The Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends and indicators, curated by our CISO, Nick Harris. Here’s our pick of the top stories, and why you should care.
Hundreds of Oracle E-Business Suite instances exposed to attacks
Threat actors are actively exploiting a critical vulnerability in the Oracle E-Business Suite (EBS) Oracle Payments product, with hundreds of global customers potentially at risk. CVE-2026-46817 has a CVSS score of 9.8 and could allow an unauthenticated attacker with network access via HTTP to compromise Oracle Payments. Oracle claimed that “attackers have been successful because targeted customers had failed to apply available Oracle patches”.
Why it matters
The Shadowserver Foundation has tracked 950 exposed instances globally, although it’s not clear how many have been patched. Compromising Oracle Payments could enable hackers to steal sensitive financial information, manipulate payment processes or move laterally into other enterprise systems.
Assured’s recommended action
Identify any affected EBS instances and apply Oracle’s patch in line with vendor guidance. Review logs for suspicious activity and signs of lateral movement.
Massive password spraying campaign generates 81 million login attempts
A security vendor has released details of a major password spraying campaign targeting Microsoft 365 customers. Huntress said the ongoing campaign, which is now in its third week, targets Microsoft’s Azure command-line interface (CLI). The threat actors behind it have made more than 81 million login attempts and successfully compromised at least 78 Microsoft accounts. The attackers used credentials exposed in previous breaches, counting on users’ common practice of reusing passwords. Once they found a valid login pair, the hackers authenticated via the ROPC (Resource Owner Password Credentials) OAuth mechanism. This bypassed MFA in some environments due to misconfigured conditional access policies.
Why it matters
Access to Microsoft 365 could provide threat actors with an opportunity to steal sensitive information for extortion, obtain credentials for deeper access and possible ransomware deployment, and insert themselves into email chains for business email compromise (BEC).
Assured’s recommended action
Review enterprise logins for password spraying indicators. Configure conditional access policies to require phishing-resistant MFA for all apps and all users, blocking ROPC flows. Restrict Azure CLI for non-admin users.
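As an added illustration of the first recommended action (example code written for this briefing, not from Huntress or Microsoft), the script below flags the spraying signature in constructed Entra-style sign-in records: one source IP failing once against many accounts, followed by a successful ROPC sign-in from the same IP. The record field names are assumptions, not Microsoft’s exact sign-in log schema.

```python
# Added example: detect password-spraying patterns in constructed sign-in
# records. Field names approximate an Entra sign-in export (assumption);
# adapt them to the export format you actually have.
import json
from collections import defaultdict

# Constructed sample records: one IP fails once each across 12 users (the
# spray), then succeeds via ROPC for one of them; a second IP is normal use.
SAMPLE_LOGS = "\n".join(json.dumps(r) for r in [
    {"ts": "2026-05-10T08:00:01Z", "user": f"user{i}@example.com",
     "ip": "203.0.113.9", "status": "failure", "protocol": "ropc",
     "app": "Microsoft Azure CLI"}
    for i in range(12)
] + [
    {"ts": "2026-05-10T08:05:00Z", "user": "user7@example.com",
     "ip": "203.0.113.9", "status": "success", "protocol": "ropc",
     "app": "Microsoft Azure CLI"},
    {"ts": "2026-05-10T08:06:00Z", "user": "alice@example.com",
     "ip": "198.51.100.4", "status": "success",
     "protocol": "authorizationCodeFlow", "app": "Office 365"},
    {"ts": "2026-05-10T08:07:00Z", "user": "alice@example.com",
     "ip": "198.51.100.4", "status": "failure",
     "protocol": "authorizationCodeFlow", "app": "Office 365"},
])

def detect_spray(log_text, min_users=10, max_failures_per_user=2):
    """Return {ip: report} for IPs whose failures are spread thinly across
    many distinct users (many accounts, few tries each), together with any
    successful ROPC sign-ins from the same IP, which deserve priority review."""
    failures = defaultdict(lambda: defaultdict(int))   # ip -> user -> count
    ropc_ok = defaultdict(list)                         # ip -> [users]
    for line in log_text.splitlines():
        r = json.loads(line)
        if r["status"] == "failure":
            failures[r["ip"]][r["user"]] += 1
        elif r["protocol"] == "ropc":
            ropc_ok[r["ip"]].append(r["user"])
    hits = {}
    for ip, per_user in failures.items():
        if len(per_user) >= min_users and max(per_user.values()) <= max_failures_per_user:
            hits[ip] = {"users_targeted": len(per_user),
                        "ropc_successes": sorted(set(ropc_ok.get(ip, [])))}
    return hits

if __name__ == "__main__":
    for ip, report in detect_spray(SAMPLE_LOGS).items():
        print(ip, report)
```

Tune min_users and max_failures_per_user to your tenant’s baseline; a legitimate shared egress IP produces repeated failures for the same few users, not single failures across many.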
OpenAI tenants abused for corporate snooping
Threat actors are creating new OpenAI tenants that spoof legitimate companies and inviting employees to join, in an apparent effort to eavesdrop on their activity. Push Security discovered one such “poisoned tenant” campaign after several employees received invitations to join an OpenAI organisation named “Push Security Inc”. To add legitimacy to the scam, all invitees were granted admin privileges, and a payment card had been added to the billing account.
Why it matters
Because the invites were sent from a legitimate OpenAI address, they bypassed firms’ email security filters. If employees are tricked and start using the tenant, they may expose sensitive internal and customer information via prompts.
Assured’s recommended action
Update user awareness training programmes to warn employees not to join unsolicited SaaS invitations like this. Review IoCs in the writeup to check if your organisation has been targeted. Consider investing in tools that provide visibility into SaaS account creation and organisation membership.
Ransomware activity accelerates in Europe
Ransomware attacks are surging in Europe, according to new research from Black Kite. The security vendor claimed that European organisations suffered 684 ransomware attacks in the first four months of 2026, compared with 441 during the same period in 2025 – a 55% year-on-year increase. The figure already exceeds the 643 attacks recorded across the entire first half of last year. The five largest economies – UK, Germany, France, Italy, and Spain – accounted for 69% of attacks in the period, with growth rates in France (119%), Italy (92%), and Spain (77%) the highest.
Why it matters
A serious ransomware incident can turn into an existential event for smaller companies, given the potential impact on the bottom line. After successful law enforcement disruption, the “industry” is now populated by a larger number of smaller, opportunistic players. It’s also a market that regenerates faster after takedowns.
Assured’s recommended action
Reassess the threat model to understand whether your organisation or sector is at risk. Plan for a breach and focus on resilience: whether your team can detect lateral movement quickly, isolate affected systems, restore critical services, and recover according to business-defined objectives. Verify backup and recovery processes and practice your incident response plans.
FortiBleed linked to ransomware groups
A massive credential theft operation targeting Fortinet customers is feeding two ransomware operations: INC Ransom and Lynx. That’s according to a new SOCRadar Threat Research Unit report. The threat actor operates as an initial access broker, using a custom Golang tool called FortigateSniffer to passively intercept authentication traffic by abusing FortiOS’s native “diagnose sniffer packet” command across two dozen protocols.
Why it matters
The campaign targeted 430,000 FortiGate firewalls globally, gathering over 110 million credentials in the process. Scanning activity was tracked against 11,250 FortiGate portals in more than 150 countries, followed by confirmed admin-level access on 409 targets and successful completion of the full attack chain on 354 of them. At least 12 ransomware deployments have resulted, causing hundreds of endpoints to be encrypted. More could follow.
Assured’s recommended action
Verify exposure, treat FortiGate credentials as potentially compromised and look for signs of compromise. Practise incident response plans and ensure backups are isolated and regularly tested.