Cyber Threat Intelligence

Identity Abuse and Trusted-Link Phishing

Written by Kyle Gill, Information Security Officer | Mar 12, 2026 5:08:01 PM

1) Executive Summary

The most decision-relevant cyber activity since March 1 centers on identity abuse, active exploitation of enterprise management software, and the continued industrialization of phishing services. Microsoft documented OAuth redirect abuse that can move users from trusted login pages to attacker infrastructure. CISA added VMware Aria Operations and Ivanti Endpoint Manager vulnerabilities to KEV because they are being exploited in the wild. Europol announced disruption of the Tycoon 2FA platform, confirming that adversaries continue to operationalize MFA-bypass phishing at scale. Microsoft also published its March security release, increasing normal patch pressure across Windows and Microsoft 365 estates.

Key Developments

    • OAuth redirect abuse: Microsoft reported campaigns abusing legitimate OAuth redirection behavior to deliver phishing pages or malware. The technique can make malicious links appear to begin on trusted identity-provider domains and is relevant to employee mailbox compromise, session theft, and BEC-style staging.
    • VMware Aria Operations added to KEV: CISA added CVE-2026-22719 to the KEV catalog on March 3. The flaw can allow unauthenticated command execution in support-assisted migration workflows, making any reachable Aria Operations deployment an urgent review target.
    • Tycoon 2FA disruption: Europol announced a coordinated operation against Tycoon 2FA, a phishing-as-a-service platform designed to intercept live MFA sessions and enable large-scale account compromise. The disruption is positive, but the tradecraft remains valid and likely to reappear under new branding.
    • Ivanti Endpoint Manager added to KEV: CISA added CVE-2026-1603 to KEV on March 10. The vulnerability is described as an authentication bypass that could allow a remote unauthenticated attacker to leak stored credential data.
    • Microsoft March Patch Tuesday: Microsoft published its March 2026 security updates on March 10. Secondary reporting indicates 79 flaws were addressed, including two publicly disclosed zero-days, making this an important validation and patching cycle for Microsoft-heavy environments.

Reporting Window Timeline

    • March 2: Microsoft OAuth redirect abuse research published
    • March 3: VMware Aria Operations added to KEV
    • March 4: Tycoon 2FA takedown announced
    • March 10: Ivanti EPM added to KEV
    • March 10: Microsoft March updates published, including 79 flaws and 2 publicly disclosed zero-days

2) Why This Matters To a Regulated Bank

Theme Business Risk Control Emphasis
Identity Abuse Trusted-brand login flows can increase employee click-through and make phishing or malware delivery harder to detect early. Review Entra app consent, third-party app exposure, risky sign-ins, token/session revocation steps, and mailbox compromise playbooks.
Management-plane vulnerabilities Security or endpoint-management platforms can provide privileged reach across the estate if exploited. Prioritize KEV-listed vulnerabilities, validate internet exposure, and review vendor emergency patch procedures.
MFA bypass phishing Session theft can defeat traditional MFA even when passwords are not reused. Favor phishing-resistant authentication where feasible and improve AiTM/session anomaly detection.
Operational load March Microsoft updates add normal patch and testing demand across endpoint, server, and collaboration services. Track validation windows, emergency exceptions, and rollback readiness for critical systems.

 

Data visualizations

The following graphs translate the period’s reported facts into quick decision visuals for leadership and operational teams.
View full post