
May Cyber Threat Download™

Pondurance
May 14, 2026

Each month, the Pondurance team of experts in threat intelligence, incident response, security operations, vulnerability management, and compliance share insights with our clients and partners to help them stay on top of recent trends in cybersecurity and take action to prevent harm to their organizations. Please feel free to share this information with colleagues and other interested parties on social media. 


Third-party compromise

In its ransomware investigations, the digital forensics and incident response team has seen an uptick in the number of compromises stemming from third parties, including managed service providers (MSPs) and contractors. In these compromises, threat actors gain access to client environments using trusted remote tools, such as BeyondTrust Remote Support and SimpleHelp, to bypass security controls. This tactic works because these tools are allowed within organizations as trusted, whitelisted tools, and the activity appears to be legitimate IT support. In addition, there's often no granular logging or session recording enabled that shows what's happening behind the scenes.


The business impact of third-party compromises can be substantial. These compromises can cause widespread encryption across systems, backup destruction or encryption, multiclient compromise through an MSP or contractor, and data exfiltration. 


The team also identified many of the control gaps in third-party compromises, including overprivileged MSP accounts, no multifactor authentication (MFA) enforcement for MSP access, a lack of session monitoring and logging for remote tools, no segmentation between MSP access and critical infrastructure, and limited visibility into third-party activity. Organizations should closely monitor who has access to the network, why they have access, how they are authenticated, and what is exposed. Moving forward, the team suggests that organizations tighten controls over external exposure into the network.


Notable vulnerabilities

As many as 6,328 newly disclosed vulnerabilities were reported in March. That's a very large number for the month, considering that the average range has been 4,000-4,500 vulnerabilities per month. The vulnerability management team expects the number to keep increasing in future months due to more ethical hackers looking for vulnerabilities and the rising use of artificial intelligence (AI). Of those 6,328, there was known exploitation of 31 of them, including vulnerabilities in Microsoft, Google, Apple, ConnectWise, Cisco, and Citrix products. Proof-of-concept code was published online for 10 of the vulnerabilities, which may increase the number of threat actors exploiting the affected products.


As a monthly trend, the team explained that 10 of the newly disclosed vulnerabilities affect Apple and Microsoft products, and nine of the 10 allow remote code execution (RCE). The team discussed in detail three of the Apple vulnerabilities.


  • DarkSword exploit kits. This vulnerability affects Apple operating systems 18.4 to 18.7. The exploit kit is complex, indicating that a state-sponsored actor or state government developed the exploit, and three or more groups, including Turkish firm PARS Defense, have deployed it. The exploit kit chains together multiple vulnerabilities to achieve RCE, sandbox escape, and kernel-level compromise. The attacks target high-value individuals with large cryptocurrency wallets in Saudi Arabia, Turkey, Malaysia, and Ukraine.

  • Snapchat scam. In this exploit, threat actors send emails that lure victims to a fake Snapchat site. The threat actors use JavaScript to create an iframe for frame.html, and they set a session storage key on the device to prevent reinfection. Victims are moved to Safari since the exploit chain uses a Safari vulnerability. At the end of the exploit, victims are redirected to the legitimate Snapchat site to mask the malicious activity.

  • Signal messages. The FBI announced that it can recover deleted Signal messages due to a notification services vulnerability, or logging issue, where notifications marked for deletion can be unexpectedly retained on devices. Apple users need to patch devices running iOS 26.4.2.


During Microsoft Patch Tuesday in March, 82 reported vulnerabilities were addressed, including eight critical vulnerabilities, mostly RCEs, and no zero-day exploits. The team reminded clients to patch applications, particularly ones that users work in daily.


In April, 164 reported vulnerabilities were addressed during Microsoft Patch Tuesday. Of those 164, eight were critical vulnerabilities, seven of which were RCEs and one was a denial-of-service vulnerability. Two of the reported vulnerabilities were zero days: one involved the Microsoft SharePoint server, and the other one was a Microsoft Defender vulnerability. The team recommends that organizations apply timely patches following the Microsoft Patch Tuesday announcements.


AI-enabled phishing

Phishing was the No. 1 reported cybercrime last year, according to the FBI, and the Anti-Phishing Working Group reported an estimated 3.8 million recorded attacks in 2025. At Pondurance, the security operations center (SOC) team is seeing an uptick in phishing campaigns. As a shift in tactics, threat actors are no longer hacking into systems. Instead, they're logging in with stolen credentials from phishing scams.


In the past, phishing emails were somewhat obvious due to poor grammar and awkward language. Today, with the assistance of AI, threat actors send emails with hyperpersonalized content that look like normal business emails, invoices, or internal tasks. They also use fake voicemails, Microsoft alerts, shipping messages, and QR codes to bypass email filtering. AI-enabled phishing attacks typically target executives or employees in specific roles, such as finance or operations, and involve some urgency to respond.


It's important for organizations to understand how AI-enabled phishing works. After all, threat actors can get past MFA and steal credentials that can be used in account takeovers, business email compromise, wire fraud, data theft, and even as a launching point for ransomware attacks. Organizations should offer updated training, stronger identity protection, and fast detection to combat phishing campaigns that use AI.


Browser extension safety

Browser extensions are programs or apps that function like an entire operating system inside the browser. These extensions are privileged JavaScript with a trusted auto-update channel. They can't read or write to the hard drive directly, but they can be privileged enough to read or write everything in the browser.


Typically, organizations are not monitoring browser extensions, and endpoint detection and response (EDR) tools don't block or remove browser extensions from systems, even when they are known to be bad. However, the detection engineering team recommends that clients monitor browser extensions because threat actors are leveraging them to take malicious actions.


The team noted a few dangerous use cases, including broad host access, where threat actors read and change data on all websites; high-risk application programming interfaces (APIs) such as cookies, scripting, and clipboard access; permission expansion after installation; and developer or ownership transfers, where a previously benign extension is sold, abandoned, or silently handed over, and the threat actor then weaponizes it through an update. In addition, some browsers, such as the Chromium-based browsers, sync profiles so that everything from the previous browser is available in the new browser, and that includes the password history.


The team calculated that, in April alone, clients installed 9,231 general browser extensions and downloaded 949 unique browser extensions. Of those, eight potentially malicious browser extensions were detected. Most organizations don't use controls for browser extensions, but they should. Generally, group policies can help organizations centrally control which new browser extensions are installed. Browser extensions that are already installed require user and/or scripted solutions for removal.
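The risk categories above (broad host access, high-risk APIs, permission growth after installation) map directly onto fields in a Chromium extension's manifest.json. The following is an added example, not Pondurance tooling, that scores a parsed manifest against those categories and diffs an installed manifest against a pushed update; the two manifests are constructed samples, and the API and host-pattern lists are the author's assumptions about which entries merit review.

```python
"""Flag risky Chromium extension permissions from manifest.json data.

Added example (not Pondurance's tooling). Risk categories follow the
newsletter's list: broad host access, high-risk APIs (cookies, scripting,
clipboard) and permission growth between versions. Sample manifests are
constructed, not real extensions.
"""
import json

# Assumed host patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Assumed list of permission names worth an analyst's attention.
HIGH_RISK_APIS = {"cookies", "scripting", "clipboardRead", "clipboardWrite",
                  "webRequest", "debugger", "nativeMessaging"}


def risk_findings(manifest: dict) -> list[str]:
    """Return human-readable findings for one parsed manifest."""
    findings = []
    perms = set(manifest.get("permissions", []))
    # MV2 puts host patterns in "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    if hosts & BROAD_HOSTS:
        findings.append("broad host access: " + ", ".join(sorted(hosts & BROAD_HOSTS)))
    for api in sorted(perms & HIGH_RISK_APIS):
        findings.append(f"high-risk API: {api}")
    for cs in manifest.get("content_scripts", []):
        if set(cs.get("matches", [])) & BROAD_HOSTS:
            findings.append("content script injected on all sites")
    return findings


def permission_growth(old: dict, new: dict) -> set[str]:
    """Permissions present in the update but absent from the installed version."""
    def all_perms(m):
        return set(m.get("permissions", [])) | set(m.get("host_permissions", []))
    return all_perms(new) - all_perms(old)


# Constructed sample manifests: the version a user installed and a later update.
INSTALLED = json.loads('{"name": "Tab Tidy", "version": "1.0", '
                       '"permissions": ["tabs", "storage"], "host_permissions": []}')
UPDATED = json.loads('{"name": "Tab Tidy", "version": "1.1", '
                     '"permissions": ["tabs", "storage", "cookies", "scripting"], '
                     '"host_permissions": ["<all_urls>"], '
                     '"content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}')

if __name__ == "__main__":
    for finding in risk_findings(UPDATED):
        print("FINDING:", finding)
    print("new permissions since install:", sorted(permission_growth(INSTALLED, UPDATED)))
```

Run against manifests collected from user profile directories, the `permission_growth` diff is the signal for the ownership-transfer case, where a benign extension suddenly asks for far more on update.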


The Pondurance team is currently auditing managed EDRs that supply the telemetry for recently installed extensions, and the team will present its findings in an upcoming webinar. For specific questions about browser extensions, clients can create Scope tickets to discuss issues with the team.


About the Pondurance threat intelligence team

The Pondurance threat intelligence team consists of cybersecurity experts across our organization dedicated to providing exceptional threat intelligence research and insights to optimize the efficacy of proactive threat prevention efforts, as well as threat detection and response. By monitoring emerging cybersecurity trends and collaborating with our SOC, we provide real-time insights and actionable intelligence. Through knowledge sharing and advisory posts, we empower organizations to strengthen their cybersecurity posture and foster a more secure digital landscape.
