Weekly Cyber Briefing 06.03.2026

Weekly Cyber Update: 6 March 2026

Phishing campaigns abuse OAuth and target LastPass users; an iOS exploit kit portends new mobile risks; FreeScout customers are urged to upgrade; and the NCSC warns UK firms about Iranian attacks.

The Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends and indicators, curated by our CISO, Nick Harris. Here’s our pick of the top stories, and why you should care.


NCSC warns UK firms to prepare for Iranian retaliation

The National Cyber Security Centre (NCSC) has issued a warning to UK firms that Iranian threat actors may lash out as US and Israeli operations continue in the country. The NCSC claimed that although the direct cyber threat has not changed, there’s now “almost certainly” an increased risk for organisations that have a presence, or supply chains, in the Middle East. This assessment could change as the war continues, it added.

Why it matters

Iran has a long track record of using cyber operations to retaliate against political slights or military attacks. This has ranged from DDoS and web defacements to destructive malware.

Assured’s recommended action

Follow the NCSC’s advice. Take note of previous advisories on DDoS, phishing and ICS threats. Sign up for its Early Warning service. If you have exposure to the region, consider this guidance. If you provide critical infrastructure, review the NCSC’s guide to responding to a severe threat.


OAuth phishing tricks bypass email security

Microsoft has warned that threat actors are abusing OAuth redirects to install malware on victims’ machines. The attacks abuse a feature in OAuth that allows identity providers (e.g., Entra ID, Google Workspace) to redirect users to a landing page when an error occurs. The phishing emails are themed around Teams meeting recordings and Microsoft 365 password reset requests. Clicking through will trigger the OAuth error, taking the user to a phishing page under the attacker’s control.

Why it matters

The attacks bypass traditional email security because the links in the phishing emails (e.g., login.microsoftonline.com) are legitimate. The threat actor triggers the error by inserting an “invalid scope” parameter, forcing the redirect. This can be done silently via the “prompt=none” parameter. Although this specific campaign targeted the public sector, it could spread.

Assured’s recommended action

Regularly review and remove unused or overprivileged OAuth applications. Enforce strong identity protection and conditional access policies. Deploy cross-domain detection across email, identity, and endpoints to prevent abuse of trusted authentication flows. Block known IoCs as listed by Microsoft.
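As an added illustration of the email-side detection recommended above (example code written for this briefing, not taken from Microsoft's report): the Python sketch below flags emailed links that point at an identity provider's authorization endpoint and carry `prompt=none` or a scope outside an expected set. The host table, the `EXPECTED_SCOPES` allowlist and the sample links are assumptions constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Identity-provider hosts mapped to the path fragment of their OAuth
# authorization endpoint. Covering only these two is an assumption.
IDP_AUTHORIZE = {
    "login.microsoftonline.com": "/oauth2/",
    "accounts.google.com": "/o/oauth2/",
}
# Assumption: scopes your own applications request; tune to your tenant.
EXPECTED_SCOPES = {"openid", "profile", "email", "offline_access", "user.read"}


def score_link(url):
    """Return the reasons an emailed link looks like an OAuth error-redirect lure."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    marker = IDP_AUTHORIZE.get(host)
    if marker is None or marker not in parts.path.lower():
        return []  # not an identity-provider authorization request
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    # Silent authentication is normally started by an app, not by an email link.
    if "none" in [p.lower() for p in params.get("prompt", [])]:
        reasons.append("prompt=none")
    # A scope the provider rejects is what forces the error redirect.
    scopes = " ".join(params.get("scope", [])).lower().split()
    unknown = [s for s in scopes if s not in EXPECTED_SCOPES]
    if unknown:
        reasons.append("unexpected scope: " + ",".join(unknown))
    return reasons


def triage(links):
    """Map each flagged link to its reasons; clean links are omitted."""
    return {u: r for u in links if (r := score_link(u))}


# Constructed sample links: client IDs and scope values are placeholders.
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&scope=not_a_real_scope&prompt=none&state=abc",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-1111-1111-1111-111111111111&response_type=code"
    "&scope=openid%20profile",
    "https://example.com/meeting-recording",
]
```

A hit is a triage signal rather than a verdict: correlate it with the sending domain and with identity-provider sign-in logs before blocking.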


Coruna: sophisticated spyware migrates to cybercrime groups

Google researchers have discovered a powerful iOS exploit kit in the hands of cybercrime groups. “Coruna” contains five iOS exploit chains and a total of 23 exploits, some of which target vulnerabilities for which CVE identifiers were never issued. They mainly target legacy iPhone models for crypto-theft, but other campaigns may have different goals.

Why it matters

It’s not only nation states that now have access to sophisticated exploit kits, meaning more organisations are at risk of mass-scale targeting by evasive, zero-click attacks.

Assured’s recommended action

Ensure users are on the latest iOS version (using mobile device management tooling where appropriate). Audit BYOD programmes for users with older devices and iOS versions. Consider Lockdown Mode for high-value targets.


LastPass users under attack as another phishing campaign lands

LastPass has warned users of a new phishing campaign designed to harvest master passwords. The emails impersonate a LastPass staffer (with a spoofed display name) and urge the recipient to take action on unauthorised access or master password changes. Links point to a fake LastPass login page. The messages include fake email chains designed to make it look like someone else is trying to access the victim’s account.

Why it matters

Master passwords in password managers are the keys to the kingdom, potentially granting access to a trove of corporate logins. As such, they’re frequent targets for phishers.

Assured’s recommended action

Enforce multi-factor authentication (MFA) for password manager logins (ideally, hardware-based keys or passkeys). Restrict logins via IP address/corporate VPN. Update security awareness training to ensure staff know how to spot a LastPass phish.


FreeScout zero-click bug enables remote access

Researchers have discovered a maximum-severity bug in the popular helpdesk platform FreeScout that could enable full system compromise with no user interaction. CVE-2026-28289 (Mail2Shell) is a bypass for an earlier vulnerability (CVE-2026-27636) in the open source platform.

Why it matters

A full server/system takeover could allow adversaries to steal data from helpdesk tickets and other information stored in FreeScout. They could also move laterally from FreeScout to other systems on the network.

Assured’s recommended action

Upgrade to version 1.8.207 or later. Always disable `AllowOverride All` in the Apache configuration on the FreeScout server, even on the latest version.
