Executive Summary
- Microsoft released patches for 167 vulnerabilities including 2 zero-days; SharePoint Server zero-day already under active exploitation
- Russian state-sponsored hackers harvesting Microsoft Office authentication tokens via compromised routers in mass campaign
- Mirax Android RAT reached 220,000+ users via Meta platforms; converts devices into SOCKS5 proxies for further attacks
- Critical flaws in PHP Composer enable arbitrary command execution; supply-chain risk across development ecosystem
- Critical risk incidents surged 400% year-over-year despite only 52% increase in raw alert volume, driven by AI-assisted development velocity
Top Threats Today
1. Microsoft Patch Tuesday – 167 Vulnerabilities Including Exploited Zero-Days
Severity: CRITICAL | Affected: Technology, Government, Finance
Microsoft released the April 2026 Patch Tuesday addressing 167 vulnerabilities across Windows, Office, and related products. Two zero-days are included, with the SharePoint Server zero-day already confirmed under active exploitation. Privilege escalation vulnerabilities account for more than half of all patches. This represents the second-largest Patch Tuesday by CVE count in Microsoft history. Adobe simultaneously released 55 patches, and SAP patched critical ABAP vulnerabilities.
Recommended Action
- Immediately prioritize deployment of KB5082200 and SharePoint Server patches to production systems
- Implement detection rules for SharePoint exploitation attempts in SIEM/EDR systems
- Audit SharePoint Server logs for signs of prior compromise (check for February 2026 onward)
- Patch Adobe and SAP products in parallel using change management windows
2. Russian State-Sponsored Token Harvesting Campaign via Router Compromise
Severity: CRITICAL | Affected: Government, Finance, Defense
Russian military intelligence-linked threat actors are exploiting known vulnerabilities in older Internet routers to conduct mass harvesting of Microsoft Office authentication tokens. This campaign enables persistent, stealthy access to organizational email and cloud resources without triggering MFA on initial compromise. The attack chain leverages network-layer compromise to intercept authentication flows at scale.
Recommended Action
- Conduct urgent inventory of all routers and network edge devices; prioritize replacement of unsupported/legacy models
- Implement network segmentation to isolate router management interfaces
- Deploy token detection rules: monitor for Office token usage from anomalous geographic locations or unusual IP ranges
- Enable Enhanced Security Admin Environment (ESAE) for credential hygiene in high-value accounts
- Initiate threat hunt for lateral movement indicators from router compromise timeframes
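The token-usage detection rule recommended above, worked through as an added example (this is not code from the original briefing or from any vendor). It runs over a constructed set of sign-in events; the field names, the "expected" egress ranges and the one-hour travel window are assumptions to be replaced with your own identity-log schema and network inventory. It flags a token used from outside the expected ranges and a token used from two countries within the window, which is the pattern a harvested token replayed by an attacker tends to produce.

```python
"""Flag Office/cloud sign-in events where one token (or session id) is used from
an unexpected IP range, or from two countries within a short window.
Added example for the briefing above; sample data and field names are constructed."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample sign-in events (not real data). 'token_id' stands for
# whatever correlation id your identity logs expose per session or token.
EVENTS = [
    {"ts": "2026-04-14T08:00:00", "user": "alice", "token_id": "t-001", "ip": "203.0.113.10", "country": "US"},
    {"ts": "2026-04-14T08:05:00", "user": "alice", "token_id": "t-001", "ip": "198.51.100.7", "country": "DE"},
    {"ts": "2026-04-14T09:00:00", "user": "bob",   "token_id": "t-002", "ip": "10.0.0.5",     "country": "US"},
    {"ts": "2026-04-14T09:30:00", "user": "bob",   "token_id": "t-002", "ip": "10.0.0.9",     "country": "US"},
    {"ts": "2026-04-14T10:00:00", "user": "carol", "token_id": "t-003", "ip": "192.0.2.44",   "country": "US"},
]

# Assumption: the organisation's known egress ranges (constructed values).
EXPECTED_RANGES = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
# Assumption: two countries on one token inside this window is not plausible travel.
TRAVEL_WINDOW = timedelta(hours=1)


def parse(event):
    """Convert the string fields of one raw event into datetime / ip objects."""
    return {**event, "ts": datetime.fromisoformat(event["ts"]), "ip": ip_address(event["ip"])}


def outside_expected(ip):
    """True when the source address is in none of the expected egress ranges."""
    return not any(ip in net for net in EXPECTED_RANGES)


def find_anomalies(events, window=TRAVEL_WINDOW):
    """Return (token_id, reason) findings in chronological order."""
    ordered = sorted((parse(e) for e in events), key=lambda e: e["ts"])
    findings = []
    history = {}  # token_id -> earlier events seen for that token
    for ev in ordered:
        if outside_expected(ev["ip"]):
            findings.append((ev["token_id"], f"use from unexpected range {ev['ip']}"))
        for prev in history.get(ev["token_id"], []):
            # Same token, different country, inside the window: likely replayed token.
            if prev["country"] != ev["country"] and ev["ts"] - prev["ts"] <= window:
                findings.append((ev["token_id"],
                                 f"used from {prev['country']} and {ev['country']} within {window}"))
                break
        history.setdefault(ev["token_id"], []).append(ev)
    return findings


def flagged_tokens(events):
    """Set of token ids that produced at least one finding (for hunt pivoting)."""
    return {token for token, _ in find_anomalies(events)}


if __name__ == "__main__":
    for token, reason in find_anomalies(EVENTS):
        print(f"{token}: {reason}")
```

Tune the window and the ranges before relying on the output: a workforce that travels or uses a cloud proxy will legitimately trip the range check, so the country-change finding is the one to page on and the range finding is the one to triage.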
3. Mirax Android RAT – 220,000+ Users Compromised via Meta Advertising
Severity: HIGH | Affected: Technology, Retail, Finance
The Mirax Android remote access trojan has actively compromised over 220,000 users across Facebook, Instagram, Messenger, and Threads through malicious advertisements, primarily targeting Spanish-speaking regions. The malware converts infected devices into SOCKS5 proxies, enabling threat actors to route traffic through compromised phones for credential theft, lateral movement, and bypassing geographic restrictions. This represents a sophisticated supply-chain attack through social media advertising networks.
Recommended Action
- Deploy mobile threat defense (MTD) solutions across BYOD and corporate mobile fleets
- Distribute security awareness on malicious ads and app-store vetting procedures to employees
- Monitor for proxy traffic originating from residential IP ranges in SIEM logs
- Consider restricting social media app downloads to managed app stores only
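The proxy-traffic monitoring recommended above, as an added example that is not part of the original briefing. It classifies the first client-to-server bytes of a flow as a SOCKS5 greeting or request using the message layout from RFC 1928, then raises a finding when a device in a monitored (mobile/BYOD) range is either receiving such traffic, i.e. acting as a proxy server the way the briefing describes, or sending it to an external proxy. The flow records and the monitored address ranges are constructed; substitute the ranges your mobile fleet actually uses.

```python
"""Detect SOCKS5 handshakes involving monitored mobile/BYOD addresses.
Added example for the briefing above; flows and ranges are constructed."""
from ipaddress import ip_address, ip_network

# Assumption: address ranges assigned to mobile / BYOD devices (constructed).
MONITORED = [ip_network("100.64.0.0/10"), ip_network("10.20.0.0/16")]

# Constructed flow records: first payload the client sent to the server.
FLOWS = [
    {"src": "198.51.100.20", "dst": "100.64.3.7",   "dport": 1080, "payload": b"\x05\x01\x00"},
    {"src": "10.20.1.4",     "dst": "203.0.113.9",  "dport": 443,  "payload": b"\x16\x03\x01\x00\x05"},
    {"src": "10.20.1.4",     "dst": "203.0.113.50", "dport": 1080, "payload": b"\x05\x02\x00\x02"},
    {"src": "198.51.100.20", "dst": "100.64.3.7",   "dport": 1080,
     "payload": b"\x05\x01\x00\x01\xc0\x00\x02\x2c\x01\xbb"},
]


def is_socks5_request(payload: bytes) -> bool:
    """RFC 1928 section 4: VER=0x05, CMD (1/2/3), RSV=0x00, ATYP, DST.ADDR, DST.PORT."""
    if len(payload) < 4 or payload[0] != 0x05 or payload[2] != 0x00:
        return False
    cmd, atyp = payload[1], payload[3]
    if cmd not in (0x01, 0x02, 0x03):
        return False
    if atyp == 0x01:                       # IPv4: 4-byte address + 2-byte port
        return len(payload) == 10
    if atyp == 0x03:                       # domain name: 1-byte length + name + port
        return len(payload) >= 5 and len(payload) == 5 + payload[4] + 2
    if atyp == 0x04:                       # IPv6: 16-byte address + 2-byte port
        return len(payload) == 22
    return False


def is_socks5_greeting(payload: bytes) -> bool:
    """RFC 1928 section 3: VER=0x05, NMETHODS, METHODS[NMETHODS]; exact length only."""
    if len(payload) < 3 or payload[0] != 0x05:
        return False
    nmethods = payload[1]
    return nmethods >= 1 and len(payload) == 2 + nmethods


def classify(payload: bytes):
    """Return 'request', 'greeting' or None. Request is tested first because a
    request's first bytes can also satisfy a lenient greeting check."""
    if is_socks5_request(payload):
        return "request"
    if is_socks5_greeting(payload):
        return "greeting"
    return None


def monitored(ip_str: str) -> bool:
    ip = ip_address(ip_str)
    return any(ip in net for net in MONITORED)


def analyze(flows):
    """Return (device_ip, reason) findings for SOCKS5 traffic touching monitored devices."""
    findings = []
    for flow in flows:
        kind = classify(flow["payload"])
        if kind is None:
            continue
        if monitored(flow["dst"]):
            findings.append((flow["dst"], f"SOCKS5 {kind} received: device acting as proxy server"))
        elif monitored(flow["src"]):
            findings.append((flow["src"], f"SOCKS5 {kind} sent: device using an external proxy"))
    return findings


if __name__ == "__main__":
    for device, reason in analyze(FLOWS):
        print(f"{device}: {reason}")
```

In a real deployment the payload comes from a network sensor (Zeek, Suricata or a packet capture), not from a SIEM log line; the SIEM side is where the "device acting as proxy server" finding should land, because an inbound SOCKS5 greeting to a phone has no legitimate explanation on most corporate networks.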
4. PHP Composer Supply-Chain Vulnerabilities – Arbitrary Command Execution
Severity: HIGH | Affected: Technology, Finance, Retail
Two high-severity command injection flaws in Composer (PHP package manager) affecting Perforce VCS integration have been disclosed with patches released. These vulnerabilities enable arbitrary command execution during dependency resolution, potentially compromising development environments and build pipelines across the PHP ecosystem. This represents a direct supply-chain risk for any organization using Composer.
Recommended Action
- Update Composer to the patched version immediately across all development environments
- Audit PHP project dependencies for any suspicious recent changes or commits
- Implement code signing verification for all Composer packages in CI/CD pipelines
- Review build logs for evidence of command injection exploitation
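Since the flaws are in Composer's Perforce VCS integration, the first question for each project is whether it uses that integration at all and whether the installed Composer is new enough. The script below is an added example, not Composer's own tooling or code from the briefing: it checks the version string printed by `composer --version` against a required minimum, and scans a `composer.json` and `composer.lock` for Perforce-type repositories and packages sourced from Perforce. The sample files and the minimum version used in the example (`2.8.0`) are constructed; take the real minimum from Composer's advisory for the patched release.

```python
"""Audit a PHP project for exposure to the Composer Perforce VCS flaws.
Added example for the briefing above; sample files and versions are constructed."""
import json
import re

# Constructed composer.json with one Perforce repository and one Git repository.
SAMPLE_COMPOSER_JSON = """
{
  "name": "example/app",
  "require": {"vendor/lib": "^1.2"},
  "repositories": [
    {"type": "perforce", "url": "//depot/example", "branch": "main"},
    {"type": "vcs", "url": "https://example.invalid/other.git"}
  ]
}
"""

# Constructed composer.lock with one package resolved from Perforce.
SAMPLE_COMPOSER_LOCK = """
{
  "packages": [
    {"name": "vendor/lib", "version": "1.2.3",
     "source": {"type": "perforce", "url": "//depot/lib", "reference": "main"}},
    {"name": "vendor/util", "version": "0.9.0",
     "source": {"type": "git", "url": "https://example.invalid/util.git", "reference": "abc123"}}
  ],
  "packages-dev": []
}
"""

# Constructed `composer --version` output (format: "Composer version X.Y.Z <date>").
SAMPLE_VERSION_OUTPUT = "Composer version 2.7.0 2026-01-01 00:00:00"


def parse_composer_version(output):
    """Extract (major, minor, patch) from `composer --version` output, or None."""
    match = re.search(r"Composer version (\d+)\.(\d+)\.(\d+)", output)
    return tuple(int(x) for x in match.groups()) if match else None


def version_at_least(installed, minimum):
    """Compare a parsed version tuple against a 'X.Y.Z' minimum string."""
    return installed is not None and installed >= tuple(int(x) for x in minimum.split("."))


def perforce_repositories(composer_json):
    """URLs of repositories declared with type 'perforce' (list or object form)."""
    repos = json.loads(composer_json).get("repositories", [])
    if isinstance(repos, dict):            # Composer also accepts a keyed object
        repos = list(repos.values())
    return [r.get("url", "?") for r in repos if isinstance(r, dict) and r.get("type") == "perforce"]


def perforce_packages(composer_lock):
    """Names of locked packages whose source is Perforce (including dev packages)."""
    data = json.loads(composer_lock)
    packages = data.get("packages", []) + data.get("packages-dev", [])
    return [p["name"] for p in packages if (p.get("source") or {}).get("type") == "perforce"]


def audit(version_output, minimum_version, composer_json, composer_lock):
    """Return (category, detail) findings; an empty list means no exposure found."""
    findings = []
    installed = parse_composer_version(version_output)
    if not version_at_least(installed, minimum_version):
        findings.append(("composer", f"installed {installed} is below required {minimum_version}"))
    findings.extend(("repository", url) for url in perforce_repositories(composer_json))
    findings.extend(("package", name) for name in perforce_packages(composer_lock))
    return findings


if __name__ == "__main__":
    # "2.8.0" is a constructed placeholder; use the patched release from the advisory.
    for category, detail in audit(SAMPLE_VERSION_OUTPUT, "2.8.0",
                                  SAMPLE_COMPOSER_JSON, SAMPLE_COMPOSER_LOCK):
        print(f"{category}: {detail}")
```

A project with no Perforce repositories and no Perforce-sourced packages is not reachable through this particular bug class, but still update Composer: build agents are shared, and the next project on the same runner may declare such a repository.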
5. Critical Risk Surge – 400% Year-Over-Year Increase Driven by AI-Assisted Development
Severity: HIGH | Affected: Technology, Finance, Healthcare
Analysis of 216 million security findings across 250 organizations reveals critical risk incidents surged by 400% year-over-year, despite raw alert volume growing only 52%. The spike is attributed to velocity created by AI-assisted development tools that accelerate code generation without corresponding security review. This trend indicates a fundamental gap between development speed and security maturity.
Recommended Action
- Establish AI-assisted code generation review policies; require human security review before merge
- Deploy SAST/DAST tools tuned for AI-generated code patterns and common vulnerabilities
- Increase security awareness training for developers using AI coding assistants
- Implement risk prioritization frameworks to focus on exploitable critical vulnerabilities vs. noise
Today’s Action Checklist
- ☐ URGENT: Deploy Microsoft KB5082200 patch and SharePoint Server zero-day fix to all systems
- ☐ URGENT: Audit router inventory and replace unsupported models; segregate network management interfaces
- ☐ URGENT: Deploy mobile threat detection and monitor for SOCKS5 proxy activity from mobile devices
- ☐ HIGH: Update PHP Composer and audit development dependencies for supply-chain tampering
- ☐ HIGH: Conduct threat hunt for Office token usage anomalies and router-originated lateral movement
- ☐ HIGH: Review and update AI-assisted code generation policies; implement mandatory security gates
- ☐ Enhance detection rules for SharePoint exploitation, token harvesting, and privilege escalation
- ☐ Validate MFA enforcement on all high-value cloud and email accounts