Last updated: July 5, 2026 at 9:01 AM UTC
Tag: spoofing (3 articles)

Microsoft Exchange OWA zero-day actively exploited via crafted email, no patch yet (CVE-2026-42897)

Just two days after a 138-fix Patch Tuesday that listed no zero-days, Microsoft disclosed CVE-2026-42897, an Exchange Server cross-site scripting flaw it classifies as spoofing and has tagged 'Exploitation Detected.' The bug is rated CVSS 8.1 and was reported by an anonymous researcher. An unauthenticated attacker sends a crafted email; if the victim opens it in Outlook on the web (OWA) and meets certain interaction conditions, attacker-controlled JavaScript runs in the victim's authenticated browser session, enabling spoofing and session abuse within OWA. On-prem Exchange Server 2016, 2019, and Subscription Edition are affected; Exchange Online is not. No permanent patch exists yet; the only protection is the mitigation delivered through the Exchange Emergency Mitigation Service (EEMS).

Check
Inventory all on-prem Exchange Server 2016, 2019, and Subscription Edition instances. On each Mailbox server confirm the Exchange Emergency Mitigation Service is enabled at both the organization and server level and that the May 14 mitigation for CVE-2026-42897 appears under MitigationsApplied rather than MitigationsBlocked; a server on a CU older than EEMS support cannot receive the mitigation at all. Review the IIS logs for the OWA virtual directory and the message tracking logs for messages matching any crafted-message indicators Microsoft publishes.
Affected
Microsoft Exchange Server 2016 CU23, Exchange Server 2019 CU14 and CU15, and Exchange Server Subscription Edition RTM. Exchange Online customers are not affected. Risk is highest for internet-facing OWA deployments.
Fix
Confirm the Exchange Emergency Mitigation Service is enabled (on by default since the September 2021 CUs) and that the CVE-2026-42897 mitigation shows as applied on every Mailbox server. If EEMS is disabled or the server cannot reach Microsoft's mitigation endpoint, apply the mitigation manually with EOMT.ps1 as directed in Microsoft's advisory. Permanent updates are coming for SE RTM, 2016 CU23, and 2019 CU14/CU15; treat the EEMS rule as a stopgap and plan to install them as soon as they ship.
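The check above, as an added example for the Exchange Management Shell (this is not Microsoft's tooling or the article's own guidance). It uses the documented MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties that EEMS exposes on Get-OrganizationConfig and Get-ExchangeServer. The $MitigationId value is an assumption: the page does not give the ID Microsoft assigns to the CVE-2026-42897 rule, so fill it in from the advisory before relying on the TargetApplied column.

```powershell
# Added example, not from Microsoft or the original article. Run from the Exchange
# Management Shell on any Mailbox server; it queries every server in the organization.
# ASSUMPTION: $MitigationId must be set to the mitigation ID Microsoft publishes for
# CVE-2026-42897. The placeholder below will never match.
param(
    [string]$MitigationId = '<ID-from-Microsoft-advisory>'
)

# Org-level switch: if this is False, EEMS is off everywhere regardless of per-server state.
$org = Get-OrganizationConfig
"Org-level MitigationsEnabled: $($org.MitigationsEnabled)"

# Per-server view. Only Exchange 2016 CU22+, 2019 CU11+ and Subscription Edition expose
# these properties, so a blank MitigationsEnabled also flags a server too old for EEMS.
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -match 'Mailbox' }
$report = foreach ($s in $servers) {
    $applied = @($s.MitigationsApplied)
    $blocked = @($s.MitigationsBlocked)
    [pscustomobject]@{
        Server             = $s.Name
        Version            = $s.AdminDisplayVersion
        MitigationsEnabled = $s.MitigationsEnabled
        TargetApplied      = ($applied -contains $MitigationId)
        TargetBlocked      = ($blocked -contains $MitigationId)
        Applied            = ($applied -join ',')
        Blocked            = ($blocked -join ',')
    }
}
$report | Format-Table -AutoSize

# Anything listed here needs action: EEMS disabled, the rule blocked by an admin, or the
# rule not yet pulled down (EEMS polls hourly; Get-Mitigations.ps1 in $exscripts shows
# what the local server currently knows about).
$report |
    Where-Object { -not $_.MitigationsEnabled -or $_.TargetBlocked -or -not $_.TargetApplied } |
    ForEach-Object {
        Write-Warning ("{0}: EEMS enabled={1} target applied={2} target blocked={3}" -f
            $_.Server, $_.MitigationsEnabled, $_.TargetApplied, $_.TargetBlocked)
    }
```

A server that shows the rule under Blocked was deliberately opted out at some point; that decision should be revisited now that exploitation is confirmed, since blocked mitigations are not re-applied automatically.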

Microsoft confirms a Windows Shell flaw that lets attackers spoof anything in File Explorer is being exploited - patch now (CVE-2026-32202)

Microsoft confirmed yesterday that a Windows Shell spoofing flaw, CVE-2026-32202, is being exploited in the wild. The bug lets an attacker craft files that appear in File Explorer with fake names, icons, and paths - so a malicious .exe can show up looking like a benign PDF, leading users to double-click and run it. Microsoft patched the bug in the April 14 Patch Tuesday but only confirmed in-the-wild exploitation on April 28, raising urgency for any environment that hasn't deployed April patches. The flaw is particularly dangerous on shared file servers, USB drops, and email attachments - any path where users trust File Explorer to tell them what's what.

Check
Confirm every Windows endpoint has the April 14 Patch Tuesday update installed, especially any host that opens shared drives, USB drives, or email attachments.
Affected
Windows endpoints without the April 14, 2026 patch installed. CVE-2026-32202 affects all currently supported Windows versions: Windows 11, Windows Server, and the Windows 10 releases still under LTSC or ESU support. Acute risk on hosts that handle external files: receptionists, finance staff opening invoices, IT staff handling user-submitted USB drives, and anyone receiving email attachments from outside the organization.
Fix
Deploy the April 14 Patch Tuesday update via your usual patching process, prioritizing user endpoints over servers since the bug needs someone to double-click in File Explorer. Verify deployment with MDM or endpoint-telemetry reporting rather than trusting WSUS compliance numbers alone. Enable 'show file extensions' as a Group Policy default; treat it as defense in depth rather than a fix, since the flaw spoofs the displayed name and icon, not just the hidden extension. Re-train staff on file-trust basics this month. Watch for unusual process spawns from explorer.exe, especially executables launched from Downloads, Temp, network shares, or removable drives.
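Detection logic for the last point, as an added example (not Microsoft's guidance or the article's own code). It classifies Security event 4688 process-creation records by parent and image path, exercises the rule against constructed sample records so it can be read offline, and then wraps the same rule around a live Get-WinEvent query. The path patterns and the list of script hosts are assumptions tuned to the file-server, USB and attachment scenarios the article names; adjust them for your environment.

```powershell
# Added example, not from Microsoft or the original article. Flags processes that
# explorer.exe spawned from locations where a spoofed "document" is typically
# double-clicked. ASSUMPTIONS: the patterns below assume the OS is on C: and that
# Downloads/Temp/UNC/removable drives are where external files arrive.

$SuspiciousPathPatterns = @(
    '\\Users\\[^\\]+\\Downloads\\',                       # browser / mail-client saves
    '\\AppData\\Local\\Temp\\',                            # Outlook and archive tools extract here
    '\\AppData\\Local\\Microsoft\\Windows\\INetCache\\',   # Outlook attachment cache
    '^\\\\[^\\]+\\',                                       # UNC path: shared file servers
    '^[D-Z]:\\'                                            # non-system drive: USB drops
)
# Script hosts launched directly by explorer.exe mean a user double-clicked a script.
$ScriptHosts = 'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe'

function Test-SuspiciousExplorerChild {
    param([string]$ParentProcessName, [string]$NewProcessName)
    if ($ParentProcessName -notmatch '\\explorer\.exe$') { return $false }
    $leaf = (Split-Path -Leaf $NewProcessName).ToLower()
    if ($ScriptHosts -contains $leaf) { return $true }
    foreach ($p in $SuspiciousPathPatterns) {
        if ($NewProcessName -match $p) { return $true }
    }
    return $false
}

# Constructed sample records (not real telemetry) to exercise the rule offline.
$samples = @(
    @{ ParentProcessName = 'C:\Windows\explorer.exe';        NewProcessName = 'C:\Users\alice\Downloads\Invoice_2026_Q1.pdf.exe' },
    @{ ParentProcessName = 'C:\Windows\explorer.exe';        NewProcessName = '\\fileserver\share\Report.exe' },
    @{ ParentProcessName = 'C:\Windows\explorer.exe';        NewProcessName = 'E:\photos\viewer.exe' },
    @{ ParentProcessName = 'C:\Windows\explorer.exe';        NewProcessName = 'C:\Windows\System32\wscript.exe' },
    @{ ParentProcessName = 'C:\Windows\explorer.exe';        NewProcessName = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE' },
    @{ ParentProcessName = 'C:\Windows\System32\svchost.exe'; NewProcessName = 'C:\Users\alice\Downloads\setup.exe' }
)
foreach ($e in $samples) {
    '{0,-5} {1}' -f (Test-SuspiciousExplorerChild @e), $e.NewProcessName
}

# Live query against Security event 4688. Requires "Audit Process Creation" to be on;
# ParentProcessName is populated on Windows 10 / Server 2016 and later, and CommandLine
# only if command-line auditing is enabled.
function Get-SuspiciousExplorerChildren {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if (Test-SuspiciousExplorerChild -ParentProcessName $d['ParentProcessName'] -NewProcessName $d['NewProcessName']) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $d['SubjectUserName']
                Image       = $d['NewProcessName']
                CommandLine = $d['CommandLine']
            }
        }
    }
}
# Get-SuspiciousExplorerChildren -Hours 72 | Format-Table -AutoSize
```

The rule is deliberately parent-anchored: the same binary launched from a shortcut, a browser, or a service is a different story, and explorer.exe as the creator is what ties a hit back to the double-click this flaw relies on. If Sysmon is deployed, Event ID 1 carries ParentImage and Image and can be fed to Test-SuspiciousExplorerChild the same way.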

Over 1,300 SharePoint servers still exposed to ongoing spoofing attacks a week after Microsoft's patch (CVE-2026-32201)

Shadowserver data shows 1,300+ internet-exposed Microsoft SharePoint servers remain unpatched against CVE-2026-32201, a spoofing flaw Microsoft confirmed as a zero-day and CISA added to its Known Exploited Vulnerabilities catalog the same day the fix dropped in April Patch Tuesday. Fewer than 200 systems have been patched since the update shipped last week. The flaw affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. An unauthenticated attacker can perform network spoofing through improper input validation in a low-complexity attack that needs no user interaction, letting them view sensitive information and modify data, though not affect availability. Microsoft has not described the exploitation technique or attributed the attacks to a specific group, which is unusual for a zero-day and hints at an ongoing investigation. CISA ordered federal agencies to patch by April 28 under Binding Operational Directive 22-01, and given ongoing in-the-wild abuse, private-sector operators should treat that as their own deadline. SharePoint's habit of holding cached Office 365 tokens, SharePoint-signed refresh tokens, and IP on sensitive business processes makes any compromise a serious lateral-movement foothold, not a minor information disclosure.

Check
Inventory every on-premises SharePoint instance in your environment (including dev and staging that may be exposed to the internet) and verify that the April 2026 Patch Tuesday update for CVE-2026-32201 is installed.
Affected
SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition (the 'continuous update' on-premises edition) without the April 2026 security update.
Fix
Install the April 2026 Patch Tuesday security updates for each affected SharePoint version. If a server cannot be patched immediately, pull it off the public internet and put it behind a VPN or Zero Trust gateway, and monitor authentication logs for unexpected token-generation patterns. After patching, audit the last 10 days of SharePoint auth logs and any connected Office 365 federated token issuance for anomalies, since the patch will not retroactively invalidate tokens minted during exploitation.
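Inventory and exposure check for the steps above, as an added example for the SharePoint Management Shell (not Microsoft's tooling or the article's own guidance). It relies on the standard Get-SPFarm, Get-SPServer, Get-SPWebApplication and Get-SPAlternateURL cmdlets. The $MinimumBuild parameter is an assumption you fill from the farm build number the April 2026 update installs for your edition, because the page does not give those build numbers.

```powershell
# Added example, not from Microsoft or the original article. Run on one farm member.
# ASSUMPTION: set $MinimumBuild to the build number the April 2026 security update
# installs for your SharePoint version; the 0.0.0.0 default never warns.
param(
    [version]$MinimumBuild = [version]'0.0.0.0'
)

# Farm-wide build: the single most reliable indicator that the update both installed
# and completed the configuration (PSConfig) pass.
$farm  = Get-SPFarm
$build = $farm.BuildVersion
"Farm build: $build  (expected >= $MinimumBuild)"
if ($build -lt $MinimumBuild) {
    Write-Warning "Farm build is below the patched build: the CVE-2026-32201 update is missing or PSConfig has not run."
}

# Per-server state. Binaries can be installed on a server while the farm upgrade has
# not run there; NeedsUpgrade catches that half-applied state. Role 'Invalid' is the
# SQL Server entry, which is not a SharePoint host.
Get-SPServer |
    Where-Object { $_.Role -ne 'Invalid' } |
    Select-Object Name, Role, Status, NeedsUpgrade |
    Format-Table -AutoSize

# Which web applications are published to the internet? An Internet-zone alternate
# access mapping is the exposure Shadowserver counts; anything listed is where the
# "take it off the public internet" step applies first.
Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
    $wa = $_
    Get-SPAlternateURL -WebApplication $wa |
        Where-Object { $_.Zone -eq 'Internet' } |
        Select-Object @{ n = 'WebApplication'; e = { $wa.DisplayName } }, IncomingUrl, Zone
} | Format-Table -AutoSize
```

Run it on dev and staging farms too: the article's point is that those are the instances most often forgotten and still reachable from outside.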