An intense week on the threat landscape: an unpatched zero-day at the heart of corporate email, the inner workings of one of the world’s most active ransomware gangs exposed, a phishing platform that turns MFA into a non-factor, and Spain’s markets regulator knocked offline by a DDoS. Here’s the summary, no time wasted.

The four stories of the week

🔴 Microsoft Exchange OWA zero-day: active exploitation with no patch until June

Microsoft confirmed active exploitation of CVE-2026-42897, a zero-day in Outlook Web Access of Exchange Server on-premises (CVSS 8.1). A specially crafted email executes malicious JavaScript in the user’s browser when opened in OWA. No permanent patch is available — the next Patch Tuesday is 10 June. CISA added it to the KEV catalog on 15 May with a federal deadline of 29 May. Exchange Online and Microsoft 365 are not affected.

→ What you should do: Verify that the EEMS M2.1.x mitigation has been applied to your on-premises Exchange using the Exchange Health Checker (aka.ms/ExchangeHealthChecker). If EEMS is not enabled, run EOMT.ps1 -CVE "CVE-2026-42897". Full analysis and checklist →
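As an added example (not code from the original post, from Microsoft or from the Health Checker project), the following script inventories the Emergency Mitigation Service (EEMS) status of every on-premises Exchange server from the Exchange Management Shell and flags servers where the M2.1 mitigation is missing. It uses the MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties that EEMS exposes on the organisation and server objects. The "M2.1" prefix is taken from the post; the EOMT.ps1 path is a placeholder for wherever you downloaded the tool.

```powershell
# Added example: EEMS status report for CVE-2026-42897 mitigation M2.1.x.
# Run in the Exchange Management Shell with an account in Organization Management.
$MitigationPrefix = 'M2.1'              # from the post: EEMS mitigation M2.1.x
$EomtPath         = 'C:\EOMT\EOMT.ps1'  # placeholder: where EOMT.ps1 was downloaded

# Organisation-level switch: if this is $false, EEMS applies nothing on any server.
$orgConfig = Get-OrganizationConfig
if (-not $orgConfig.MitigationsEnabled) {
    Write-Warning 'EEMS is disabled at organisation level (Get-OrganizationConfig: MitigationsEnabled = False).'
}

# Per-server status: service enabled, mitigations applied, mitigations blocked by an admin.
$report = foreach ($server in Get-ExchangeServer) {
    $applied = @($server.MitigationsApplied)   # $null on versions without EEMS -> empty list
    $blocked = @($server.MitigationsBlocked)
    [pscustomobject]@{
        Server             = $server.Name
        EemsEnabled        = $server.MitigationsEnabled
        HasM21             = [bool]($applied | Where-Object { $_ -like "$MitigationPrefix*" })
        MitigationsApplied = $applied -join ', '
        MitigationsBlocked = $blocked -join ', '
    }
}
$report | Format-Table -AutoSize

# Servers without the mitigation get the manual fallback the post recommends. EOMT is run
# locally on each affected server, so the script prints the exact command rather than
# executing it from here.
foreach ($entry in ($report | Where-Object { -not $_.HasM21 })) {
    Write-Warning ("{0}: mitigation {1}* not applied. On that server run: & '{2}' -CVE ""CVE-2026-42897""" -f `
        $entry.Server, $MitigationPrefix, $EomtPath)
}
```

The report complements the Health Checker rather than replacing it: a server that shows the mitigation in MitigationsBlocked has had it explicitly excluded by an administrator and will not receive it automatically, which is a finding in its own right.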

🔴 Inside The Gentlemen: the world’s #2 ransomware gang got hacked

Check Point Research obtained the internal dump of The Gentlemen following the breach of their infrastructure. The revelations are exceptional: 1,570 real victims versus 332 published on their portal (78% paid silently), ransoms calibrated to each company’s exact cyber insurance ceiling via ZoomInfo, and a documented chain-victimization case in which a UK consultancy was used to attack its own client in Türkiye. The administrator is a former Qilin affiliate who built his RaaS panel using AI. Affiliates take 90% of the ransom.

→ What you should do: Your cyber insurance limit must not appear in internal communications that could be exfiltrated. Monitor corporate credentials on the underground market. Audit the security of suppliers with access to your systems. Full analysis with IoCs →

🔴 EvilTokens: the phishing platform that renders your Microsoft 365 MFA useless

EvilTokens is a PhaaS platform active since February 2026 that has compromised over 340 Microsoft 365 organisations across 7 countries. It does not steal passwords or trigger MFA alerts: it abuses the OAuth Device Code flow so the victim themselves authorises the attacker on the real Microsoft page. The resulting token gives persistent access to email, OneDrive, SharePoint and Teams — and survives a password reset. Price on Telegram: from €299/month. Originally developed by state-sponsored APT groups such as Storm-2372 and APT29, now available to any operator.

→ What you should do: Block the Device Code Flow in Entra ID Conditional Access for users who do not need to authenticate IoT devices. Review active OAuth authorisations in the tenant. Full analysis and checklist →
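As an added example covering both the device-code abuse described above and the two recommendations in this item (not code from the original post, from the EvilTokens analysis or from Microsoft), the following Microsoft Graph PowerShell script creates a Conditional Access policy that blocks the device code authentication flow for everyone except a group of users who genuinely need it, lists existing delegated OAuth grants with broad mail and file scopes, and hunts the sign-in logs for device code sign-ins. It assumes the Microsoft.Graph and Microsoft.Graph.Beta modules and an account permitted to manage Conditional Access; the group ID is a placeholder.

```powershell
# Added example: Entra ID hardening and hunting for device-code phishing.
$IotDeviceUsersGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: users who need device code sign-in

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess',
                        'Directory.Read.All', 'AuditLog.Read.All'

# 1. Conditional Access: block the device code flow tenant-wide, excluding the IoT group.
#    Created in report-only mode first; switch state to 'enabled' once the sign-in logs
#    show no legitimate use. Exclude your emergency-access accounts as with any CA policy.
$policy = @{
    displayName   = 'Block device code flow (device-code phishing mitigation)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users               = @{ includeUsers = @('All'); excludeGroups = @($IotDeviceUsersGroupId) }
        applications        = @{ includeApplications = @('All') }
        authenticationFlows = @{ transferMethods = 'deviceCodeFlow' }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 2. Review delegated OAuth authorisations, as the post advises. Grants carrying broad
#    mail/file scopes plus offline_access (refresh tokens) deserve a second look.
$suspectScopes = 'Mail.ReadWrite', 'Files.ReadWrite.All', 'Sites.ReadWrite.All', 'offline_access'
Get-MgOauth2PermissionGrant -All |
    Where-Object { $s = $_.Scope; ($suspectScopes | Where-Object { $s -like "*$_*" }).Count -gt 0 } |
    ForEach-Object {
        $client = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
        $user   = if ($_.PrincipalId) { (Get-MgUser -UserId $_.PrincipalId).UserPrincipalName } else { '(all users)' }
        [pscustomobject]@{
            Client      = $client.DisplayName
            ConsentType = $_.ConsentType      # 'Principal' = one user consented; 'AllPrincipals' = tenant-wide
            User        = $user
            Scope       = $_.Scope
        }
    } | Format-Table -AutoSize

# 3. Hunt: device code sign-ins in the last 7 days. The beta sign-in record carries the
#    authenticationProtocol field; filtering on it is done client-side here.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ss'Z'")
Get-MgBetaAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.AuthenticationProtocol -eq 'deviceCode' } |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IPAddress,
                  @{ n = 'Country'; e = { $_.Location.CountryOrRegion } } |
    Format-Table -AutoSize
```

Run section 3 before enforcing the policy: any device code sign-ins it returns are either the legitimate IoT or shared-device users who belong in the excluded group, or the sign-ins you want the policy to stop. Because the stolen token survives a password reset, a confirmed compromise also calls for revoking the user's sessions, not only changing the password.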

🔴 Spain’s CNMC website knocked offline for hours by a DDoS

Spain’s National Markets and Competition Commission (CNMC) suffered a DDoS attack on 14 May that left its website offline for several hours with a 502 Bad Gateway error. The CNMC confirmed the incident in an official statement. No public attribution. The regulator oversees energy, telecoms, transport and audiovisual markets in Spain — thousands of businesses depend on its data and rulings. DDoS attacks against Spanish public institutions have been recurring since 2022, linked to pro-Russia hacktivist groups in the NATO context.

→ What you should do: Check whether active cloud DDoS mitigation (Cloudflare, Akamai, AWS Shield) is in place for your internet-facing web services. Include your dependency on public bodies' digital services in your continuity plan. Full analysis →
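As an added example (not code from the original post), the following script is a quick external heuristic for whether a hostname is fronted by one of the providers the post names, using the DNS CNAME chain and HTTP response headers. It assumes PowerShell on Windows (Resolve-DnsName comes from the DnsClient module); the hostnames are placeholders, the signatures are well-known public markers rather than an exhaustive list, and a contracted service such as AWS Shield Advanced is not visible from outside, so "none detected" means "confirm with the owning team", not "unprotected".

```powershell
# Added example: which edge provider, if any, fronts each internet-facing hostname.
$Hostnames = 'www.example.com', 'portal.example.com'   # placeholders: your external services

# Public markers per provider: CNAME suffixes in the resolution chain, response header
# names, and a Server header pattern. AWS-hosted endpoints get Shield Standard automatically;
# Shield Advanced is a contract and cannot be detected here.
$Signatures = @(
    @{ Provider = 'Cloudflare'; Cnames = @('cloudflare.net');                                  Headers = @('cf-ray');               Server = 'cloudflare' }
    @{ Provider = 'Akamai';     Cnames = @('akamaiedge.net', 'edgekey.net', 'edgesuite.net');  Headers = @('x-akamai-transformed'); Server = 'AkamaiGHost' }
    @{ Provider = 'AWS';        Cnames = @('cloudfront.net', 'awsglobalaccelerator.com', 'amazonaws.com'); Headers = @('x-amz-cf-id'); Server = 'CloudFront' }
)

function Get-EdgeProvider {
    param([string]$Hostname)

    # 1. DNS: every CNAME in the resolution chain, lower-cased.
    $cnames = @()
    try {
        $cnames = @(Resolve-DnsName -Name $Hostname -Type A -ErrorAction Stop |
                    Where-Object { $_.Type -eq 'CNAME' } | ForEach-Object { $_.NameHost.ToLower() })
    } catch { Write-Verbose "DNS lookup failed for ${Hostname}: $_" }

    # 2. HTTP: a HEAD request; only the response headers matter.
    $headers = @{}
    try {
        $resp    = Invoke-WebRequest -Uri "https://$Hostname/" -Method Head -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
        $headers = $resp.Headers
    } catch { Write-Verbose "HTTP request failed for ${Hostname}: $_" }
    $headerNames  = @($headers.Keys | ForEach-Object { $_.ToLower() })
    $serverHeader = [string]($headers['Server'])

    # 3. Match the markers.
    $matched = foreach ($sig in $Signatures) {
        $cnameHit  = $cnames | Where-Object { $c = $_; $sig.Cnames | Where-Object { $c -like "*.$_" } }
        $headerHit = $sig.Headers | Where-Object { $headerNames -contains $_ }
        $serverHit = $serverHeader -match $sig.Server
        if ($cnameHit -or $headerHit -or $serverHit) { $sig.Provider }
    }
    $providerText = if ($matched) { @($matched) -join ', ' } else { 'none detected - confirm with the owning team' }

    [pscustomobject]@{
        Hostname = $Hostname
        Cnames   = ($cnames -join ' -> ')
        Server   = $serverHeader
        Provider = $providerText
    }
}

$Hostnames | ForEach-Object { Get-EdgeProvider -Hostname $_ } | Format-Table -AutoSize
```

A hostname that resolves directly to an address in your own or your hosting provider's range, with no edge provider in front, is the case the post is asking you to find: whatever DDoS capacity exists there is limited to that provider's network, and it should appear explicitly in the continuity plan.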

Apolo Cybersecurity: your weekly cybersecurity partner

Every Friday we break down the news that really matters for your organisation’s security. If you want to know how exposed your business is to any of these threats, we’re one click away.
