Citrix pushed six NetScaler patches today — and one of them has the same shape as CitrixBleed. Meanwhile, Cisco Talos published the most detailed teardown of a phishing-as-a-service operator panel to date, and Huntress quantified what may be the largest Azure CLI password spray ever recorded. Three stories, three different attack surfaces, one shared theme: the infrastructure defenders trust most — edge appliances, identity providers, CLI tooling — is where the blind spots live.

In the News

Citrix Patches 6 NetScaler Flaws Including HTTP/2 Bomb DoS and CitrixBleed-Style Info Disclosure

Citrix released patches for six vulnerabilities affecting NetScaler ADC and Gateway, the two highest-profile being a novel HTTP/2 Bomb denial-of-service vector and CVE-2026-8451 (CVSS 8.8), an information disclosure flaw with characteristics that echo the CitrixBleed vulnerability from 2023.

The HTTP/2 Bomb technique abuses stream multiplexing within a single HTTP/2 connection to exhaust appliance resources. Traditional rate-limiting operates at the connection or request level — but HTTP/2 allows hundreds of concurrent streams inside one TCP connection, each consuming memory and CPU. The result is resource exhaustion that looks like normal traffic to perimeter defenses. This is a distinct attack class from HTTP/2 Rapid Reset (CVE-2023-44487), which abused stream cancellation rather than multiplexing pressure.

CVE-2026-8451 is the more operationally dangerous of the two. Information disclosure from a session-brokering appliance can leak authentication tokens, session cookies, and TLS session state — exactly the pattern that made CitrixBleed (CVE-2023-4966) one of 2023’s most exploited vulnerabilities. NetScaler ADC and Gateway sit at the internet-facing edge of thousands of enterprise environments, brokering VPN, load balancing, and SSO. Any information leakage from these appliances has an outsized blast radius.

Citrix has not reported active exploitation of any of the six flaws, but the combination of a novel DoS vector and a high-severity info disclosure bug in edge infrastructure warrants accelerated patching. Organizations should verify their NetScaler firmware version against Citrix’s advisory and prioritize based on external exposure.

What defenders should do: Patch NetScaler ADC and Gateway immediately. Audit HTTP/2 configuration on all internet-facing appliances — consider disabling HTTP/2 on NetScaler if patching requires a maintenance window. Review session token handling and monitor for anomalous memory consumption patterns on ADC appliances.

Talos Exposes ARToken: PhaaS Panel With 80+ M365 Post-Compromise APIs

Cisco Talos published a detailed reverse-engineering of ARToken, an operator panel within the EvilTokens phishing-as-a-service ecosystem that targets Microsoft 365 environments. The platform is not just a phishing kit — it is a full post-compromise automation suite.

ARToken provides affiliates with 80+ Microsoft Graph API calls for mailbox enumeration, OneDrive exfiltration, OAuth app consent, and lateral movement through SharePoint and Teams. The platform’s most concerning capability is its Primary Refresh Token (PRT) persistence module. When an attacker captures a user’s PRT during the initial phishing flow, they maintain persistent access to the victim’s M365 tenant even after password resets and standard session revocation. This technique maps to MITRE ATT&CK T1550.001 (Application Access Token).

The seven-layer anti-analysis system Talos documented includes browser fingerprinting, JavaScript obfuscation, Cloudflare Turnstile integration, geographic filtering, and dynamic content rendering that shows different pages to automated scanners than to human victims. This layered evasion explains why many phishing infrastructure scanners fail to capture the actual credential-harvesting page.

What defenders should do: Enforce phishing-resistant MFA (FIDO2/WebAuthn) — it is the only authentication method that blocks token theft at the phishing stage. Implement conditional access policies that restrict PRT issuance to compliant, managed devices. Monitor Microsoft Graph API audit logs for bulk enumeration patterns (high-volume messages, files, and oAuth2PermissionGrants calls from a single identity within a short window).
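The bulk-enumeration monitoring described above, as an added example that is not part of the Talos report or any Microsoft tooling. It runs a sliding ten-minute window per identity over Graph request paths and alerts once an identity's calls against messages, drive items, or oAuth2PermissionGrants reach a threshold. The `time`/`user`/`uri` record shape and the sample telemetry are constructed simplifications, not the real Graph activity log schema:

```python
"""Flag bulk Microsoft Graph enumeration from one identity inside a short window.
Added example; the log schema below (time/user/uri) is a constructed simplification,
not the real Graph activity log schema."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Graph resources that post-compromise tooling enumerates in bulk, keyed by a
# short category name and matched against the request path.
ENUM_PATTERNS = {
    "messages": re.compile(r"/messages(\?|$)"),
    "files": re.compile(r"/drives?/.*/(children|items)(\?|$)"),
    "oauth2PermissionGrants": re.compile(r"/oauth2PermissionGrants(\?|$)"),
}


def classify(request_uri):
    """Return the enumeration category for a Graph request path, or None."""
    for name, pattern in ENUM_PATTERNS.items():
        if pattern.search(request_uri):
            return name
    return None


def detect_bulk_enumeration(events, window=timedelta(minutes=10), threshold=20):
    """Sliding-window count of enumeration calls per identity.

    events: dicts with 'time' (ISO 8601), 'user' (identity) and 'uri' (Graph path).
    Returns one alert per identity whose enumeration calls within `window`
    reach `threshold`; the alert records which resource categories were hit.
    """
    recent = defaultdict(deque)  # identity -> deque of (timestamp, category)
    alerts, already_alerted = [], set()
    for ev in sorted(events, key=lambda e: e["time"]):
        category = classify(ev["uri"])
        if category is None:
            continue  # not an enumeration call
        ts = datetime.fromisoformat(ev["time"])
        q = recent[ev["user"]]
        q.append((ts, category))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop calls that fell out of the window
        if len(q) >= threshold and ev["user"] not in already_alerted:
            already_alerted.add(ev["user"])
            alerts.append({
                "user": ev["user"],
                "window_start": q[0][0].isoformat(),
                "count": len(q),
                "categories": sorted({c for _, c in q}),
            })
    return alerts


def sample_events():
    """Constructed sample telemetry (not real data): one compromised identity
    hammering three resource types, one normal user reading mail occasionally."""
    base = datetime(2026, 3, 10, 9, 0, 0)
    uris = [
        "/v1.0/me/messages?$top=1000",
        "/v1.0/me/drive/root/children",
        "/v1.0/oauth2PermissionGrants",
    ]
    events = [
        {"time": (base + timedelta(seconds=10 * i)).isoformat(),
         "user": "mallory@contoso.example", "uri": uris[i % 3]}
        for i in range(30)
    ]
    events += [
        {"time": (base + timedelta(minutes=10 * i)).isoformat(),
         "user": "alice@contoso.example", "uri": "/v1.0/me/messages?$top=25"}
        for i in range(6)
    ]
    events.append({"time": base.isoformat(), "user": "alice@contoso.example",
                   "uri": "/v1.0/me"})  # profile read, not enumeration
    return events


if __name__ == "__main__":
    for alert in detect_bulk_enumeration(sample_events()):
        print(alert)
```

The alert fires on the compromised identity after its twentieth call, about three minutes in, and names all three categories; the normal user never has more than two reads inside any ten-minute window. A single identity touching mail, files and consent grants together is the signal worth prioritising over raw call volume alone.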

81 Million Azure CLI Login Attempts — Largest Cloud Password Spray on Record

Huntress documented a massive password spray campaign targeting Azure CLI authentication, tracking 81 million+ login attempts from a single IPv6 range attributed to LSHIY infrastructure. At least 78 Microsoft accounts were confirmed compromised.

The operational significance is not the volume — it is the authentication path. Azure CLI authenticates using Microsoft’s first-party application registration (04b07795-a71b-4346-a16a-28f2dbefc6d4). Many conditional access policies are scoped to user-facing applications or specific enterprise app registrations, which means first-party Microsoft app IDs like the Azure CLI client fall outside MFA enforcement by default. Attackers know this. The spray targeted accounts where interactive browser auth would have triggered MFA, but CLI auth did not.

This maps to MITRE ATT&CK T1110.003 (Password Spraying) and highlights a systemic gap in cloud identity configurations. The attack is not sophisticated — it is high-volume credential guessing against a policy blind spot.

What defenders should do: Audit conditional access policies to confirm they explicitly cover Azure CLI’s first-party app ID. Enable sign-in risk policies in Entra ID that trigger on spray patterns (high-volume failed auth from a single IP range). Block legacy authentication protocols and enforce MFA on all authentication flows, including programmatic/CLI access.
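The conditional access audit recommended above, as an added example that is not Huntress' or Microsoft's code. It walks a tenant's policies and reports which ones actually require MFA for the Azure CLI first-party app ID, giving a reason for each policy that falls short. The policy dictionaries follow the field names of the Graph `conditionalAccessPolicy` resource (`displayName`, `state`, `conditions.applications`, `conditions.users`, `grantControls.builtInControls`); the sample tenant, with three weak policies and one corrected one, is constructed:

```python
"""Audit whether Entra ID conditional access policies enforce MFA for the Azure CLI
first-party app. Added example; policy dicts follow the shape of the Graph
conditionalAccessPolicy resource, and the sample tenant below is constructed."""

AZURE_CLI_APP_ID = "04b07795-a71b-4346-a16a-28f2dbefc6d4"  # Azure CLI client, as cited above


def policy_targets_app(policy, app_id):
    """True if the policy's application scope includes app_id and does not exclude it."""
    apps = policy.get("conditions", {}).get("applications", {})
    if app_id in apps.get("excludeApplications", []):
        return False
    included = apps.get("includeApplications", [])
    return "All" in included or app_id in included


def audit_app_mfa_coverage(policies, app_id):
    """Return (covering, gaps): names of enabled policies that require MFA for all
    users on app_id, and (name, reasons) for every policy that falls short."""
    covering, gaps = [], []
    for p in policies:
        name = p.get("displayName", "<unnamed>")
        users = p.get("conditions", {}).get("users", {})
        controls = (p.get("grantControls") or {}).get("builtInControls", [])
        reasons = []
        if p.get("state") != "enabled":
            reasons.append(f"state is {p.get('state')!r}, not enforced")
        if not policy_targets_app(p, app_id):
            reasons.append("app not in scope (not included, or explicitly excluded)")
        if "All" not in users.get("includeUsers", []):
            reasons.append("user scope is not 'All'")
        if "mfa" not in controls:
            reasons.append("grant controls do not require MFA")
        if reasons:
            gaps.append((name, reasons))
        else:
            covering.append(name)
    return covering, gaps


def sample_policies():
    """Constructed tenant: three policies that each miss the CLI app for a
    different reason, plus the corrected policy that actually covers it."""
    mfa = {"operator": "OR", "builtInControls": ["mfa"]}
    all_users = {"includeUsers": ["All"], "excludeUsers": []}
    return [
        {   # weak: scoped to the Office 365 app group only
            "displayName": "Require MFA - Office 365",
            "state": "enabled",
            "conditions": {"applications": {"includeApplications": ["Office365"]},
                           "users": all_users},
            "grantControls": mfa,
        },
        {   # weak: right scope, but report-only
            "displayName": "Require MFA - All apps (report-only)",
            "state": "enabledForReportingButNotEnforced",
            "conditions": {"applications": {"includeApplications": ["All"]},
                           "users": all_users},
            "grantControls": mfa,
        },
        {   # weak: 'All' apps, but the CLI client was excluded for a script
            "displayName": "Require MFA - All apps except CLI",
            "state": "enabled",
            "conditions": {"applications": {"includeApplications": ["All"],
                                            "excludeApplications": [AZURE_CLI_APP_ID]},
                           "users": all_users},
            "grantControls": mfa,
        },
        {   # corrected: all apps, all users, enforced, no exclusion
            "displayName": "Require MFA - All cloud apps",
            "state": "enabled",
            "conditions": {"applications": {"includeApplications": ["All"],
                                            "excludeApplications": []},
                           "users": all_users},
            "grantControls": mfa,
        },
    ]


if __name__ == "__main__":
    covering, gaps = audit_app_mfa_coverage(sample_policies(), AZURE_CLI_APP_ID)
    print("policies enforcing MFA for Azure CLI:", covering or "NONE")
    for name, reasons in gaps:
        print(f"  gap: {name}: {'; '.join(reasons)}")
```

Against a real tenant, the policy list would come from the Graph conditional access policies endpoint; the check is deliberately strict (enabled, all users, all apps or the CLI app explicitly, MFA grant), because a policy that passes on any weaker reading is exactly the blind spot the spray exploited.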

Today’s Deep Dive — Phantom Squatting: When AI Hallucinates Your Attack Surface

Palo Alto Unit 42 published research on “phantom squatting” — a novel supply chain attack where threat actors register domains that large language models hallucinate in their outputs. When LLMs generate URLs that point to non-existent domains — a well-documented behavior in current-generation models — attackers monitor those hallucinated domain names, register them, and host malware or phishing infrastructure to catch AI-directed traffic.

This is a fundamentally new attack surface creation mechanism. The threat actor does not need to compromise the LLM, poison its training data, or manipulate its prompts. The model’s inherent tendency to generate plausible-but-fictional URLs creates the attack surface on its own. The attacker simply listens and registers.

The practical risk is concentrated in automated pipelines. When AI coding assistants suggest installing a package from a hallucinated URL, or when AI-generated documentation includes a fabricated API endpoint, downstream systems may resolve those domains without human review. Unit 42’s research found active registrations of hallucinated domains serving both credential-harvesting pages and malware payloads. This maps to MITRE ATT&CK T1583.001 (Acquire Infrastructure: Domains).

Defenders should treat AI-generated URLs with the same skepticism as user-supplied input — validate domain ownership before any automated resolution, implement DNS filtering that blocks newly registered domains (most NRD feeds flag domains under 30 days old), and audit AI-assisted development pipelines for unvalidated external references.
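The URL validation step described above, as an added example that is not part of the Unit 42 research. It extracts every URL from a block of AI-generated text, reduces each to its registrable domain, and assigns a verdict: allow (on an allowlist), block-unregistered (the domain does not exist, so it is a hallucination available to squat), block-nrd (registered inside the 30-day NRD window), or review. The `registration_dates` lookup is a constructed stand-in for an RDAP/WHOIS query or an NRD feed, and all sample domains use reserved TLDs:

```python
"""Vet URLs that appear in AI-generated text before anything resolves them.
Added example; the registration lookup below is a constructed stand-in for an
RDAP/WHOIS query or an NRD feed, and all domains use reserved TLDs."""
import re
from datetime import date, timedelta
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s'\"<>)\]]+")
NRD_MAX_AGE_DAYS = 30  # typical NRD feed cut-off, as noted above


def registrable_domain(host):
    """Naive eTLD+1: last two labels. Production code should use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def vet_urls(text, registration_dates, today, allowlist=frozenset()):
    """Return (url, domain, verdict) for every URL in `text`.

    registration_dates maps a registrable domain to its registration date, or to
    None when the lookup shows it is unregistered (i.e. hallucinated and
    available to squat). Verdicts: allow / block-unregistered / block-nrd / review.
    """
    verdicts = []
    for url in URL_RE.findall(text):
        domain = registrable_domain(urlparse(url).hostname or "")
        if domain in allowlist:
            verdict = "allow"
        elif registration_dates.get(domain) is None:
            verdict = "block-unregistered"
        elif (today - registration_dates[domain]).days < NRD_MAX_AGE_DAYS:
            verdict = "block-nrd"
        else:
            verdict = "review"  # established domain, still needs an ownership check
        verdicts.append((url, domain, verdict))
    return verdicts


def run_sample(today=date(2026, 3, 10)):
    """Constructed AI assistant output with four URLs, one for each verdict."""
    ai_output = """
    Install the client with: pip install example-client
    Package page: https://pypi.org/project/example-client/
    SDK reference: https://api.example-sdk-tools.invalid/v2/auth
    Quickstart script: https://quickstart-helper.example/install.sh
    Full guide: https://docs-portal.example/guide
    """
    registry = {  # constructed lookup results; absent key == unregistered
        "quickstart-helper.example": today - timedelta(days=5),
        "docs-portal.example": date(2015, 1, 1),
    }
    return vet_urls(ai_output, registry, today, allowlist={"pypi.org"})


if __name__ == "__main__":
    for url, domain, verdict in run_sample():
        print(f"{verdict:20} {domain:30} {url}")
```

The unregistered verdict is the one worth alerting on separately: a domain that an assistant keeps emitting but nobody owns is a squatting opportunity for an attacker and a defensive registration opportunity for the organisation whose pipelines keep producing it.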

Detection Spotlight

Detect Azure CLI password spray patterns in Entra ID sign-in logs. This Splunk SPL query identifies high-volume failed authentication attempts against the Azure CLI first-party app ID from a single source, which is the exact pattern Huntress observed in the 81M-attempt campaign.

index=azure sourcetype="azure:aad:signin"
    appId="04b07795-a71b-4346-a16a-28f2dbefc6d4"
    resultType!=0
| bin _time span=10m
| stats count as failed_attempts dc(userPrincipalName) as targeted_accounts by src_ip, _time
| where failed_attempts > 50 AND targeted_accounts > 5
| sort -failed_attempts

This query fires when a single source IP generates more than 50 failed Azure CLI login attempts against more than 5 distinct accounts within a 10-minute window. Tune the thresholds based on your environment — legitimate CI/CD pipelines using Azure CLI will generate failed auths, but they typically target a single service principal, not multiple user accounts. False positive rate is low in environments without heavy multi-account CLI automation.

Defender Action Items

  • Citrix NetScaler: Patch to the latest firmware immediately. If maintenance windows delay patching, consider disabling HTTP/2 on internet-facing NetScaler virtual servers as a compensating control. Audit for CVE-2026-8451 exposure by reviewing session handling configuration.
  • Microsoft 365 / ARToken PhaaS: Enforce FIDO2/WebAuthn MFA. Restrict PRT issuance to managed, compliant devices via conditional access. Monitor Graph API audit logs for bulk messages and oAuth2PermissionGrants calls.
  • Azure CLI spray: Verify conditional access policies explicitly cover app ID 04b07795-a71b-4346-a16a-28f2dbefc6d4. Enable Entra ID sign-in risk policies. Deploy the detection query above.
  • Phantom squatting: Add newly registered domain (NRD) blocking to DNS filtering. Audit AI-assisted development pipelines for unvalidated external URL references.
