What's happening in email security: March 16-22, 2026
Email authentication passed. The phishing still landed. That's the uncomfortable headline from this week, and it comes from attackers using Microsoft's own infrastructure to send phishing emails that pass every authentication check you have.
Azure Monitor Alerts Weaponized for Callback Phishing
Threat actors are abusing Microsoft's Azure Monitor alert system to deliver phishing emails that impersonate the Microsoft Security Team. The messages pass SPF, DKIM, and DMARC checks because they genuinely originate from Microsoft's sending infrastructure.
The attack is telephone-oriented attack delivery (TOAD), sometimes called callback phishing. Victims receive what looks like a legitimate Microsoft security alert and are directed to call a phone number. That number connects to an attacker-controlled line, where voice-based social engineering takes over.
There's no content filter that catches this at the email layer. The sending domain is Microsoft's. The authentication is clean. The lure is believable.
This is a known limitation of DMARC. The protocol checks that the domain in the visible From header aligns with a domain that passed SPF or DKIM, so it verifies that a message came from infrastructure authorized to send for that domain. It says nothing about whether the content is malicious or whether a legitimate platform was abused to generate it.
No patch is coming for this because it's not a vulnerability in the traditional sense. Azure Monitor's alert system is working as designed. Microsoft will likely tighten controls on how alert content can be customized, but no timeline has been announced. Voice social engineering leaves no URL to block and no attachment to scan.
**📢 Tell your teams:** If they receive an unexpected Microsoft security alert asking them to call a number, forward it to IT before picking up the phone.
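Since authentication results cannot flag this lure, the useful signal is in the content: a "security team" framing, a phone number, a request to call, and no URL at all. The following is an added example of that triage logic, not code from the newsletter or from Microsoft; the sample message, its sender address, header values and phone number are constructed for the demonstration.

```python
"""Triage callback-phishing (TOAD) lures that pass SPF, DKIM and DMARC.

Added example. The message below is constructed: the sender address,
Authentication-Results values and body text are illustrative assumptions,
not a captured Azure Monitor alert.
"""
import re
from email import message_from_string
from email.message import Message

SAMPLE = """From: Microsoft Azure <azure-noreply@microsoft.com>
To: finance@example.com
Subject: Azure Monitor alert: security incident on your tenant
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=microsoft.com;
 dkim=pass header.d=microsoft.com; dmarc=pass action=none header.from=microsoft.com
Content-Type: text/plain; charset=utf-8

Microsoft Security Team: suspicious sign-in activity was detected on your
tenant. To keep your account active, call 1-800-555-0199 within 24 hours.
"""

# method=verdict pairs inside Authentication-Results (spf=pass, dkim=fail, ...)
_AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
# Loose North-American-style phone pattern: optional +1, then 3-3-4 digits.
_PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
_URL_RE = re.compile(r"https?://", re.IGNORECASE)
_CALL_RE = re.compile(r"\b(?:call|phone|dial|helpline)\b")
_BRAND_RE = re.compile(r"\b(?:microsoft|security team)\b")


def auth_results(msg: Message) -> dict:
    """Collect the SPF/DKIM/DMARC verdicts from every Authentication-Results header."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in _AUTH_RE.findall(header):
            results[method.lower()] = verdict.lower()
    return results


def body_text(msg: Message) -> str:
    """Plain-text body, joining text/plain parts of a multipart message."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return "\n".join(p.decode(errors="replace") for p in parts if p)
    payload = msg.get_payload(decode=True)
    return payload.decode(errors="replace") if payload else ""


def authenticated(auth: dict) -> bool:
    return all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))


def score_callback_lure(raw: str) -> dict:
    """Score the content signals of a voice-callback lure, independent of auth."""
    msg = message_from_string(raw)
    text = body_text(msg).lower()
    phones = _PHONE_RE.findall(text)
    has_url = bool(_URL_RE.search(text))
    score = 0
    if phones:
        score += 2
    if _CALL_RE.search(text):
        score += 1
    if _BRAND_RE.search(text):
        score += 1
    if phones and not has_url:
        score += 1  # voice-only lure: nothing for URL filters to act on
    return {"auth": auth_results(msg), "phones": phones,
            "score": score, "callback_lure": score >= 4}


def triage(raw: str) -> str:
    """Authenticated lures cannot be blocked on sender reputation: route them to a human."""
    r = score_callback_lure(raw)
    if r["callback_lure"]:
        return "escalate" if authenticated(r["auth"]) else "quarantine"
    return "deliver"


if __name__ == "__main__":
    print(score_callback_lure(SAMPLE), triage(SAMPLE))
```

The point of the split verdict is that a lure arriving through a sender you cannot reject still deserves a different path than ordinary mail: "escalate" hands the message and its phone number to whoever owns the callback-phishing playbook instead of letting a clean DMARC result wave it through.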
CISA Flags Zimbra XSS Exploited in Operation GhostMail
CISA added CVE-2025-66376 to its Known Exploited Vulnerabilities catalog this week after confirming active exploitation in Operation GhostMail, a campaign targeting Ukrainian government organizations.
Phishing emails containing obfuscated JavaScript were opened in vulnerable Zimbra webmail sessions. The script executed within the browser, harvesting credentials and 2FA recovery codes without redirecting users anywhere. Because the payload only fires when the webmail client renders the message, standard gateway scanning of the message in transit would not catch it. The patch has been available since November 2025. Federal agencies have until April 1, 2026 to apply it.
When Tax Season Becomes Cyberattack Season
Microsoft Threat Intelligence documented coordinated phishing campaigns using tax-related lures timed to the US and UK filing period. The campaigns use adversary-in-the-middle (AiTM) techniques paired with credential harvesting.
AiTM works by proxying authentication in real time. The victim logs in through an attacker-controlled page that relays credentials and session tokens to the real service. MFA codes are captured as they're used, producing a valid authenticated session the attacker controls. The tax lure works because filing season creates high volumes of legitimate email from unfamiliar senders, and urgency feels normal.
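To make the mechanism concrete, here is an added simulation (not Microsoft's code and not any real AiTM kit) of why a relayed one-time code yields a valid session while an origin-bound credential does not. The identity provider, proxy host, secrets and key are constructed stand-ins; HMAC is used in place of a real public-key signature to keep the example self-contained.

```python
"""Relay attack simulation: TOTP versus an origin-bound credential.

Added example. USER, PASSWORD, TOTP_SECRET, DEVICE_KEY and both origins are
made-up constants; IdentityProvider is a toy server, not a real one.
"""
import hashlib
import hmac
import secrets
import struct

USER = "victim@example.com"
PASSWORD = "correct-horse"
TOTP_SECRET = b"constructed-shared-totp-secret"
DEVICE_KEY = b"constructed-authenticator-key"        # stands in for a FIDO private key
REAL_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login.example.com.attacker.invalid"  # look-alike host the proxy serves


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code the victim reads from their app."""
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def sign_assertion(challenge: str, origin_seen: str) -> str:
    """The browser-side authenticator signs the challenge AND the origin the
    browser actually loaded, so the signature is useless from another origin."""
    msg = f"{challenge}|{origin_seen}".encode()
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).hexdigest()


class IdentityProvider:
    def __init__(self):
        self.sessions = {}
        self.pending = set()

    def _issue(self, user):
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def login_password_totp(self, user, password, code, now):
        """Password + TOTP: the server only checks that the code is current."""
        if user == USER and password == PASSWORD and \
                hmac.compare_digest(code, totp(TOTP_SECRET, now)):
            return self._issue(user)
        return None

    def new_challenge(self):
        c = secrets.token_hex(16)
        self.pending.add(c)
        return c

    def login_origin_bound(self, user, challenge, signature):
        """Origin-bound login: verified against the origin the server expects."""
        if challenge not in self.pending:
            return None
        self.pending.discard(challenge)            # single use
        expected = sign_assertion(challenge, REAL_ORIGIN)
        if user == USER and hmac.compare_digest(signature, expected):
            return self._issue(user)
        return None


def aitm_relay_totp(idp, now):
    """Proxy captures the password and freshly typed code and replays them in-window."""
    victim_code = totp(TOTP_SECRET, now)
    return idp.login_password_totp(USER, PASSWORD, victim_code, now)


def aitm_relay_origin_bound(idp):
    """Proxy fetches a real challenge; the victim's browser signs it at PROXY_ORIGIN."""
    challenge = idp.new_challenge()
    sig = sign_assertion(challenge, PROXY_ORIGIN)
    return idp.login_origin_bound(USER, challenge, sig)


def legit_origin_bound(idp):
    challenge = idp.new_challenge()
    return idp.login_origin_bound(USER, challenge, sign_assertion(challenge, REAL_ORIGIN))


if __name__ == "__main__":
    idp = IdentityProvider()
    print("relayed TOTP session:", aitm_relay_totp(idp, 1_700_000_000))
    print("relayed origin-bound session:", aitm_relay_origin_bound(idp))
```

Nothing in the TOTP path lets the server tell the proxy from the victim's browser: the code is correct, it is fresh, and it arrives before the window closes. Binding the assertion to the origin moves that distinction into something the attacker cannot forge from a look-alike host.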
AI-Assisted Phishing Campaign Harvests Biometric Data via Browser Permissions
Cyble's research team uncovered a campaign impersonating TikTok, Telegram, Instagram, and Google/Chrome. The pages don't go after credentials. They go after live camera footage, microphone audio, IP geolocation, and device fingerprints.
The pages, hosted on edgeone.app domains, use AI-generated code to request browser hardware permissions. The lures frame the requests as identity verification or account recovery ("Telegram ID Freezing," "ID Scanner," "Health Fund AI"). Once permissions are granted, data is exfiltrated via Telegram's Bot API with no attacker-controlled backend required. The code carries structured annotations and emoji-based comment formatting consistent with AI-assisted development.
No credential form appears anywhere. Victims aren't tricked into typing a password. They're tricked into granting permissions that hand over far more.
Tycoon 2FA Takedown: 59% of Compromised Accounts Had MFA Enabled
We covered the Tycoon 2FA takedown when it happened on March 4. Hornetsecurity's monthly report this week added the numbers. The platform sent over 3 million malicious messages in February 2026 alone across roughly 100,000 compromised organizations. Of successfully hijacked accounts, 59% had MFA enabled at the time. The report also flags email fuzzing as an emerging evasion pattern, where attackers embed dynamic text randomization in email templates to generate unique per-message variants, fragmenting the campaign signals that clustering-based detection depends on.
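The fuzzing point deserves a worked illustration, because the defensive response is mostly normalization before clustering. The following is an added example (not Hornetsecurity's method and not code from the report): five constructed messages, four of which are one lure with randomized account tokens, ticket numbers, a synonym swap and a zero-width-space insertion, clustered first by exact hash and then by word-shingle similarity after normalization. Thresholds and the placeholder scheme are assumptions.

```python
"""Cluster randomized ("fuzzed") phishing variants after normalization.

Added example. MESSAGES are constructed; the normalization rules and the
0.5 Jaccard threshold are assumptions, not values from the report.
"""
import hashlib
import re

MESSAGES = [
    "Action required: your mailbox ACCT-7731 is 97% full. Ticket 48213. "
    "Sign in to keep receiving mail. Ref k2p9",
    "Action required: your mailbox ACCT-1190 is 99% full. Ticket 77502. "
    "Sign in to keep receiving mail. Ref z8m1",
    "Action required: your mailbox ACCT-4402 is 95% full. Ticket 30917. "
    "Sign in to continue receiving mail. Ref q4x7",          # synonym swap
    "Action required: your mail\u200bbox ACCT-6018 is 98% full. Ticket 11384. "
    "Sign in to keep receiving mail. Ref h7t3",              # zero-width space
    "Lunch menu for Thursday: tacos, salad and soup. Reply by noon if you want a plate.",
]

_ZERO_WIDTH = re.compile(r"[\u200b-\u200d\u2060\ufeff]")
_DIGIT_TOKEN = re.compile(r"\b\w*\d\w*\b")   # any token that carries a digit


def normalize(text: str) -> str:
    """Strip the knobs a template randomizer turns: case, digits, invisible chars, punctuation."""
    t = _ZERO_WIDTH.sub("", text).lower()
    t = _DIGIT_TOKEN.sub("#", t)           # ACCT-7731, 97%, k2p9 -> "#"
    t = re.sub(r"[^\w\s#]", " ", t)        # punctuation -> whitespace
    return re.sub(r"\s+", " ", t).strip()


def shingles(text: str, n: int = 3) -> set:
    """Word n-grams of the normalized text; tolerant of local edits like synonym swaps."""
    toks = normalize(text).split()
    if len(toks) < n:
        return {" ".join(toks)}
    return {" ".join(toks[i:i + n]) for i in range(len(toks) - n + 1)}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a or b) else 1.0


def exact_clusters(messages) -> int:
    """Exact-hash bucketing: each randomized variant lands in its own bucket."""
    return len({hashlib.sha256(m.encode()).hexdigest() for m in messages})


def cluster(messages, threshold: float = 0.5):
    """Greedy single-pass clustering on shingle similarity to the first member."""
    clusters = []   # (representative shingle set, member indices)
    for i, m in enumerate(messages):
        s = shingles(m)
        for rep, members in clusters:
            if jaccard(rep, s) >= threshold:
                members.append(i)
                break
        else:
            clusters.append((s, [i]))
    return [members for _, members in clusters]


if __name__ == "__main__":
    print("exact-hash buckets:", exact_clusters(MESSAGES))
    print("normalized clusters:", cluster(MESSAGES))
```

Exact hashing puts the five messages in five buckets, which is precisely what per-message randomization is built to achieve; after normalization the four lure variants collapse into one cluster and the unrelated lunch notice stays separate. In production the same idea applies to subject lines, display names and link paths, with the placeholder rules tuned to whatever the campaign is actually randomizing.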
- Intuitive Surgical Discloses Phishing Attack
Attackers stole employee credentials via phishing and accessed internal IT applications, with network segmentation preventing lateral movement to the company's surgical platforms.
- Konni Group Deploys EndRAT Through Spear-Phishing, Spreads via KakaoTalk
North Korean threat actor Konni used spear-phishing emails disguised as official appointment notices to deploy a remote access trojan, then distributed malicious files to the victim's contacts via compromised KakaoTalk accounts.
- Horabot Banking Trojan Returns with Email Spreader Targeting Mexico
A new Horabot campaign uses a PowerShell-based email spreading module to mass-distribute phishing PDFs from the victim's own mailbox contacts, with 93% of victims located in Mexico.
- Proton Mail Shared User Payment Metadata with Authorities
Under a Swiss legal order, Proton Mail disclosed payment metadata for a subscriber's account, and that information was subsequently passed on to the FBI. Email content remained protected by end-to-end encryption.