Cyber Threat Intelligence

Identity Abuse and Trusted-Link Phishing

Written by Kyle Gill, Information Security Officer | Mar 12, 2026 5:08:01 PM

1) Executive Summary

The most decision-relevant cyber activity since March 1 centers on identity abuse, active exploitation of enterprise management software, and the continued industrialization of phishing services. Microsoft documented OAuth redirect abuse that can move users from trusted login pages to attacker infrastructure. CISA added VMware Aria Operations and Ivanti Endpoint Manager vulnerabilities to KEV because they are being exploited in the wild. Europol announced disruption of the Tycoon 2FA platform, confirming that adversaries continue to operationalize MFA-bypass phishing at scale. Microsoft also published its March security release, increasing normal patch pressure across Windows and Microsoft 365 estates.

Key Developments

    • OAuth redirect abuse: Microsoft reported campaigns abusing legitimate OAuth redirection behavior to deliver phishing pages or malware. The technique can make malicious links appear to begin on trusted identity-provider domains and is relevant to employee mailbox compromise, session theft, and BEC-style staging.
    • VMware Aria Operations added to KEV: CISA added CVE-2026-22719 to the KEV catalog on March 3. The flaw can allow unauthenticated command execution in support-assisted migration workflows, making any reachable Aria Operations deployment an urgent review target.
    • Tycoon 2FA disruption: Europol announced a coordinated operation against Tycoon 2FA, a phishing-as-a-service platform designed to intercept live MFA sessions and enable large-scale account compromise. The disruption is positive, but the tradecraft remains valid and likely to reappear under new branding.
    • Ivanti Endpoint Manager added to KEV: CISA added CVE-2026-1603 to KEV on March 10. The vulnerability is described as an authentication bypass that could allow a remote unauthenticated attacker to leak stored credential data.
    • Microsoft March Patch Tuesday: Microsoft published its March 2026 security updates on March 10. Secondary reporting indicates 79 flaws were addressed, including two publicly disclosed zero-days, making this an important validation and patching cycle for Microsoft-heavy environments.
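As an added illustration of the kind of check a mailbox-security or link-rewriting team might run against links that begin on a trusted identity-provider domain, the Python below inspects the redirect parameters carried by such a link and flags destinations that fall outside an organization's own allowlist. This is example code written for this brief; it is not Microsoft's research, a vendor product, or a description of any specific campaign. The identity-provider host set, the allowed application hosts, the parameter names checked, the all-zero `client_id` placeholder and the sample links are all constructed assumptions.

```python
from urllib.parse import parse_qs, unquote, urlparse

# Assumed allowlists for the example: the IdP hosts a trusted link may start on,
# and the application hosts an authorization flow is allowed to redirect back to.
TRUSTED_IDP_HOSTS = {"login.microsoftonline.com", "login.live.com"}
ALLOWED_REDIRECT_HOSTS = {"app.example-bank.test", "portal.example-bank.test"}

# Query parameters that carry a post-authentication destination (assumed set; extend per IdP).
REDIRECT_PARAMS = ("redirect_uri", "post_logout_redirect_uri", "wreply", "ReturnUrl")


def extract_redirect_targets(url: str) -> list[str]:
    """Return every redirect destination carried in the link's query string.

    parse_qs already percent-decodes once; the extra unquote() catches
    double-encoded values so a destination cannot hide behind %253A%252F%252F.
    """
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    targets = []
    for name in REDIRECT_PARAMS:
        for value in query.get(name, []):
            targets.append(unquote(value))
    return targets


def classify_link(url: str) -> dict:
    """Classify one URL: not an IdP link, an IdP link whose redirects are
    sanctioned, or an IdP link whose redirect leaves the allowlist."""
    host = (urlparse(url).hostname or "").lower()
    if host not in TRUSTED_IDP_HOSTS:
        return {"url": url, "verdict": "not_idp", "targets": [], "offending": []}

    targets = extract_redirect_targets(url)
    offending = []
    for target in targets:
        parsed = urlparse(target)
        if not parsed.netloc:
            # A relative path stays on the IdP itself; nothing to flag.
            continue
        target_host = (parsed.hostname or "").lower()
        # Exact host match: lookalike subdomains and userinfo tricks do not pass.
        if parsed.scheme != "https" or target_host not in ALLOWED_REDIRECT_HOSTS:
            offending.append(target)

    verdict = "suspicious_redirect" if offending else "ok"
    return {"url": url, "verdict": verdict, "targets": targets, "offending": offending}


# Constructed sample links (the client_id is an all-zero placeholder, not a real app).
_AUTHZ = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
_CLIENT = "client_id=00000000-0000-0000-0000-000000000000&response_type=code&scope=openid"
SAMPLE_LINKS = [
    # sanctioned redirect back to the bank's own application host
    f"{_AUTHZ}?{_CLIENT}&redirect_uri=https%3A%2F%2Fapp.example-bank.test%2Fsignin-oidc",
    # redirect to a host outside the allowlist
    f"{_AUTHZ}?{_CLIENT}&redirect_uri=https%3A%2F%2Fsignin-verify.example%2Fo365",
    # double-encoded destination on a logout endpoint
    "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
    "?post_logout_redirect_uri=https%253A%252F%252Fmailbox-update.example%252F",
    # allowlisted name used as a prefix of an unrelated domain
    f"{_AUTHZ}?{_CLIENT}&redirect_uri=https%3A%2F%2Fapp.example-bank.test.evil-redirect.example%2Fcb",
    # ordinary link that never touches an IdP
    "https://news.example/article",
]


def scan_links(links=SAMPLE_LINKS) -> list[dict]:
    """Classify each link; the caller decides whether to block, rewrite or alert."""
    return [classify_link(u) for u in links]


if __name__ == "__main__":
    for result in scan_links():
        print(result["verdict"], "->", result["offending"] or result["targets"])
```

The allowlist is matched on the exact host rather than a suffix, which is what keeps the fourth sample link from passing; in production the allowed hosts would come from the registered reply URLs of the tenant's own app registrations rather than a hard-coded set.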

Reporting Window Timeline

    • March 2: Microsoft OAuth redirect abuse research published
    • March 3: VMware Aria Operations added to KEV
    • March 4: Tycoon 2FA takedown announced
    • March 10: Ivanti EPM added to KEV
    • March 10: Microsoft March updates published, addressing 79 flaws, including 2 publicly disclosed zero-days

2) Why This Matters To a Regulated Bank

    • Identity abuse
      Business risk: Trusted-brand login flows can increase employee click-through and make phishing or malware delivery harder to detect early.
      Control emphasis: Review Entra app consent, third-party app exposure, risky sign-ins, token/session revocation steps, and mailbox compromise playbooks.
    • Management-plane vulnerabilities
      Business risk: Security or endpoint-management platforms can provide privileged reach across the estate if exploited.
      Control emphasis: Prioritize KEV-listed vulnerabilities, validate internet exposure, and review vendor emergency patch procedures.
    • MFA bypass phishing
      Business risk: Session theft can defeat traditional MFA even when passwords are not reused.
      Control emphasis: Favor phishing-resistant authentication where feasible and improve AiTM/session anomaly detection.
    • Operational load
      Business risk: March Microsoft updates add normal patch and testing demand across endpoint, server, and collaboration services.
      Control emphasis: Track validation windows, emergency exceptions, and rollback readiness for critical systems.
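To make the "AiTM/session anomaly detection" control emphasis concrete, here is an added Python example, written for this brief and not taken from the original report or any vendor, that replays a few constructed sign-in records through one simple rule: a session that satisfied MFA interactively and is then used from a different network is flagged, with higher severity the sooner the change follows the sign-in. The record schema, field names, ASN values, addresses and the 30-minute window are assumptions chosen for the example, not Entra's own log format.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# How soon after an MFA-satisfied sign-in a network change is treated as a likely
# relayed session rather than ordinary roaming (assumed threshold for the example).
REPLAY_WINDOW = timedelta(minutes=30)

# Constructed sign-in records in a simplified, assumed schema (not Entra's own).
# RFC 5737 documentation addresses and private-use ASNs are used throughout.
SAMPLE_LOG = """\
{"ts":"2026-03-05T08:02:10Z","user":"a.smith","event":"interactive_signin","mfa":"satisfied","ip":"203.0.113.10","asn":"AS64500","session_id":"s-1"}
{"ts":"2026-03-05T08:03:40Z","user":"a.smith","event":"token_refresh","mfa":"satisfied_by_token","ip":"198.51.100.77","asn":"AS64511","session_id":"s-1"}
{"ts":"2026-03-05T09:15:00Z","user":"b.jones","event":"interactive_signin","mfa":"satisfied","ip":"203.0.113.22","asn":"AS64500","session_id":"s-2"}
{"ts":"2026-03-05T09:40:00Z","user":"b.jones","event":"token_refresh","mfa":"satisfied_by_token","ip":"203.0.113.22","asn":"AS64500","session_id":"s-2"}
{"ts":"2026-03-05T10:00:00Z","user":"c.lee","event":"interactive_signin","mfa":"satisfied","ip":"203.0.113.30","asn":"AS64500","session_id":"s-3"}
{"ts":"2026-03-05T14:00:00Z","user":"c.lee","event":"token_refresh","mfa":"satisfied_by_token","ip":"192.0.2.5","asn":"AS64496","session_id":"s-3"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines sign-in records and return them in time order."""
    events = []
    for line in text.strip().splitlines():
        record = json.loads(line)
        record["ts"] = datetime.strptime(record["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(record)
    return sorted(events, key=lambda e: e["ts"])


def detect_session_anomalies(events: list[dict], window: timedelta = REPLAY_WINDOW) -> list[dict]:
    """Flag sessions whose MFA-satisfied sign-in is followed by use from another network.

    Severity is "high" when the network change lands inside the replay window
    (the pattern a relayed session leaves) and "medium" when it lands later,
    where legitimate roaming is a more plausible explanation.
    """
    by_session = defaultdict(list)
    for event in events:
        by_session[event["session_id"]].append(event)

    findings = []
    for session_id, session_events in by_session.items():
        anchor = next(
            (e for e in session_events if e["event"] == "interactive_signin" and e["mfa"] == "satisfied"),
            None,
        )
        if anchor is None:
            continue  # no MFA-satisfied sign-in to compare later activity against
        for event in session_events:
            if event is anchor or event["asn"] == anchor["asn"]:
                continue
            delta = event["ts"] - anchor["ts"]
            findings.append({
                "session_id": session_id,
                "user": event["user"],
                "severity": "high" if delta <= window else "medium",
                "signin_ip": anchor["ip"],
                "later_ip": event["ip"],
                "minutes_after_signin": round(delta.total_seconds() / 60, 1),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_session_anomalies(parse_events(SAMPLE_LOG)):
        print(json.dumps(finding))
```

The rule keys on the autonomous system rather than the raw IP so that an address change inside one carrier's pool does not fire; a "high" finding is the natural trigger for the token/session revocation step listed in the control emphasis above.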


Data visualizations

The following graphs translate the period’s reported facts into quick decision visuals for leadership and operational teams.

Figure 4. Quantified security signals from the March 1-10 reporting window

This chart highlights the scale of patch pressure relative to the other material developments observed in the reporting period.

Graph data:

    • Microsoft flaws fixed: 79
    • Publicly disclosed zero-days: 2
    • KEV additions in window: 2
    • Major Phishing-as-a-Service disruption: 1

Figure 5. Event chronology and clustering of high-priority developments

The event pattern shows significant clustering from March 2-4 and renewed urgency on March 10 as new KEV and Microsoft update activity landed.


Graph data:

    • Mar 2: Microsoft OAuth redirect abuse research
    • Mar 3: VMware Aria Ops added to KEV
    • Mar 4: Tycoon 2FA takedown
    • Mar 10: Ivanti EPM added to KEV
    • Mar 10: Microsoft March updates - 79 flaws / 2 zero-days 

Figure 6. Action matrix derived from the reporting window

This chart plots each recommended action by business impact and urgency so that the highest-priority items stand out from those suited to planned execution or monitoring.


Graph data:

    • Patch KEV assets — Business impact: 8.9 / Urgency: 9.2
    • Review OAuth app consent — Business impact: 8.0 / Urgency: 8.4
    • Hunt redirect-abuse IOCs — Business impact: 7.0 / Urgency: 8.0
    • User advisory on trusted-login phishing — Business impact: 6.0 / Urgency: 6.5
    • Validate token/session revocation — Business impact: 5.4 / Urgency: 7.4

Quadrant labels:

    • Highest priority
    • Strategic / monitor
    • Planned execution
    • Lower urgency