
Monthly Threat Report April 2026
Credentials, Clinics, and Compromised Code
Introduction
The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on industry events from the month of March 2026.
Executive Summary
- A single stolen credential wiped approximately 80,000 devices at Stryker, courtesy of the Iran-linked Handala group abusing Microsoft Intune. The group claimed the attack reached offices across 79 countries. Device management platforms are now a tier-one attack surface.
- Medusa ransomware shut down 35 clinics and cut off EHR access for nine days at the University of Mississippi Medical Center, the state’s only Level I trauma center, reinforcing that healthcare remains a high-value target with real patient safety consequences.
- North Korea poisoned the Axios npm package, one of the most widely used JavaScript libraries in existence with over 70 million weekly downloads, in a supply chain attack with potentially enormous reach had it not been detected within three hours.
- Tax season drove over 100 distinct phishing campaigns, with attackers deploying RMM tools for persistent post-compromise access alongside traditional credential harvesting, targeting individuals and financial institutions across multiple countries simultaneously.
- Developer environments and open-source ecosystems are increasingly in the crosshairs. North Korea’s sustained npm campaign and the Axios attack together signal a deliberate and maturing strategy to compromise developers as a path to broader infrastructure access.
- SharePoint permission sprawl represents a systemic and largely invisible risk in most organizations. Nested groups, falsified permission labels, persistent anonymous sharing links, and hidden document libraries create exposure that standard auditing processes rarely catch and standard offboarding processes frequently miss.
Threat Overview
The Hidden Dangers of SharePoint Oversharing
Microsoft SharePoint sits at the center of how most organizations store, share, and collaborate on internal documents. That centrality makes it a high-value target, but the more common and underappreciated risk is not an outside attacker breaking in; it is the slow accumulation of excessive, poorly understood permissions from inside the organization over time.
Most SharePoint environments grow organically over years of day-to-day business activity. Files get shared, folders get nested, groups get created and forgotten, and guest links get generated for a one-time collaboration and never revoked. The result is a permission landscape that no administrator can fully see or confidently audit using native tooling. According to Hornetsecurity’s own research, a company with approximately 400 employees can accumulate 2 million files in SharePoint with more than 100,000 distinct access rights. At that scale, manually tracking who has access to what becomes effectively impossible.
This visibility gap creates several specific security risks that are worth understanding in detail.
Nested Groups Obscure Real Access
SharePoint does not display group membership when an administrator views a permission entry. Groups also exist in two separate locations: Microsoft Entra ID and legacy SharePoint Groups. An administrator reviewing permissions may see a group name with no practical way to determine who is actually in that group, or whether that group contains other groups that extend access further. Attackers with any level of administrative access can exploit this deliberately, burying access inside nested group structures that survive even active attempts to revoke it.
Permission Labels Can Be Falsified
SharePoint allows permission levels to be renamed independently of the actual permissions they grant. A permission level configured to give Full Control can be labeled “Read” in its display name, for example. SharePoint surfaces the label, not the underlying permissions, meaning administrators reviewing access cannot trust what they see without digging into the configuration directly.
Anonymous Sharing Links Are Persistent by Default
Microsoft 365’s default settings generate anonymous sharing links for files shared through Teams. These links persist even after an organization attempts to remove a user’s access, creating a durable and largely invisible exfiltration pathway that standard offboarding processes frequently miss.
Hidden Document Libraries Enable Quiet Data Exfiltration
Users with elevated SharePoint access can create document libraries that are invisible to other members, copy sensitive files into those libraries, and grant external guest access, enabling sustained and covert data exfiltration with no obvious audit trail.
Why It Matters
The practical consequence of these risks is that most organizations do not have an accurate picture of who can access what in their SharePoint environment at any given time. This matters for several reasons beyond compliance.
From an insider threat perspective, departing or disgruntled employees can retain access through nested group memberships or anonymous links that survive standard offboarding. M365 sign-in blocking, the most common first step in offboarding, is slow and does not immediately invalidate all access pathways. An employee who knows the environment well can exploit this window.
From an external attacker perspective, any account compromise in an environment with sprawling SharePoint permissions yields a much larger blast radius than it should. A single compromised account with permissions that nobody audited might have access to years of sensitive internal documents across multiple departments.
We recommend that organizations treat SharePoint permission hygiene as a standing security control rather than a periodic cleanup task. Auditing nested group membership, reviewing and revoking stale guest links, validating permission level configurations, and establishing policies governing how external sharing is approved and time-limited are all concrete steps that meaningfully reduce exposure without requiring a security incident to motivate action.
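Two of the blind spots above are mechanical enough to check from exported data rather than by eye: a role definition's display name is independent of the BasePermissions mask it grants, and nested groups hide which users an assignment really reaches. The following is an added example, not tooling from Hornetsecurity or Microsoft; it assumes permission data exported in the shape the SharePoint REST API returns (a role definition's mask as two 32-bit halves, High and Low, with the standard SPBasePermissions bit values), and the groups, users and role definitions are constructed.

```python
# Subset of SPBasePermissions flags (standard SharePoint bit values).
VIEW_LIST_ITEMS = 0x1
ADD_LIST_ITEMS = 0x2
EDIT_LIST_ITEMS = 0x4
DELETE_LIST_ITEMS = 0x8
MANAGE_LISTS = 0x800
MANAGE_PERMISSIONS = 0x2000000
MANAGE_WEB = 0x40000000

# The most a role with this display name should grant; anything beyond is a mislabel.
LABEL_CEILING = {
    "read": VIEW_LIST_ITEMS,
    "contribute": VIEW_LIST_ITEMS | ADD_LIST_ITEMS | EDIT_LIST_ITEMS | DELETE_LIST_ITEMS,
}
PRIVILEGED = MANAGE_LISTS | MANAGE_PERMISSIONS | MANAGE_WEB

def mask_from_rest(high, low):
    """Recombine the High/Low halves of a BasePermissions value."""
    return (high << 32) | (low & 0xFFFFFFFF)

def mislabeled_roles(role_defs):
    """Names of role definitions whose mask grants more than their label implies."""
    hits = []
    for rd in role_defs:
        mask = mask_from_rest(rd["High"], rd["Low"])
        ceiling = LABEL_CEILING.get(rd["Name"].strip().lower())
        if ceiling is not None and mask & ~ceiling:
            hits.append(rd["Name"])
    return hits

def expand_group(name, groups, path=()):
    """Yield (user, chain) for each user reachable via nested groups; `groups` maps
    a group to its direct members. Re-entering a group already on the path is a cycle."""
    if name in path:
        return
    path = path + (name,)
    for member in groups.get(name, []):
        if member in groups:
            yield from expand_group(member, groups, path)
        else:
            yield member, list(path)

def effective_access(assignments, groups, role_defs):
    """Map each user to the OR of every mask reaching them and the group chains used."""
    masks = {rd["Name"]: mask_from_rest(rd["High"], rd["Low"]) for rd in role_defs}
    access = {}
    for a in assignments:
        principal = a["Principal"]
        reached = expand_group(principal, groups) if principal in groups else [(principal, [])]
        for user, chain in reached:
            entry = access.setdefault(user, {"mask": 0, "chains": []})
            entry["mask"] |= masks[a["Role"]]
            entry["chains"].append(chain)
    return access

def privileged_users(access):
    """Users whose effective mask includes a site-management bit."""
    return sorted(u for u, e in access.items() if e["mask"] & PRIVILEGED)

# Constructed sample: a "Read" role that also grants ManageWeb, and nesting (with a
# cycle) through which a 2019 contractor group still reaches the Finance site.
SAMPLE_ROLE_DEFS = [
    {"Name": "Read", "High": 0, "Low": VIEW_LIST_ITEMS | MANAGE_WEB},
    {"Name": "Contribute", "High": 0, "Low": 0xF},
]
SAMPLE_GROUPS = {
    "Finance-All": ["alice@contoso.example", "Finance-Leads"],
    "Finance-Leads": ["bob@contoso.example", "Contractors-2019"],
    "Contractors-2019": ["carol@contoso.example", "Finance-All"],
}
SAMPLE_ASSIGNMENTS = [
    {"Principal": "Finance-All", "Role": "Read"},
    {"Principal": "dave@contoso.example", "Role": "Contribute"},
]
```

Running `mislabeled_roles` and `effective_access` over the sample shows "Read" flagged as a mislabel and carol reaching the site with ManageWeb through three nested groups, the kind of path a direct permission view never displays.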
Tax Season Brings a Surge in Phishing Campaigns Targeting Taxpayers and Financial Institutions
Every year as tax season arrives, threat actors reliably exploit the combination of financial stress, deadline urgency, and the volume of sensitive communications flowing between individuals, employers, and government agencies. March 2026 was no exception. Proofpoint’s threat research team documented over 100 distinct tax-themed phishing campaigns active in early 2026, representing a meaningful escalation in both volume and variety compared to prior tax seasons.
The campaigns broke down along two broad lines. The first category impersonated tax authorities, most commonly the IRS, using lures referencing expired tax documents, pending refunds, or required account verification. These campaigns aimed to harvest credentials or install remote monitoring and management (RMM) tools such as Datto, N-Able, RemotePC, and ScreenConnect, giving attackers persistent footholds on victim machines well beyond the initial interaction. The second category targeted financial institutions directly, using credential phishing kits against customers of banks and financial services providers across multiple countries, with Canada, Australia, Singapore, Switzerland, and Japan among the most frequently targeted.
Proofpoint’s research also identified threat actors delivering information stealer malware through tax-themed lures, indicating that some operators are less interested in account access and more focused on bulk credential and session token harvesting for downstream sale or use.
Why It Matters
Tax season phishing is not new, but the scale and sophistication documented this year warrant attention for a few reasons.
The use of RMM tools as a post-compromise payload is a notable shift from the credential-harvesting-only approach that has historically dominated tax lure campaigns. RMM tools are legitimate software, which means endpoint detection tools often do not flag them, and once installed they provide attackers with persistent, on-demand remote access that can be revisited long after the original campaign ends. An organization whose employee installs an attacker-controlled RMM instance in late March may not discover the access problem until months later.
The geographic breadth of financial institution targeting is also worth noting. These campaigns are not narrowly focused on a single market. Attackers are running parallel operations across multiple regions simultaneously, adjusting lures and phishing kits to match local institutions and filing periods. Organizations operating across multiple countries should ensure their security awareness training addresses region-specific lure variations, not just IRS-branded content.
At the user level, the guidance is straightforward: tax authorities and financial institutions do not initiate contact via unsolicited email links or attachments. Any communication claiming urgency around a tax filing, refund, or account verification should be treated with skepticism and verified through official channels directly.
Major Incidents and Industry Events
Iran-Linked Handala Group Destroys Approximately 80,000 Devices at Stryker Using Microsoft Intune
In mid-March, a destructive cyberattack against medical technology giant Stryker demonstrated how dramatically the risk calculus around device management platforms has shifted. The Iran-linked hacktivist group Handala, attributed to Iran’s Ministry of Intelligence and Security (MOIS) and tracked by security researchers as Void Manticore, compromised a single Stryker administrator account and used it to issue a mass remote-wipe command through Microsoft Intune, destroying operating system installations across the company. Security researchers verified approximately 80,000 Windows devices were wiped, while Handala claimed the attack affected more than 200,000 systems across 79 countries, a figure that has not been independently confirmed. Stryker confirmed the attack was contained and that restoration efforts were underway. No malware was involved. A single stolen credential was the entire attack vector.
CISA responded within days, issuing guidance urging organizations to review and harden their Microsoft Intune environments, treating the event as a wake-up call for how cloud-based device management infrastructure can be turned against the organizations that depend on it. Krebs on Security also covered the attack in depth, including details on the group’s attribution and broader targeting patterns.
Why It Matters
The Stryker attack is a textbook example of a capability that exists in virtually every modern enterprise being weaponized with devastating efficiency. Microsoft Intune is broadly deployed precisely because it centralizes device management, streamlines policy enforcement, and simplifies remote administration at scale. Those same properties mean a single compromised privileged account can translate directly into an enterprise-wide wipe with no additional tooling, no lateral movement through internal networks, and no malware for endpoint detection to catch.
Several things make this attack pattern particularly concerning:
- The attacker didn’t need to be sophisticated. No zero-day, no advanced implant, no months-long dwell time. From what is known, one stolen credential was sufficient to cause massive operational disruption across a global organization.
- Device management platforms are not typically treated as a tier-one attack surface. Many organizations invest heavily in hardening identity, endpoints, and perimeter controls, while the management planes sitting above those endpoints receive comparatively less scrutiny.
- Destructive attacks are increasing. This case fits a broader operational pattern of Iran-nexus actors prioritizing operational disruption and destruction rather than quiet, persistent access. When the goal is damage rather than intelligence collection, speed and destructive reach matter more than stealth.
For any organization running Microsoft Intune, Microsoft Endpoint Configuration Manager, or comparable mobile device management (MDM) platforms, this incident should prompt an immediate review of who holds administrative access, whether those accounts are protected with phishing-resistant multi-factor authentication (MFA), and whether device wipe commands require additional out-of-band authorization before execution. The blast radius of a compromised MDM administrator account is no longer theoretical.
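Because the Stryker wipe involved no malware, the detectable signal was a burst of destructive management actions from one administrator account rather than a new binary. The following detection logic is an added example, not from the report, Microsoft or CISA guidance; it assumes audit events shaped like Microsoft Graph's deviceManagement auditEvent (actor.userPrincipalName, activityType, activityDateTime, resources), and the activityType strings, accounts and events below are constructed, not captured data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: destructive actions are recognised by these words in activityType.
DESTRUCTIVE = ("wipe", "retire")
WINDOW = timedelta(minutes=10)   # sliding window per actor
THRESHOLD = 5                    # devices hit inside one window before alerting

def is_destructive(event):
    return any(word in event["activityType"].lower() for word in DESTRUCTIVE)

def parse_time(stamp):
    # Graph emits ISO 8601 with a trailing Z; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def device_count(event):
    """A bulk action lists several devices in one event; count each of them."""
    return len(event.get("resources", [])) or 1

def wipe_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return {actor: (devices_in_worst_window, window_start)} for actors over threshold."""
    per_actor = defaultdict(list)
    for ev in events:
        if is_destructive(ev):
            stamp = parse_time(ev["activityDateTime"])
            per_actor[ev["actor"]["userPrincipalName"]].append((stamp, device_count(ev)))
    alerts = {}
    for actor, hits in per_actor.items():
        hits.sort()
        start, running, worst = 0, 0, (0, None)
        for t, n in hits:
            running += n
            while hits[start][0] < t - window:   # drop hits that fell out of the window
                running -= hits[start][1]
                start += 1
            if running > worst[0]:
                worst = (running, hits[start][0])
        if worst[0] >= threshold:
            alerts[actor] = worst
    return alerts

def _ev(actor, activity, stamp, devices):
    """Build one constructed event in the shape of a Graph deviceManagement auditEvent."""
    return {"actor": {"userPrincipalName": actor}, "activityType": activity,
            "activityDateTime": stamp,
            "resources": [{"displayName": d, "type": "ManagedDevice"} for d in devices]}

# Constructed sample: one admin wipes six devices in five minutes (one bulk action);
# a helpdesk account does two routine, hours-apart actions; a sync is ignored.
SAMPLE_EVENTS = [
    _ev("itadmin@contoso.example", "wipe ManagedDevice", "2026-03-12T09:00:00Z", ["dev-01"]),
    _ev("itadmin@contoso.example", "wipe ManagedDevice", "2026-03-12T09:02:00Z", ["dev-02"]),
    _ev("helpdesk@contoso.example", "wipe ManagedDevice", "2026-03-12T08:00:00Z", ["dev-90"]),
    _ev("itadmin@contoso.example", "syncDevice ManagedDevice", "2026-03-12T09:03:00Z", ["dev-03"]),
    _ev("itadmin@contoso.example", "bulk wipe ManagedDevice", "2026-03-12T09:05:00Z",
        ["dev-04", "dev-05", "dev-06", "dev-07"]),
    _ev("helpdesk@contoso.example", "retire ManagedDevice", "2026-03-12T14:30:00Z", ["dev-91"]),
]

if __name__ == "__main__":
    for actor, (count, since) in wipe_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {actor}: {count} devices wiped/retired within {WINDOW} of {since}")
```

Tune WINDOW and THRESHOLD to your normal retirement cadence; the point is that any legitimate bulk wipe should coincide with a change record and out-of-band approval, so an alert without one is the investigation trigger.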
Medusa Ransomware Cripples University of Mississippi Medical Center
In late February, the Medusa ransomware gang compromised the University of Mississippi Medical Center (UMMC), the state’s only Level I trauma center and its only children’s hospital, serving approximately 10,000 employees and a patient population spanning the entire state. The attack forced UMMC to shut down 35 clinics, suspend elective surgeries, and lose access to its Epic electronic health records (EHR) system for nine days. By March 12, Medusa posted UMMC to its dark web leak site, claiming a large amount of exfiltrated data including patient health information, and set an $800,000 ransom deadline of March 20.
The group simultaneously claimed Passaic County, New Jersey, in the same posting period, indicating continued parallel targeting across healthcare and government sectors.
Why It Matters
This attack is another concrete case illustrating the patient safety implications that ransomware carries in healthcare environments. Loss of EHR access doesn’t just create administrative inconvenience; it disrupts care workflows, forces clinicians back to paper processes, and can directly affect treatment decisions. At a Level I trauma center, those delays carry serious consequences.
Medusa has been among the more active ransomware operations in recent months, and its continued focus on healthcare and public-sector targets follows a calculated logic. These organizations often operate with constrained IT security budgets, face enormous pressure to restore operations quickly, and handle data sensitive enough to create strong leverage for extortion. They are, in the language of ransomware economics, high-pressure targets.
A few takeaways are worth underscoring:
- Ransomware groups are not deterred by the humanitarian nature of their targets. Healthcare organizations should not assume that their mission provides any protection. The Medusa operation has demonstrated repeatedly that hospitals, trauma centers, and government services are viewed as productive targets, not off-limits ones.
- EHR platform resilience deserves specific attention. Epic and comparable enterprise clinical systems represent single points of failure for clinical operations. Incident response plans should explicitly address EHR unavailability scenarios, including tested offline workflows.
- Exfiltration now precedes encryption as standard practice. By the time encryption is deployed, data has typically already left the environment. The threat of public data exposure means that restoring from backups, while critical, no longer resolves the full scope of a ransomware incident.
Organizations in healthcare and public services should treat Medusa’s continued activity as a standing threat, not a one-off event.
North Korea Poisons the Axios npm Package in Brazen Supply Chain Attack
On March 31, two malicious versions of the Axios npm package were published to the npm registry by North Korean threat actors. Axios is one of the most widely used JavaScript HTTP client libraries in existence, with over 70 million weekly downloads. The malicious versions (1.14.1 and 0.30.4) contained an injected dependency, “plain-crypto-js,” that downloaded remote access trojan (RAT) payloads from North Korean command-and-control infrastructure. The packages were live for approximately three hours before detection and removal.
Microsoft attributed the attack to Sapphire Sleet, while Google Threat Intelligence independently attributed it to UNC1069. Both groups are assessed as North Korea-nexus threat actors. The fact that two major threat intelligence organizations reached independent, consistent conclusions on attribution gives this assessment a higher degree of confidence than single-source attributions typically carry.
Why It Matters
Supply chain attacks targeting the npm ecosystem are not new, but the choice of Axios as a target is a meaningful escalation. Most malicious package campaigns target obscure or lookalike packages with limited reach and rely on developers accidentally downloading them. Targeting a package with Axios’s install base is a different proposition entirely. If the malicious versions had remained live longer, or if detection had been slower, the potential scope of compromise across cloud, enterprise, and developer environments would have been enormous.
This attack also connects to a broader and sustained North Korean campaign against software developers. As we noted in the previous edition of this report, North Korean actors have been running the “Contagious Interview” campaign for some time, publishing malicious npm packages designed to target crypto, Web3, and AI developers through fake recruiter outreach. The Axios attack follows the same general tradecraft but with a dramatically larger potential blast radius. Rather than hoping developers accidentally install a fake package, these actors found a way into a package developers already trust and use by default.
Several implications deserve direct attention:
- Package integrity verification is no longer optional. Organizations consuming open-source dependencies at scale should be running software composition analysis (SCA) tooling and monitoring for unexpected dependency changes in packages they rely on. The three-hour window in which these malicious Axios versions were live is far too narrow for manual detection.
- North Korean supply chain operations are maturing. The Contagious Interview campaign demonstrated patience and scale. The Axios attack demonstrates willingness to target central infrastructure rather than just peripheral targets. The combination points to a threat actor that is growing more capable and more aggressive in targeting developer ecosystems.
- The developer workstation is a high-value target. Attackers who compromise a developer’s environment gain access to source code, credentials, cloud API tokens, and in many cases direct deployment access. The downstream exposure from a single compromised developer can extend well beyond the individual.
We strongly recommend reviewing npm package integrity tooling, evaluating lockfile hygiene across active projects, and ensuring that any environment consuming the Axios package has verified it is running a clean, uncompromised version.
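One concrete form of the lockfile hygiene recommended above is comparing the lockfile a pipeline is about to install against the last reviewed one. The script below is an added example, not tooling from the report or from the Axios project; it assumes npm's lockfileVersion 2 or 3 layout, where `packages` is keyed by install path, and the two lockfiles, their hash values and the version of `plain-crypto-js` are constructed, while the two Axios versions and the injected dependency name come from the text.

```python
import copy
import json
import sys

# Versions the report names as malicious (in practice, a deny-list you maintain).
DENY = {"axios": {"1.14.1", "0.30.4"}}

def installed(lock):
    """Map install path -> entry for lockfileVersion 2/3 files ("" is the root project)."""
    return {p: e for p, e in lock.get("packages", {}).items() if p}

def package_name(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b'."""
    return path.rsplit("node_modules/", 1)[-1]

def audit_lockfile(current, baseline):
    """Return (path, reason) findings for the current lockfile against a reviewed baseline."""
    cur, base = installed(current), installed(baseline)
    findings = []
    for path, entry in cur.items():
        name, version = package_name(path), entry.get("version", "")
        if version in DENY.get(name, ()):
            findings.append((path, f"known-malicious version {version}"))
        if path not in base:
            findings.append((path, "not present in baseline lockfile"))
        elif base[path].get("version") != version:
            findings.append((path, f"version changed {base[path].get('version')} -> {version}"))
        if not entry.get("link") and "integrity" not in entry:
            findings.append((path, "no integrity hash"))
    return findings

# Constructed baseline: the reviewed lockfile before the dependency bump.
BASELINE = {"name": "app", "lockfileVersion": 3, "packages": {
    "": {"name": "app", "dependencies": {"axios": "^1.7.0"}},
    "node_modules/axios": {"version": "1.7.9",
                           "integrity": "sha512-CONSTRUCTED-BASELINE-HASH",
                           "dependencies": {"follow-redirects": "^1.15.6"}},
    "node_modules/follow-redirects": {"version": "1.15.6",
                                      "integrity": "sha512-CONSTRUCTED-HASH"},
}}
# Constructed current lockfile: axios moved to a listed version and pulled in
# "plain-crypto-js", whose entry carries no integrity hash.
CURRENT = copy.deepcopy(BASELINE)
CURRENT["packages"]["node_modules/axios"].update({
    "version": "1.14.1", "integrity": "sha512-CONSTRUCTED-NEW-HASH",
    "dependencies": {"follow-redirects": "^1.15.6", "plain-crypto-js": "*"}})
CURRENT["packages"]["node_modules/plain-crypto-js"] = {"version": "1.0.0"}  # constructed

if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: audit.py <current package-lock.json> <baseline lockfile>
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            cur, base = json.load(f), json.load(g)
    else:
        cur, base = CURRENT, BASELINE
    for path, reason in audit_lockfile(cur, base):
        print(f"{path}: {reason}")
```

A version change by itself is routine; the combination of a deny-listed version, a dependency that was never in the baseline, and a missing integrity field is what should fail the build.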
Predictions for the Coming Months
- MDM and device management platforms will attract increased attacker attention. The Stryker incident demonstrated the devastating reach of a single compromised Intune administrator account. Expect threat actors, particularly those with destructive intent, to probe MDM environments more deliberately as this attack pattern becomes better understood and replicated across the threat actor community.
- Iran-nexus destructive operations will continue to escalate. Handala’s Stryker attack fits a broader pattern of Iran-aligned actors prioritizing disruption over stealth. As geopolitical tensions remain elevated, we expect continued destructive campaigns against Western organizations, with device management platforms, cloud infrastructure, and operational technology as likely target categories.
- Healthcare will remain a primary ransomware target. Medusa’s attack on UMMC is consistent with a sustained industry-wide pattern. The combination of constrained security budgets, pressure to restore operations quickly, and highly sensitive patient data makes healthcare organizations reliable targets. Ransomware groups are not changing their calculus here.
- North Korean supply chain operations will grow more ambitious. The progression from the Contagious Interview campaign to the Axios attack shows a threat actor steadily increasing both the scale and the centrality of its supply chain targets. Future attacks targeting foundational open-source packages, CI/CD tooling, or developer credential stores are a logical next step.
- Tax-themed lure campaigns will taper but RMM-based persistence will linger. As filing deadlines pass, the volume of tax-themed phishing will decline. However, organizations where employees interacted with RMM-delivering campaigns during peak season may still be harboring undetected persistent access. A post-tax-season sweep of endpoint tooling and remote access software is warranted.
- SaaS and cloud management planes will see continued targeting. Across this month’s incidents, a common thread is attackers going after the tools that manage and orchestrate other systems rather than attacking individual endpoints directly. MDM platforms, npm registries, and cloud credential stores all fit this pattern. Expect this focus to intensify.
Monthly Recommendations
- Audit MDM administrator access immediately. Review who holds administrative roles in Microsoft Intune, Microsoft Endpoint Configuration Manager, or any comparable MDM platform. Confirm those accounts are protected with phishing-resistant MFA, apply least-privilege principles to limit who can issue bulk wipe commands, and consider requiring out-of-band authorization for destructive actions. The Stryker attack required no malware and no lateral movement. Credential hygiene for MDM admins is now a critical control.
- Treat EHR unavailability as a defined incident scenario. Healthcare organizations should ensure their incident response plans explicitly address scenarios where clinical platforms like Epic are inaccessible. Offline workflows should be documented, tested, and known to clinical staff before they are needed under pressure.
- Run a post-tax-season RMM sweep. If your organization did not block RMM tool installation via endpoint controls during tax season, audit endpoints now for unauthorized instances of tools like ScreenConnect, RemotePC, N-Able, or Datto RMM. Attacker-installed RMM access is silent, persistent, and will not expire on its own.
- Implement software composition analysis (SCA) tooling across development pipelines. The three-hour window of the Axios attack is too short for manual detection. Automated SCA tooling that monitors for unexpected dependency additions or package version anomalies is the appropriate control. Pair this with lockfile hygiene practices and integrity verification for critical packages.
- Extend security awareness training to cover tax-season phishing patterns. Ensure end users understand that tax authorities and financial institutions do not initiate contact through unsolicited emails containing links or attachments. Training should address both IRS-branded lures and institution-specific phishing targeting employees’ personal financial accounts, since both have been active this season.
- Harden privileged cloud identities across all management platforms. The Stryker attack, the ongoing North Korean developer targeting, and the broader pattern of management plane attacks all trace back to credential compromise as the entry point. Enforce phishing-resistant MFA for all cloud administrative roles, audit OAuth grants and service account permissions, and monitor for anomalous administrative actions as a standing control, not a reactive one.
About Hornetsecurity
Hornetsecurity is a leading global provider of next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organisations of all sizes around the world. Its flagship product, 365 Total Protection, is the most comprehensive cloud security solution for Microsoft 365 on the market. Driven by innovation and cybersecurity excellence, Hornetsecurity is building a safer digital future and sustainable security cultures with its award-winning portfolio. Hornetsecurity operates in more than 120 countries through its international distribution network of 12,000+ channel partners and MSPs. Its premium services are used by more than 125,000 customers.