HARDENED Cybersecurity Intelligence Daily Briefing · Tuesday, April 7, 2026 · hardened.news |
> The signal. Not the noise. — For teams that defend. |
Lead Story | Critical | Enterprise · IT Ops · Dev |
|
Your MFA Held the Door. OAuth Opened It Anyway — Device Code Phishing Is Now a Mass-Market Weapon.
Push Security documented a 37.5x surge in OAuth 2.0 device code phishing attacks since the start of 2026, with at least 11 competing phishing-as-a-service kits now targeting Microsoft 365 organizations. The EvilTokens kit alone operates over 1,000 infrastructure domains. More than 340 organizations — including Canadian enterprises — have been confirmed as targets. The attack completes MFA on behalf of the attacker. Your authentication logs will show a successful sign-in.
The OAuth 2.0 device authorization grant (RFC 8628) exists to authenticate devices that cannot display a browser — smart TVs, CLI tools, hardware tokens. Microsoft’s implementation works as follows: a device initiates a session and receives a user code from the authorization server; the user navigates to microsoft.com/devicelogin on any browser, enters the code, authenticates with MFA, and the device receives a persistent access token. Attackers have weaponized this flow by initiating the device code request themselves, obtaining the user code from Microsoft’s authorization server, and delivering it to victims via phishing email, a fake Microsoft Teams notification from an external tenant, or an SMS. The victim visits a legitimate Microsoft page, completes legitimate MFA, and the attacker’s session receives the resulting token. From Microsoft’s perspective, authentication succeeded — because it did. From the attacker’s perspective, they now hold a token with up to 90-day refresh capability, regardless of any password change the victim makes later.
EvilTokens launched as a phishing-as-a-service platform in mid-February 2026 and has since grown to more than 1,000 infrastructure domains. At least ten competing kits have followed. Push Security’s telemetry identifies more than 340 Microsoft 365 organizations confirmed as targets across the United States, Canada, Australia, New Zealand, and Germany — sectors including construction, non-profits, real estate, manufacturing, financial services, healthcare, legal, and government. Delivery methods vary by kit: LinkedIn direct messages, Teams notifications from external tenants, and emails using Microsoft system branding are all documented. There is no sector or size profile that exempts an organization. Any organization that processes Microsoft 365 mail, Teams messages, or calendar invites is a viable target.
The mitigation is administrative, not user-facing. Microsoft Entra ID Conditional Access supports grant-type restrictions that block the device code flow for any user group or application scope. Organizations that have no operational requirement for device code authentication — and most do not — should block the flow entirely: create a Conditional Access policy targeting all cloud applications and all users, blocking the device code flow client grant type. Detection logic for SIEM teams: in Microsoft Entra ID sign-in logs, alert on any authentication where the flow type is recorded as “Device code flow” from IP addresses or geographic locations outside the user’s established pattern. User-awareness training is not a control here. The attack is designed to exploit a legitimate, MFA-completed authentication event, and no amount of training eliminates the effectiveness of a convincing fake Teams message from an external tenant.
→ Key Takeaway Block the device authorization grant flow in Microsoft Entra ID Conditional Access if your organization has no operational requirement for it — most do not. Create a Conditional Access policy targeting all users and all cloud applications that blocks the device code flow grant type. Audit existing named locations and exclusions for gaps. Add a SIEM alert in Entra ID sign-in logs for any authentication where the flow type is “Device code flow” from atypical IPs or locations. Rotate credentials for any account that received a suspicious Teams message or email requesting device code entry — access tokens may have been issued before the account owner recognized the attempt. |
Quick Hits
| 01 |
Langflow CVE-2026-33017: Unauthenticated RCE in the AI Workflow Builder That Holds Every API Key
CVE-2026-33017 (CVSS v3.1: 9.8) is an unauthenticated remote code execution flaw in Langflow, the open-source visual AI workflow builder used to chain LLM calls, API integrations, and agent pipelines. The vulnerability is as straightforward as it is severe: Langflow’s public flow execution endpoint (POST /api/v1/build_public_tmp/{flow_id}/flow) trusts the workflow definition it receives, executing any Python code it finds in node definitions via Python’s built-in exec(). No authentication gate protects the endpoint, no sandbox wraps the execution, and the resulting process runs with the privileges of the Langflow server — which in most deployments means access to every API key, database credential, and connected service the team has wired in. CISA added this to the Known Exploited Vulnerabilities catalog on March 25, 2026 (federal deadline: April 8). Exploitation began within 20 hours of disclosure. Upgrade to version 1.9.0 or later — and verify the exact build against Langflow’s security advisory: JFrog Research confirmed that an intermediate release previously marketed as patched remained exploitable. If immediate upgrade is not possible, restrict the Langflow server to trusted network segments. NVD →
| Critical | Dev · Cloud+DevOps · Enterprise |
|
| 02 |
North Korea Socially Engineered the Axios Maintainer and Published a Backdoored npm Package with 100 Million Weekly Downloads
