ENKVA #007 — FBI warns Kali365 PhaaS hijacks M365 tokens via device code phishing
The FBI published Public Service Announcement I-052126-PSA on May 21 warning about Kali365, a phishing-as-a-service platform first seen in April 2026 and distributed via Telegram. Kali365 doesn't steal passwords — it captures Microsoft 365 OAuth access and refresh tokens by abusing the device code authorization grant flow. Per the PSA: "The attacker captures OAuth access and refresh tokens, granting them access to the targeted individuals/entities' Microsoft 365 account."
The mechanics are short. An operator sends a lure impersonating a cloud productivity service with a real device code and instructions to visit microsoft.com/devicelogin. The user goes to a legitimate Microsoft page, pastes the code in, and authorizes the attacker's device. Token theft is step three; persistent access is step four. Per the PSA, the attacker "can now access Microsoft 365 services such as Outlook, Teams, and OneDrive without needing a password or completing any additional MFA challenges."
The FBI's top mitigation is one Conditional Access policy: "Create a conditional access policy to block device code flow for all users, with limited exceptions for required business processes." And the kit lowers the bar — the PSA lists what subscribers get: "AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities." Not tradecraft anymore. A Telegram subscription.
What to do this week:
- Add a Conditional Access policy blocking device code authentication. In the Entra admin center, create a new CA policy targeted at all users, condition Authentication flows = Device code flow, grant Block access. Exclude a break-glass account and any service account you have already audited as a legitimate dependency. Report-only first if you have a CSP-managed tenant and have not yet inventoried device-code usage.
- Audit existing device code flow usage before enforcement. Per the PSA: "Audit existing device code flow usage to identify legitimate dependencies before creating a conditional access policy." In an Entra workbook, query sign-in logs for authenticationProtocol eq 'deviceCode' over the last 30 days. Legitimate hits are typically headless CLI tooling — Azure CLI, kubectl with az aks plugins, GitHub Actions runners, IoT bootstrap. Scope them to a separate group, then enforce on everyone else.
- Block authentication transfer policies. Same PSA bullet, separate control: "Block authentication transfer policies to prevent users from transferring authentication from computers to mobile devices." This closes the QR-code-handoff variant where a user is tricked into completing the authorization on a personal phone.
- Tag the IoC trail to your detection pipeline. In Defender XDR, save a hunting query against AADSignInEventsBeta filtered on AuthenticationProcessingDetails containing device code. Pair with anomalous-location and impossible-travel logic. A successful CA block does not retroactively revoke tokens already captured.
- Pre-stage the response. If a tenant signs in via device code from an unexpected IP, revoke refresh tokens for the user (Revoke-MgUserSignInSession) and reset the password, in that order. The Kali365 lifecycle includes a refresh-token loop; password reset alone does not break it.
Cleanup for a tenant already hit looks like every other token-theft incident: rotate creds, revoke refresh tokens, audit mailbox forwarding rules, audit application consent grants, review OAuth sign-ins. The prevention is a one-line CA policy. Add it.
Advisories
CISA KEV adds two Microsoft Defender CVEs and five historical bugs
CISA's May 20 catalog update added seven CVEs in a single batch with a June 3 remediation due date. Two are May 2026 Microsoft Defender flaws: CVE-2026-41091, a link-following elevation of privilege (CVSS 7.8, CWE-59), and CVE-2026-45498, a denial-of-service (Microsoft CVSS 4.0, NVD-primary 7.5). The May 2026 CVRF entries carry the threat block "Publicly Disclosed: Yes; Exploited: Yes; Latest Software Release: Exploitation Detected" for both. The other five are 2008–2010 Microsoft and Adobe vintage: the Windows Server Service buffer overflow (MS08-067), a DirectX NULL byte overwrite, two Internet Explorer use-after-frees, and an Adobe Acrobat heap overflow.
Action: confirm Defender platform updates are landing on every managed endpoint — the May Defender release ships these fixes through the Defender signature/engine channel, not Windows Update. In the Defender for Endpoint portal, sort Device inventory by Antivirus engine version and chase laggards. The historical CVEs are a prompt to walk back through any remaining Windows 7 / Server 2008 / legacy IE estate.
YellowKey BitLocker bypass shipped as public PoC with mitigation only, no patch yet
Microsoft assigned CVE-2026-45585 on May 20 for the "YellowKey" security feature bypass, CVSS 6.8 with vector AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The advisory's published rationale is unusually direct: "The proof of concept for this vulnerability has been made public violating coordinated vulnerability best practices. We are issuing this CVE to provide mitigation guidance that can be implemented to protect against this vulnerability until the security update is made available." Microsoft's mitigation FAQ confirms TPM+PIN is not affected: "if you are using TPM+PIN the vulnerability is not exploitable." The attack requires physical access (AV:P); the exposure is BitLocker bypass on a stolen or unattended device.
Action: if any of your managed estate still uses TPM-only BitLocker — typical on devices shipped before Autopilot pre-provisioning matured — switch them to TPM+PIN this week via Intune disk-encryption policy. That single configuration change is the supported mitigation per the Microsoft FAQ. Watch the next Patch Tuesday for the actual fix.
GreyNoise: SonicWall management-interface scanning surged to 597,000 sessions May 12
GreyNoise published on May 21 that scanning against SonicWall SonicOS management interfaces peaked at approximately 597,000 sessions on May 12, the largest single-day total on the SonicOS API Scanner tag in the prior 90 days and roughly 46× the typical daily baseline. The surge window ran May 9–18. Source geography concentrated in the Netherlands (~56%) and Ukraine (~44%), with one ASN (AS211736) carrying about half the traffic. The scanner fingerprint was identical to a January–February pattern that preceded the February 24 disclosure of CVE-2026-0400 by 10–37 days across three spikes. GreyNoise hedges the framing: "Three documented spikes on this tag preceded a single CVE — a precedent, not an established cadence."
Action: treat this as a leading indicator with low confidence, not a confirmed zero-day signal. The hardening on SonicWall management is unchanged: disable HTTP/HTTPS management on WAN interfaces, restrict SSH management to known source IPs, and audit SSLVPN account inventory and stale credentials. If you have not applied the most recent SonicOS firmware update across managed firewalls, do that this week regardless of the surge.
LiteSpeed User-End cPanel Plugin privilege escalation hits KEV at CVSS 9.8
CISA added CVE-2026-48172 on May 26 with a May 29 due date — three days. NVD describes "LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026." CVSS v3.1 9.8 (NVD primary), v4.0 10.0 (vendor secondary), CWE-266. The vendor's detection grep is short and worth copy-pasting: grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null. No output = clean. Output = compromise indicator.
Action: for MSPs running cPanel/WHM hosting on behalf of clients, update the LiteSpeed plugin to 2.4.5 or newer on every server, then run the grep across /var/cpanel/logs and /usr/local/cpanel/logs. This is the second cPanel-shaped auth bypass on KEV in eight weeks; the cPanel WHM auth bypass from issue #004 is the relevant playbook for incident response.
Product changes
Defender XDR May update: Defender Experts for Servers as standalone, new identity hunting scenarios
The May 2026 entry on the Defender XDR What's new page documents that Microsoft Defender Experts for Servers and Microsoft Defender Experts for Hunting - Servers are now standalone offerings for customers using Defender for Cloud on on-premises and multicloud servers — they were previously add-ons to Defender Experts for XDR and Defender Experts for Hunting. The same update adds new identity-focused predefined scenarios in the advanced hunting graph: Kerberoast and AS-REP roast paths, domain compromise routes, OAuth application risks, and external user access to cloud resources. Defender Chat is in Preview as a built-in prompt assistant for SOC analysts.
Action: the standalone server SKU is a procurement story for tenants with significant on-premises or AWS/GCP server estates — managed hunting can now be purchased without the full XDR overhead. The identity hunting scenarios are the immediate operational win. Pin Kerberoast and OAuth application risk to a saved query group and run them monthly per tenant.
Microsoft Teams external-domain anomalies report rolls out
Microsoft's release-communications API lists the Microsoft Teams External Domains Anomalies Report rolling out with GA in May. From the entry text: "This new report helps admins proactively spot unusual or risky interactions with external organizations. By analyzing communication trends and detecting sudden spikes, new domains, or abnormal engagement patterns, it provides early visibility" into anomalous external Teams traffic.
Action: in the Teams admin center, look for the External Domains Anomalies report under Reports once it lands in your tenant. The patterns it surfaces — sudden spike, new domain, abnormal engagement — overlap with helpdesk-impersonation variants like the Teams external-tenant chain from issue #002. Pull this report weekly for tenants with permissive externalAccess configurations.
Field notes
Mini Shai-Hulud: @antv npm packages compromised, 61,274 access tokens invalidated
Microsoft Defender Security Research published on May 20 that "a threat actor compromised an @antv maintainer account" and weaponized every package under the org. The payload is a "~499 KB obfuscated JavaScript file" with "1,732 Base64-encoded strings" that scrapes GitHub Action runner process memory, harvests Vault tokens from "12+ token paths," and exfiltrates over two channels. Downstream blast radius: echarts-for-react alone has "more than 1 million weekly downloads." GitHub's response was substantial — the post records GitHub "removed 640 malicious packages" and "invalidated 61,274 npm granular access tokens," with "more than 2,200" attacker-created public repos observed.
Action: if any client CI/CD pipeline runs npm install against @antv/* or transitively pulls echarts-for-react, pin known-good versions and rerun the pipelines from the compromise window with --ignore-scripts. Rotate every GitHub PAT, npm token, and CI/CD secret that touched a compromised job — GitHub's revocation caught the obvious tokens, but vault paths and AWS credentials in build environments need manual rotation.
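A lockfile audit for the pipeline check above, added as an example (not code from Microsoft's write-up or from the affected projects): it walks the packages map of a package-lock.json, including nested node_modules copies, lists every @antv/* package and echarts-for-react, and marks each as pinned-ok only if its version is on an allow-list you supply. The lockfile tree and the allow-list here are constructed placeholders; the package names are real.

```python
import json

# Constructed package-lock.json (lockfileVersion 3 layout) for this example;
# the package names are real, the tree and version numbers are made up.
SAMPLE_LOCK = json.dumps({
    "name": "dashboard", "lockfileVersion": 3,
    "packages": {
        "": {"name": "dashboard", "dependencies": {"echarts-for-react": "^3.0.0"}},
        "node_modules/echarts-for-react": {"version": "3.0.0"},
        "node_modules/echarts-for-react/node_modules/@antv/util": {"version": "2.0.0"},
        "node_modules/@antv/g2": {"version": "5.0.0"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
})

# PLACEHOLDER allow-list: versions you verified as clean from your own lockfile
# history before the compromise window; not values taken from the write-up.
KNOWN_GOOD = {"echarts-for-react": {"3.0.0"}, "@antv/g2": {"5.0.0"}}

WATCHED_SCOPES = ("@antv/",)          # every package under the org was weaponized
WATCHED_NAMES = {"echarts-for-react"}  # high-download transitive consumer

def package_name(lock_path):
    """'node_modules/a/node_modules/@antv/util' -> '@antv/util' (nested copies too)."""
    return lock_path.rsplit("node_modules/", 1)[-1]

def is_watched(name):
    return name in WATCHED_NAMES or name.startswith(WATCHED_SCOPES)

def audit_lockfile(lock_text, known_good=KNOWN_GOOD):
    """Return [(lock path, name, version, status)] for every watched package.
    status is 'pinned-ok' when the version is on the allow-list, else 'review':
    rerun that job with --ignore-scripts and rotate the secrets it could reach."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:            # "" is the root project entry, not a dependency
            continue
        name = package_name(path)
        if not is_watched(name):
            continue
        version = meta.get("version")
        status = "pinned-ok" if version in known_good.get(name, set()) else "review"
        findings.append((path, name, version, status))
    return findings

if __name__ == "__main__":
    for path, name, version, status in audit_lockfile(SAMPLE_LOCK):
        print(f"{status:10s} {name}@{version}  ({path})")
```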
F5 BIG-IP Virtual Edition plus Confluence to enterprise compromise
Microsoft Defender Security Research published on May 22 an intrusion that started on an internet-facing F5 BIG-IP Virtual Edition appliance that "reached end-of-life (EOL) on December 31, 2024" — exploited via CVE-2025-53521 — and pivoted through internal Confluence and a Kerberos relay chain abusing CVE-2025-33073 to compromise the wider enterprise. Microsoft's takeaway, verbatim: "Treat internet-facing edge appliances as Tier-0 assets and enforce lifecycle + patch governance." The chain used standard open-source tooling — Nmap, enum4linux, kerbrute, responder, gowitness, testssl — with no custom malware until Linux post-exploitation, where Defender for Endpoint on Linux flagged HackTool:Linux/MalPack.B and HackTool:Linux/Kerbrute!rfn.
Action: inventory client edge appliances against vendor end-of-support dates. F5 BIG-IP VE EOL December 31 2024 is over a year past — any remaining production deployment is a Tier-0 lifecycle bug to close this quarter. On the internal pivot side: enforce SMB signing and LDAP channel binding by GPO, disable NTLM where you can, and separate admin tiers.
Cryptojacking via ScreenConnect and Microsoft .NET LOL utilities
Microsoft Defender Experts published on May 26 a cryptojacking campaign (internally tracked as D3F4E2A1) that delivers gminer, lolMiner, and SRBMiner-MULTI miners via poisoned search results and ScreenConnect remote-access sessions, then injects mining code into Microsoft .NET utilities — InstallUtil.exe, RegAsm.exe, RegSvcs.exe, MSBuild.exe, AppLaunch.exe, AddInProcess.exe, aspnet_compiler.exe. Infrastructure includes "more than 150 malicious domains." The actor "appears focused on compromising systems with higher mining value" rather than spraying — they pick GPU-rich hosts.
Action: ScreenConnect (ConnectWise Control) is back in the attack path — the same RMM tool that picked up a KEV entry in issue #003 and showed up as Storm-2949 persistence in issue #006. Confirm every client deployment is on the patched build, audit the user list for accounts your team did not create, and enable Defender ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criterion" to catch the .NET utility abuse pattern. If clients run GPU workstations for rendering or training, watch utilization graphs for the off-hours mining pattern.