Breaking the code: Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise
Microsoft detailed a large adversary-in-the-middle (AiTM) phishing campaign that targeted more than 35,000 users across more than 13,000 organizations in 26 countries. The campaign used code-of-conduct themed lures, CAPTCHA steps, and realistic enterprise-style messaging to walk users through a token theft flow. This matters because the attack doesn't stop at passwords: the AiTM proxy relays the real login, so the MFA step succeeds and the attacker captures the valid session token issued afterwards. That is why security teams should keep pushing phishing-resistant MFA, conditional access controls, session risk detection, and better monitoring for unusual post-login activity.
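One concrete form of the "unusual post-login activity" monitoring mentioned above is to watch for a session token that is reused from a different network location or client shortly after the MFA-satisfied sign-in, which is exactly what a replayed AiTM-stolen cookie looks like. The following is an added example, not code from the original post or from Microsoft's report; the event schema (ts, user, session_id, ip, country, user_agent, mfa) is an assumption modelled loosely on cloud identity sign-in logs, and the sample events are constructed.

```python
"""Post-login detection for AiTM token theft: the same session token used from
a new network location or client shortly after the MFA-satisfied sign-in.

Added example, not code from the original post or from Microsoft's report.
The event schema below is an assumption modelled loosely on cloud identity
sign-in logs; the sample events are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed events (assumed schema). Session S1 is relayed through an AiTM
# proxy: the victim completes MFA from a US browser, then the stolen cookie is
# replayed minutes later from a different country and client. S2 is benign.
SAMPLE_EVENTS = [
    {"ts": "2026-05-04T09:00:00", "user": "alice@example.com", "session_id": "S1",
     "ip": "203.0.113.10", "country": "US", "user_agent": "Chrome/124 Windows", "mfa": True},
    {"ts": "2026-05-04T09:04:00", "user": "alice@example.com", "session_id": "S1",
     "ip": "198.51.100.7", "country": "NL", "user_agent": "Firefox/125 Linux", "mfa": False},
    {"ts": "2026-05-04T10:00:00", "user": "bob@example.com", "session_id": "S2",
     "ip": "203.0.113.22", "country": "US", "user_agent": "Chrome/124 Windows", "mfa": True},
    {"ts": "2026-05-04T10:30:00", "user": "bob@example.com", "session_id": "S2",
     "ip": "203.0.113.22", "country": "US", "user_agent": "Chrome/124 Windows", "mfa": False},
]

WINDOW = timedelta(hours=1)


def find_replayed_sessions(events, window=WINDOW):
    """Return findings for sessions whose token is reused from a different
    IP, country or client within `window` of the MFA-satisfied sign-in.

    Rationale: an AiTM proxy relays the real login, so MFA succeeds and the
    attacker replays the resulting cookie from their own infrastructure. That
    replay appears as the same session_id with a new ip/country/user_agent,
    usually minutes after the legitimate sign-in.
    """
    by_session = {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_session.setdefault(ev["session_id"], []).append(ev)

    findings = []
    for sid, evs in by_session.items():
        # The first MFA-satisfied event is the interactive login anchoring the session.
        anchor = next((e for e in evs if e["mfa"]), None)
        if anchor is None:
            continue
        t0 = datetime.fromisoformat(anchor["ts"])
        for ev in evs:
            if ev is anchor:
                continue
            delta = datetime.fromisoformat(ev["ts"]) - t0
            if delta < timedelta(0) or delta > window:
                continue
            reasons = []
            for field in ("ip", "country", "user_agent"):
                if ev[field] != anchor[field]:
                    reasons.append(f"{field}: {anchor[field]} -> {ev[field]}")
            if not reasons:
                continue
            # An IP change alone can be NAT or a mobile network; a new country
            # or client within minutes is much harder to explain benignly.
            ip_only = len(reasons) == 1 and reasons[0].startswith("ip:")
            findings.append({"session_id": sid, "user": ev["user"], "ts": ev["ts"],
                             "minutes_after_mfa": int(delta.total_seconds() // 60),
                             "severity": "low" if ip_only else "high",
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_replayed_sessions(SAMPLE_EVENTS):
        print(finding)
```

In production the anchor event would come from the identity provider's sign-in log and the later events from the same provider's non-interactive or activity logs joined on session identifier; the severity split is there so that an IP-only change from a mobile user does not page anyone while a country or client change does.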
RMM Tools Fuel Stealthy Phishing Campaign
Researchers are tracking a phishing campaign that abuses legitimate remote monitoring and management (RMM) tools, including SimpleHelp and ScreenConnect, to maintain access after compromise. The activity has affected more than 80 organizations and uses fake Social Security Administration lures to convince victims to download a malicious executable. The practical concern is that RMM agents are legitimate, often code-signed admin software that blends in with normal IT activity, so defenders need tighter allowlisting, visibility into newly installed remote access tools, and alerts for unexpected RMM activity on user endpoints.
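The allowlisting and alerting described above can be expressed as a simple policy check over endpoint process-creation telemetry: flag any RMM agent that is not approved for the host, runs from a user-writable path, or is launched from a user session rather than as a service. This is an added example, not code from the original post or from the researchers' report; the event schema (host, user, parent, image) and the sample events are constructed, and the file names in RMM_TOOLS are illustrative, chosen to resemble ScreenConnect and SimpleHelp client binaries, so validate them against your own telemetry.

```python
"""Flag RMM agent activity that falls outside policy: the tool is not approved
for that host, the binary runs from a user-writable path, or it was launched
from a user session instead of a service.

Added example, not code from the original post or the researchers' report.
The event schema and sample events are constructed; the RMM_TOOLS file name
fragments are illustrative assumptions, not an authoritative signature list.
"""
import ntpath
import re

# Illustrative executable name fragments (lower-case) per RMM product.
# Assumption: these resemble real client binaries but are not authoritative.
RMM_TOOLS = {
    "screenconnect": ("screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"),
    "simplehelp": ("remote access.exe", "simplehelp"),
}

# Example allowlist policy: which hosts may run which product.
# SimpleHelp is not approved anywhere in this policy.
APPROVED_HOSTS = {"screenconnect": {"IT-ADMIN-01"}, "simplehelp": set()}

# Legitimate deployments normally live under Program Files and start as a
# service; an agent under a user profile or temp directory is the phishing pattern.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp)\\", re.I)
USER_SESSION_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}

# Constructed process-creation events (assumed schema).
SAMPLE_EVENTS = [
    {"host": "IT-ADMIN-01", "user": "helpdesk", "parent": "services.exe",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2)\ScreenConnect.ClientService.exe"},
    {"host": "FIN-LAPTOP-07", "user": "jdoe", "parent": "chrome.exe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\Remote Access.exe"},
    {"host": "HR-PC-03", "user": "msmith", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"host": "HR-PC-03", "user": "msmith", "parent": "explorer.exe",
     "image": r"C:\Users\msmith\Downloads\ScreenConnect.WindowsClient.exe"},
]


def identify_rmm(image):
    """Return the RMM product name if the image file name matches a known client binary."""
    name = ntpath.basename(image).lower()
    for tool, fragments in RMM_TOOLS.items():
        if any(frag in name for frag in fragments):
            return tool
    return None


def flag_rmm_events(events, approved=APPROVED_HOSTS):
    """Return one finding per RMM process that violates the allowlist policy."""
    findings = []
    for ev in events:
        tool = identify_rmm(ev["image"])
        if tool is None:
            continue
        reasons = []
        if ev["host"] not in approved.get(tool, set()):
            reasons.append(f"{tool} not approved on {ev['host']}")
        if USER_WRITABLE.match(ev["image"]):
            reasons.append("binary in user-writable path")
        if ev["parent"].lower() in USER_SESSION_PARENTS:
            reasons.append(f"launched from user session via {ev['parent']}")
        if reasons:
            findings.append({"host": ev["host"], "user": ev["user"], "tool": tool,
                             "image": ev["image"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_rmm_events(SAMPLE_EVENTS):
        print(finding)
```

The approved ScreenConnect service on IT-ADMIN-01 produces no finding, while the SimpleHelp binary dropped in a temp directory by a browser and the ScreenConnect client run from a Downloads folder on an unapproved host each trip all three checks. Matching on file name alone is deliberately loose; in real telemetry, pair it with signer information and the install path so that a renamed agent is still caught and a sanctioned deployment is not.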
Critical MOVEit Automation auth bypass vulnerability fixed (CVE-2026-4670)
Progress patched two MOVEit Automation flaws, including a critical authentication bypass that could let unauthenticated attackers gain administrative access and potentially expose credentials, business files, and connected workflows. There’s no reported exploitation in the wild so far, but MOVEit remains a high-interest target because it sits in sensitive file-transfer workflows. Organizations using MOVEit Automation should upgrade to the fixed versions through the full installer and review audit logs for unexpected privilege escalation or unauthorized access.
Instructure confirms data breach, ShinyHunters claims attack
Instructure confirmed that data was stolen in a cyberattack affecting users of its education technology platform, best known for Canvas. The company said exposed data may include names, email addresses, student ID numbers, and user messages, while ShinyHunters claims the impact is much larger and spans thousands of institutions. This is a reminder that SaaS platforms holding large shared datasets can create broad third-party exposure, especially when API keys, app integrations, and customer reauthorization workflows become part of the response.
Hackers earning millions from hijacked cargo, FBI says
The FBI warned that cybercriminals are compromising freight brokers and carriers, impersonating companies on load boards, and redirecting shipments to steal cargo. The report says cargo theft losses in the U.S. and Canada reached nearly $725 million last year, with attackers using malicious links, spoofed broker communications, and compromised accounts to manipulate logistics workflows. This matters for critical infrastructure and supply chain teams because the cyber impact isn’t limited to data theft. It can directly affect physical goods, delivery integrity, and business operations.
The post InfoSec News Nuggets 05/05/2026 appeared first on AboutDFIR – The Definitive Compendium Project.