OccamSec

We are leaders in finding and mitigating cybersecurity risks that others miss.

05/28/2026

Does your organization run Microsoft Exchange on-premise still? May want to check out CVE-2026-42897. It's an XSS vulnerability in Outlook Web Access that's being actively exploited in the wild. No permanent patch exists. The next scheduled Patch Tuesday is still a couple weeks away (June 10).

What it does. An attacker sends a specially crafted email. If the recipient opens it in OWA, arbitrary JavaScript executes in their authenticated browser session — enabling session token theft, mailbox impersonation, and email rule manipulation without the attacker ever touching the server.

Who's affected. Exchange Server 2016, 2019, and Subscription Edition (SE). Exchange Online / Microsoft 365 users are not affected.

What's available now. Microsoft's Exchange Emergency Mitigation Service (EEMS) can apply interim protection automatically for on-premises deployments. The Exchange On-Premises Mitigation Tool (EOMT) is also available for manual application, though some administrators have reported minor OWA side effects.

What else to consider. CISA added this to its Known Exploited Vulnerabilities catalog on May 15 — with a remediation deadline of May 29 for federal agencies. That's tomorrow!

Our summary — including analyst commentary and detailed mitigation guidance — is in our weekly threat brief. Link in the comments.

05/10/2026

Your Mac's code signing is supposed to guarantee that what's running on your machine is exactly what it claims to be. It's one of the fundamental security promises Apple makes.

We just found a way around it. Again.

In 2021 our research team discovered a flaw that let us disguise a malicious binary as a legitimately signed one. Apple quietly closed it with the M1 release — no acknowledgment, no CVE.

And now we've found another gap in the same system. We've published everything — not a polished summary, the full technical detail — so the security community can see exactly how it works.

Link in the comments if you want to dig in.

05/04/2026

Here's the thing about AI that can find vulnerabilities in your code and write the fix: it's solving the technical part of a problem that was never only technical.

Finding the flaw faster is useful. But deciding whether the suggested fix is correct, whether it's safe to deploy, whether it introduces new risk somewhere else — that's a process problem. It requires human judgment, review, and accountability. AI doesn't make those decisions for you, and you probably don't want it to.

There's also the scope question. A codebase scanner sees your application layer. It doesn't see your cloud configuration, your network architecture, how your credentials are managed, or your exposure through third-party vendors. Those are where a lot of real breaches actually start.

Knowing where your security program stands across all of it is a different question than "does this tool work." It's worth asking both. Our readiness assessment can help you determine if your program can answer these questions. Link to it in the comments!

05/03/2026

Have your employees been getting fake Zoom, Teams, and DocuSign links?

We've been tracking a phishing campaign that tricks users into downloading ScreenConnect, a real remote access tool, configured to give attackers full control of the machine. It looks like a software update. It installs a backdoor.

Activity spiked between April 18 and 21, but it's not slowing down.

Three things you can do now:
Step 1: Block .exe and .msi downloads for anyone who isn't in IT.
Step 2: Restrict local admin rights — this is how they escalate.
Step 3: If ScreenConnect shows up somewhere your team didn't put it, treat it as an incident.

The full breakdown — including IOC lists and detection rules — is in our threat brief. Link in comments.
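For step 3 above, here is an added example (not a detection rule from the OccamSec brief) that inventories ScreenConnect client services on a Windows host and flags any whose relay host is not one IT deployed. It assumes the client registers a service whose display name begins with "ScreenConnect Client" and that the relay host appears as the `h=` query parameter in the service binary path; the approved relay name is a constructed placeholder.

```powershell
# Added example, not part of the original post. Inventory ScreenConnect client
# services and flag installs that point at a relay host IT does not recognize.
#
# Assumptions (check against your own deployment): the client's service display
# name starts with "ScreenConnect Client", and the relay host is carried in the
# service binary path as the "h=" query parameter. The allow-list entry below is
# a constructed placeholder; replace it with the relay(s) your IT team actually uses.

$ApprovedRelays = @('relay.example-it.internal')   # placeholder value

function Get-ScreenConnectClients {
    param([string[]]$Approved)

    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DisplayName -like 'ScreenConnect Client*' }

    foreach ($svc in $services) {
        # Pull the relay host out of the service command line (assumed "h=" parameter).
        $relay = $null
        if ($svc.PathName -match '[?&]h=([^&"\s]+)') { $relay = $Matches[1] }

        [pscustomobject]@{
            ServiceName = $svc.Name
            State       = $svc.State
            StartMode   = $svc.StartMode
            RelayHost   = $relay
            Approved    = ($null -ne $relay -and ($Approved -contains $relay))
            BinaryPath  = $svc.PathName
        }
    }
}

$findings = Get-ScreenConnectClients -Approved $ApprovedRelays
$findings | Format-Table -AutoSize

# Anything not tied to an approved relay is the "ScreenConnect you didn't put
# there" case from step 3: raise an incident rather than just uninstalling it.
$unexpected = @($findings | Where-Object { -not $_.Approved })
if ($unexpected.Count -gt 0) {
    $msg = '{0} ScreenConnect client service(s) not tied to an approved relay; treat as an incident.' -f $unexpected.Count
    Write-Warning $msg
    exit 1
}
```

Run it from an elevated PowerShell session so service binary paths are readable; a non-zero exit lets you wire it into an endpoint compliance job.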

05/01/2026

Running cPanel or WHM? A critical vulnerability — CVE-2026-4190 — allows attackers to bypass authentication entirely and gain full admin access. No credentials needed. A public exploit is already out there, which means this isn't just a sophisticated-attacker problem anymore.

Here's what to do right now:
Step 1: Apply the vendor patch. Don't wait for a scheduled window.
Step 2: If your server was internet-facing before patching, assume it may be compromised.
Step 3: Rotate all admin and root credentials immediately.
Step 4: Check for unauthorized changes to SSH keys, scheduled tasks, and config files.
Step 5: Restrict management interface access to known IPs or put it behind a VPN.

Our team alerted clients to this earlier this week. If you're unsure whether your environment is affected, reach out — we'll follow up promptly.

Get our regular weekly threat brief to find out about other risks you should be watching: https://hubs.la/Q04f9cLc0

04/24/2026

Is your security team tracking what's actively being exploited right now?

This week's OSec Weekly Threat Brief covers 5 live threats — including a zero-day in Adobe Reader that may have gone undetected since December, two unpatched Windows Defender privilege escalation bugs, and attackers hijacking a legitimate AI tool to deliver malware.

Find out what happened, who's at risk, and exactly what to do. Link in the comments.

04/22/2026

The 2026 NAB Show just wrapped. The event was buzzing about AI, cloud workflows, and the future of storytelling.

What wasn't on the main stage: the security conversation the industry keeps avoiding.

The 2014 Sony Pictures breach wasn't a piracy story. Unreleased films leaked, yes. But the most enduring damage was internal emails, executive compensation, and talent data going fully public. The reputational fallout lasted years — and that was before AI entered every production workflow.

Fast-forward to today: A major production can employ 200–400 vendors. VFX houses. Render farms. Localization shops. Digital dailies. Each doing their job well, each running software and potentially AI tools that ingest your unreleased content, talent data, and deal terms — without a risk or governance model that can keep up.

Our Head of Customer Success, Dayse Morales, just got back from NAB. The AI enthusiasm was real. But so was the silence around what happens when one of those vendors gets compromised.

Third-party breaches have doubled as a share of all incidents in a single year. In media and entertainment — where supply chains are deep, vendor offboarding is an afterthought, and IP is the product — that number should stop people cold. Read our thoughts on this challenge. Link in the comments.

A single film touches 400 vendors. Every one is now running AI tools. Almost none have the security to match. Here's what the media industry is missing — and what to do about it.

04/20/2026

Last week's threat landscape was a lot.

Iranian hackers targeting exposed industrial systems. An unpatched Windows zero-day. AI-powered phishing bypassing MFA daily. Chinese state-backed espionage expanding across Europe. And a critical WordPress flaw already being exploited in the wild.

Our team tracked all of it — with actionable guidance your security team can use this week.

See the link to the brief in the comments. 👇

04/20/2026

Everyone's talking about Mythos like it's the end of days for cybersecurity.

After reading the actual research, here's what OSec CEO and Founder, Mark Stamford, concluded. Sharing here in case it resonates with you:

Yes, it finds vulnerabilities faster than a human team can. No, most of them aren't going to affect your organization this week. And a lot of the heavy lifting in the research was done by additional tooling — the results weren't as dramatic as the headlines suggest.

The bigger question nobody's asking: if Mythos could actually do what's being claimed, would any responsible company be advertising it? "We've built the doomsday weapon — here's the press release" doesn't quite add up.

The fundamentals of security haven't changed. Breaches still mostly come down to unpatched systems, weak passwords, and poor hygiene — not exotic AI-powered zero-days. AI can help find problems faster. It doesn't fix the ones you've been ignoring.

Before you rethink your entire security program based on a news cycle, find out where you actually stand. We built a Mythos Readiness Assessment, so you can find out how Mythos really impacts your organization. Take the assessment here: https://hubs.la/Q04cKGDT0

04/15/2026

Educational institutions logged 299 ransomware victims in 2025. (We mapped out the month-by-month data from 2025.) Harvard, UPenn, Columbia, UMMC, and others have all been hit this year. And attacks are still trending up.

Our Education Sector Threat Brief covers who's behind many of these attacks, how they're getting in, and what you can do about it.

Download it today: https://hubs.la/Q04bJTLD0

Address

122 E 42nd Street, Suite 3605
New York, NY
10168
