonly deployed LTS branches in large enterprise and government estates; PA-Series and VM-Series devices on those two specific builds remain mitigation-only.
>
> The wave-2 patch target for the remaining outstanding builds remains 2026-05-28. No new exploitation evidence accompanied the revision; the actively-exploited posture (unauthenticated heap overflow in the User-ID Authentication Portal / Captive Portal service, CVSS 9.3, pre-auth root RCE) reported in prior briefs continues. Defender action: verify each PA / VM appliance's installed PAN-OS build against the advisory's per-version patch matrix; if the installed build is `10.2.13-h21` or `10.2.16-h7`, confirm the Captive Portal / User-ID Authentication Portal mitigation (disable the feature if unused, or apply the published Threat Prevention rule) remains active until the wave-2 fix lands.
>
> — *Source: [Palo Alto Networks PSIRT — CVE-2026-0300](https://security.paloaltonetworks.com/CVE-2026-0300) · Tags: vulnerabilities, actively-exploited, pre-auth, rce, cisa-kev · Region: global · Sector: public-sector, technology · CVE: CVE-2026-0300 · CVSS: 9.3 · Vector: zero-click · Auth: pre-auth · Status: exploited, cisa-kev, mitigation-only*

## 5. Deep Dive — Tycoon2FA after the March 2026 takedown — OAuth Device Authorization Grant abuse on Microsoft 365

**Background.** Tycoon2FA is one of the established Microsoft 365 Phishing-as-a-Service (PhaaS) kits, previously documented as a classic adversary-in-the-middle (AiTM) credential-relay kit ([Sekoia's reference analysis](https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/) catalogued earlier versions of the kit). eSentire's Threat Response Unit documented a late-April 2026 campaign in which the kit's operators have moved away from credential-relay AiTM and are now abusing the legitimate OAuth 2.0 Device Authorization Grant flow as their post-MFA token-theft primitive ([eSentire TRU, 2026-05-12](https://www.esentire.com/blog/tycoon-2fa-operators-adopt-oauth-device-code-phishing); [BleepingComputer, 2026-05-17](https://www.bleepingcomputer.com/news/security/tycoon2fa-hijacks-microsoft-365-accounts-via-device-code-phishing/)). The substantive defender consequence is that the new chain runs against Microsoft's own authentication endpoints rather than against a credential-relay proxy the defender could block at the infrastructure layer; the abuse is structurally indistinguishable from a legitimate device-code sign-in until the resulting token is used.

**Attack chain.** A phishing email directs the victim through a four-layer browser chain documented by eSentire: a Trustifi click-tracking redirect (legitimate-email-marketing infrastructure, abused for reputation laundering) hands off to a Cloudflare Workers throwaway subdomain whose stage performs anti-analysis fingerprinting, AES-GCM-encrypted JavaScript decrypts the next stage only when the browser fingerprint clears, and finally the victim lands on a fake Microsoft CAPTCHA / "Check Domain" page that bridges into the OAuth device-code lure. eSentire records the underlying hosting ASN rotated to AS45102 (Alibaba Cloud) from 2026-04-10 onward, replacing previously documented ASNs. The terminal step is the technique pivot: instead of relaying credentials through an AiTM proxy, the phishing site displays a Microsoft-branded prompt instructing the victim to *"complete sign-in by visiting `microsoft.com/devicelogin` and entering this code: AB12-CDEF"*. The code is a real device code that the attacker pre-generated by calling the OAuth Device Authorization Grant endpoint (`/oauth2/v2.0/devicecode`) on the victim's tenant, presenting itself as the [Microsoft Authentication Broker client](https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-device-code) (AppId `29d9ed98-a469-4536-ade2-f981bc1d605e`) — a first-party Microsoft client whose presence does not trip standard "unknown OAuth app" alerts in Entra ID. When the victim completes the device-code login in their browser they are authenticating to genuine Microsoft endpoints, MFA fires and succeeds against the victim's own MFA method (push, OTP, SMS) — and the resulting access and refresh tokens are issued to the attacker's polling device, not the victim. Entra ID sign-in logs record this as `AuthenticationProtocol = deviceCode` originating from an unfamiliar IP, but the actual authentication is logged as successful with valid MFA, masking the abuse.

**ATT&CK mapping.** [`T1566.002`](https://attack.mitre.org/techniques/T1566/002/) Phishing: Spearphishing Link → [`T1528`](https://attack.mitre.org/techniques/T1528/) Steal Application Access Token (the device-code flow itself) → [`T1550.001`](https://attack.mitre.org/techniques/T1550/001/) Use Alternate Authentication Material: Application Access Token → [`T1078.004`](https://attack.mitre.org/techniques/T1078/004/) Valid Accounts: Cloud Accounts (sustained post-MFA access using the issued tokens against Exchange Online, SharePoint, OneDrive, Teams, and Graph API). MFA bypass is structural here — Tycoon2FA does not break MFA; it sidesteps it by binding the MFA-validated session to an attacker-owned device through the legitimate OAuth flow. Every MFA method except FIDO2 / WebAuthn with phishing-resistant attestation is vulnerable to this attack class because the victim approves an MFA prompt on a flow the kit chose, not the flow the victim believes they are completing.

**Hunt / detection concepts.** Per eSentire's TRU analysis: query Entra ID sign-in logs for `AuthenticationProtocol = "deviceCode"` paired with `ClientAppUsed = "Microsoft Authentication Broker"` from IPs the user has never authenticated from previously; alert on any device-code authentication from foreign ASNs against high-privilege users (Global Admins, Privileged Role Admins, Compliance Admins) regardless of MFA outcome; correlate device-code sign-ins with Entra audit-log entries showing immediate token-refresh activity against Exchange Online or SharePoint endpoints (`Add OAuth2PermissionGrant`); on the email layer hunt for inbound mail containing the literal string `microsoft.com/devicelogin` paired with a device-code-shaped substring (eight alphanumerics with a hyphen at the midpoint) in the body — legitimate Microsoft messaging almost never instructs an end user to enter such a code in response to an email. Kit-fingerprint detection (useful when investigating a confirmed campaign): the Tycoon2FA browser stage retains the hardcoded CryptoJS AES-CBC key `1234567890123456` first documented in the kit's 2024 build, and the fake CAPTCHA layer still embeds the same Cloudflare-anti-bot bypass JavaScript across the rebuilt infrastructure.
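
To make the hunt logic above concrete, the following Python is an added example (not eSentire's code and not part of the brief's sources) that runs the page's sign-in-log checks and the email-body lure check over constructed records. Field names are simplified stand-ins for the Entra sign-in and audit log attributes the page cites (`authenticationProtocol`, the Authentication Broker AppId, `Add OAuth2PermissionGrant`), directory roles are assumed to be pre-resolved onto each record, and the 15-minute grant-correlation window is an assumption of the example. In production the same three rules would be expressed as KQL against the exported logs; the point here is the rule logic, in particular that the privileged-user rule ignores the MFA result entirely.

```python
import re
from datetime import datetime, timedelta

# AppId of the Microsoft Authentication Broker client named in the deep dive
AUTH_BROKER_APPID = "29d9ed98-a469-4536-ade2-f981bc1d605e"
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Compliance Administrator"}
# Audit-log operation the page correlates with immediate token use after the sign-in
GRANT_OP = "Add OAuth2PermissionGrant"

# Constructed, simplified records (invented values; field names mirror the log
# attributes cited on the page rather than the full Entra schema).
SIGNINS = [
    {"ts": "2026-05-10T08:01:00Z", "user": "alice@example.org", "ip": "198.51.100.10",
     "protocol": "none", "appId": "not-the-broker", "mfa": True, "roles": []},
    {"ts": "2026-05-17T09:14:00Z", "user": "alice@example.org", "ip": "203.0.113.55",
     "protocol": "deviceCode", "appId": AUTH_BROKER_APPID, "mfa": True, "roles": []},
    {"ts": "2026-05-11T07:30:00Z", "user": "bob@example.org", "ip": "198.51.100.20",
     "protocol": "none", "appId": "not-the-broker", "mfa": True,
     "roles": ["Global Administrator"]},
    {"ts": "2026-05-17T10:02:00Z", "user": "bob@example.org", "ip": "198.51.100.20",
     "protocol": "deviceCode", "appId": AUTH_BROKER_APPID, "mfa": True,
     "roles": ["Global Administrator"]},
    {"ts": "2026-05-17T11:00:00Z", "user": "tv-lobby@example.org", "ip": "198.51.100.30",
     "protocol": "deviceCode", "appId": AUTH_BROKER_APPID, "mfa": False, "roles": []},
]
AUDIT = [
    {"ts": "2026-05-17T09:16:30Z", "user": "alice@example.org", "operation": GRANT_OP},
]
MAIL = [
    {"id": "m1", "body": "Your mailbox migration is pending. Complete sign-in by visiting "
                         "microsoft.com/devicelogin and entering this code: AB12-CDEF"},
    {"id": "m2", "body": "Quarterly all-hands is Thursday; agenda attached."},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def hunt_device_code(signins, audit, grant_window=timedelta(minutes=15)):
    """Apply the page's three device-code hunt rules to sign-in records.

    The per-user IP baseline is built only from ordinary (non-deviceCode) sign-ins
    seen earlier in time order, so a device-code sign-in never whitelists its own IP.
    """
    seen_ips = {}        # user -> IPs seen on earlier ordinary sign-ins
    findings = []
    for s in sorted(signins, key=lambda r: r["ts"]):
        user, ip = s["user"], s["ip"]
        known = seen_ips.setdefault(user, set())
        if s["protocol"] == "deviceCode" and s["appId"] == AUTH_BROKER_APPID:
            reasons = []
            if ip not in known:
                reasons.append("unfamiliar-ip")
            if PRIVILEGED_ROLES & set(s["roles"]):
                reasons.append("privileged-user")          # regardless of MFA outcome
            t = _parse(s["ts"])
            if any(a["user"] == user and a["operation"] == GRANT_OP
                   and t <= _parse(a["ts"]) <= t + grant_window for a in audit):
                reasons.append("immediate-permission-grant")
            if reasons:
                findings.append({"user": user, "ip": ip, "ts": s["ts"],
                                 "mfa": s["mfa"], "reasons": reasons})
        else:
            known.add(ip)
    return findings


# Email-layer hunt: the devicelogin URL plus a device-code-shaped token
# (eight alphanumerics with a hyphen at the midpoint) in the same body.
DEVICELOGIN_RE = re.compile(r"microsoft\.com/devicelogin", re.I)
CODE_RE = re.compile(r"\b[A-Z0-9]{4}-[A-Z0-9]{4}\b")


def find_device_code_lures(messages):
    """Return (message id, code) for every body that carries both indicators."""
    hits = []
    for m in messages:
        if DEVICELOGIN_RE.search(m["body"]):
            code = CODE_RE.search(m["body"])
            if code:
                hits.append((m["id"], code.group(0)))
    return hits


if __name__ == "__main__":
    for f in hunt_device_code(SIGNINS, AUDIT):
        print(f"SIGN-IN  {f['ts']} {f['user']} from {f['ip']}: {', '.join(f['reasons'])}")
    for mid, code in find_device_code_lures(MAIL):
        print(f"MAIL     {mid}: device-code lure with code {code}")
```

The `tv-lobby` record shows the expected false-positive shape: a genuinely input-constrained device that has no baseline is flagged as `unfamiliar-ip` on its first device-code sign-in, which is why the hardening section scopes the Conditional Access block to named exemptions rather than relying on detection alone.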

**Hardening.** [Entra Conditional Access policy](https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-block-authentication-flows) to block OAuth Device Code flow as an authentication transport for users who do not need it — the policy is `Conditional Access > New policy > Conditions > Authentication flows > Device code flow > Block`; Microsoft recommends this as a tenant-wide default in modern deployments because the device-code flow is only legitimately needed for input-constrained devices (smart TVs, IoT, CLI tools) and almost never for desktop or browser users. Where a wholesale block is operationally infeasible, scope the block to all licensed user accounts and exempt only the named service principals that require it. Enable Continuous Access Evaluation (CAE) so that anomaly-driven sign-in revocation can cut an attacker's session within minutes rather than hours. Migrate high-privilege users to FIDO2 / WebAuthn with phishing-resistant attestation as their only permitted MFA method — the device-code flow can still be initiated, but the attacker cannot complete it because the FIDO2 origin-binding fails on a non-matching browser session. Awareness messaging should make explicit that Microsoft never sends device codes via email and that any incoming message asking the recipient to enter a code at `microsoft.com/devicelogin` is fraudulent regardless of the apparent sender.

— *Source: [BleepingComputer, 2026-05-17](https://www.bleepingcomputer.com/news/security/tycoon2fa-hijacks-microsoft-365-accounts-via-device-code-phishing/) · Additional source: [eSentire Threat Response Unit, 2026-05-12](https://www.esentire.com/blog/tycoon-2fa-operators-adopt-oauth-device-code-phishing) · Tags: phishing, identity, cloud, organized-crime, ai-abuse · Region: global, europe · Sector: public-sector, healthcare, education, finance, technology · Evidence: "Doing so authorizes the attacker to register a rogue device with the victim's Microsoft 365 account, giving them unrestricted access to the victim's data and services, including email, calendar, and cloud file storage." (BleepingComputer); "The user's MFA worked exactly as designed. There is no proxy, no credential capture, no fake Microsoft page." (eSentire Threat Response Unit)*

## 6. Action Items

- **Verify Exchange Emergency Mitigation Service health on every on-premises Mailbox role.** Run `Get-ExchangeDiagnosticInfo -Server <server> -Process EdgeTransport -Component EmergencyMitigation` against each Exchange 2016 / 2019 / SE host; confirm `Status: Active` and rule M2.1.x is applied. On segmented hosts that block outbound HTTPS to `officemitigations.microsoft.com`, manually apply via `.\EOMT.ps1 -CVE "CVE-2026-42897"` from an elevated Exchange Management Shell. No permanent patch yet; CISA KEV-listed and actively exploited. See § 4 update.

  — *Source: [Microsoft Exchange Team Blog, 2026-05-17](https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498) · Tags: vulnerabilities, actively-exploited, cisa-kev, no-patch · Region: global · Sector: public-sector*

- **Patch NGINX 1.30.0 → 1.30.1 / 1.31.0 (open source) or NGINX Plus → R32 P6 / R36 P4 immediately on any internet-exposed instance.** VulnCheck honeypot telemetry confirmed in-the-wild exploitation of CVE-2026-42945 ("NGINX Rift") on 2026-05-17. Where same-day upgrade is not feasible, audit `nginx.conf` and included `*.conf` rewrite rules for unnamed PCRE captures (`$1`, `$2`) and convert to named captures as an interim mitigation per the F5 advisory. See § 4 update.

  — *Source: [F5 PSIRT K000161019](https://my.f5.com/manage/s/article/K000161019) · [The Hacker News, 2026-05-17](https://thehackernews.com/2026/05/nginx-cve-2026-42945-exploited-in-wild.html) · [NCSC-CH Security Hub post #12575](https://security-hub.ncsc.admin.ch/#/posts/12575) · Tags: vulnerabilities, actively-exploited, pre-auth, rce · Region: global · Sector: public-sector*

- **Block OAuth Device Code flow tenant-wide in Entra ID Conditional Access where it is not operationally required.** Path: Conditional Access → New policy → Conditions → Authentication flows → Device code flow → Block. Scope to all user accounts and exempt only the named service principals (smart-TV, IoT, CLI) that demonstrably need it. Where a wholesale block is infeasible, restrict the device-code flow to compliant devices and named-location IPs. Monitor Entra ID sign-in logs for `AuthenticationProtocol = "deviceCode"` from unfamiliar IPs against high-privilege users — see § 5 deep dive.

  — *Source: [eSentire Threat Response Unit, 2026-05-12](https://www.esentire.com/blog/tycoon-2fa-operators-adopt-oauth-device-code-phishing) · [BleepingComputer, 2026-05-17](https://www.bleepingcomputer.com/news/security/tycoon2fa-hijacks-microsoft-365-accounts-via-device-code-phishing/) · Tags: phishing, identity, cloud · Region: global · Sector: public-sector*

- **Audit PAN-OS build version against the revised CVE-2026-0300 fix-release timeline.** Inventory PA-Series and VM-Series appliances; if any device runs `10.2.13-h21` or `10.2.16-h7`, confirm Captive Portal / User-ID Authentication Portal mitigation remains active and track the wave-2 patch target (2026-05-28). See § 4 update.

  — *Source: [Palo Alto Networks PSIRT — CVE-2026-0300](https://security.paloaltonetworks.com/CVE-2026-0300) · Tags: vulnerabilities, actively-exploited, cisa-kev · Region: global · Sector: public-sector*

## 7. Verification Notes

- **Coverage window:** standard daily (gap to prior brief 2026-05-17 ≈ 24 h; `window_hours = 36`). Quiet Sunday-into-Monday — § 2 and § 3 are intentionally empty per PD-11.
- **Items dropped (sub-agent returned but failed Phase 2 / dedup / recency):**
  - SEPPmail CVE-2026-44125 / 44126 / 44127 / 44128 / 44129 / 7864 cluster (NCSC-CH post #12551, 2026-05-08) — already covered in the 2026-05-09 deep dive and the CVEs are all in `cves_seen.json`; the NCSC-CH advisory date (2026-05-08) is 10 days outside `window_hours = 36`; dropped, no in-window delta.
  - Windows YellowKey / GreenPlasma zero-days (NCSC-CH post #12574, 2026-05-14) — already covered in the 2026-05-15 § 1; no fresh in-window development.
  - DHTMLX CVE-2026-41553 / 41552 / 7182 — already covered as a TL;DR item in 2026-05-17; CERT-PL advisory date 2026-05-15 sits at the edge of window but the coverage is already current.
  - NCSC-CH weekly review Week 19 (advance-fee scam, double-phishing awareness items) — primary-source date 2026-05-12 is outside `window_hours`; awareness-class content with no fresh defender action.
- **Single-source items:** [SINGLE-SOURCE] CVE-2026-0300 PAN-OS § 4 UPDATE — sole primary source is the Palo Alto Networks PSIRT advisory (vendor-authoritative; national-CERT carve-out does not apply but vendor-PSIRT is itself the primary disclosing party).
- **Included with reduced confidence (no in-window primary):** none in this brief — the three out-of-window S3 items were dropped rather than promoted.
- **Out-of-window research deferred to weekly summary (or next-week daily if material develops):**
  - [The DFIR Report, 2026-05-11](https://thedfirreport.com/2026/05/11/flash-alert-etherrat-and-tuktuk-c2-end-in-the-gentleman-ransomware/) — EtherRAT blockchain-C2 + TukTuk SaaS-C2 chain ending in Gentleman ransomware; novel detection-engineering content (EtherHiding / Arweave dead-drop / multi-SaaS C2 fingerprints) but source is 7 days outside `window_hours`.
  - [Microsoft Security Blog, 2026-05-12](https://www.microsoft.com/en-us/security/blog/2026/05/12/undermining-the-trust-boundary-investigating-a-stealthy-intrusion-through-third-party-compromise/) — 123-day MSP-mediated intrusion via HPE Operations Manager with malicious Windows Network Provider DLL and LSA password-filter persistence; high relevance to public-sector outsourced IT but 6 days outside `window_hours`.
  - [Unit 42, 2026-05-11](https://unit42.paloaltonetworks.com/active-directory-certificate-services-exploitation/) — Active Directory Certificate Services ESC1 + shadow-credential exploitation attributed to Fighting Ursa (APT28); 7 days outside `window_hours`.
- **Contradictions surfaced:** CVSS scoring for CVE-2026-42945 NGINX Rift differs across primaries — NCSC-CH lists `CVSS 4.0: 9.2 Critical` while NVD currently has no published score; The Hacker News and Security Affairs cite the F5 advisory's CVSS 4.0 base of 9.2 used in this brief. CVSS 3.1 score reported by NCSC-NL feed is 8.1. Brief uses the CVSS 4.0 score most widely cited by national-CERT sources.
- **Sub-agents that didn't return on time:** none — S1 (348 s), S2 (677 s), S3 (576 s), S4 (679 s) all returned inside the 30-min hard cap.
- **Candidate sources surfaced this run (one new candidate maximum per PD-3.6):** `depthfirst` (depthfirst.com) — AI-assisted vulnerability research, primary disclosure source for CVE-2026-42945 NGINX Rift cited by NCSC-CH; recorded as `status: candidate` in `sources/sources.json`. A second candidate (`cryptotimes`) was surfaced by S4 for THORChain technical post-mortems and is held for a future run per the one-candidate-per-run cap.
- **Coverage gaps:** cisa-kev (bridge subcommand returned no in-window adds beyond CVE-2026-20182 / CVE-2026-42897 already covered); apple-security (no in-window emergency update); chrome-releases (no in-window emergency update); akamai-sirt (RSS 403 — no in-window content corroborated via search); trendmicro-research (feed parse error — no in-window content corroborated via search); sophos-xops (HTTP 503 — no in-window content corroborated via search); inside-it-ch (host 403 — no in-window CH-specific incidents); cert-eu (most recent advisory 2026-05-06; feed empty in window); ncsc-ch weekly-review-kw20 (Week 20 review not yet published as of 2026-05-18T04:50Z); cert-fr actu (feed appears stale, items dated Sep–Oct 2025); sec-disclosures-edgar (Item 1.05 search returned zero filings for 2026-05-15 → 2026-05-18 — US weekend); ico-uk (no new enforcement actions in window); cnil-fr (no new enforcement decisions in window); databreaches-net (host 403 — WebSearch fallback used per documented mitigation).
