Patch Tuesday, February 2026 Edition
Microsoft today released updates to fix more than 50 security holes in its Windows operating systems and other software, including patches for a whopping six “zero-day” vulnerabilities that attackers are already exploiting in the wild.
Zero-day #1 this month is CVE-2026-21510, a security feature bypass vulnerability in Windows Shell wherein a single click on a malicious link can quietly bypass Windows protections and run attacker-controlled content without warning or consent dialogs. CVE-2026-21510 affects all currently supported versions of Windows.
The zero-day flaw CVE-2026-21513 is a security bypass bug targeting MSHTML, the proprietary engine of the default Web browser in Windows. CVE-2026-21514 is a related security feature bypass in Microsoft Word.
The zero-day CVE-2026-21533 allows local attackers to elevate their user privileges to “SYSTEM” level access in Windows Remote Desktop Services. CVE-2026-21519 is a zero-day elevation of privilege flaw in the Desktop Window Manager (DWM), a key component of Windows that organizes windows on a user’s screen. Microsoft fixed a different zero-day in DWM just last month.
The sixth zero-day is CVE-2026-21525, a potentially disruptive denial-of-service vulnerability in the Windows Remote Access Connection Manager, the service responsible for maintaining VPN connections to corporate networks.
Chris Goettl at Ivanti reminds us Microsoft has issued several out-of-band security updates since January’s Patch Tuesday. On January 17, Microsoft pushed a fix that resolved a credential prompt failure when attempting remote desktop or remote application connections. On January 26, Microsoft patched a zero-day security feature bypass vulnerability (CVE-2026-21509) in Microsoft Office.
Kev Breen at Immersive notes that this month’s Patch Tuesday includes several fixes for remote code execution vulnerabilities affecting GitHub Copilot and multiple integrated development environments (IDEs), including VS Code, Visual Studio, and JetBrains products. The relevant CVEs are CVE-2026-21516, CVE-2026-21523, and CVE-2026-21256.
Breen said the AI vulnerabilities Microsoft patched this month stem from a command injection flaw that can be triggered through prompt injection, or tricking the AI agent into doing something it shouldn’t, like executing malicious code or commands.
“Developers are high-value targets for threat actors, as they often have access to sensitive data such as API keys and secrets that function as keys to critical infrastructure, including privileged AWS or Azure API keys,” Breen said. “When organizations enable developers and automation pipelines to use LLMs and agentic AI, a malicious prompt can have significant impact. This does not mean organizations should stop using AI. It does mean developers should understand the risks, teams should clearly identify which systems and workflows have access to AI agents, and least-privilege principles should be applied to limit the blast radius if developer secrets are compromised.”
The SANS Internet Storm Center has a clickable breakdown of each individual fix this month from Microsoft, indexed by severity and CVSS score. Enterprise Windows admins involved in testing patches before rolling them out should keep an eye on askwoody.com, which often has the skinny on wonky updates. Please don’t neglect to back up your data if it has been a while since you’ve done that, and feel free to sound off in the comments if you experience problems installing any of these fixes.
SmarterTools Hit by Ransomware via Vulnerability in Its Own Product
SmarterTools says customers were impacted after hackers compromised a data center used for quality control testing.
The post SmarterTools Hit by Ransomware via Vulnerability in Its Own Product appeared first on SecurityWeek.
Critical SmarterMail Vulnerability Exploited in Ransomware Attacks
The security defect allows unauthenticated attackers to execute arbitrary code remotely via malicious HTTP requests.
The post Critical SmarterMail Vulnerability Exploited in Ransomware Attacks appeared first on SecurityWeek.
How fake party invitations are being used to install remote access tools
“You’re invited!”
It sounds friendly, familiar and quite harmless. But in a scam we recently spotted, that simple phrase is being used to trick victims into installing a full remote access tool on their Windows computers, giving attackers complete control of the system.
What appears to be a casual party or event invitation leads to the silent installation of ScreenConnect, a legitimate remote support tool quietly installed in the background and abused by attackers.
Here’s how the scam works, why it’s effective, and how to protect yourself.
The email: A party invitation
Victims receive an email framed as a personal invitation, often written to look like it came from a friend or acquaintance. The message is deliberately informal and social, lowering suspicion and encouraging quick action.
In the screenshot below, the email arrived from a friend whose email account had been hacked, but it could just as easily come from a sender you don’t know.
So far, we’ve only seen this campaign targeting people in the UK, but there’s nothing stopping it from expanding elsewhere.
Clicking the link in the email leads to a polished invitation page hosted on an attacker-controlled domain.

The invite: The landing page that leads to an installer
The landing page leans heavily into the party theme, but instead of showing event details, the page nudges the user toward opening a file. None of the following elements look dangerous on their own, but together they keep the user focused on the “invitation” file:
- A bold “You’re Invited!” headline
- The suggestion that a friend had sent the invitation
- A message saying the invitation is best viewed on a Windows laptop or desktop
- A countdown suggesting your invitation is already “downloading”
- A message implying urgency and social proof (“I opened mine and it was so easy!”)
Within seconds, the browser is redirected to download RSVPPartyInvitationCard.msi.
The page even triggers the download automatically to keep the victim moving forward without stopping to think.
This MSI file isn’t an invitation. It’s an installer.

The guest: What the MSI actually does
When the user opens the MSI file, it launches msiexec.exe and silently installs ScreenConnect Client, a legitimate remote access tool often used by IT support teams.
There’s no invitation, RSVP form, or calendar entry.
What happens instead:
- ScreenConnect binaries are installed under C:\Program Files (x86)\ScreenConnect Client\
- A persistent Windows service is created (for example, ScreenConnect Client 18d1648b87bb3023)
- ScreenConnect installs multiple .NET-based components
- There is no clear user-facing indication that a remote access tool is being installed
From the victim’s perspective, very little seems to happen. But at this point, the attacker can remotely access their computer.
The after-party: Remote access is established
Once installed, the ScreenConnect client initiates encrypted outbound connections to ScreenConnect’s relay servers, including a uniquely assigned instance domain.
That connection gives the attacker the same level of access as a remote IT technician, including the ability to:
- See the victim’s screen in real time
- Control the mouse and keyboard
- Upload or download files
- Keep access even after the computer is restarted
Because ScreenConnect is legitimate software commonly used for remote support, its presence isn’t always obvious. On a personal computer, the first signs are often behavioral, such as unexplained cursor movement, windows opening on their own, or a ScreenConnect process the user doesn’t remember installing.
Why this scam works
This campaign is effective because it targets normal, predictable human behavior. From a behavioral security standpoint, it exploits our natural curiosity and appears to be low risk.
Most people don’t think of invitations as dangerous. Opening one feels passive, like glancing at a flyer or checking a message, not installing software.
Even security-aware users are trained to watch out for warnings and pressure. A friendly “you’re invited” message doesn’t trigger those alarms.
By the time something feels off, the software is already installed.
Signs your computer may be affected
Watch for:
- A download or executed file named RSVPPartyInvitationCard.msi
- An unexpected installation of ScreenConnect Client
- A Windows service named ScreenConnect Client followed by a string of random characters
- Your computer makes outbound HTTPS connections to ScreenConnect relay domains
- Your system resolves the invitation-hosting domain used in this campaign, xnyr[.]digital
How to stay safe
This campaign is a reminder that modern attacks often don’t break in; they’re invited in. Remote access tools give attackers deep control over a system. Acting quickly can limit the damage.
For individuals
If you receive an email like this:
- Be suspicious of invitations that ask you to download or open software
- Never run MSI files from unsolicited emails
- Verify invitations through another channel before opening anything
If you already clicked or ran the file:
- Disconnect from the internet immediately
- Check for ScreenConnect and uninstall it if present
- Run a full security scan
- Change important passwords from a clean, unaffected device
For organisations (especially in the UK)
- Alert on unauthorized ScreenConnect installations
- Restrict MSI execution where feasible
- Treat “remote support tools” as high-risk software
- Educate users: invitations don’t come as installers
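A detection pass that turns the indicators listed above (the MSI name, the install directory, the service-name pattern, the campaign domain and relay traffic) into checks over normalised host telemetry, as an added example that is not Malwarebytes’ code. The event records are constructed, and the screenconnect.com relay suffix is an assumption, since the post only speaks of “ScreenConnect relay domains” without naming them.

```python
import re
from typing import Any, Dict, Iterable, List

# Indicators taken from the write-up above. RELAY_SUFFIXES is an assumption:
# the post only says "ScreenConnect relay domains" without naming them.
MSI_NAME = "rsvppartyinvitationcard.msi"
INSTALL_DIR = "c:\\program files (x86)\\screenconnect client\\"
SERVICE_RE = re.compile(r"^screenconnect client \(?[0-9a-f]{16}\)?$")
CAMPAIGN_DOMAIN = "xnyr.digital"            # written xnyr[.]digital in the post
RELAY_SUFFIXES = ("screenconnect.com",)     # assumed cloud relay suffix


def _host_matches(host: str, domain: str) -> bool:
    """True if host is the domain itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify(ev: Dict[str, Any]) -> List[str]:
    """Return the campaign indicators one normalised event matches.

    Events are plain dicts keyed like Sysmon/System log fields; a real
    pipeline would map its own schema onto these keys.
    """
    hits: List[str] = []
    eid = ev.get("event_id")
    image = str(ev.get("image", "")).lower()
    if eid == 1:                                  # Sysmon: process creation
        if "msiexec" in image and MSI_NAME in str(ev.get("command_line", "")).lower():
            hits.append("msi_invitation_installer")
        if image.startswith(INSTALL_DIR):
            hits.append("screenconnect_client_process")
    elif eid == 7045:                             # System log: service installed
        if SERVICE_RE.match(str(ev.get("service_name", "")).lower()):
            hits.append("screenconnect_service_installed")
    elif eid == 22:                               # Sysmon: DNS query
        if _host_matches(str(ev.get("query", "")), CAMPAIGN_DOMAIN):
            hits.append("campaign_domain_resolved")
    elif eid == 3:                                # Sysmon: network connection
        host = str(ev.get("dest_host", ""))
        if ev.get("dest_port") == 443 and any(_host_matches(host, s) for s in RELAY_SUFFIXES):
            hits.append("screenconnect_relay_connection")
    return hits


def triage(events: Iterable[Dict[str, Any]]) -> Dict[str, List[int]]:
    """Map each indicator that fired to the record numbers that triggered it."""
    report: Dict[str, List[int]] = {}
    for n, ev in enumerate(events):
        for hit in classify(ev):
            report.setdefault(hit, []).append(n)
    return report


# Constructed sample telemetry for a host that ran the fake invitation;
# the relay hostname is a placeholder, not a real instance domain.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'msiexec.exe /i "C:\Users\alice\Downloads\RSVPPartyInvitationCard.msi"'},
    {"event_id": 7045, "service_name": "ScreenConnect Client 18d1648b87bb3023"},
    {"event_id": 7045, "service_name": "Spooler"},
    {"event_id": 1, "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "command_line": "ScreenConnect.ClientService.exe"},
    {"event_id": 22, "query": "xnyr.digital"},
    {"event_id": 22, "query": "example.com"},
    {"event_id": 3, "dest_host": "instance-placeholder.screenconnect.com", "dest_port": 443},
]

if __name__ == "__main__":
    for indicator, rows in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{indicator}: records {rows}")
```

A single hit on the relay suffix alone is weak evidence on a network where IT legitimately uses ScreenConnect; the service install or the MSI name together with the campaign domain is what should page someone.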
This scam works by installing a legitimate remote access tool without clear user intent. That’s exactly the gap Malwarebytes is designed to catch.
Malwarebytes now detects newly installed remote access tools and alerts you when one appears on your system. You’re then given a choice: confirm that the tool is expected and trusted, or remove it if it isn’t.
We don’t just report on threats; we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
Deceptive-Auditing: An Active Directory Honeypots Tool
Deceptive-Auditing is a tool that deploys Active Directory honeypots and automatically enables auditing for those honeypots.
The post Deceptive-Auditing: An Active Directory Honeypots Tool appeared first on Black Hills Information Security, Inc..
A Beginner’s Guide to the CVE Database
Keeping websites and applications secure starts with knowing which vulnerabilities exist, how severe they are, and whether they affect your stack. That’s exactly where the CVE program shines. Below, we’ll cover some CVE fundamentals, including what they are, how to search and understand the data, and how to translate this information into actionable steps.
Introduction to the CVE database
So, what is CVE?
CVE stands for Common Vulnerabilities and Exposures, a community-driven program that assigns unique identifiers to publicly known vulnerabilities.
Continue reading A Beginnerβs Guide to the CVE Database at Sucuri Blog.
GoSpoof - Turning Attacks into Intel
Imagine this: You’re an attacker ready to get their hands on valuable data that you can sell to afford going on a sweet vacation. You do your research, your recon, everything, ensuring that there’s no way this can go wrong. The day of the attack, you brew some coffee, crack your knuckles, and get started. A few hours into the service scan, you come to realize that all the network ports are open, but in use.
The post GoSpoof - Turning Attacks into Intel appeared first on Black Hills Information Security, Inc..
Wrangling Windows Event Logs with Hayabusa & SOF-ELK (Part 2)
But what if we need to wrangle Windows Event Logs for more than one system? In part 2, we’ll wrangle EVTX logs at scale by incorporating Hayabusa and SOF-ELK into my rapid endpoint investigation workflow (“REIW”)!
The post Wrangling Windows Event Logs with Hayabusa & SOF-ELK (Part 2) appeared first on Black Hills Information Security, Inc..
DomCat: A Domain Categorization Tool
DomCat is a command-line tool written in Golang that helps the user find expired domains with desirable categorizations.
The post DomCat: A Domain Categorization Tool appeared first on Black Hills Information Security, Inc..
Stop Spoofing Yourself! Disabling M365 Direct Send
Remember the good ’ol days of Zip drives, Winamp, the advent of “Office 365,” and copy machines that didn’t understand email authentication? Okay, maybe they weren’t so good! For a […]
The post Stop Spoofing Yourself! Disabling M365 Direct Send appeared first on Black Hills Information Security, Inc..
Offensive Tooling Cheatsheets: An Infosec Survival Guide Resource
An Infosec Survival Guide Resource, released as blog posts, with fully designed, printer-friendly PDF cheatsheets.
The post Offensive Tooling Cheatsheets: An Infosec Survival Guide Resource appeared first on Black Hills Information Security, Inc..
DNS Triage Cheatsheet
DNS Triage is a reconnaissance tool that finds information about an organization's infrastructure, software, and third-party services as fast as possible. The goal of DNS Triage is not to exhaustively find every technology asset that exists on the internet. The goal is to find the most commonly abused items of interest for real attackers.
The post DNS Triage Cheatsheet appeared first on Black Hills Information Security, Inc..
GraphRunner Cheatsheet
GraphRunner is a collection of post-exploitation PowerShell modules for interacting with the Microsoft Graph API. It provides modules for enumeration, exfiltration, persistence, and more!
The post GraphRunner Cheatsheet appeared first on Black Hills Information Security, Inc..
Burp Suite Cheatsheet
Burp Suite is an intercepting HTTP proxy that can also scan a web-based service for vulnerabilities. A tool like this is indispensable for testing web applications. Burp Suite is written in Java and comes bundled with a JVM, so it works on any operating system you're likely to use.
The post Burp Suite Cheatsheet appeared first on Black Hills Information Security, Inc..
Impacket Cheatsheet
Impacket is an extremely useful tool for post exploitation. It is a collection of Python scripts that provides low-level programmatic access to the packets and for some protocols, such as DCOM, Kerberos, SMB1, and MSRPC, the protocol implementation itself.
The post Impacket Cheatsheet appeared first on Black Hills Information Security, Inc..
Wireshark Cheatsheet
Wireshark is an incredible tool used to read and analyze network traffic coming in and out of an endpoint. Additionally, it can load previously captured traffic to assist with troubleshooting network issues or analyze malicious traffic to help determine what a threat actor is doing on your network.
The post Wireshark Cheatsheet appeared first on Black Hills Information Security, Inc..
Hashcat Cheatsheet
Hashcat is a powerful tool for recovering lost passwords, and, thanks to GPU acceleration, it’s one of the fastest. It works by rapidly trying different password guesses to determine the original password from its scrambled (hashed) version.
The post Hashcat Cheatsheet appeared first on Black Hills Information Security, Inc..
EyeWitness Cheatsheet
Offensive Purpose: Efficient way to gather info about web services & their hosting infrastructure. Automates taking screenshots for quick & easy review.
The post EyeWitness Cheatsheet appeared first on Black Hills Information Security, Inc..