
Monthly Threat Report June 2026
Device Codes, Discovered Flaws, and Domain Takeovers
Introduction
The Monthly Threat Report from Hornetsecurity by Proofpoint brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on industry events from the month of May 2026. As a news and commentary edition, this month’s report prioritizes depth on emerging threats and industry research over statistical data sections.
Executive Summary
- Our Threat Intelligence Lab documented an active campaign using the Kali365 Phishing-as-a-Service (PhaaS) kit to hijack Microsoft 365 sessions through device code phishing, abusing Microsoft’s legitimate OAuth 2.0 device authorization flow to capture access and refresh tokens. The FBI issued a Public Service Announcement on the same toolkit on May 21.
- Anthropic disclosed initial results from Project Glasswing, in which its restricted Claude Mythos model and roughly 50 partner organizations identified more than 10,000 high or critical severity vulnerabilities across critical software, including over 23,000 potential flaws across 1,000 open-source projects, at a 90.6% true-positive rate on independently sampled findings.
- CVE-2026-41089, a critical Windows Netlogon remote code execution vulnerability with a CVSS score of 9.8, is now under active exploitation in the wild. Microsoft patched the flaw in the May 12 Patch Tuesday release. The vulnerability requires no authentication and allows complete domain controller compromise.
- NYC Health + Hospitals confirmed that a breach disclosed earlier this year affected at least 1.8 million patients, employees, and job applicants, with stolen data including medical records, Social Security numbers, financial credentials, geolocation, and fingerprint and palm-print biometrics. The intrusion was traced to a third-party vendor compromise.
- Foxconn confirmed a cyberattack on its North American operations on May 12, with the Nitrogen ransomware group claiming to have stolen approximately 8 terabytes of data totaling more than 11 million files. AppleInsider later confirmed that Apple server schematics appeared in the stolen dataset.
- Device code abuse, AI-accelerated vulnerability discovery, and third-party vendor exposure represent three converging trends that organizations should prepare for over the second half of 2026. Each shifts the calculus of where to invest in detection, patching velocity, and identity controls.
Threat Overview
Kali365: Device Code Phishing Reaches Production Scale Through PhaaS
Our Threat Intelligence Lab documented an active campaign in early June leveraging the Kali365 Phishing-as-a-Service kit, building on a wave of activity that intensified through May. Our full technical breakdown is available on the Hornetsecurity blog. On May 21, the FBI’s Internet Crime Complaint Center (IC3) issued a Public Service Announcement on Kali365, describing it as an emerging PhaaS platform that gives even low-skilled operators access to advanced phishing capabilities. Bleeping Computer and Infosecurity Magazine independently covered the FBI advisory.
Kali365 sells access through Telegram channels for approximately $250 per month or $2,000 per year. The toolkit bundles AI-generated phishing lures, campaign templates, real-time victim-tracking dashboards, and the central capability that distinguishes it from credential-harvesting phishing: OAuth token capture via device code flow abuse.
How Device Code Phishing Works
Device code authentication is a legitimate Microsoft OAuth 2.0 flow originally designed for input-constrained devices such as smart TVs, conference room hardware, and IoT systems. In the legitimate flow, a device that cannot easily accept credentials displays a short verification code, and the user visits Microsoft’s sign-in portal on a separate device to enter that code and complete authentication. Microsoft then issues access and refresh tokens to the requesting device.
Device code phishing inverts the trust model. The attacker initiates the device code flow from infrastructure they control, then convinces the victim to enter the attacker’s code on Microsoft’s genuine sign-in page. The victim authenticates against real Microsoft infrastructure, satisfies any MFA challenges, and unknowingly authorizes Microsoft to issue tokens to the attacker’s session. No credentials are intercepted. No fake login page is displayed. The deception happens before authentication, not during it.
The Observed Campaign
The campaign our Threat Intelligence Lab analyzed opens with a payment-themed lure. The observed sample carried the subject line “EFT Payment in Progress” and used remittance language designed to land naturally with finance and accounting staff. The email avoided overt urgency tactics, instead presenting a routine business workflow centered on a “SEE REMITTANCE DETAILS” call to action.
From that initial deception, the chain proceeds through several stages designed to defeat both automated analysis and human suspicion:
Stage 1: The link in the email points to a legitimate third-party SaaS platform (mixpanel[.]com in the observed sample), where a hosted page presents what appears to be a scanned document interface with professional branding.
Stage 2: A Cloudflare-style interstitial verification page introduces friction that filters out some automated security crawlers and reinforces the impression of legitimate hosting.
Stage 3: The victim lands on the Kali365 page itself, a Microsoft-themed secure-document interface displaying Outlook-style branding, message encryption language, and a short device code. The page instructs the victim to open Microsoft’s sign-in portal, enter the displayed code, authenticate, and then return.
Stage 4: The victim visits microsoft.com/devicelogin, enters the code, completes authentication including any MFA prompts, and sees a confirmation referencing “Microsoft Authentication Broker on another device.” At that moment, valid OAuth tokens are issued to the attacker’s session, not the victim’s browser.
A second variant observed on June 2 shifted the lure theme from EFT payment to “urgent proposal review” while maintaining an identical technical chain, indicating active operational adaptation.
Indicators of Compromise (IOCs)
First-stage lure hosts:
- hxxps://mixpanel[.]com/public/5TwfnfSBNLp72xaBMcuEwT
- hxxps://biovelt[.]com/@trianzprop
Second-stage phishing pages:
- hxxps://6civt6gowo[.]clearprocesses[.]de/l/375eYPgUe-4
- hxxps://l2k9vlvw7p[.]brinautomotivekow[.]sbs/l/fjOZveI_IVw
Associated IP:
- 104.21.28[.]254
Why It Matters
Device code phishing reframes a foundational assumption in user awareness training. For years we have trained users to inspect URLs and look for fake login pages. In a device code attack, no fake login page exists. The victim authenticates against genuine Microsoft infrastructure, on a real Microsoft domain, completing real MFA. Conventional indicators of compromise that users have been taught to recognize are absent.
This shifts the suspicious moment earlier in the chain. The red flag is not the login page itself but the instruction to enter a short code retrieved from an email or document workflow. Microsoft and the FBI both note that device code flow is rarely used in normal business workflows but is increasingly common in phishing operations. That asymmetry makes a unilateral block on device code authentication, gated through Conditional Access policies after an audit of legitimate use cases, one of the most effective controls available.
The PhaaS distribution model also matters. Kali365 is not a bespoke threat that requires nation-state tradecraft. At $250 per month, the kit is accessible to a broad operator base, and the toolkit’s automation lowers the technical barrier to running campaigns at scale. We should expect continued growth in device code abuse through the remainder of 2026.
We recommend treating device code flow as a controlled, audited authentication path rather than a default-enabled one. Conditional Access policies that restrict device code authentication to known device categories, combined with user training that specifically covers code-entry deception, materially reduce exposure to this technique.
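As an added example (not Hornetsecurity's code or part of the Kali365 analysis), the script below applies the audit-then-gate approach described above to Entra ID sign-in log records: every device code sign-in is surfaced, and those from accounts outside the audited allow-list or from outside corporate networks are ranked highest. It assumes the records follow the Microsoft Graph signIn schema, where `authenticationProtocol` reports `deviceCode` for this flow; the sample records, allow-list and network ranges are constructed.

```python
import ipaddress
import json
from dataclasses import dataclass, field

# Constructed sample records in (abridged) Microsoft Graph signIn shape, one per line.
SAMPLE_SIGNINS = """
{"id":"e1","userPrincipalName":"ap@example.com","appDisplayName":"Microsoft Authentication Broker","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.7","conditionalAccessStatus":"notApplied","createdDateTime":"2026-06-02T09:14:00Z"}
{"id":"e2","userPrincipalName":"ap@example.com","appDisplayName":"Office 365 Exchange Online","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.12","conditionalAccessStatus":"success","createdDateTime":"2026-06-02T09:10:00Z"}
{"id":"e3","userPrincipalName":"room-tv@example.com","appDisplayName":"Microsoft Teams","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.40","conditionalAccessStatus":"success","createdDateTime":"2026-06-02T08:00:00Z"}
"""

# Result of the audit of legitimate device code users (constructed allow-list,
# e.g. conference-room hardware that genuinely cannot take credentials).
APPROVED_DEVICE_CODE_USERS = {"room-tv@example.com"}
# Corporate egress ranges (constructed). In a device code attack the tokens go to
# whoever requested the code, so the requester's IP is the one that matters.
CORPORATE_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass
class Finding:
    event_id: str
    user: str
    severity: str                 # "high" or "review"
    reasons: list = field(default_factory=list)


def parse_signins(text):
    """Parse JSON Lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_corporate_ip(ip):
    """True when the address falls inside a known corporate egress range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CORPORATE_NETWORKS)


def assess(event):
    """Return a Finding for a device code sign-in, or None for any other protocol."""
    if event.get("authenticationProtocol") != "deviceCode":
        return None
    user = event.get("userPrincipalName", "")
    unapproved = user not in APPROVED_DEVICE_CODE_USERS
    offsite = not is_corporate_ip(event.get("ipAddress", ""))
    reasons = []
    if unapproved:
        reasons.append("user not in audited device-code allow-list")
    if offsite:
        reasons.append("code requested from outside corporate networks")
    if event.get("appDisplayName") == "Microsoft Authentication Broker":
        reasons.append("broker app, matching the confirmation the victim sees")
    if event.get("conditionalAccessStatus") == "notApplied":
        reasons.append("no Conditional Access policy gated the flow")
    # Allow-listed users on corporate networks are still listed, for periodic review.
    severity = "high" if (unapproved or offsite) else "review"
    return Finding(event["id"], user, severity, reasons)


def find_device_code_signins(text):
    """Assess every record and return findings with 'high' severity first."""
    findings = [f for f in map(assess, parse_signins(text)) if f is not None]
    findings.sort(key=lambda f: (f.severity != "high", f.event_id))
    return findings


if __name__ == "__main__":
    for f in find_device_code_signins(SAMPLE_SIGNINS):
        print(f"[{f.severity}] {f.event_id} {f.user}: " + "; ".join(f.reasons))
```

Running it against a real export, every "high" hit is a candidate for token revocation, and any "review" hit that is not on the audited list is a gap in the Conditional Access policy.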
Major Incidents and Industry Events
Anthropic’s Project Glasswing Surfaces 10,000+ Critical Vulnerabilities, and a Patching Bottleneck
On May 22, Anthropic published an initial update on Project Glasswing, the company’s restricted cybersecurity research program that gives roughly 50 vetted partner organizations controlled access to Claude Mythos Preview, an AI model purpose-built for vulnerability discovery and exploit construction. Partners include AWS, Apple, Cisco, Cloudflare, CrowdStrike, Google, JPMorgan Chase, Microsoft, Mozilla, and NVIDIA, among others. Bleeping Computer and The Hacker News both covered the release.
The headline numbers are striking. In the first month of partner deployment, Mythos identified more than 10,000 high or critical severity vulnerabilities across the most systemically important software in use today. In a complementary open-source scanning effort across more than 1,000 projects, Mythos flagged 23,019 potential vulnerabilities, of which roughly 6,202 were estimated to be high or critical severity. Six independent security research firms sampled 1,752 of those findings to assess validity. The true-positive rate came back at 90.6%, with 62.4% of confirmed valid findings landing in the high or critical severity tier. Anthropic projects approximately 3,900 high or critical severity bugs across the open-source scanned set.
Several specific findings stand out. Mythos identified CVE-2026-5194, a critical flaw in WolfSSL with a CVSS score of 9.1 that allows certificate forgery, enabling an attacker to impersonate legitimate services. Mythos also surfaced a 16-year-old FFmpeg vulnerability, a FreeBSD NFS remote code execution flaw assigned CVE-2026-4747, and multiple Linux kernel privilege escalation chains.
Partner outcomes are the most revealing data point in the disclosure. Mozilla used Mythos to identify and patch 271 Firefox vulnerabilities in a single release (Firefox 150), reportedly more than ten times what its team had been able to surface using prior model generations. Cloudflare identified roughly 2,000 bugs across its infrastructure, with 400 rated high or critical severity, and reported false-positive rates lower than those of human testers. Palo Alto Networks released approximately five times its usual patch volume during the same period.
The less encouraging finding is the patching bottleneck. Anthropic disclosed 530 high or critical severity bugs to open-source maintainers; 75 have been patched and 65 have received public advisories. Across the broader scanned set, less than one percent of the vulnerabilities Mythos identified have been patched. The bottleneck has moved from discovery to remediation.
Why It Matters
Project Glasswing is the most concrete public evidence to date that AI-driven vulnerability discovery has reached a productive operational tier. The 90.6% true-positive rate against independent expert review is meaningful: a finding rate at that quality level, combined with the volume Mythos produces, exceeds what most security teams can review and remediate on conventional cadences. The fact that Mozilla patched 271 vulnerabilities in one Firefox release because Mythos surfaced them in a tractable form is a glimpse of what a productive defender-side AI tool looks like in practice.
The same technology is the most important variable on the offensive side of the equation. If Mythos-class capabilities reach a broader operator pool, either through public availability, model exfiltration, or independent replication, the vulnerability discovery rate available to attackers rises sharply. Organizations should not assume the current latency between vulnerability disclosure and weaponization will hold. Patching velocity, particularly for open-source components in third-party software, is the variable most likely to determine exposure outcomes over the next twelve months.
The patching bottleneck is its own concern. A pipeline that produces ten times the findings of prior tools but is still bound by human-mediated patch review, testing, and deployment cycles will result in growing public backlogs of unfixed flaws. We expect this gap to drive renewed organizational focus on Software Bill of Materials (SBOM) hygiene, automated dependency management, and prioritized patching workflows over the second half of the year.
CVE-2026-41089: Windows Netlogon RCE Under Active Exploitation
Microsoft patched CVE-2026-41089 in the May 12 Patch Tuesday release as one of 118 vulnerabilities addressed that month, with 17 rated critical. The flaw is a stack-based buffer overflow in the Windows Netlogon RPC interface that allows an unauthenticated remote attacker to send a specially crafted network request to a Windows server acting as a domain controller and execute code with SYSTEM-level privileges. Microsoft assigned a CVSS score of 9.8. No user interaction is required and no prior authentication is needed.
On June 1, Belgium’s Centre for Cybersecurity Belgium (CCB) confirmed active exploitation based on information from trusted partners. Bleeping Computer independently reported the active exploitation on the same day, and SecurityWeek published a separate confirmation. Microsoft updated its advisory accordingly, urging immediate patching of unpatched systems. All currently supported Windows Server versions are affected, including Windows Server 2025.
No specific threat actor attribution has been published as of this writing.
Why It Matters
Domain controllers are the highest-value targets in a Windows environment. Code execution at SYSTEM level on a domain controller is functionally equivalent to full directory takeover, and from there, the attacker controls authentication for the entire domain. An unauthenticated, no-user-interaction RCE that achieves this directly is the type of vulnerability that defines incident response calendars for months afterward.
Organizations should treat CVE-2026-41089 as a top-priority patching item and verify completion across the entire domain controller fleet, not just a sample. For environments where immediate patching is not possible, network segmentation that restricts Netlogon RPC traffic to known administrative paths reduces but does not eliminate exposure.
NYC Health + Hospitals Breach Confirmed at 1.8 Million Affected, Including Biometric Data
On May 18, NYC Health + Hospitals confirmed that a previously disclosed cyberattack exposed personal, medical, financial, and biometric data belonging to at least 1.8 million patients, employees, and job applicants. TechCrunch first reported the updated scope, and the HIPAA Journal independently confirmed the affected population. NYC Health + Hospitals’ own notice of data breach was posted on its website and began arriving in affected individuals’ mailboxes in late March.
The timeline matters. NYC Health + Hospitals discovered suspicious activity on February 2, 2026. The subsequent investigation determined that an unauthorized actor accessed certain systems between approximately November 25, 2025 and February 11, 2026, with the attacker present in the environment for roughly two and a half months before detection. The organization stated that the unauthorized actor “may have gained access to NYC Health + Hospitals systems due to a security breach at a third-party vendor.” The vendor has not been publicly named.
The data categories compromised are unusually broad. According to NYC Health + Hospitals’ own disclosure, the exposed information includes health insurance details, medical records (diagnoses, medications, test results, images, treatment plans), Social Security numbers, driver’s licenses, government identifiers, tax identifiers, financial account information and credentials, online account credentials, precise geolocation data, and biometric data including fingerprints and palm prints. NYC Health + Hospitals is offering 24 months of identity theft prevention and credit monitoring services through Kroll Information Assurance to workforce members and patients since 2020. A class action lawsuit has already been filed.
Why It Matters
Healthcare breaches are not new, but two characteristics of this incident warrant particular attention.
The first is the inclusion of biometric data. Fingerprint and palm-print records are not replaceable. Stolen passwords can be rotated, and stolen credit cards can be reissued, but a stolen biometric is compromised permanently. As biometric authentication becomes more common in financial services, healthcare, and physical access systems, the long-term value of a breached biometric record will continue to rise. Organizations that collect biometric data for authentication, attendance, or identity verification should treat that data as a higher tier of sensitivity than typical PII and implement controls appropriate to that classification.
The second is the third-party vendor vector. The largest healthcare breach of the year so far did not result from a direct compromise of NYC Health + Hospitals’ own systems. It originated with a vendor whose access into the environment was either not adequately monitored or not appropriately restricted. The April edition of this report covered the destructive Stryker attack, which began with a single compromised administrator credential and ended with approximately 80,000 wiped devices. The pattern across both incidents is the same: identity is the perimeter, and any identity outside the organization’s direct control (vendor accounts, supply chain access, federated trust relationships) is a part of the attack surface that must be governed accordingly.
Organizations should treat third-party access into sensitive environments as a first-class governance problem. Identity audits, granular access scoping, time-limited credentials, and behavioral monitoring of vendor sessions are concrete controls that materially reduce the blast radius of a compromised vendor account.
Foxconn Confirms Cyberattack, Nitrogen Ransomware Group Claims 8TB Including Apple Server Schematics
On May 12, Foxconn confirmed a cyberattack against its North American operations, with facilities in Mount Pleasant, Wisconsin and Houston, Texas affected. The Nitrogen ransomware group claimed responsibility on its leak site, asserting it had exfiltrated approximately 8 terabytes of data totaling more than 11 million files. Cybernews and TechRepublic independently covered the claim.
Foxconn confirmed the incident publicly but did not validate the volume or specific contents of stolen data. A Foxconn spokesperson stated, “The cybersecurity team immediately activated the response mechanism and implemented multiple operational measures to ensure the continuity of production and delivery.” Some operations reportedly fell back to manual processes during recovery.
The data Nitrogen claimed to have taken includes confidential instructions, internal project documentation, circuit board layouts, and technical drawings reportedly tied to projects at Apple, Nvidia, Intel, Google, Dell, and AMD. The claim was initially treated with caution given the absence of independent verification. On May 20, AppleInsider reported that it had reviewed samples from the dataset and confirmed Apple server schematics among the stolen files. The other OEM claims remain unverified at the time of writing.
Nitrogen has been active since 2023 and operates as a double-extortion group: it encrypts victim files and threatens to publish stolen data unless a ransom is paid. The group is believed to be built on code derived from the leaked Conti 2 ransomware builder and is suspected of having links to the ALPHV/BlackCat ecosystem.
Why It Matters
The Foxconn incident is notable less for the encryption event itself, which appears to have been contained, and more for what the exfiltrated data represents. Contract manufacturers and OEM partners hold concentrated technical IP from multiple downstream customers. A successful compromise at that tier exposes not just the affected manufacturer but every customer whose designs, schematics, and roadmaps live in that environment. Apple’s confirmed server schematics are the publicly visible portion of a much larger potential exposure across the broader OEM portfolio.
This is a category of supply chain risk that is qualitatively different from the open-source package compromises (npm, GitHub Actions) we have been covering through 2026. Physical-supply-chain partners are also software-supply-chain partners in the sense that they hold the same kind of confidential technical material as the originating company, yet they may operate under a different security posture than the customers whose data they hold. Organizations should treat technical IP held at contract manufacturers, design partners, and OEM suppliers as in scope for their own threat models, with corresponding contractual security requirements, audit rights, and incident response coordination commitments.
Predictions for the Coming Months
- Device code abuse will continue scaling as PhaaS distribution lowers the operator barrier. Kali365’s $250 per month pricing makes the technique accessible to a broad operator pool, and Microsoft 365 remains a high-value target. Expect device code phishing campaigns to diversify in lure themes (currently dominated by payment and procurement) and to start incorporating more aggressive impersonation of routine M365 system notifications.
- Mythos-class AI capabilities will reach broader public availability, and the offense-defense balance will be tested in real environments. Although the return of Mythos and Fable to the market is currently delayed, those models will eventually reach mainstream availability. The first generation of AI-discovered vulnerabilities that appear in active exploitation rather than coordinated disclosure will be the marker that the offensive side has caught up.
- CVE-2026-41089 will appear in domain takeover incident reports. A public, unauthenticated, no-user-interaction RCE on domain controllers is too useful to remain a coordinated-disclosure curiosity for long. Expect to see this CVE referenced in post-incident reports through Q3 2026, particularly in environments where coordinated patching across the domain controller fleet was incomplete.
- Third-party vendor compromise will dominate root-cause analysis in healthcare breaches. The NYC Health + Hospitals incident is the year’s largest healthcare breach to date and originated outside the affected organization’s own perimeter. As healthcare consolidates vendor relationships around fewer specialized platforms, the blast radius of a single vendor compromise will continue to expand.
- Biometric data will become a more visible breach category. As organizations across healthcare, financial services, and physical access continue rolling out biometric authentication, the long-term value of stolen biometric records to attackers will rise. We expect more breach disclosures over the second half of 2026 to specifically call out biometric data exposure, and expect regulators to begin treating biometric breaches as a distinct category for notification and remediation purposes.
- Open-source patching backlogs will become a strategic risk category. With Mythos and similar tools producing findings faster than the open-source community can triage and remediate them, organizations will need to monitor their software supply chains for unpatched advisories more actively than they have historically.
Monthly Recommendations
- Block or tightly restrict Microsoft 365 device code authentication via Conditional Access. Audit legitimate use cases first (typically a small set of input-constrained devices), then apply policies that block device code flow for all other users and device categories. Pair this with Security Awareness Training that specifically covers code-entry deception so users understand that a real Microsoft sign-in page can still be the attacker’s path in.
- Patch CVE-2026-41089 across the entire domain controller fleet in a coordinated maintenance window. Partial patching creates an indefensible state, because any single unpatched domain controller is sufficient for compromise. Verify completion across all controllers, not a sample, and confirm Netlogon RPC traffic is appropriately restricted at the network layer where feasible.
- Audit third-party vendor identity and access into your environment. The NYC Health + Hospitals breach originated with a vendor compromise. Inventory all standing vendor access, validate that it is appropriately scoped and time-limited, and apply behavioral monitoring to vendor sessions. Treat federated identity relationships and service accounts created for third parties as in scope for the same controls as employee identity.
- For Managed Service Providers (MSPs), review the Hornetsecurity MSP Playbook 2026. The playbook covers onboarding, monitoring, customization, cybersecurity management, vendor management, and GenAI as operational areas where standardization and automation drive both profitability and security outcomes. Device code phishing and third-party vendor risk both land squarely in the cybersecurity and vendor management workstreams the playbook addresses.
- Strengthen open-source dependency monitoring and patching workflows. With AI-driven vulnerability discovery producing findings at a rate that exceeds traditional patching cadences, organizations should ensure they have an accurate Software Bill of Materials (SBOM), automated dependency scanning tied to current advisory feeds, and a prioritization process that distinguishes high-severity findings from background noise.
About Hornetsecurity
Hornetsecurity is a leading global provider of next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organisations of all sizes around the world. Its flagship product, 365 Total Protection, is the most comprehensive cloud security solution for Microsoft 365 on the market. Driven by innovation and cybersecurity excellence, Hornetsecurity is building a safer digital future and sustainable security cultures with its award-winning portfolio. Hornetsecurity operates in more than 120 countries through its international distribution network of 12,000+ channel partners and MSPs. Its premium services are used by more than 125,000 customers.