Cyber Security Weekly Briefing, 7-13 February
Microsoft fixes six 0-day vulnerabilities in its February Patch Tuesday
Microsoft released its February 2026 Patch Tuesday, fixing 59 CVEs affecting Windows, Office and other components, six of them zero-day vulnerabilities actively exploited in the wild. The six 0-days are CVE-2026-21510 (CVSSv3 8.8 according to Microsoft), CVE-2026-21513 (CVSSv3 8.8 according to Microsoft) and CVE-2026-21514 (CVSSv3 7.8 according to Microsoft), issues in Windows Shell, MSHTML and Word respectively that allow security features to be bypassed using malicious files, together with CVE-2026-21519 (CVSSv3 7.8 according to Microsoft), CVE-2026-21525 (CVSSv3 6.2 according to Microsoft) and CVE-2026-21533 (CVSSv3 7.8 according to Microsoft).
In the cloud ecosystem, critical vulnerabilities in Azure ACI Confidential Containers were addressed. Remote code execution (RCE) flaws in Notepad, Hyper-V and various GitHub Copilot components were also fixed, and the release is rounded off with patches for a denial-of-service flaw in Remote Access Connection Manager.
Given the active exploitation of the identified CVEs, applying these patches immediately should be treated as a priority.
Supply chain attack on Office Add-ins exposes Microsoft credentials and sensitive data
According to Koi, the Outlook add-in called AgreeTo, originally legitimate and published in the Microsoft Office Add-in Store in December 2022, was abandoned by its developer and subsequently used by an actor who claimed the linked domain and turned it into a phishing kit.
Being served by Microsoft within Outlook, this malicious payload captured more than 4,000 Microsoft account credentials, as well as credit card numbers.
Threat actors implant sleeper payloads in Ivanti EPMM
When Ivanti released patches for CVE-2026-1281 and CVE-2026-1340 (both CVSSv3 9.8 according to the vendor) in Endpoint Manager Mobile (EPMM), it reported that they were being actively exploited but gave no specific details of the attacks.
Defused has now published an analysis explaining that attackers are not deploying traditional web shells but a sleeper-type memory implant housed at the /mifs/403.jsp path. The implant acts as an in-memory Java class loader: it performs no command interaction, writes nothing to disk and is activated only by a specific HTTP parameter, which suggests it is being used for initial access brokering (IAB) rather than immediate direct exploitation. Defused notes that the implanted class can receive a second Java payload at a later stage for further execution, and that no such secondary exploitation has been detected so far.
The recommendation is to apply Ivanti's patches for both CVEs immediately and restart the affected servers to clear the in-memory implant.
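Because the implant lives only in memory and is triggered over HTTP, the web server's access log is one of the few artefacts a defender can review after the fact. The following Python script is an added example, not code from Defused or Ivanti: it parses constructed access-log lines in the common "combined" format and flags any request for the /mifs/403.jsp path. The activating parameter name is not given in the briefing, so the script assumes any query string or POST to that path is the high-severity case and a bare GET is medium; the log lines, IP addresses and the `LOG_RE` pattern are all assumptions made for this example.

```python
"""Flag access-log requests for the Ivanti EPMM /mifs/403.jsp implant path.

Added example; assumes Apache/nginx "combined" log format. The activation
parameter is not public on the page, so any query string or POST is treated as
the trigger pattern (assumption).
"""
import re
from dataclasses import dataclass

# Constructed regex for the "combined" access-log format (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
IMPLANT_PATH = "/mifs/403.jsp"

# Constructed sample log: two benign lines, one bare GET, one parameterised POST.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Feb/2026:09:12:01 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 5120
203.0.113.10 - - [10/Feb/2026:09:12:07 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 312
198.51.100.7 - - [10/Feb/2026:09:13:44 +0000] "POST /mifs/403.jsp?x=1 HTTP/1.1" 200 87
198.51.100.7 - - [10/Feb/2026:09:13:50 +0000] "GET /mifs/c/d/api HTTP/1.1" 302 -
"""


@dataclass
class Finding:
    ip: str
    timestamp: str
    method: str
    target: str
    severity: str


def parse_line(line: str):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec: dict):
    """Return a Finding if the record targets the implant path, else None."""
    path, _, query = rec["target"].partition("?")
    if path != IMPLANT_PATH:
        return None
    # A 403 error page is normally reached via server-side error handling, not
    # requested directly. A direct request carrying a parameter or a POST body
    # matches the activation pattern described in the briefing.
    severity = "high" if (query or rec["method"] == "POST") else "medium"
    return Finding(rec["ip"], rec["ts"], rec["method"], rec["target"], severity)


def scan(log_text: str):
    """Scan a whole log and return the list of Findings in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        finding = classify(rec)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.severity.upper():6} {f.timestamp} {f.ip} {f.method} {f.target}")
```

Any hit at all on this path deserves a look, since a patched and restarted appliance should serve it only through its own error handling; the severity split simply orders the triage queue.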
Black Basta uses CVE-2025-68947 to evade defences
Symantec's Threat Hunter Team observed in a recent Black Basta campaign that the operator Cardinal integrated a Bring-Your-Own-Vulnerable-Driver (BYOVD) technique directly into the ransomware payload. Cardinal took advantage of CVE-2025-68947 (CVSSv4 5.7) in the NsecSoft NSecKrnl kernel driver, sending manipulated IOCTL requests to terminate security processes before encrypting data and appending the .locked extension to files. This approach removes the usual separate BYOVD stage, reducing the preparatory signals defenders could detect and favouring defence evasion.
In addition, the GotoHTTP tool was identified as the post-deployment remote access mechanism, suggesting persistence on the victim's network. The campaign indicates a tactical evolution of Black Basta following the leak of its internal logs in 2025 and recent legal action against associated members.
Discord announced that it will implement global age verification for access to age-restricted features
Discord announced that, starting in March 2026, it will implement global age verification for access to age-restricted content and features, placing all accounts in teen mode by default until the user verifies their age. Users will be able to choose between submitting official documents and undergoing an AI age estimation based on images of their face.
The measure has drawn a strong reaction from the community, with data-privacy concerns fuelled by an October 2025 incident in which images of government IDs belonging to approximately 70,000 users, submitted during age verification, were exposed.