Cybersecurity Brief
Ransomware and credential phishing expand via AI-enabled PhaaS
Today’s reporting points to an adversary ecosystem optimizing for speed and scale: credential-theft phishing is evolving into AI-assisted phishing-as-a-service targeting Microsoft 365, while new vishing-driven groups combine AiTM/device code approaches and MFA abuse to reach high-value identity and collaboration systems.
At the same time, law-enforcement outcomes for Ryuk and BlackCat/ALPHV reinforce that ransomware groups continue to operate using repeatable processes (initial access, negotiation, deployment, extortion), and that individuals tied to these operations are being prosecuted. For executives, the combined signal is operational urgency: harden identity and session controls for Microsoft 365 and SharePoint, validate exposure paths for web/app supply chains, and ensure incident response and recovery readiness are aligned with the continuing criminal investment in ransomware activity.
Top Signals
1. AI-enabled phishing-as-a-service targets Microsoft 365 accounts
Signal strength: Early
Organizations relying on Microsoft 365 face higher risk of account takeover using AI-assisted lures plus AiTM and device code flows—meaning identity hardening, phishing-resistant controls, and rapid session/token revocation become decision-critical.
Supporting evidence
- New Forg365 phishing platform uses AI to target Microsoft 365 accounts — BleepingComputer, 2026-07-09. Describes a new PhaaS operation using AI-assisted lure generation and targeting Microsoft 365 accounts via AiTM and device code methods—directly indicating commoditized, scalable identity phishing against a major enterprise platform.
2. New vishing and MFA-abuse tactics drive SharePoint data theft
Signal strength: Early
Voice phishing and MFA abuse aimed at SharePoint environments increases likelihood of data-exfiltration incidents even when email-only controls are strong; executives should prioritize MFA implementation quality, user/telephony protections, and detection for device-code/AiTM-style patterns.
Supporting evidence
- New Helix vishing group emerges in SharePoint data theft attacks — BleepingComputer, 2026-07-09. Links identity-focused tactics (vishing, device code phishing, and MFA abuse) to theft from SharePoint—indicating an emerging playbook for collaboration-platform compromise.
3. Ransomware deployment remains active; Ryuk and BlackCat prosecutions highlight persistence
Signal strength: Strong
Multiple sentencing outcomes for Ryuk and BlackCat/ALPHV show these ransomware operations continue to cause consequential impacts; executives should validate that prevention, detection, and recovery plans reflect the same mature criminal workflow (initial access to encryption/extortion).
Supporting evidence
- Ryuk ransomware member pleads guilty in the US, faces 15 years in prison — BleepingComputer, 2026-07-10. Indicates ongoing criminal activity and use of Ryuk to encrypt victim systems after hacking U.S. companies—supporting continued threat relevance beyond isolated incidents.
- Former ransomware negotiator gets 4 years for BlackCat attacks — BleepingComputer, 2026-07-10. Documents sentencing tied to BlackCat attacks on U.S. companies, reinforcing that ransomware operations include coordinated roles such as negotiation and extortion.
- Ryuk operator pleads guilty; Blackcat/AlphV conspirator gets nearly 6-year sentence — The Record, 2026-07-10. Corroborates Ryuk and BlackCat/ALPHV plea and sentencing activity, supporting that these ransomware campaigns remain an enduring operational threat model.
4. Exploitable identity/auth bypass in Gitea Docker image enables admin impersonation
Signal strength: Early
If exploitable in common self-hosted deployment patterns, an auth bypass in the Gitea official Docker image can rapidly translate into high-privilege compromise of source code and supporting systems—executives should prioritize inventory and patching of Git platform deployments and container images.
Supporting evidence
- Hackers exploit critical auth bypass in Gitea Docker image — BleepingComputer, 2026-07-10. Reports active exploitation of a critical flaw in the official Gitea Docker image allowing impersonation of any user including administrators—indicating immediate risk to CI/CD-adjacent assets.
5. Critical web client XSS in Zimbra Classic Web Client requires fast patching
Signal strength: Early
A critical XSS affecting a widely used collaboration suite component can enable session theft and account compromise; executives should ensure web-client patch SLAs and compensating monitoring for suspicious sessions and script execution.
Supporting evidence
- Zimbra urges customers to patch critical web client XSS flaw — BleepingComputer, 2026-07-10. Calls out a critical XSS vulnerability in the Zimbra Classic Web Client, signaling a need for prompt remediation to reduce browser-based compromise risk.
Supporting Stories
Sources
- New Forg365 phishing platform uses AI to target Microsoft 365 accounts — BleepingComputer
- New Helix vishing group emerges in SharePoint data theft attacks — BleepingComputer
- Ryuk ransomware member pleads guilty in the US, faces 15 years in prison — BleepingComputer
- Former ransomware negotiator gets 4 years for BlackCat attacks — BleepingComputer
- Ryuk operator pleads guilty; Blackcat/AlphV conspirator gets nearly 6-year sentence — The Record
- Hackers exploit critical auth bypass in Gitea Docker image — BleepingComputer
- Zimbra urges customers to patch critical web client XSS flaw — BleepingComputer
- Dutch police trace Odido telco cyberattack to suspected local accomplice — The Record