Research Deep Dives · 2026-W28
Strategic analyses
In-depth analyses from the Auto-CTI pipeline: full-text articles from vendor and researcher blogs, summarised by Claude Sonnet and annotated with key findings for your stack. Click a card for the unabridged version.
Week 29
13 Jul – 19 Jul 2026CVE-2026-55040: Microsoft SharePoint JWT Token Authentication Bypass (FIXED)
Rapid7 Labs discovered a vulnerability in Microsoft SharePoint that allows bypassing JWT token authentication (CVE-2026-55040). An unauthenticated attacker can assume the identity of any SharePoint user, provided they kn
Defending SaaS-based applications against ShinyHunters OAuth abuse
Between mid-2025 and mid-2026, Microsoft observed ShinyHunters campaigns abusing OAuth trust relationships in SaaS applications like Salesforce. The threat actors used voice phishing, supply chain compromise via trusted
Microsoft Entra ID security updates: Passkeys are the default authentication method in Entra ID
Starting September 1, 2026, Microsoft will make passkeys the default authentication method in Entra ID. Users currently on SMS or voice authentication will be automatically enabled for passkeys and prompted to register.
Week 28
06 Jul – 12 Jul 2026New Abuse of the ClickOnce Technology, Part 2: Stop Threat Actors from Clicking Once and Staying Forever
ClickOnce applications provide threat actors with a built-in update mechanism and reliable persistence method through .appref-ms files in the Start Menu, executable on every user launch.
CVE-2026-47291: Remote Code Execution in the Windows HTTP.sys
A vulnerability was discovered in Windows HTTP.sys, the kernel-mode HTTP driver, due to insufficient bounds checking when parsing HTTP/1.x headers. An integer overflow can allow a remote, unauthenticated attacker to send
This new Windows malware can take over your PC and wipe it clean
The research report describes 'GigaWiper', a modular Windows backdoor written in Golang that combines remote access, espionage, and multiple data destruction methods. The malware leverages components from earlier tools l
Microsoft fixes RoguePlanet zero-day in Defender
Microsoft has fixed the RoguePlanet zero-day vulnerability (CVE-2026-50656) in Microsoft Defender. This elevation of privilege flaw allowed attackers to escalate from a standard user account to NT AUTHORITY\SYSTEM, gaini
Week 27
29 Jun – 05 Jul 2026Chrome needs another whopper update to fix 382 security bugs
Google has released a critical Chrome update to fix 382 security vulnerabilities, 15 of which are rated critical. These flaws could allow attackers to execute arbitrary code outside the browser's sandbox. Notably, CVE-20
The SOC Files: ScreenConnect masked as freeware. An inside look at a large-scale campaign
The report reveals a large-scale campaign where attackers abuse the legitimate remote access tool ScreenConnect to distribute AsyncRAT malware. Malicious installers are disguised as popular freeware applications like OBS
ARToken: Inside an EvilTokens affiliate panel targeting Microsoft 365
ARToken is a fully automated PhaaS panel with 80+ API endpoints for targeted Microsoft 365 phishing, including persistent token acquisition via Microsoft Authentication Broker and SharePoint exfiltration , an escalated t
What's new in Microsoft Security: June 2026
Microsoft introduces agent-based AI systems (MDASH) for automated vulnerability discovery and extends threat protection to AWS databases alongside enhanced identity backup capabilities.
29th June , Threat Intelligence Report
Report aggregates multiple unrelated attacks and vulnerabilities (Polymarket supply-chain attack, KDDI breach, Cisco zero-day, Fortinet vulnerabilities) without focus on a single active campaign; serves as a weekly threa
Week 26
22 Jun – 28 Jun 2026Photo ZIP campaign targeting hospitality industry delivers Node.js implant for persistent access
The report details an active multi-stage intrusion campaign targeting the hospitality and hotel industry since April 2026. The attackers use photo-themed ZIP archives with fake image shortcuts to initiate a chain involvi
Introduction to COM usage by Windows threats
Researchers systematically document how malware abuses COM interfaces for lateral movement, persistence, and Windows automation, with Qakbot presented as a case study and reverse-engineering tools discussed.
StrikeShark: investigating a new campaign delivering Cobalt Strike through SharkLoader
A previously undocumented malware family (SharkLoader) is being deployed in a multinational campaign targeting government and diplomatic organizations to deliver Cobalt Strike Beacon; the threat actor leverages publicly
Week 24
08 Jun – 14 Jun 2026Week 20
11 May – 17 May 2026Week 17
20 Apr – 26 Apr 2026Week 16
13 Apr – 19 Apr 2026No more deep dives.