
Monthly Threat Report February 2026
Email Spoofing and Data Extortion
Introduction
The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on data and industry events from the month of January 2026.
Executive Summary
- Email authentication remains a frontline defense – Proper implementation of SPF, DKIM, and DMARC continues to block a significant percentage of phishing, impersonation, and BEC attempts before they reach end users.
- Data theft-first extortion is accelerating – The Nike breach reinforces a growing trend where attackers prioritize stealing and leaking internal data over encrypting systems.
- Microsoft Office remains a prime initial access vector – Active exploitation of an Office zero-day once again highlights how quickly attackers weaponize document-based vulnerabilities.
- Automation platforms are becoming high-value targets – Critical flaws in n8n demonstrate how workflow tools with broad SaaS access can rapidly become “keys to the kingdom.”
- AI is reshaping vulnerability discovery – AI-assisted research uncovered multiple OpenSSL flaws, signaling both defensive opportunity and faster exploit development cycles.
- Attack speed continues to outpace patch cycles – Out-of-band updates and rapid exploitation timelines are increasing operational strain on security and IT teams.
Threat Overview
The Ongoing Value of Email Authentication Protocols: SPF, DKIM, and DMARC
Email remains one of the most leveraged vectors for initial access in cyberattacks. These attacks include credential harvesting, business email compromise (BEC), fraud, impersonation, and phishing campaigns that target employees and/or MSP customers. While no single control stops all mail-based threats, the trio of SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance) continues to prove its worth as a foundational protective layer that stops a wide range of abuse before it ever lands in an inbox.
At its core, SPF allows a domain owner to declare which mail servers or services are permitted to send mail on behalf of their domain. DKIM goes a step further by cryptographically signing outbound messages to ensure the content hasn’t been tampered with in transit. DMARC ties both together with a policy layer that dictates how receivers should handle mail that fails authentication. Example responses could range from monitor-only reporting to outright rejection of forged mail.
See our blog article What is DMARC and How Does it Work? for a detailed overview.
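The mechanics described above, shown as an added example that is not part of the Hornetsecurity report: a small receiver-side evaluator that checks SPF for a sending IP, applies DMARC identifier alignment to the SPF and DKIM results, and returns the disposition a receiver would apply. It also contrasts an enforced p=reject policy with a monitor-only p=none policy, which is the gap the recommendations section later asks organizations to close. All DNS records, domains, IP addresses and the provider name are constructed for illustration; the organizational-domain lookup is approximated as the last two labels (real receivers use the Public Suffix List), and DKIM signature verification itself is assumed to have already happened and is passed in as a result rather than implemented.

```python
import ipaddress
from dataclasses import dataclass

# Constructed DNS TXT records for hypothetical domains (not real zones).
# example.com publishes SPF, relays some mail through a third-party provider,
# and enforces DMARC; monitor.example is stuck at a monitor-only policy.
CONSTRUCTED_DNS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.provider.example -all",
    "_spf.provider.example": "v=spf1 ip4:198.51.100.10 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                          "rua=mailto:dmarc@example.com",
    "_dmarc.monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, dns=CONSTRUCTED_DNS, depth=0):
    """Evaluate the SPF record of `domain` for sending address `ip`.
    Demo subset only: ip4, ip6, include and all mechanisms (no a/mx/exists)."""
    parts = (dns.get(domain.lower()) or "").split()
    if not parts or parts[0].lower() != "v=spf1" or depth > 10:
        return "none"                       # no usable policy published
    addr = ipaddress.ip_address(ip)
    for term in parts[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            matched = check_spf(ip, arg, dns, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            matched = False                 # unsupported mechanism: non-matching here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def parse_tags(record):
    """Parse a 'tag=value; tag=value' DMARC record into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain approximated as the last two labels (assumption)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: 's' needs an exact match, 'r' accepts any
    domain that shares the organizational domain."""
    if mode.lower() == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class Message:
    from_domain: str       # RFC5322.From domain, the one the recipient sees
    mail_from_domain: str  # RFC5321.MailFrom (envelope) domain that SPF evaluates
    sending_ip: str        # connecting SMTP client address
    dkim_pass: bool        # signature verification outcome (assumed, not computed)
    dkim_domain: str       # d= tag of the DKIM-Signature, or "" if unsigned


def dmarc_disposition(msg, dns=CONSTRUCTED_DNS):
    """Return (dmarc_result, action); action is 'none', 'quarantine' or 'reject'."""
    domain = msg.from_domain.lower()
    record = dns.get(f"_dmarc.{domain}")
    subdomain_fallback = False
    if record is None and org_domain(domain) != domain:
        record = dns.get(f"_dmarc.{org_domain(domain)}")   # org-domain record, sp= applies
        subdomain_fallback = record is not None
    if record is None:
        return ("none", "none")             # no DMARC policy: receiver decides alone
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ("none", "none")
    spf_ok = (check_spf(msg.sending_ip, msg.mail_from_domain, dns) == "pass"
              and aligned(domain, msg.mail_from_domain, tags.get("aspf", "r")))
    dkim_ok = bool(msg.dkim_pass and msg.dkim_domain
                   and aligned(domain, msg.dkim_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return ("pass", "none")             # one aligned pass is enough
    policy = tags.get("p", "none")
    if subdomain_fallback and "sp" in tags:
        policy = tags["sp"]
    return ("fail", policy.lower())


if __name__ == "__main__":
    legit = Message("example.com", "example.com", "203.0.113.5", True, "example.com")
    forged = Message("example.com", "attacker.example", "192.0.2.9", False, "")
    unenforced = Message("monitor.example", "attacker.example", "192.0.2.9", False, "")
    for name, m in (("legit", legit), ("forged", forged), ("unenforced", unenforced)):
        print(name, dmarc_disposition(m))
```

The forged message fails both checks and is rejected only because example.com publishes p=reject; the identical forgery against monitor.example passes through with an action of "none", which is exactly what a monitor-only policy buys an attacker. A forged mail to a subdomain without its own record falls back to the organizational record and picks up sp=quarantine.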
Common Attack Types Thwarted by Proper Use of SPF, DKIM, and DMARC
Even in 2026, attackers still rely on familiar social engineering hooks that are made dramatically more effective when forged mail successfully masquerades as trusted senders. SPF, DKIM, and DMARC collectively interrupt this playbook in several notable ways:
Impersonation-based Credential Harvesting
Attackers often spoof corporate brands or business partners in phishing campaigns to trick users into entering credentials on malicious portals. Without valid SPF/DKIM signatures and a protective DMARC policy, these spoofed messages stand a much higher chance of bypassing spam filters and user suspicion.
Business Email Compromise (BEC)
BEC scams frequently start with spoofed executive or vendor addresses asking for wire transfers or sensitive changes to payment details. High-confidence email authentication drastically reduces the delivery success of these forgeries by telling receiving systems “this mail didn’t come from a valid source, treat it as suspicious.”
Invoice and Payment Fraud
Financial fraud schemes that inject fake invoices or payment requests into business workflows are often enabled by spoofed sender addresses. Validating mail via SPF/DKIM and enforcing DMARC failure actions disrupt these tactics right at the gateway.
Brand Abuse and Supply Chain Trust Manipulation
Attackers spoof trusted domains to deceive customers, partners, or vendors. Strong DMARC enforcement sends a clear signal across the ecosystem that unauthorized mail will not be accepted, reducing the efficacy of such abuse.
Why it Matters
While advanced threat actors can sometimes bypass perimeter defenses through compromised credentials or zero-day exploits, a surprising proportion of socially engineered attacks are neutralized simply by making it harder to impersonate trusted senders in the first place. Implemented correctly, SPF, DKIM, and DMARC:
- Reduce successful delivery of spoofed mail,
- Increase the visibility of abuse through aggregate and forensic reporting,
- Raise the cost and effort required for attackers to succeed,
- And complement other defensive layers like multi-factor authentication (MFA) and threat-aware training.
In an era where identity and trust are under constant assault, email authentication remains one of the most cost-effective and measurable controls enterprises can deploy. Organizations that lag on DMARC adoption are effectively leaving the front door open to common phishing and BEC techniques that have been reliably exploited for over a decade.
Adopting DMARC with a “reject” policy and being backed by complete SPF and DKIM coverage doesn’t just enhance mail hygiene; it materially degrades one of the attackers’ favorite initial access vectors.
Organizations would be well served to start implementing an email authentication strategy today if they have not done so already.
Major Incidents and Industry Events
Nike Suffers Major Data Leak Following Ransomware Extortion
In late January, reports emerged that Nike had suffered a significant data breach after an extortion group operating under the name World Leaks published approximately 1.4 TB of internal corporate data online. According to multiple reports, the contents of the leaked dataset have not been publicly detailed at this time. At the time of disclosure, Nike confirmed it was investigating the incident, while the threat actors seem to have pulled down the dump of data, indicating that behind-the-scenes negotiations may be happening, according to the Bleeping Computer article.
While public details remain limited, the scale of the data release potentially suggests access well beyond a single compromised endpoint. Some reporting even claims that manufacturing data was involved. Analysts noted that the volume of exposed material may indicate a broader internal compromise, potentially involving credential theft or access to internal development and collaboration systems, rather than a traditional ransomware deployment that simply encrypts production systems.
Why does it matter?
We’re continuing to see a growing trend in the industry where attackers prioritize data theft and public leaks over encryption-based ransomware. For large enterprises, intellectual property, internal tooling, and source code can be as damaging as extended downtime. Even without customer financial data exposure (and all indications so far are that no such data was exposed), leaked internal information can fuel follow-on attacks, supply chain abuse, or competitive harm. This breach is just further proof that extortion-focused operations continue to evolve, and that organizations must treat internal data protection and access control as crucial components of ransomware defense, not just backup and recovery.
Microsoft Office Zero-Day Actively Exploited in the Wild
January also saw Microsoft scramble to address an actively exploited Microsoft Office zero-day, prompting an out-of-band security update outside the normal Patch Tuesday cycle. As reported by TechRadar, attackers abused CVE-2026-21509 which allowed crafted Office documents to bypass local security controls. This sadly continues a long-standing trend of Office applications being a highly reliable initial access vector.
The rapid exploitation observed prior to patch availability forced organizations to react quickly, often disrupting established patching and change-management workflows. As with many Office-based attacks, phishing played a central role in delivering malicious documents, increasing the likelihood of successful exploitation in real-world enterprise environments.
Why does it matter?
Office zero-days combine scale with speed. When exploitation is active, the window between disclosure and compromise can be extremely small, especially in email-heavy environments. Out-of-band patches also increase operational strain, reinforcing the need for layered defenses that don’t rely solely on patching to stop document-based attacks.
High-Severity n8n Vulnerabilities Enable Authenticated Remote Code Execution
Security researchers disclosed two high-severity vulnerabilities in n8n, a popular open-source workflow automation platform, that allow authenticated users to achieve remote code execution on the underlying server. Coverage from The Hacker News highlighted how these flaws could be abused once an attacker gains valid credentials. Yes, both of these flaws require an already authenticated user, but we know that credential theft is something that often happens through phishing, password reuse, or OAuth token theft.
The two CVEs in question are:
Because n8n is commonly used as an automation hub, it often holds API keys, secrets, and privileged access to multiple SaaS platforms. Successful exploitation could therefore allow attackers to pivot across connected services rather than being confined to a single system.
Why does it matter?
Automation platforms are increasingly “keys to the kingdom” in modern environments. An RCE flaw in tooling like n8n doesn’t just compromise one server; it can expose entire SaaS trust chains. This incident reinforces why workflow automation and integration platforms deserve the same security scrutiny as core infrastructure and identity systems. In fact, the sheer infrastructure reach of such systems demands it.
AI-Assisted Discovery of Multiple OpenSSL Vulnerabilities
As an industry, we’ve been inundated with AI features but businesses and security teams have been looking for tangible methods and examples for getting actual value out of AI. In another January development, researchers announced the discovery of multiple previously unknown OpenSSL vulnerabilities using AI-assisted analysis techniques.
As reported by TechRadar, the findings demonstrated how AI can be effectively paired with human expertise to uncover subtle cryptographic and memory-handling issues in one of the most widely deployed security libraries in existence.
While none of the newly identified issues immediately triggered mass exploitation, the research drew attention due to OpenSSL’s massive footprint across operating systems, appliances, and applications. Even lower-severity flaws in such a foundational library can carry outsized risk.
Why does it matter?
This development highlights a double-edged reality. AI can help defenders and researchers find vulnerabilities earlier, which is GOOD news. It is worth noting, however, that attackers can use the same techniques. As AI-assisted vulnerability discovery matures, the time between flaw discovery and weaponization is likely to shrink, especially for foundational components like OpenSSL that remain forever high-value targets.
Predictions for the Coming Months
- Extortion without encryption will become the norm – The Nike incident shows a continuing move by threat actors toward data-theft-first operations. Expect more attackers to skip encryption entirely, focusing instead on stealing things like intellectual property, internal documentation, and source code to maximize leverage.
- Email impersonation attacks will persist where DMARC adoption lags – Organizations without enforced DMARC policies will continue to be disproportionately targeted for phishing and BEC. Attackers typically gravitate toward the easiest impersonation opportunities. Proper email authentication configuration helps mitigate this risk.
- Workflow and integration platforms will see increased targeting – Tools like n8n sit at the center of SaaS ecosystems and often hold powerful credentials for other components within a given environment. As adoption grows, so will attacker interest. This is especially true in situations where credential theft and OAuth abuse attacks occur as a first step.
- Office-based zero-days will continue to be rapidly weaponized – Document-based vulnerabilities remain attractive due to their reach and reliability. Expect continued fast-moving exploitation, often before organizations can fully deploy patches.
- AI will compress vulnerability discovery and exploit timelines – As AI-assisted research becomes more common, the gap between vulnerability discovery and real-world exploitation will shrink, particularly for foundational and more long-lived components like OpenSSL.
- Security teams will face mounting operational pressure – More out-of-band patches, faster exploit cycles, and expanding attack surfaces will continue to strain patch management, change control, and incident response processes.
Monthly Recommendations
- Enforce DMARC with a reject policy – Organizations should move beyond monitoring-only configurations and enforce DMARC rejection policies backed by complete SPF and DKIM coverage to meaningfully reduce spoofing and impersonation risk.
- Treat internal data protection as a ransomware control – Given the rise of data-theft extortion, focus on access controls, least privilege, and monitoring for large-scale data exfiltration. Also, don’t forget proper backup and recovery strategies. Just because some threat actors are skipping the encryption stage does NOT mean ransomware is not a threat. Organizations should prepare accordingly.
- Accelerate response to Office vulnerabilities – Actively exploited Office flaws demand immediate attention. Layered defenses such as attachment sandboxing, link rewriting, and user awareness training are critical during patch gaps.
- Audit automation and workflow platforms – Review tools like n8n for patch levels, credential hygiene, and scope of access. These platforms should be treated as high-risk infrastructure components, not convenience tools.
- Prepare for faster exploit cycles – As AI-assisted vulnerability discovery matures, organizations must assume less warning time between disclosure and exploitation, especially for widely deployed libraries and services.
- Continue investing in security awareness training – Email-based attacks remain effective largely due to human factors. Training users to recognize impersonation, payment fraud, and malicious documents remains a high-return defensive investment.
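One concrete way to act on the recommendation above to monitor for large-scale data exfiltration, given as an added example that is not from the Hornetsecurity report: baseline each host’s daily egress to external addresses and flag a host whose latest day exceeds both an absolute floor and a multiple of its own historical median, which is the shape a multi-terabyte data-theft extortion event would take in flow data. The flow records, hostnames, addresses, the assumption that internal address space is the RFC 1918 ranges, and the thresholds (10x median, 5 GB floor, three days of history) are all constructed for the demo and would be tuned to a real environment.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed flow records (day, source host, destination IP, bytes sent):
# made-up sample data for the demo, not logs from any real environment.
CONSTRUCTED_FLOWS = [
    ("2026-01-26", "ws-017", "203.0.113.10", 120_000_000),
    ("2026-01-26", "ws-042", "203.0.113.10", 95_000_000),
    ("2026-01-26", "ws-042", "10.0.0.5", 2_000_000_000),    # internal file server, ignored
    ("2026-01-27", "ws-017", "198.51.100.7", 110_000_000),
    ("2026-01-27", "ws-042", "203.0.113.10", 105_000_000),
    ("2026-01-28", "ws-017", "203.0.113.10", 130_000_000),
    ("2026-01-28", "ws-042", "198.51.100.7", 90_000_000),
    ("2026-01-29", "ws-017", "203.0.113.10", 125_000_000),
    ("2026-01-29", "ws-042", "203.0.113.10", 100_000_000),
    ("2026-01-30", "ws-017", "203.0.113.10", 140_000_000),
    ("2026-01-30", "ws-042", "192.0.2.44", 48_000_000_000),  # 48 GB to one external host
]

# Assumption for the demo: everything outside RFC 1918 space is "external".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def daily_external_egress(flows):
    """Map host -> {day: bytes sent to external destinations}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, dst, nbytes in flows:
        if is_external(dst):
            totals[host][day] += nbytes
    return totals


def flag_exfil_candidates(flows, factor=10, floor_bytes=5_000_000_000, min_history_days=3):
    """Flag hosts whose latest-day external egress exceeds both an absolute floor
    and `factor` times the median of their own earlier days.
    Returns alert dicts, largest deviation first."""
    alerts = []
    for host, per_day in daily_external_egress(flows).items():
        days = sorted(per_day)                      # ISO dates sort chronologically
        if len(days) <= min_history_days:
            continue                                # not enough history to baseline
        *history, latest = days
        baseline = median(per_day[d] for d in history)
        observed = per_day[latest]
        if observed > floor_bytes and observed > factor * baseline:
            alerts.append({"host": host, "day": latest, "bytes": observed,
                           "baseline": baseline, "ratio": round(observed / baseline, 1)})
    return sorted(alerts, key=lambda a: a["ratio"], reverse=True)


if __name__ == "__main__":
    for alert in flag_exfil_candidates(CONSTRUCTED_FLOWS):
        print(f"{alert['host']} on {alert['day']}: {alert['bytes'] / 1e9:.1f} GB out, "
              f"{alert['ratio']}x its median of {alert['baseline'] / 1e6:.1f} MB")
```

Comparing each host against its own median rather than a fleet-wide average keeps a naturally chatty server from masking a workstation that suddenly pushes tens of gigabytes out, and the absolute floor stops low-volume hosts from alerting on trivial day-to-day variation. In the sample data only ws-042 trips the rule; its 2 GB transfer to the internal file server is deliberately excluded because it never left the network.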
About Hornetsecurity
Hornetsecurity is a leading global provider of next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organisations of all sizes around the world. Its flagship product, 365 Total Protection, is the most comprehensive cloud security solution for Microsoft 365 on the market. Driven by innovation and cybersecurity excellence, Hornetsecurity is building a safer digital future and sustainable security cultures with its award-winning portfolio. Hornetsecurity operates in more than 120 countries through its international distribution network of 12,000+ channel partners and MSPs. Its premium services are used by more than 125,000 customers.