Monthly Threat Report March 2026

Bypassed, Fuzzed, and Exploited 

Written by Security Lab / 16.03.2026 /

Introduction

The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on industry events from the month of February 2026. 

Executive Summary

  • Fuzzing in Email Campaigns – Threat actors are increasingly using dynamic text randomization to evade signature-based and clustering detection, fragmenting campaign signals across thousands of low-volume variants to stay below detection thresholds. 
  • Tycoon 2FA Takedown – A major coordinated disruption involving Proofpoint, Microsoft, Europol, and international law enforcement seized 330 control panel domains linked to one of the most prolific AiTM phishing-as-a-service platforms in operation.
  • BeyondTrust Zero-Day (CVE-2026-1731) – A pre-authentication RCE flaw in BeyondTrust Remote Support was exploited in active ransomware campaigns. CISA issued a three-day patch mandate for federal agencies, underscoring the urgency. 
  • VMware Aria Operations RCE (CVE-2026-22719) – A second management platform vulnerability in the same month landed on CISA’s Known Exploited Vulnerabilities list, reinforcing an emerging attacker pattern of targeting the infrastructure defenders rely on most.
  • Looking Ahead – MFA bypass techniques, PhaaS platform resilience, and the targeting of management tooling are set to define the threat landscape in the months ahead. Layered defenses and aggressive patch cadences are no longer optional. 

Threat Overview

Fuzzing in Email Attack Campaigns: The Art of Looking Different Every Time

Every so often in this monthly report, we like to highlight techniques used by threat actors. This month's report includes some discussion around the use of "Fuzzing" in email attacks. 

Fuzzing, or the dynamic randomization of textual elements within email messages, has become a go-to evasion technique for threat actors running large-scale spam and phishing operations. Rather than blasting out identical copies of the same message, attackers have gotten smart over the years and now embed variable placeholders (think {RAND_1} or {RAND_ALPHA}) directly into sending templates. They then use scripts or spambot modules to generate unique values at send time. The result is a flood of messages that all share the same malicious intent but look just different enough from one another to avoid being grouped together. Randomized fields typically include sender aliases, display names, and subject lines, which are exactly the attributes that many detection and clustering systems lean on most heavily. 

What makes this technique particularly effective is its precision. The randomization isn't purely chaotic. It follows constrained patterns, such as fixed-length strings, limited character sets, or templated phrases with one or two randomized tokens swapped in. Actors will tune these parameters based on deliverability rates and detection feedback, dialing the degree of variability up or down to stay just below the threshold where filtering systems start connecting the dots. Campaigns are deliberately spread across many low-volume variants, which keeps each individual "cluster" of threatening emails too small to trigger burst detection of the campaign or reputation enforcement, while the aggregate volume continues (or so the threat actors hope) to drive inbox placement at scale. 

Why does it matter? 

The downstream impact on filtering infrastructure is significant and multi-layered. Clustering-based detection, which groups messages by shared attributes to identify coordinated campaigns, loses accuracy when every message looks slightly different. Complaint-based feedback loops (FBLs) fragment across dozens of low-volume variants, making it harder for older reputation systems to surface a clear signal. Indicators that would normally be reliable, like sender aliases, subjects, or body text, become polluted or inconsistent, stripping defenders of the pattern recognition that drives timely response. Relying heavily on signature-based or reputation-driven filtering alone is no longer effective. Next-generation email protection that incorporates behavioral analysis, content inspection, and advanced heuristics is essential to detecting what static pattern matching misses. 
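To make the clustering problem above concrete, here is an added example (not code from the report or from Hornetsecurity) of the defensive counter-move: normalizing randomized tokens before clustering, so that fuzzed variants collapse back into one campaign. The sample messages are constructed for this example and the placeholder format ({num:4}, {alnum:4}, {alpha:2}) and the token-length heuristic are assumptions chosen here; a real filter would feed many more attributes into the key.

```python
import re
from collections import defaultdict

# Constructed sample messages (not taken from the report). The first three are
# variants of one fuzzed campaign: static template text with randomized
# fixed-length tokens in the display name, sender alias and subject, mimicking
# the {RAND_1}/{RAND_ALPHA} placeholders described above. The fourth is an
# unrelated legitimate message that must not be folded into that cluster.
SAMPLE_MESSAGES = [
    {"from_name": "Billing Dept 7f3a", "from_addr": "acct-x81q@example-mailer.test",
     "subject": "Invoice 4821-KQ overdue"},
    {"from_name": "Billing Dept 2c9e", "from_addr": "acct-m04z@example-mailer.test",
     "subject": "Invoice 9930-LP overdue"},
    {"from_name": "Billing Dept b1d0", "from_addr": "acct-r77k@example-mailer.test",
     "subject": "Invoice 1107-ZX overdue"},
    {"from_name": "Alice Example", "from_addr": "alice@partner.test",
     "subject": "Re: Q2 planning meeting"},
]

# Ordered rewrite rules. Each replaces a randomized-looking run with a
# placeholder recording the run's kind and length, because fuzzed campaigns
# usually keep token length fixed while varying the characters. Placeholders
# use a colon so later rules never re-match an earlier placeholder.
_RULES = [
    (re.compile(r"\b\d{3,}\b"), "num"),                               # digit runs
    (re.compile(r"\b(?=[a-z0-9]*\d)[a-z0-9]{3,}\b", re.I), "alnum"),  # letters+digits mix
    (re.compile(r"\b[A-Z]{2,}\b"), "alpha"),                          # upper-case codes
]


def normalize_text(text: str) -> str:
    """Collapse randomized tokens into {kind:length} placeholders."""
    for pattern, kind in _RULES:
        text = pattern.sub(lambda m, k=kind: "{%s:%d}" % (k, len(m.group())), text)
    return text


def normalize_address(addr: str) -> str:
    """Normalize only the local part; the sending domain is a genuine signal."""
    local, sep, domain = addr.partition("@")
    return normalize_text(local) + sep + domain.lower()


def campaign_key(msg: dict) -> tuple:
    """Clustering key after fuzz normalization."""
    return (normalize_text(msg["from_name"]),
            normalize_address(msg["from_addr"]),
            normalize_text(msg["subject"]))


def raw_key(msg: dict) -> tuple:
    """Naive exact-match key, the one fuzzing is designed to defeat."""
    return (msg["from_name"], msg["from_addr"], msg["subject"])


def cluster_messages(messages, key_fn=campaign_key) -> dict:
    """Group message indices by key; returns {key: [indices]}."""
    clusters = defaultdict(list)
    for idx, msg in enumerate(messages):
        clusters[key_fn(msg)].append(idx)
    return dict(clusters)


def largest_cluster(messages, key_fn=campaign_key) -> int:
    """Size of the biggest cluster, i.e. the signal a burst detector would see."""
    return max(len(members) for members in cluster_messages(messages, key_fn).values())


if __name__ == "__main__":
    print("exact-match clustering, largest cluster:", largest_cluster(SAMPLE_MESSAGES, raw_key))
    print("normalized clustering, largest cluster:", largest_cluster(SAMPLE_MESSAGES))
    for key, members in cluster_messages(SAMPLE_MESSAGES).items():
        print(len(members), key)
```

With exact matching every fuzzed variant is its own cluster of one, which is precisely the "below the threshold" effect the report describes; after normalization the three variants share one key while the legitimate message keeps its own. The length suffix matters: dropping it would also merge campaigns that merely happen to use similar templates, so it is a tunable trade-off between recall and false merges.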

Tycoon 2FA Disrupted: A Major Win Against AiTM Phishing-as-a-Service 

In a significant coordinated takedown announced on March 4, 2026, Tycoon 2FA, a prolific adversary-in-the-middle (AiTM) phishing-as-a-service platform, was disrupted by a group of public and private partners including Proofpoint, Microsoft, Europol, Cloudflare, and law enforcement across multiple countries. This resulted in the seizure of 330 Tycoon 2FA control panel domains. 

Tycoon 2FA has been sold via Telegram since 2023 and functioned primarily by harvesting Microsoft 365 and Gmail session cookies through a transparent proxy. This would allow attackers to bypass MFA entirely and achieve full account takeover. In February 2026 alone, Proofpoint observed over three million messages tied to Tycoon 2FA campaigns, targeting organizations across virtually every major vertical. 

According to Microsoft, the platform gave cybercriminals access to nearly 100,000 organizations including schools, hospitals, and government institutions. Proofpoint data shows that 59% of successfully taken-over accounts had MFA enabled at the time of compromise. Tycoon 2FA campaigns were deliberately broad and opportunistic, delivered via email links, QR codes, and attachments. Attackers would even leverage compromised accounts to lend authenticity to the lure. This "ATO Jumping" technique, where a hijacked inbox is used to distribute further phishing, made detection especially difficult for recipients. 

Why does it matter? 

This takedown is a meaningful disruption to one of the most active MFA bypass ecosystems in the threat landscape, but it shouldn't be read as a solved problem. PhaaS platforms are resilient, and operators unfortunately rebuild, rebrand, and resurface. The more important lesson here is that MFA alone is no longer a sufficient control against sophisticated AiTM-style attacks. Organizations relying on MFA as their primary identity defense need to layer in session token protections, phishing-resistant authentication methods (such as FIDO2/passkeys), and advanced email filtering capable of detecting the delivery mechanisms Tycoon 2FA relies on, such as QR codes, malicious attachments, and compromised sender accounts. 
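The session-cookie theft described above leaves a trace that identity teams can hunt for: the MFA-satisfied sign-in happens via the proxy, and the stolen token is then replayed from a different network shortly afterwards. The following is an added example (not code from the report, Proofpoint, Microsoft, or Hornetsecurity) of that detection heuristic run over constructed sign-in events. The event field names, the one-hour window and the "different ASN" test are assumptions made for this example, not any product's schema or a documented Tycoon 2FA indicator.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (not real log data). Field names are assumptions
# chosen for this example. Session "s-101" shows the AiTM replay pattern: the
# user satisfies MFA once, then the same session token is used minutes later
# from a different network. Session "s-202" is a normal session that stays on
# one network for its whole lifetime.
SAMPLE_EVENTS = [
    {"ts": "2026-02-10T09:00:00", "user": "j.doe@example.test", "session": "s-101",
     "ip": "203.0.113.10", "asn": "AS64500", "country": "DE", "mfa": True, "type": "interactive"},
    {"ts": "2026-02-10T09:07:00", "user": "j.doe@example.test", "session": "s-101",
     "ip": "198.51.100.77", "asn": "AS64511", "country": "NL", "mfa": False, "type": "non-interactive"},
    {"ts": "2026-02-10T09:30:00", "user": "j.doe@example.test", "session": "s-101",
     "ip": "198.51.100.77", "asn": "AS64511", "country": "NL", "mfa": False, "type": "non-interactive"},
    {"ts": "2026-02-10T10:00:00", "user": "a.roe@example.test", "session": "s-202",
     "ip": "192.0.2.5", "asn": "AS64500", "country": "DE", "mfa": True, "type": "interactive"},
    {"ts": "2026-02-10T10:45:00", "user": "a.roe@example.test", "session": "s-202",
     "ip": "192.0.2.5", "asn": "AS64500", "country": "DE", "mfa": False, "type": "non-interactive"},
]

# How long after the MFA-satisfied sign-in a network change is considered
# suspicious. Assumed value; tune against your own users' mobility.
WINDOW = timedelta(hours=1)


def find_session_replays(events, window=WINDOW) -> list:
    """Return one alert per session whose MFA-satisfied sign-in is followed,
    within `window`, by token use from a different ASN."""
    by_session = defaultdict(list)
    for event in events:
        by_session[event["session"]].append(event)

    alerts = []
    for session_id, session_events in by_session.items():
        session_events.sort(key=lambda e: e["ts"])
        # The anchor is the sign-in where MFA was actually completed; in an
        # AiTM flow this is the proxy's network, not the user's.
        anchor = next((e for e in session_events if e["mfa"]), None)
        if anchor is None:
            continue
        t0 = datetime.fromisoformat(anchor["ts"])
        for event in session_events:
            t = datetime.fromisoformat(event["ts"])
            if event is anchor or t < t0 or t - t0 > window:
                continue
            if event["asn"] != anchor["asn"]:
                alerts.append({
                    "session": session_id,
                    "user": event["user"],
                    "mfa_asn": anchor["asn"],
                    "mfa_country": anchor["country"],
                    "reuse_ip": event["ip"],
                    "reuse_asn": event["asn"],
                    "minutes_after_mfa": int((t - t0).total_seconds() // 60),
                })
                break  # one alert per session is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only "s-101" is flagged, seven minutes after its MFA sign-in. In production this rule needs an allowlist for known corporate egress and mobile carrier ASNs, otherwise a user moving from office Wi-Fi to a phone hotspot looks the same as a replayed token; the report's recommended continuous access evaluation and token binding address the same gap at the platform level rather than in after-the-fact log review.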

Major Incidents and Industry Events

Critical BeyondTrust Remote Support RCE Zero-Day Exploited in Ransomware Campaigns 

In early February, BeyondTrust disclosed a pre-authentication remote code execution vulnerability in its Remote Support product, tracked as CVE-2026-1731. The flaw, caused by an OS command injection weakness, allows an unauthenticated attacker to execute arbitrary commands via specially crafted client requests with no credentials required. Public proof-of-concept exploits emerged almost immediately after disclosure on February 6, and CISA confirmed active in-the-wild exploitation by February 13, adding the vulnerability to its Known Exploited Vulnerabilities catalog and giving federal agencies three days to patch or pull the product entirely. 

Why does it matter?

Remote support tooling sits at the heart of most IT operations (especially at MSPs). It often carries elevated privileges and wide network access, which makes tools of this type extraordinarily high-value targets. A pre-auth RCE in a tool of this nature effectively hands attackers a skeleton key, with no phishing, credential theft, or social engineering required, depending on application architecture. The speed at which CVE-2026-1731 moved from disclosure to active ransomware exploitation (less than two weeks) proves to the industry once again that patch windows are continuing to shrink. Organizations running self-hosted BeyondTrust deployments that didn't act within days of the advisory should treat this as a potential compromise scenario and investigate accordingly. 

VMware Aria Operations RCE Flaw (CVE-2026-22719) – CISA Adds to Known Exploited List 

Hot on the heels of BeyondTrust, another enterprise management platform landed on CISA’s radar in February. VMware’s Aria Operations platform was found to contain a command injection vulnerability tracked as CVE-2026-22719, rated with a CVSS score of 8.1 and initially disclosed by Broadcom on February 24 as part of advisory VMSA-2026-0001.

The flaw allows an unauthenticated attacker to execute arbitrary commands on vulnerable systems during the product’s support-assisted migration process. Despite being patched at disclosure, CISA moved quickly to add the vulnerability to its Known Exploited Vulnerabilities catalog, citing reports of active exploitation in the wild, and set a federal remediation deadline of March 24, 2026. Broadcom acknowledged awareness of exploitation reports but noted it could not independently confirm all claims, and provided a shell script workaround for organizations unable to immediately apply patches.

Why does it matter?

VMware Aria Operations is an enterprise-grade monitoring platform used to track the health and performance of servers, networks, and cloud infrastructure across large organizations. Again, this is the kind of visibility and access that makes it a prized target. As noted in the BeyondTrust story above, management and monitoring platforms are increasingly in attackers' crosshairs precisely because compromising them yields potentially VAST access. Two CISA-flagged, actively exploited management platform vulnerabilities in a single month is not a coincidence. It's a continued pattern where we're seeing a deliberate shift in attacker focus toward the tools defenders rely on most. Patch urgently, and if patching isn't immediately possible, apply Broadcom's provided mitigation script and restrict access to the Aria Operations interface at the network level. 

Predictions for the Coming Months

  • PhaaS Platforms Will Regroup and Resurface – The Tycoon 2FA disruption is a win, but it won’t be the last AiTM platform defenders have to contend with. Operators in this space have demonstrated a consistent ability to rebuild infrastructure, rebrand, and resume operations. Expect successor platforms or revived Tycoon 2FA infrastructure to emerge within weeks to months, likely with improved OPSEC baked in from the start. 
  • MFA Bypass Will Continue to Accelerate – With Tycoon 2FA successfully stealing session cookies from MFA-protected accounts at scale, other threat actors have a proven playbook to follow. AiTM phishing techniques will proliferate further across the PhaaS ecosystem, and organizations still treating MFA as a sufficient control should expect to be caught flat-footed. 
  • Management and Monitoring Platforms Are the New Perimeter – Two actively exploited, CISA-flagged RCE vulnerabilities in enterprise management tools in a single month signal a continuing strategic shift. Expect continued targeting of RMM tools, observability platforms, and IT management software as attackers prioritize access that multiplies their reach rather than piece-by-piece compromise. 
  • Ransomware Groups Will Chase Fast-Moving Vulnerability Windows – The BeyondTrust timeline, with ransomware exploitation following almost immediately after disclosure, confirms that threat actors are operationalizing PoC exploits faster than most organizations can patch. This gap will continue to be exploited aggressively, particularly against self-hosted enterprise tooling with large install bases and slow patch adoption curves. 
  • Email Fuzzing Will Grow More Sophisticated – As detection systems improve their behavioral and heuristic capabilities, expect threat actors to respond by making their fuzzing logic more adaptive. 
  • Supply Chain and Third-Party Access Will Remain a Primary Entry Vector – The pattern of attackers compromising trusted accounts to seed further phishing (as seen in Tycoon 2FA’s ATO Jumping technique) will expand. Expect more campaigns that weaponize legitimate sender infrastructure to bypass reputation and filtering controls. 

Monthly Recommendations

  • Harden Your Email Filtering Beyond Signatures and Reputation – Fuzzing-based evasion renders static pattern matching and reputation-based filtering significantly less effective. Invest in advanced email protection that incorporates behavioral analysis and content inspection. 
  • Move Beyond MFA — Adopt Phishing-Resistant Authentication – The Tycoon 2FA takedown confirmed what many already suspected: standard MFA is no longer a reliable last line of defense against AiTM attacks. Begin evaluating and deploying phishing-resistant authentication methods such as FIDO2 passkeys or hardware security keys, especially for privileged accounts, executives, and any role with access to sensitive cloud environments. Conditional access policies that evaluate session risk continuously are a strong complement as well. 
  • Audit and Revoke Unnecessary OAuth and Session Tokens – AiTM phishing succeeds by stealing session cookies rather than credentials, which means even recently authenticated sessions can be hijacked. Conduct a review of active OAuth grants and session token lifetimes across M365. Implement token binding where possible and configure continuous access evaluation to invalidate sessions when anomalous behavior is detected. 
  • Patch BeyondTrust Remote Support Immediately and Investigate if You Haven't – If your organization runs self-hosted BeyondTrust Remote Support instances and didn't apply the CVE-2026-1731 patch within days of the February 6 disclosure, treat your environment as potentially compromised and initiate a forensic review. 
  • Patch VMware Aria Operations and Restrict Management Interface Access – Apply Broadcom's patch for CVE-2026-22719 immediately. If immediate patching is not possible, implement Broadcom's provided shell script workaround and restrict network-level access to the Aria Operations management interface to trusted administrator IP ranges only. CISA's March 24 federal deadline should be treated as an upper bound, not a target. 

About Hornetsecurity

Hornetsecurity is a leading global provider of next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organisations of all sizes around the world. Its flagship product, 365 Total Protection, is the most comprehensive cloud security solution for Microsoft 365 on the market. Driven by innovation and cybersecurity excellence, Hornetsecurity is building a safer digital future and sustainable security cultures with its award-winning portfolio. Hornetsecurity operates in more than 120 countries through its international distribution network of 12,000+ channel partners and MSPs. Its premium services are used by more than 125,000 customers.
