TL;DR
Microsoft disrupted a malware-signing service that enabled ransomware distribution; Drupal releases critical core patches on May 20; an OAuth phishing campaign has bypassed MFA at 340+ Microsoft 365 organizations. Patch immediately and tighten OAuth consent controls: MFA alone does not stop the consent-based campaign.
Executive Summary
- Microsoft disrupted Fox Tempest, a malware-signing-as-a-service platform that has operated since May 2025 and provided code-signing tools to ransomware gangs and other cybercriminals [7, 23, 28].
- An OAuth-based phishing campaign using a platform called EvilTokens compromised more than 340 Microsoft 365 organizations across five countries since February 2026 by bypassing multi-factor authentication [3].
- Drupal will release urgent core security updates on May 20, 2026, with researchers warning that exploits could be developed within hours or days [4, 27].
- A proof-of-concept exploit has been released for CVE-2026-31635, a Linux kernel local privilege escalation vulnerability [2].
- Android malware campaign dubbed Trapdoor used 455 malicious apps to generate 659 million daily bid requests in ad fraud operations [1].
Top Threats Today
1. Fox Tempest Malware-Signing Service Disrupted
Severity: HIGH Affected: technology
Microsoft has unsealed a case in U.S. District Court detailing its disruption of Fox Tempest, a malware-signing-as-a-service platform that sold code-signing tools to cybercriminals [1][2]. The service had operated since May 2025 and was used to make ransomware and other malware pass as legitimately signed software [2][3]. The disruption removes infrastructure that multiple ransomware gangs and other cybercriminal groups relied on, but binaries signed through the service before the takedown remain in circulation and still carry valid-looking signatures.
Sources: [1] BleepingComputer; [2] The Record; [3] SecurityWeek
Recommended Action
- Review endpoint and code-integrity logs for executables signed with code-signing certificates your organization does not recognize; a valid signature from an unknown publisher is the signal here, not an invalid one.
- Implement application whitelisting and code-signing verification policies that trust specific publishers and hashes rather than "any valid signature", since a signing-as-a-service operation exists precisely to give malware a valid signature.
- Monitor for malware samples signed with certificates issued between May 2025 and the disruption date, and block the signing certificates of any such samples you identify.
2. EvilTokens OAuth Phishing Bypasses MFA on 340+ Organizations
Severity: HIGH Affected: technology
A phishing-as-a-service platform called EvilTokens went live in February 2026 and compromised more than 340 Microsoft 365 organizations across five countries within five weeks [1]. Rather than harvesting passwords, it sends OAuth consent prompts that direct users to enter short codes at microsoft.com/devi[cetype], and the attacker receives the resulting authentication tokens [1]. Because the victim completes the sign-in, MFA included, on a genuine Microsoft page and the attacker ends up with a legitimate OAuth grant, standard MFA configurations do not prevent this attack.
Sources: [1] The Hacker News
Recommended Action
- Review Microsoft 365 and Entra audit logs for unusual OAuth consent grants, particularly those granting mail or calendar permissions together with offline_access, which yields a refresh token and lets the access outlive the session.
- Use consent policies and conditional access to limit which applications users can consent to (admin consent workflow or verified publishers only) and to block the device code flow for users who have no need for it.
- Deploy phishing-resistant authentication (passwordless sign-in or hardware security keys) for sensitive operations, keeping in mind that stronger factors do not by themselves stop token theft that rides on a legitimate consent.
- Educate users that a code prompt they did not initiate is a phishing indicator even when the code is entered on a legitimate microsoft.com page, and that unexpected consent prompts should be reported rather than approved.
- For any confirmed malicious grant, revoke the affected users' refresh tokens and remove the application's service principal from the tenant; resetting the password alone leaves the tokens valid.
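The audit-log review in the first recommendation above, as an added example (this is not code from the briefing, from Microsoft or from the cited reporting). It assumes a unified audit log export in JSON-lines form in which an application consent appears as Operation "Consent to application." with the granted scope string inside a ModifiedProperties entry named ConsentAction.Permissions; the AppId and ObjectId keys, the approved-app list and the risky-scope set are assumptions to check against your own export, and the sample records are constructed for the example.

```python
"""Flag risky OAuth consent grants in an exported Microsoft 365 audit log."""
import json
import re

# Delegated Graph scopes that hand an attacker a mailbox or calendar.
# Assumption: tune this set to your tenant; it is not Microsoft's list.
RISKY_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Calendars.Read", "Calendars.ReadWrite", "Files.Read.All",
}
# offline_access yields a refresh token, so a stolen grant outlives the session.
PERSISTENCE_SCOPE = "offline_access"

# Hypothetical allowlist of application IDs your organization has reviewed.
APPROVED_APP_IDS = {"11111111-2222-3333-4444-555555555555"}

# Scope list inside ConsentAction.Permissions, e.g. "... Scope: Mail.Read offline_access, ..."
SCOPE_RE = re.compile(r"Scope:\s*([^,\]]+)")

SEVERITY_RANK = {"high": 0, "medium": 1, "info": 2}


def extract_scopes(record):
    """Return the set of scopes granted in a 'Consent to application.' record."""
    for prop in record.get("ModifiedProperties", []):
        if prop.get("Name") == "ConsentAction.Permissions":
            match = SCOPE_RE.search(prop.get("NewValue", ""))
            if match:
                return set(match.group(1).split())
    return set()


def assess_consent(record, approved=APPROVED_APP_IDS):
    """Return a finding for a risky consent grant, or None if the record is benign."""
    if record.get("Operation") != "Consent to application.":
        return None
    scopes = extract_scopes(record)
    risky = scopes & RISKY_SCOPES
    if not risky:
        return None
    app_id = record.get("AppId", "")
    if app_id in approved:
        severity = "info"      # reviewed app; still worth a glance
    elif PERSISTENCE_SCOPE in scopes:
        severity = "high"      # unknown app with persistent mailbox/calendar access
    else:
        severity = "medium"    # unknown app, access limited to the token lifetime
    return {
        "time": record.get("CreationTime"),
        "user": record.get("UserId"),
        "app_id": app_id,
        "app_name": record.get("ObjectId"),
        "risky_scopes": sorted(risky),
        "persistent": PERSISTENCE_SCOPE in scopes,
        "severity": severity,
    }


def find_risky_consents(jsonl_text, approved=APPROVED_APP_IDS):
    """Scan a JSON-lines export and return findings, highest severity first."""
    findings = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        finding = assess_consent(json.loads(line), approved)
        if finding:
            findings.append(finding)
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]])
    return findings


# Constructed sample export (not real tenant data).
SAMPLE_EXPORT = """
{"CreationTime": "2026-03-02T08:14:09", "Operation": "Consent to application.", "UserId": "alice@example.com", "AppId": "11111111-2222-3333-4444-555555555555", "ObjectId": "Contoso HR Portal", "ModifiedProperties": [{"Name": "ConsentAction.Permissions", "NewValue": "[[Id: c1, ConsentType: Principal, Scope: User.Read Mail.Read, CreatedDateTime: 2026-03-02T08:14:09]]"}]}
{"CreationTime": "2026-03-03T11:02:41", "Operation": "Consent to application.", "UserId": "bob@example.com", "AppId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "ObjectId": "Secure Document Viewer", "ModifiedProperties": [{"Name": "ConsentAction.Permissions", "NewValue": "[[Id: c2, ConsentType: Principal, Scope: Mail.Read Mail.Send offline_access, CreatedDateTime: 2026-03-03T11:02:41]]"}]}
{"CreationTime": "2026-03-03T11:05:17", "Operation": "UserLoggedIn", "UserId": "bob@example.com", "AppId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}
{"CreationTime": "2026-03-04T09:30:00", "Operation": "Consent to application.", "UserId": "carol@example.com", "AppId": "99999999-8888-7777-6666-555555555555", "ObjectId": "Meeting Scheduler", "ModifiedProperties": [{"Name": "ConsentAction.Permissions", "NewValue": "[[Id: c3, ConsentType: Principal, Scope: Calendars.Read, CreatedDateTime: 2026-03-04T09:30:00]]"}]}
{"CreationTime": "2026-03-04T10:00:00", "Operation": "Consent to application.", "UserId": "dave@example.com", "AppId": "12121212-3434-5656-7878-909090909090", "ObjectId": "Weather Widget", "ModifiedProperties": [{"Name": "ConsentAction.Permissions", "NewValue": "[[Id: c4, ConsentType: Principal, Scope: User.Read openid profile, CreatedDateTime: 2026-03-04T10:00:00]]"}]}
"""

if __name__ == "__main__":
    for f in find_risky_consents(SAMPLE_EXPORT):
        print(f"{f['severity']:6} {f['time']} {f['user']} -> {f['app_name']} "
              f"({f['app_id']}) {f['risky_scopes']} persistent={f['persistent']}")
```

Against the sample export this reports the "Secure Document Viewer" grant as high (unknown app, mail read and send, refresh token), the "Meeting Scheduler" grant as medium, and the approved HR portal as info; the sign-in record and the User.Read-only consent are ignored. The design choice worth copying is the severity split on offline_access: a consent without it expires with the access token, while one with it is a standing foothold that survives password resets until the tokens are revoked.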
3. Drupal Urgent Core Security Release May 20
Severity: HIGH Affected: technology
Drupal has announced a “core security release” for all supported branches, scheduled for May 20, 2026, between 5–9 p.m. UTC [1]. The Drupal Security Team has stated that exploits might be developed within hours or days of the patch release [1][2]. Details of the vulnerability have not been disclosed in advance, but the pre-announcement, the scope (every supported branch) and the warning about rapid exploit development together point to a highly critical flaw.
Sources: [1] The Hacker News; [2] SecurityWeek
Recommended Action
- Reserve maintenance windows immediately following the May 20 release window, with the people who can approve and deploy on hand.
- Test patches in a staging environment before deploying to production, but keep the test cycle short; past Drupal core releases of this kind have been exploited within the timeframe the Security Team is warning about.
- Apply updates to all supported Drupal installations within 24 hours of patch availability. Installations on unsupported branches will not receive the fix, so inventory those now and plan their upgrade or isolation.
- Monitor security advisories and public exploit repositories for any disclosed details between now and patch release, and for exploitation attempts in web server logs afterwards.
4. CVE-2026-31635 Linux Kernel LPE PoC Released
Severity: HIGH Affected: technology
Proof-of-concept exploit code dubbed DirtyDecrypt (also known as DirtyCBC) has been released for CVE-2026-31635, a recently patched local privilege escalation vulnerability in the Linux kernel [1]. The flaw was discovered and reported by the Zellic and V12 security teams on May 9, 2026 [1]. With working exploit code public, any unpatched host where an attacker can run code as an unprivileged user, including a compromised service account or a container workload sharing the host kernel, is at risk of full root compromise.
Sources: [1] The Hacker News
Recommended Action
- Prioritize kernel updates on all Linux systems, especially those with local user access or multi-tenant workloads; confirm that your distribution's kernel package actually carries the fix rather than assuming the latest package is patched.
- Review and restrict local shell access to trusted users only, and treat container hosts as having local user access for this purpose, since containers share the host kernel.
- Monitor systems for privilege escalation attempts: unexpected processes running as root under an unprivileged user's session, kernel warnings or crashes around the time of suspicious activity, and audit records for execve or setuid calls from service accounts.
- Enforce kernel security modules (AppArmor, SELinux) to limit which processes can reach the vulnerable code path, but do not treat them as a substitute for the patch; an exploit that gains kernel privileges can disable in-kernel controls.
5. Trapdoor Android Ad Fraud Campaign Generates 659M Daily Bid Requests
Severity: MEDIUM Affected: technology
Researchers from HUMAN's Satori Threat Intelligence and Research Team have disclosed details of Trapdoor, an ad fraud and malvertising operation targeting Android users [1]. The campaign encompassed 455 malicious Android apps and 183 pieces of threat actor-owned command-and-control infrastructure, and generated 659 million daily bid requests at its peak [1]. This is a large ad fraud operation, though the impact is mostly confined to owners of infected devices and to advertisers' fraud losses.
Sources: [1] The Hacker News
Recommended Action
- Review Android device security: disable installation from unknown sources and enable Play Protect, and enforce both through your MDM where devices are managed.
- Audit installed applications on managed devices against the 455 identified malicious apps, and remove any matches.
- Monitor for unusual data consumption, battery drain or device slowdowns indicative of background ad fraud activity.
- Keep the Android OS and all applications up to date with the latest security patches.
Today’s Action Checklist
- ☐ URGENT: Audit Microsoft 365 tenants for unusual OAuth consent grants, revoke any malicious ones, and review consent and conditional access policies.
- ☐ URGENT: Schedule maintenance windows immediately after the Drupal release window on May 20, 5–9 p.m. UTC.
- ☐ HIGH: Prioritize Linux kernel updates to patch CVE-2026-31635 on systems with local user access, container hosts included.
- ☐ HIGH: Review application whitelisting and code-signing verification policies following the Fox Tempest disruption; trust publishers and hashes, not signatures alone.
- ☐ MEDIUM: Audit the Android device inventory for the 455 identified malicious Trapdoor applications.