Palo Alto's Unit 42 and the Retail & Hospitality ISAC outed a new financially-motivated group tracked as BlackFile (CL-CRI-1116, UNC6671, Cordial Spider) running data-theft extortion against retail and hospitality since February 2026 with seven-figure ransoms. The playbook: spoofed-VoIP vishing, attackers posing as IT helpdesk, victims routed to phishing pages capturing Microsoft Entra/Okta/Google SSO credentials, attackers then register their own devices to bypass MFA and pivot into Salesforce and SharePoint. Unit 42 links the group to 'The Com' and notes it has used swatting against non-paying victims. TTPs overlap heavily with ShinyHunters and Scattered Spider.
Shadowserver data shows 1,300+ internet-exposed Microsoft SharePoint servers remain unpatched against CVE-2026-32201, a spoofing flaw Microsoft confirmed as a zero-day and CISA added to its Known Exploited Vulnerabilities catalog the same day the fix dropped in April Patch Tuesday. Fewer than 200 systems have been patched since the update shipped last week. The flaw affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. An unauthenticated attacker can perform network spoofing through improper input validation in a low-complexity attack that needs no user interaction, letting them view sensitive information and modify data, though not affect availability. Microsoft has not described the exploitation technique or attributed the attacks to a specific group, which is unusual for a zero-day and hints at an ongoing investigation. CISA ordered federal agencies to patch by April 28 under Binding Operational Directive 22-01, and given ongoing in-the-wild abuse, private-sector operators should treat that as their own deadline. SharePoint's habit of holding cached Office 365 tokens, SharePoint-signed refresh tokens, and IP on sensitive business processes makes any compromise a serious lateral-movement foothold, not a minor information disclosure.
TrustStrike Labs