The Axios npm supply chain compromise, confirmed by Google Threat Intelligence Group on March 31, 2026, is a lesson in what well-resourced state actors look like when they have time and patience. UNC1069 — a North Korea-nexus group — did not find a vulnerability in the npm registry. They found a person. Over several weeks they cultivated a relationship with Axios maintainer Jason Saayman, impersonating a company founder through a fabricated Slack workspace and a staged Microsoft Teams meeting before convincing him to run what appeared to be a software update. It was WAVESHAPER.V2, a remote access trojan. With his machine compromised, publishing malicious versions axios 1.14.1 and 0.30.4 was simply a matter of running npm publish. Both were live in a package with over 100 million weekly downloads — present in roughly 80 percent of JavaScript cloud environments — for three hours before removal. UNC1069 simultaneously targeted maintainers of Lodash, Fastify, and dotenv. Audit your dependency lock files for resolved installs of those specific versions and rotate any secrets accessible from affected build environments. Google TIG →
| Critical | Dev · Cloud+DevOps |
|
CVE Watch
|
Patch of the Day
| CVE-2026-2699 + CVE-2026-2701 | CVSS 9.8 / 9.1 |
watchTowr Published a Working PoC for Pre-Authentication RCE in Progress ShareFile — 30,000 Instances Are Exposed
Progress ShareFile Storage Zones Controller holds enterprise file-sharing infrastructure: financial documents, legal files, HR records, client data, and the authentication credentials used to access them. That context matters for understanding what watchTowr disclosed on April 2, 2026. CVE-2026-2699 (CVSS 9.8) is an authentication bypass stemming from how the application handles HTTP redirects — an attacker can reach the restricted administrative configuration interface at /ConfigService/Admin.aspx without credentials. CVE-2026-2701 (CVSS 9.1) takes it further: once past the authentication control, a file upload function can be abused to write an ASPX webshell to a web-accessible directory, achieving full remote code execution on the server. watchTowr published a working proof-of-concept that chains both steps. An attacker reaching the server does not just get the server — they get everything behind it. Approximately 30,000 Storage Zones Controller instances are internet-reachable. Progress patched this in version 5.12.4 on March 10, seven weeks before public disclosure. No in-the-wild exploitation confirmed as of publication, but a public PoC and 30,000 exposed instances is not a combination that stays quiet for long.
| Vendor: Progress · Patched: ShareFile SZC 5.12.4 (March 10, 2026) · PoC: Published April 2, 2026 (watchTowr) · Exploited: No confirmed in-the-wild exploitation; treat as imminent |
|
Compliance Tip of the Day
|
NIST CSF 2.0 — PR.AA — Protect: Identity Management, Authentication & Access Control
MFA Is Not Enough if the OAuth Grant Type Is Still Open
PR.AA-01 requires organizations to manage identities and credentials for authorized users and services. What constitutes a “managed credential” extends beyond usernames and passwords to the authentication flows and grant types that are permitted in your environment — because a flow that is permitted but not operationally needed is a credential surface that exists for no reason. The device code phishing surge reveals a gap that PR.AA-01 directly addresses: MFA was enabled, credentials were never exposed, and authentication succeeded — but the wrong party holds the resulting token. The device authorization grant was never designed for general Microsoft 365 user authentication; it was built for input-constrained devices such as smart TVs and hardware appliances. Permitting it for all users without restriction creates an authentication pathway that bypasses the intent of every other access control in place. Action: Inventory the OAuth grant types permitted in your Microsoft Entra ID tenant. For most organizations, the device code flow should be disabled for all users via Conditional Access policy. If any use case genuinely requires it — kiosk deployments, physical security devices, legacy hardware — scope the permission to a named group or named device, not the full directory. Document permitted grant types alongside your access control matrix and review them at least quarterly.
|
|
HARDENED | This newsletter does not constitute professional security advice. Security configurations and threat landscapes vary by organization. Consult a qualified security professional for implementation guidance specific to your environment. How we work: HARDENED uses AI agents for research, drafting, and automation. Every issue is reviewed by humans before publication. If you spot an error, reply directly — we correct the record promptly. Sources: Push Security (device code phishing 37.5x surge, EvilTokens PhaaS, April 2026), pushsecurity.com · BleepingComputer (EvilTokens phishing-as-a-service, April 4, 2026), bleepingcomputer.com · The Hacker News (EvilTokens, 340 orgs targeted, March 2026), thehackernews.com · Help Net Security (EvilTokens Microsoft 365 targeting, March 31, 2026), helpnetsecurity.com · NVD (CVE-2026-33017), nvd.nist.gov · CISA KEV catalog (CVE-2026-33017, added March 25, 2026, deadline April 8), cisa.gov/kev · Sysdig (CVE-2026-33017 exploitation within 20 hours), sysdig.com · The Hacker News (Langflow RCE coverage), thehackernews.com · Google Threat Intelligence Group (UNC1069 Axios npm supply chain compromise, March–April 2026), cloud.google.com/blog/topics/threat-intelligence · The Hacker News (UNC1069 Axios), thehackernews.com · Microsoft Security Blog (Axios npm mitigation guidance), microsoft.com/security/blog · watchTowr Labs (CVE-2026-2699 / CVE-2026-2701 ShareFile PoC, April 2, 2026), labs.watchtowr.com · NVD (CVE-2026-2699), nvd.nist.gov · NIST CSF 2.0, nist.gov/cyberframework |
|
|
