Microsoft’s April 2026 Patch Tuesday dropped 167 fixes — the second-largest single release in the program’s history — including a SharePoint spoofing flaw already exploited in the wild. Elsewhere, Cisco Talos published research on legitimate AI workflow platforms being weaponized as phishing infrastructure, a fake Ledger Live app passed Apple’s vetting and drained $9.5 million, and an Android RAT turned 220,000 phones into residential proxy nodes via social media ads.

In the News

Microsoft Ships Record 167 April Patches Including Exploited SharePoint Zero-Day

Microsoft’s April 2026 cumulative update addresses 167 vulnerabilities across Windows, Office, SharePoint, Azure, and Windows Defender — second only to the 175-fix release in April 2024 for the largest Patch Tuesday on record. Elevation-of-privilege flaws account for more than half of the total, which means an attacker who gains initial access to a system through any vector has an unusually large selection of paths to escalate.

The most urgent item is CVE-2026-32201, a spoofing vulnerability in SharePoint Server (CVSS 7.6) that Microsoft confirms is under active exploitation. The flaw enables attackers to present falsified content within a trusted SharePoint environment — a high-fidelity social engineering vector in organizations where employees rely on SharePoint as an authoritative document source. If an attacker can combine this with a compromised or low-privilege account, the spoofed content carries the credibility of the internal platform.

Separately, CVE-2026-33825 — a privilege escalation in Windows Defender publicly disclosed under the name “BlueHammer” (CVSS 7.8) — has not been observed in the wild yet but is now public. The combination of active exploitation on one CVE and public disclosure on another in the same update cycle creates urgency for defenders who batch patches monthly.

What defenders should do: Prioritize CVE-2026-32201 for any on-premises SharePoint deployment this week rather than waiting for the standard monthly window. Confirm that Windows Defender platform and definition updates land alongside the OS patches: CVE-2026-33825 is a privilege escalation in the security product itself, and Defender platform fixes are normally delivered through the antimalware platform update channel rather than the monthly cumulative update, so an OS patch-compliance report alone does not show whether the Defender fix is in place. For organizations running automated patch orchestration, this cycle is the stress test; 167 patches in a single release strains any monthly cadence.

Attackers Weaponize n8n AI Workflow Platform for Phishing Infrastructure

Cisco Talos published research documenting a phishing campaign active from October 2025 through March 2026 that abused the n8n workflow automation platform as its primary infrastructure layer. n8n is a legitimate open-source tool used by DevOps and marketing teams to automate business workflows — which is precisely why it works as phishing infrastructure. Its domains carry neutral-to-positive reputation scores across most URL filtering databases.

The campaign used n8n-hosted workflows to serve phishing redirects and fingerprint victim devices before delivering the final credential harvesting page. This multi-stage approach means that security tools inspecting the initial URL see a legitimate automation platform, and the actual phishing content is served conditionally, only after the workflow confirms the visitor matches the target profile; a gateway scanner or detonation sandbox that does not match the profile is handed something benign. Static URL scanning at the email gateway does not catch this because the redirect target changes dynamically.

The technique is not limited to n8n. Talos noted that similar abuse patterns apply to any automation platform (Zapier, Make, Power Automate) where an attacker can host a publicly accessible workflow URL. The common thread: legitimate SaaS infrastructure with established domain reputation serving as a trust proxy for malicious content.

What defenders should do: Audit email gateway and secure web gateway logs for n8n.io, n8n.cloud and similar automation platform domains appearing in inbound email links; bear in mind that self-hosted n8n instances run on arbitrary domains, so a domain list only covers the vendor-hosted case. Behavioral URL analysis that follows redirect chains and evaluates the final landing page, not just the initial domain, is the primary detection mechanism. Organizations relying solely on domain reputation for link filtering have a gap this campaign exploits by design.

Fake Ledger Live App Passes Apple Vetting, Drains $9.5M in Crypto

A counterfeit version of the Ledger Live hardware wallet management application was published on the Apple App Store and remained available long enough to steal approximately $9.5 million in cryptocurrency from an estimated 50 victims. The app replicated the legitimate Ledger Live interface and prompted users to enter their 24-word recovery seed phrases during an apparent “verification” step. Those seed phrases were exfiltrated to attacker-controlled infrastructure, giving the operators full access to the victims’ cryptocurrency wallets.

The incident is notable not for its technical sophistication — the mechanism is straightforward credential phishing — but for the trust layer it exploited. Apple’s App Store review is widely perceived as a security control. Users downloading an app from the official store have a reasonable expectation that it has been vetted for malicious behavior. That expectation failed here. The fake app’s ability to pass review and operate long enough to inflict $9.5 million in losses underscores a broader supply chain risk: curated app stores are a friction layer, not a guarantee.

What defenders should do: For enterprise environments, the compensating control is endpoint or mobile behavioral detection that flags applications sending wallet secrets to unknown endpoints. Note that a recovery phrase is 12 or 24 words drawn from the BIP39 dictionary, so its character entropy is roughly that of ordinary English text; string-entropy heuristics tuned for random tokens catch raw private keys but not seed phrases, which need a wordlist match instead. Mobile threat defense solutions that analyze app behavior post-install, not just at download, are relevant here. For personal security awareness, the principle is direct: a recovery seed phrase is entered only into the hardware wallet device itself during setup or restore, never into a phone or desktop application, and a legitimate companion app never asks for it.
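The following is an added example, not code from Ledger, Apple or this brief. It shows concretely why a "high-entropy string" rule does not see a seed phrase, and what an outbound-body check that does catch one looks like. The request body is constructed, the wordlist path is an assumption, and the embedded fallback is a small subset of real BIP39 words used only so the sample runs without the full 2048-word file.

```python
import math
import re
from typing import Optional

# Assumption: the 2048-word BIP39 English list is on disk at this path. If it is not,
# fall back to a small embedded subset of real BIP39 words, enough for the sample below.
BIP39_PATH = "bip39-english.txt"
FALLBACK_WORDS = set(
    "abandon ability able about above absent absorb abstract absurd abuse "
    "zoo zone zero zebra youth young yellow year yard wrong write wrist".split()
)

MNEMONIC_LENGTHS = (24, 21, 18, 15, 12)               # valid BIP39 phrase lengths, longest first
HEX_PRIVATE_KEY = re.compile(r"\b[0-9a-fA-F]{64}\b")  # 32-byte raw key (secp256k1 and friends)
WIF_PRIVATE_KEY = re.compile(r"\b[5KL][1-9A-HJ-NP-Za-km-z]{50,51}\b")  # Bitcoin WIF encoding


def load_bip39(path: str = BIP39_PATH) -> set:
    """Full wordlist from disk if available, else the embedded fallback subset."""
    try:
        with open(path, encoding="utf-8") as f:
            words = {w.strip() for w in f if w.strip()}
        if len(words) == 2048:
            return words
    except OSError:
        pass
    return FALLBACK_WORDS


def shannon_entropy(s: str) -> float:
    """Bits per character; the metric behind typical 'secret-looking string' rules."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def find_mnemonic(text: str, wordlist: set) -> Optional[str]:
    """Longest run of 12..24 consecutive lowercase words that are all BIP39 words."""
    tokens = re.findall(r"[a-z]+", text.lower())
    for n in MNEMONIC_LENGTHS:
        for i in range(len(tokens) - n + 1):
            window = tokens[i:i + n]
            if all(w in wordlist for w in window):
                return " ".join(window)
    return None


def inspect_outbound_body(body: str, wordlist: set) -> list:
    """Return (kind, value, entropy_bits_per_char) for each wallet secret found in a request body."""
    findings = []
    phrase = find_mnemonic(body, wordlist)
    if phrase:
        findings.append(("bip39_mnemonic", phrase, shannon_entropy(phrase)))
    for key in HEX_PRIVATE_KEY.findall(body):
        findings.append(("hex_private_key", key, shannon_entropy(key)))
    for key in WIF_PRIVATE_KEY.findall(body):
        findings.append(("wif_private_key", key, shannon_entropy(key)))
    return findings


# Constructed request body of the kind a counterfeit wallet app might POST; not real data.
SAMPLE_PHRASE = "abandon ability able about above absent absorb abstract absurd abuse zoo zone"
SAMPLE_HEX_KEY = "0123456789abcdef" * 4
SAMPLE_BODY = '{"id":"4471","s":"%s","k":"%s"}' % (SAMPLE_PHRASE, SAMPLE_HEX_KEY)

if __name__ == "__main__":
    for kind, value, bits in inspect_outbound_body(SAMPLE_BODY, load_bip39()):
        print(f"{kind:16s} entropy={bits:.2f} bits/char  {value[:40]}...")
```

On the sample body the hex key scores exactly 4.0 bits per character (the ceiling for hex) while the seed phrase scores under 4.0, in the range of ordinary prose, so any entropy threshold high enough not to fire on normal text misses the phrase; the wordlist window is what catches it. With the full 2048-word list, false positives on natural language stay low because most English function words (the, is, and) are not BIP39 words.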

Mirax Android RAT Converts 220K Phones into Proxy Infrastructure via Social Media Ads

A remote access trojan designated Mirax has compromised approximately 220,000 Android devices after distribution through paid Facebook and Instagram advertisements targeting Spanish-speaking users. Once installed, the RAT silently registers the device as a SOCKS5 proxy node, routing attacker traffic through the victim’s residential IP address.

The proxy conversion is the strategic payload. A network of 220,000 residential IPs distributed across consumer ISPs provides attackers with infrastructure that is extremely difficult to block at the network level — each connection originates from a legitimate residential address. This infrastructure supports credential stuffing attacks, fraud operations, and further intrusion campaigns where the attacker needs to avoid IP-based blocking and reputation filtering. The distribution via Meta advertising platforms demonstrates that ad network abuse remains a viable and scalable initial access vector for mobile malware.

What defenders should do: Organizations with corporate-enrolled Android devices should confirm that mobile threat defense agents are deployed and actively scanning for RAT behavior, in particular SOCKS5 proxy registration and unexpected outbound connections to non-standard ports. Because phones sit behind carrier or home NAT, proxyware almost always dials out to the operator and serves SOCKS5 over that outbound connection rather than opening a listening port, so a rule keyed only to inbound connections or listening sockets misses it; a long-lived outbound session from a phone that carries SOCKS5 handshakes is the better signal, and if the tunnel is TLS-wrapped only the on-device agent can see it. On the network side, authentication and fraud detection systems should account for the possibility that login attempts from residential IPs may originate from compromised proxy infrastructure rather than legitimate users.
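As an added example (not code from any Mirax analysis or from this brief), the following minimal RFC 1928 and RFC 1929 parser decides from the first payload bytes of each direction of a TCP flow whether a device is acting as a SOCKS5 server, regardless of which side opened the connection. All three flows are constructed; the brief does not say whether Mirax listens or dials out, so the reverse-connection flow is an assumption about how proxyware commonly behaves.

```python
import struct
from dataclasses import dataclass
from typing import Optional

SOCKS_VER = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
METHOD_NAMES = {0x00: "no-auth", 0x02: "username/password", 0xFF: "no-acceptable"}


@dataclass
class Socks5Request:
    cmd: str
    dst_host: str
    dst_port: int


def parse_greeting(b: bytes) -> Optional[int]:
    """Client greeting VER NMETHODS METHODS[]; return its length, or None if not SOCKS5."""
    if len(b) < 2 or b[0] != SOCKS_VER:
        return None
    nmethods = b[1]
    if nmethods == 0 or len(b) < 2 + nmethods:
        return None
    return 2 + nmethods


def skip_userpass(b: bytes) -> Optional[int]:
    """RFC 1929 sub-negotiation VER(0x01) ULEN UNAME PLEN PASSWD; return its length."""
    if len(b) < 2 or b[0] != 0x01:
        return None
    ulen = b[1]
    if len(b) < 3 + ulen:
        return None
    total = 3 + ulen + b[2 + ulen]
    return total if len(b) >= total else None


def parse_request(b: bytes) -> Optional[Socks5Request]:
    """Request VER CMD RSV ATYP DST.ADDR DST.PORT."""
    if len(b) < 4 or b[0] != SOCKS_VER or b[2] != 0x00 or b[1] not in CMD_NAMES:
        return None
    atyp = b[3]
    if atyp == 0x01 and len(b) >= 10:                          # IPv4
        host, end = ".".join(str(x) for x in b[4:8]), 8
    elif atyp == 0x03 and len(b) >= 5 and len(b) >= 7 + b[4]:  # domain name, length-prefixed
        host, end = b[5:5 + b[4]].decode("ascii", "replace"), 5 + b[4]
    elif atyp == 0x04 and len(b) >= 22:                        # IPv6, shown as raw hex
        host, end = b[4:20].hex(), 20
    else:
        return None
    return Socks5Request(CMD_NAMES[b[1]], host, struct.unpack("!H", b[end:end + 2])[0])


def classify_flow(flow: dict) -> dict:
    """flow: first payload bytes in each direction plus who opened the TCP connection."""
    verdict = {"socks5_server": False, "auth": None, "request": None, "reverse_connection": False}
    to_dev, from_dev = flow["to_device"], flow["from_device"]
    n = parse_greeting(to_dev)
    if n is None or len(from_dev) < 2 or from_dev[0] != SOCKS_VER or from_dev[1] not in METHOD_NAMES:
        return verdict                       # peer did not greet, or device did not select a method
    verdict["socks5_server"] = True
    verdict["auth"] = METHOD_NAMES[from_dev[1]]
    verdict["reverse_connection"] = flow["device_initiated"]  # device dialed out, peer drives SOCKS
    rest = to_dev[n:]
    if from_dev[1] == 0x02:                  # username/password chosen: sub-negotiation comes first
        skip = skip_userpass(rest)
        rest = rest[skip:] if skip is not None else b""
    verdict["request"] = parse_request(rest)
    return verdict


# Constructed flows (not captured traffic). Byte strings follow RFC 1928/1929 exactly.
FLOWS = [
    {"name": "inbound-1080", "device_initiated": False,     # peer connected in to phone:1080
     "to_device": b"\x05\x01\x00" + b"\x05\x01\x00\x03\x0cbank.example\x01\xbb",
     "from_device": b"\x05\x00"},
    {"name": "reverse-to-c2", "device_initiated": True,     # phone dialed out to operator (assumed)
     "to_device": b"\x05\x02\x00\x02" + b"\x01\x04node\x06s3cret"
                  + b"\x05\x01\x00\x01\xc6\x33\x64\x0a\x00\x50",
     "from_device": b"\x05\x02"},
    {"name": "tls-client-hello", "device_initiated": True,  # ordinary HTTPS, not SOCKS
     "to_device": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",
     "from_device": b"\x16\x03\x03\x00\x5a\x02\x00\x00\x56\x03\x03"},
]


def proxy_nodes(flows) -> list:
    """Names of flows in which the device is serving SOCKS5."""
    return [f["name"] for f in flows if classify_flow(f)["socks5_server"]]


if __name__ == "__main__":
    for f in FLOWS:
        print(f["name"], classify_flow(f))
```

A rule that only watches for listening sockets or inbound connections on port 1080 catches the first flow and misses the second, where the phone opened the connection and the operator sends the greeting; checking the handshake bytes per direction catches both. Once the operator wraps the tunnel in TLS there is nothing for a network sensor to parse, which is why the on-device agent remains the primary control.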

Today’s Deep Dive — Legitimate Platform Abuse: When Trusted Infrastructure Becomes Attack Infrastructure

Three of today’s stories share a structural pattern worth examining: attackers are not building their own infrastructure from scratch. They are renting, borrowing, or impersonating trusted platforms — and the trust those platforms carry is the weapon.

The n8n phishing campaign routes credential harvesting through a legitimate workflow automation platform whose domains pass URL filtering. The fake Ledger Live app laundered its malicious functionality through Apple’s App Store review process. The Mirax RAT distributed itself through Meta’s paid advertising platform — a channel explicitly designed to reach targeted audiences at scale.

This is not a new pattern, but the convergence in a single day's reporting illustrates how deeply it has embedded itself across the attack lifecycle. MITRE ATT&CK captures pieces of this under T1583.006 (Acquire Infrastructure: Web Services), T1608.005 (Stage Capabilities: Link Target) and, for the paid Meta ads, T1583.008 (Acquire Infrastructure: Malvertising), but the operational reality is broader: attackers are exploiting the implicit trust that defenders, users, and security tools place in established platforms.

The detection challenge is significant. Traditional indicators of compromise — malicious domains, known-bad IPs, flagged file hashes — do not fire when the infrastructure is a legitimate SaaS platform, an official app store listing, or a paid social media ad. The signals are behavioral: redirect chains that land on credential harvesting pages, post-install data exfiltration patterns, and proxy traffic originating from consumer devices.

For defenders, the primary countermeasure is shifting detection from reputation-based to behavior-based at every layer where these attacks operate. Email security needs to follow redirect chains to the final landing page, not just evaluate the initial domain. Endpoint protection needs to flag post-install exfiltration of sensitive data, regardless of the app’s source. Network monitoring needs to identify proxy registration behavior on mobile endpoints. None of these are new capabilities — but the operational urgency for deploying them is reinforced every time a trusted platform becomes the delivery mechanism.

Detection Spotlight

The n8n phishing campaign documented by Cisco Talos relied on redirect chains through legitimate automation platform domains. The following Splunk SPL query identifies web traffic whose referrer is a workflow automation platform and whose destination is a domain not previously seen in your environment. Tune the automation_domains lookup to your organization's sanctioned platforms, adjust the first_seen threshold to your baseline, and run the search over a window longer than that threshold.

index=proxy OR index=web
sourcetype=stream:http OR sourcetype=bluecoat OR sourcetype=zscaler
| where isnotnull(url) AND isnotnull(http_referrer)
| eval referrer_domain=mvindex(split(http_referrer, "/"), 2)
| eval final_domain=mvindex(split(url, "/"), 2)
| lookup automation_domains domain AS referrer_domain OUTPUT is_automation
| where is_automation="true"
| stats earliest(_time) AS first_seen values(src_ip) AS source_ips dc(src_ip) AS unique_sources values(http_referrer) AS referrer_urls BY final_domain
| where first_seen > relative_time(now(), "-7d")
| where unique_sources < 5
| sort unique_sources

This query surfaces cases where traffic referred by a known automation platform domain (n8n.io, zapier.com, make.com, etc.) lands on a destination domain that first appeared in your environment within the past 7 days and has been visited by fewer than 5 unique source IPs. Low-volume, recently appeared destinations reached via automation platform redirects are high-fidelity candidates for phishing infrastructure. Three caveats. First, earliest(_time) is computed only over the events the search returns, so the search window must be longer than 7 days (30 days or more) or every destination in a 7-day search looks new. Second, the lookup is an exact match on the referrer host; tenant hosts such as acme.app.n8n.cloud only match if the lookup definition uses match_type WILDCARD(domain) with entries like *.n8n.cloud. Third, taking the third slash-separated element of the URL assumes scheme-prefixed URLs; where the proxy already logs a host field, use that instead. False positive rate is low in environments where the automation platform lookup is accurately populated with sanctioned domains.
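The same logic as an added Python example, serving both the n8n item above and this Detection Spotlight. It is not Cisco Talos code and not the brief's own query: it re-implements the SPL over a handful of constructed proxy log lines so the baseline-window caveat can be seen concretely. The log format, the domain list, the fixed "now" and every hostname are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Assumed equivalent of the SPL's automation_domains lookup. n8n cloud tenants live under
# n8n.cloud; self-hosted n8n instances use arbitrary domains and are not covered by a list.
AUTOMATION_DOMAINS = {"n8n.io", "n8n.cloud", "zapier.com", "make.com", "flow.microsoft.com"}

# Constructed log lines (not real traffic): timestamp,src_ip,url,http_referrer
SAMPLE_LOG = """\
2026-04-14T08:02:11Z,10.1.4.21,https://login-verify-docs.example/auth,https://acme.app.n8n.cloud/webhook/abc
2026-04-14T08:05:43Z,10.1.4.37,https://login-verify-docs.example/auth,https://acme.app.n8n.cloud/webhook/abc
2026-03-02T09:00:00Z,10.1.2.2,https://www.salesforce.com/,https://hooks.zapier.com/hooks/catch/1/
2026-04-13T16:40:02Z,10.1.7.9,https://www.salesforce.com/,https://hooks.zapier.com/hooks/catch/1/
2026-04-14T09:10:00Z,10.1.4.50,https://intranet.corp.example/,https://mail.google.com/
"""

# Fixed "now" so the example is deterministic; in production use datetime.now(timezone.utc).
NOW = datetime(2026, 4, 14, 12, 0, tzinfo=timezone.utc)


def is_under(host, domains):
    """True if host equals one of the domains or is a subdomain of one (acme.app.n8n.cloud -> n8n.cloud)."""
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_line(line):
    """One CSV record into the fields the SPL derives with eval/split."""
    ts, src_ip, url, referrer = line.split(",", 3)
    return {
        "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "src_ip": src_ip,
        "final_domain": urlsplit(url).hostname,
        "referrer_domain": urlsplit(referrer).hostname,
        "referrer": referrer,
    }


def find_suspicious_landings(log_text, automation_domains, now, new_within_days=7, max_sources=5):
    """Destination domains first seen within new_within_days, reached through an automation
    platform referrer by fewer than max_sources distinct clients; least-visited first."""
    new_within = timedelta(days=new_within_days)
    per_domain = defaultdict(lambda: {"first_seen": None, "sources": set(), "referrers": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        d = per_domain[rec["final_domain"]]
        # first_seen is taken over ALL traffic to the domain, not only automation-referred hits,
        # and the input must span more than new_within or every domain looks new.
        d["first_seen"] = rec["time"] if d["first_seen"] is None else min(d["first_seen"], rec["time"])
        if rec["referrer_domain"] and is_under(rec["referrer_domain"], automation_domains):
            d["sources"].add(rec["src_ip"])
            d["referrers"].add(rec["referrer"])
    hits = []
    for domain, d in per_domain.items():
        if not d["referrers"]:
            continue  # never reached through an automation platform
        if now - d["first_seen"] <= new_within and len(d["sources"]) < max_sources:
            hits.append({"final_domain": domain, "first_seen": d["first_seen"].isoformat(),
                         "unique_sources": len(d["sources"]), "referrers": sorted(d["referrers"])})
    return sorted(hits, key=lambda h: h["unique_sources"])


if __name__ == "__main__":
    for hit in find_suspicious_landings(SAMPLE_LOG, AUTOMATION_DOMAINS, NOW):
        print(hit)
```

On the sample, login-verify-docs.example is flagged (two sources, first seen today via an n8n tenant) while www.salesforce.com is not, because the baseline shows it was first visited six weeks earlier even though its zapier-referred hits in the last week also number under five. The same data fed to the SPL over a 7-day search window would flag both, since earliest(_time) cannot see the March visit; widen the window or keep a persistent first-seen lookup.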

Subscribe to the it-learn Brief

Get the daily cybersecurity brief in your inbox every weekday morning — news, SE angles, and detection queries.