Microsoft broke its own Patch Tuesday cadence today with an emergency fix for a CVSS 9.1 privilege escalation in ASP.NET Core. That alone would anchor the day, but it lands alongside Unit 42 research showing that WPA2/WPA3 enterprise encryption can be defeated at the radio layer, and Cisco Talos Q1 data confirming phishing has reclaimed the top initial access vector at 33% of incident response engagements.

In the News

Microsoft Ships Emergency OOB Patch for Critical ASP.NET Core Privilege Escalation (CVE-2026-40372)

Microsoft released an out-of-band security update for CVE-2026-40372, a CVSS 9.1 privilege escalation vulnerability in ASP.NET Core. The flaw stems from a cryptographic verification defect that allows an unauthenticated attacker to elevate privileges on affected .NET web applications. No active exploitation has been reported at time of publication, but the decision to ship outside the normal Patch Tuesday cycle signals that Microsoft’s internal assessment warranted immediate remediation.

Out-of-band patches are rare. Microsoft reserves them for vulnerabilities where the risk of waiting for the next scheduled release exceeds the operational disruption of an unscheduled update. For any organization running production .NET web applications, this means the patch window is now — not the next maintenance window.

The cryptographic verification failure is particularly concerning because it undermines a foundational trust boundary in the application stack. Privilege escalation flaws at the framework level affect every application built on that framework, not just a single product or service. The blast radius is proportional to the organization’s .NET footprint.

What defenders should do: Apply the Microsoft OOB update immediately. Inventory all ASP.NET Core deployments, including containerized workloads and cloud-hosted app services, and confirm the patched runtime version is present in every environment; `dotnet --list-runtimes` on a host or inside a container image lists the installed Microsoft.AspNetCore.App shared frameworks. Self-contained and single-file deployments bundle the runtime, so a host runtime update does not fix them and they must be rebuilt with the patched SDK; the same applies wherever the fix ships as a NuGet package update rather than in the shared framework. If immediate patching is not possible, reduce the exposure of affected applications (restrict them to trusted networks or place them behind an authenticating proxy) and watch their logs for unexpected privileged actions. Web application firewall rules are a weak stopgap for a cryptographic verification defect, because there is no malformed-input signature for a WAF to match.
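The runtime inventory step above, as an added example that is not part of the advisory or of Microsoft's tooling: it parses the output of `dotnet --list-runtimes` and reports every Microsoft.AspNetCore.App shared framework below a per-major-version patched minimum, or in a major version that has no patched release at all. The minimum versions and the sample listing are placeholders constructed for the example; take the real minimums from the Microsoft advisory for the CVE.

```python
"""Flag installed ASP.NET Core shared-framework runtimes below a patched minimum.

Added example, not part of the advisory. Run `dotnet --list-runtimes` on each host
(or inside each container image) and pass the output to find_unpatched().
PATCHED_MINIMUM holds placeholder versions (assumption): replace them with the
values from the Microsoft advisory.
"""
import re
import subprocess

# One line of `dotnet --list-runtimes` looks like:
#   Microsoft.AspNetCore.App 8.0.11 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
RUNTIME_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<version>\d+\.\d+\.\d+(?:-[\w.]+)?)\s+\[(?P<path>[^\]]+)\]$"
)

# Placeholder minimum patched versions per supported major band (assumption).
PATCHED_MINIMUM = {8: "8.0.50", 9: "9.0.30", 10: "10.0.5"}


def parse_version(text):
    """'8.0.11' -> (8, 0, 11, 1, ''); '9.0.0-preview.3' -> (9, 0, 0, 0, 'preview.3').
    The fourth element makes a prerelease sort before the same numeric version."""
    core, _, pre = text.partition("-")
    major, minor, patch = (int(p) for p in core.split("."))
    return (major, minor, patch, 0 if pre else 1, pre)


def parse_runtimes(listing):
    """Yield (name, version, path) for every well-formed line of the listing."""
    for line in listing.splitlines():
        m = RUNTIME_LINE.match(line.strip())
        if m:
            yield m.group("name"), m.group("version"), m.group("path")


def find_unpatched(listing, minimums=PATCHED_MINIMUM):
    """Return (version, path, reason) for each Microsoft.AspNetCore.App install that is
    below the minimum for its major band, or in a band with no patched release at all
    (out of support: no fix is coming, so the runtime has to be replaced)."""
    findings = []
    for name, version, path in parse_runtimes(listing):
        if name != "Microsoft.AspNetCore.App":
            continue
        major = parse_version(version)[0]
        if major not in minimums:
            findings.append((version, path, "major version has no patched release"))
        elif parse_version(version) < parse_version(minimums[major]):
            findings.append((version, path, f"below patched minimum {minimums[major]}"))
    return findings


# Constructed listing for a host carrying one patched and several unpatched runtimes.
SAMPLE_LISTING = """\
Microsoft.AspNetCore.App 6.0.36 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.11 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.50 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 8.0.50 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.AspNetCore.App 9.0.0-preview.3 [/opt/dotnet-preview/shared/Microsoft.AspNetCore.App]
"""

if __name__ == "__main__":
    try:
        listing = subprocess.run(
            ["dotnet", "--list-runtimes"], capture_output=True, text=True, check=True
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        listing = SAMPLE_LISTING  # no dotnet on this host: demonstrate on the constructed listing
    for version, path, reason in find_unpatched(listing):
        print(f"UNPATCHED Microsoft.AspNetCore.App {version} at {path}: {reason}")
```

The script only sees shared-framework installs. Self-contained and single-file applications carry their own copy of the runtime and never appear in `dotnet --list-runtimes`; those have to be found through the build pipeline and rebuilt with the patched SDK.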

Source: BleepingComputer


AirSnitch Attacks Bypass WPA2/3 Enterprise Wi-Fi Encryption

Palo Alto Unit 42 published research on AirSnitch, a novel attack technique that defeats WPA2 and WPA3 enterprise wireless encryption and bypasses client isolation controls. The technique allows an attacker within radio range to intercept traffic between wireless clients and access points even when 802.1X authentication and per-session encryption keys are in place.

This is significant because enterprise WPA2/WPA3 with 802.1X has been the accepted standard for securing wireless networks in environments where wired connectivity is not feasible — manufacturing floors, healthcare facilities, dense office spaces. AirSnitch demonstrates that encryption at the Wi-Fi layer is not sufficient to guarantee traffic confidentiality between endpoints. The assumption that “we have WPA3 Enterprise, so wireless traffic is protected” no longer holds unconditionally.

The practical implication is a shift in defensive posture: wireless encryption becomes a defense-in-depth layer rather than a primary control. Organizations that rely on Wi-Fi as a primary transport for sensitive traffic need compensating controls — microsegmentation, zero-trust network access, and application-layer encryption — to maintain confidentiality guarantees independent of the wireless encryption state.

What defenders should do: Treat enterprise Wi-Fi encryption as a necessary but insufficient control. Implement microsegmentation to limit lateral movement between wireless clients. Deploy zero-trust network access to enforce identity-based access at the application layer. Audit environments where sensitive data traverses wireless segments and confirm it is also encrypted independently of the Wi-Fi layer, at the transport layer (TLS) or the network layer (IPsec), so that confidentiality does not depend on the state of the link encryption.

Source: Palo Alto Unit 42


Phishing Reclaims Top Initial Access Vector at 33% — Cisco Talos Q1 2026

Cisco Talos’s Q1 2026 incident response trends report confirms phishing has overtaken exploitation of public-facing applications as the number one initial access vector, accounting for 33% of all IR engagements. Public administration and healthcare are tied as the most-targeted verticals at 24% each. This is the first time phishing has held the top position since Q2 2025, reversing a trend toward exploit-based initial access that dominated the second half of 2025.

The data point is directionally important: organizations that invested heavily in perimeter hardening and vulnerability management over the past year may have shifted resources away from email security and anti-phishing controls. Phishing’s return to the top position suggests that attackers follow the path of least resistance — as public-facing exploit surfaces were hardened, social engineering against employees became the more reliable entry point again.

The vertical breakdown matters for practitioners in government and healthcare. At 24% each, roughly one in four Talos IR engagements in Q1 involved public administration and roughly one in four involved healthcare; between them, the two sectors account for close to half of all engagements. For defenders in those verticals, phishing is not a theoretical risk; it is the statistically dominant mechanism by which their peers are being compromised right now.

What defenders should do: Deploy phishing-resistant MFA (FIDO2/passkeys) as the primary authentication control; it defeats credential-harvesting phishing, but not phishing that delivers malware or an OAuth consent prompt, so it does not replace email controls. Publish DMARC at p=reject for organizational domains, with sp=reject so subdomains are covered and pct left at 100, and confirm that the email security gateway honors inbound DMARC verdicts for mail from other senders. Conduct targeted phishing simulations against high-risk user populations (finance, HR, IT help desk). For government and healthcare organizations, treat phishing defense as the highest-priority initial access control.
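The DMARC check above, as an added example that is not part of the Talos report: it parses a DMARC TXT record and grades it against the RFC 7489 rules (v=DMARC1 first, p= required, sp= inheriting from p=, pct defaulting to 100) so that a domain inventory can be scored in bulk. The records are constructed for the example; for a live domain, fetch `_dmarc.<domain>` TXT with `dig +short` and pass the string in, since the code does no network lookups itself.

```python
"""Grade DMARC policy records for enforcement strength.

Added example for the brief, not from the Talos report. The records below are constructed.
For a live domain, fetch the TXT record (`dig +short TXT _dmarc.example.com`) and pass
the string to evaluate_dmarc(); it performs no network lookups itself.
"""


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dict, preserving order.
    RFC 7489 requires v=DMARC1 as the first tag and a p= tag; a record that breaks
    either rule is ignored by receivers, which is the same as publishing no policy."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(domain, record):
    """Return a list of findings. An empty list means p=reject applied to 100% of
    failing mail, for subdomains too, with aggregate reporting switched on."""
    if record is None:
        return [f"{domain}: no DMARC record, spoofed mail is not rejected"]
    tags = parse_dmarc(record)
    if next(iter(tags), None) != "v" or tags["v"].upper() != "DMARC1":
        return [f"{domain}: v=DMARC1 missing or not the first tag, receivers ignore the record"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return [f"{domain}: p= tag missing or invalid, receivers ignore the record"]

    findings = []
    if policy != "reject":
        findings.append(f"{domain}: p={policy}, target is p=reject")
    sub_policy = tags.get("sp", policy).lower()  # sp= defaults to the value of p=
    if sub_policy != "reject":
        findings.append(f"{domain}: subdomain policy is {sub_policy}, spoofing *.{domain} is not rejected")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append(f"{domain}: pct={pct!r} is invalid")
    elif int(pct) < 100 and policy != "none":
        findings.append(f"{domain}: pct={pct}, only {pct}% of failing mail gets the {policy} policy")
    if "rua" not in tags:
        findings.append(f"{domain}: no rua= address, no aggregate reports to show who is spoofing you")
    return findings


# Constructed records covering the common states an audit turns up.
SAMPLE_RECORDS = {
    "good.example": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=reject; sp=none; pct=50",
    "wrongorder.example": "p=reject; v=DMARC1",
    "missing.example": None,
}


def grade_all(records=SAMPLE_RECORDS):
    """Map each domain to its findings; domains with an empty list are fully enforced."""
    return {domain: evaluate_dmarc(domain, rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, findings in grade_all().items():
        print(domain, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

The pct and sp checks are the ones most often missed in a manual review: a domain can show p=reject and still leave half of its failing mail unenforced, or leave every subdomain open to spoofing.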

Source: Cisco Talos Blog


GoGra Linux Backdoor Abuses Microsoft Graph API for Stealthy C2

A newly documented Linux backdoor called GoGra uses the Microsoft Graph API to conduct command and control operations through legitimate Outlook mailbox traffic. The malware communicates by reading and writing email drafts and inbox messages within a compromised Microsoft 365 mailbox. From a network monitoring perspective, the traffic appears as standard HTTPS calls to Microsoft infrastructure — indistinguishable from normal Office 365 activity.

This is a textbook example of living-off-the-land at the cloud service layer. Traditional network-based detection — firewall logs, proxy logs, IDS signatures — will not flag Graph API calls to graph.microsoft.com as malicious, because that domain is in every organization’s allow list. The C2 channel is hidden in plain sight inside sanctioned cloud traffic.

The operational implication is that defenders need API-layer visibility into cloud service interactions. Monitoring must extend beyond network flows to include Graph API audit logs, mailbox access patterns, and anomalous application consent grants. Organizations that rely solely on perimeter-based network monitoring have a structural blind spot that GoGra is designed to exploit.

What defenders should do: Enable Microsoft 365 unified audit logging, verify that MailItemsAccessed events are actually being recorded for your tenant (their availability has depended on audit licensing tier), and monitor for anomalous Graph API access patterns, particularly programmatic mailbox reads/writes from non-standard application IDs. Review OAuth application consent grants for unexpected permissions scoped to Mail.ReadWrite. Deploy cloud-native detection tools capable of correlating Graph API activity with endpoint telemetry. Scope which mailboxes an application can reach at all: Exchange Online application access policies (New-ApplicationAccessPolicy) restrict an application ID's app-only mailbox access to a named group, and Conditional Access can gate user-delegated sign-ins; note that Conditional Access does not apply to app-only (client-credential) tokens unless workload identity policies are licensed and configured.

Source: BleepingComputer


Today’s Deep Dive — Cloud API Abuse as a C2 Channel

GoGra is not an isolated case. The use of legitimate cloud APIs for command and control represents a structural shift in how threat actors maintain persistence and exfiltrate data. The pattern is consistent: rather than standing up dedicated C2 infrastructure that can be identified and blocklisted, attackers embed their communications within API calls to services the target organization already trusts — Microsoft Graph, Google Drive, Slack webhooks, Notion databases.

The technique maps to MITRE ATT&CK T1102 — Web Service and more specifically T1102.002 (Bidirectional Communication). The attacker establishes a covert channel by registering or compromising an OAuth application with mailbox or file access permissions, then uses the service’s API to send commands (via email drafts, file contents, or message bodies) and receive exfiltrated data through the same channel.

Why traditional detection fails: Network-layer tools see HTTPS traffic to graph.microsoft.com, www.googleapis.com, or api.slack.com — all domains that appear in legitimate traffic millions of times per day. Signature-based IDS cannot distinguish a Graph API call that reads an inbox for C2 instructions from a Graph API call that reads an inbox for a legitimate business workflow. The detection must happen at the application layer: which application ID is making the call, what permissions does it hold, and does the access pattern match known legitimate usage.

Real-world precedent: GoGra joins a growing list of malware families that have adopted this approach. SolarMarker used Google Forms for initial staging. BLUELIGHT used Microsoft OneDrive and Google Drive for exfiltration. GraphStrike, documented in 2024, was a red team tool specifically designed to demonstrate Graph API abuse for C2. The tooling is mature, the technique is documented, and defenders who have not built detection for it are operating with a known gap.

Primary mitigations:

  1. Audit OAuth application registrations — identify applications with Mail.ReadWrite, Files.ReadWrite, or equivalent high-privilege scopes that were not approved through a formal process.
  2. Restrict Graph API access via Conditional Access and application access policies: Conditional Access limits which users, devices and networks can obtain delegated tokens, and with workload identity policies can also constrain service principals; for app-only access to mail, Exchange Online application access policies limit which mailboxes an application ID may touch at all. Block access from unmanaged devices and untrusted networks.
  3. Monitor unified audit logs for anomalous patterns — programmatic mailbox access at unusual hours, from unusual geographies, or at volumes inconsistent with the application’s stated purpose.
  4. Deploy cloud-native detection — tools that correlate API-layer telemetry with endpoint behavior, enabling detection of sequences like “endpoint spawns process → process authenticates to Graph API → process reads mailbox → process writes file to disk.”

The fundamental lesson is that the perimeter is no longer a useful boundary for C2 detection. When the C2 channel runs through the same API endpoints as legitimate business operations, detection must move to the identity and application layer.

Detection Spotlight

The following KQL query for Microsoft Sentinel flags anomalous programmatic mailbox access: OAuth clients, identified by ClientAppId, that read or write mail at volume or across several mailboxes without being on an approved allowlist. ClientAppId is only populated for OAuth and Graph clients; interactive Outlook and OWA sessions leave it empty, so the query excludes those explicitly rather than scoring them as unknown apps. Adjust the approved_app_ids list to match your environment.

// App IDs approved through the consent/change process; replace with your own.
let approved_app_ids = dynamic(["app-id-1", "app-id-2", "app-id-3"]);
OfficeActivity
| where TimeGenerated > ago(24h)
| where OfficeWorkload == "Exchange"
| where Operation in ("MailItemsAccessed", "Send", "Update")
// Interactive Outlook/OWA sessions carry no ClientAppId; only OAuth clients are in scope.
| where isnotempty(ClientAppId)
| where ClientAppId !in (approved_app_ids)
| where ExternalAccess == false
| summarize AccessCount = count(),
            DistinctMailboxes = dcount(MailboxOwnerUPN),
            Clients = make_set(ClientInfoString, 5)
    by ClientAppId, bin(TimeGenerated, 1h)
| where AccessCount > 50 or DistinctMailboxes > 3
| sort by AccessCount desc

What this catches: Application IDs performing high-volume or multi-mailbox programmatic access that are not on your approved list. A legitimate business application typically accesses a predictable set of mailboxes at predictable volumes. GoGra-style malware — or any unauthorized OAuth application — will appear as an unknown application ID accessing mailboxes it should not be touching.

False positive guidance: Expect hits from newly deployed integrations, migration tools, and backup solutions that have not yet been added to the allowlist. Triage by locating the application's registration or enterprise application record in Microsoft Entra ID (formerly Azure AD), checking who consented and when, and confirming that a business owner approved the scopes it holds. An app with no record in the tenant, an unverified publisher, a single-user consent granted shortly before the activity, or a registration created days earlier is the suspicious case. A compromised but legitimately registered application looks clean in the registry, so compare the access pattern against the app's stated purpose rather than stopping at the registration check.
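The Detection Spotlight logic and the first mitigation from the deep dive (audit consent grants for unapproved high-privilege scopes), combined in one added example that runs offline. This is not GoGra's code, Microsoft's, or Sentinel's: the audit records follow the field names of Exchange mailbox-audit events (CreationTime, Operation, ClientAppId, MailboxOwnerUPN, ExternalAccess), the grant inventory is a simplified flattened view of consent grants (an assumption, not the Graph object shape), and every app ID, name, mailbox and timestamp is constructed. The constructed hour contains an approved integration, a GoGra-style beacon polling one user's mailbox every minute and writing back every other minute, and an interactive Outlook session with no ClientAppId.

```python
"""Added example: the Detection Spotlight logic over constructed mailbox-audit records,
joined to the OAuth-grant audit from the deep dive's first mitigation.

Nothing here is GoGra's code or Microsoft's. Audit records use the field names of
Exchange mailbox-audit events; the grant inventory is a simplified flattened view of
consent grants (assumption). All app IDs, names, mailboxes and timestamps are constructed.
"""
from collections import defaultdict
from datetime import datetime

HIGH_PRIVILEGE_SCOPES = {"Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
                         "Files.ReadWrite.All", "Sites.ReadWrite.All"}

HELPDESK_APP = "11111111-aaaa-4aaa-8aaa-111111111111"  # approved integration (placeholder)
WIDGET_APP = "22222222-bbbb-4bbb-8bbb-222222222222"    # low-privilege, user-consented (placeholder)
SUSPECT_APP = "33333333-cccc-4ccc-8ccc-333333333333"   # mail scopes, never approved (placeholder)

# App IDs approved through the change process (assumption: exported from your IGA/CMDB).
APPROVED_APP_IDS = {HELPDESK_APP}

# Constructed consent-grant inventory.
GRANTS = [
    {"appId": HELPDESK_APP, "displayName": "Helpdesk Mail Sync",
     "scopes": ["Mail.ReadWrite"], "consentType": "AllPrincipals"},
    {"appId": WIDGET_APP, "displayName": "Calendar Widget",
     "scopes": ["Calendars.Read"], "consentType": "Principal"},
    {"appId": SUSPECT_APP, "displayName": "Quick Mail Tool",
     "scopes": ["Mail.ReadWrite", "Mail.Send"], "consentType": "Principal"},
]


def audit_grants(grants, approved=APPROVED_APP_IDS):
    """Mitigation 1: grants holding a high-privilege mail/file scope with no approval record."""
    return [g for g in grants
            if set(g["scopes"]) & HIGH_PRIVILEGE_SCOPES and g["appId"] not in approved]


def rec(ts, op, app, mailbox):
    """One constructed mailbox-audit record."""
    return {"CreationTime": ts, "Operation": op, "ClientAppId": app,
            "MailboxOwnerUPN": mailbox, "ExternalAccess": False}


AUDIT = (
    # approved integration: steady reads of its own service mailbox every five minutes
    [rec(f"2026-05-05T09:{m:02d}:00", "MailItemsAccessed", HELPDESK_APP, "helpdesk@corp.example")
     for m in range(0, 60, 5)]
    # GoGra-style beacon: polls a user's mailbox every minute, writes a draft every other minute
    + [rec(f"2026-05-05T09:{m:02d}:00", "MailItemsAccessed", SUSPECT_APP, "j.doe@corp.example")
       for m in range(60)]
    + [rec(f"2026-05-05T09:{m:02d}:30", "Update", SUSPECT_APP, "j.doe@corp.example")
       for m in range(0, 60, 2)]
    # interactive Outlook session: no ClientAppId, outside the scope of an app-ID rule
    + [rec("2026-05-05T09:10:00", "MailItemsAccessed", "", "a.smith@corp.example")]
)


def detect(records, approved=APPROVED_APP_IDS, max_events=50, max_mailboxes=3):
    """The Spotlight KQL in Python: per (app, hour) count events and distinct mailboxes
    for non-approved OAuth clients and keep the buckets that cross either threshold."""
    buckets = defaultdict(lambda: {"count": 0, "mailboxes": set()})
    for r in records:
        app = r["ClientAppId"]
        if not app or app in approved or r["ExternalAccess"]:
            continue
        if r["Operation"] not in ("MailItemsAccessed", "Send", "Update"):
            continue
        hour = datetime.fromisoformat(r["CreationTime"]).replace(minute=0, second=0)
        bucket = buckets[(app, hour)]
        bucket["count"] += 1
        bucket["mailboxes"].add(r["MailboxOwnerUPN"])
    hits = [{"ClientAppId": app, "Hour": hour.isoformat(), "AccessCount": b["count"],
             "DistinctMailboxes": len(b["mailboxes"])}
            for (app, hour), b in buckets.items()
            if b["count"] > max_events or len(b["mailboxes"]) > max_mailboxes]
    return sorted(hits, key=lambda h: -h["AccessCount"])


def triage(hits, grants=GRANTS):
    """Join each hit to its consent grant so the analyst sees scopes and consent type next
    to the volume; a hit with grant=None is an app the tenant never consented to at all."""
    by_app = {g["appId"]: g for g in grants}
    return [{**h, "grant": by_app.get(h["ClientAppId"])} for h in hits]


if __name__ == "__main__":
    for g in audit_grants(GRANTS):
        print("UNAPPROVED GRANT", g["appId"], g["displayName"], g["scopes"], g["consentType"])
    for h in triage(detect(AUDIT)):
        print("ANOMALOUS ACCESS", h)
```

The join in triage() is the step the KQL alone cannot do: the same application ID surfaces twice, once as an unapproved Mail.ReadWrite grant consented by a single user and once as ninety mailbox operations in an hour against that user, which is the shape of a draft-polling C2 channel rather than a business integration.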
