Today’s pattern is blunt: attackers are abusing trusted chat, trusted SaaS identity, and trusted AI infrastructure faster than most teams can patch or verify.
Top line: Three stories deserve immediate attention this morning: a Microsoft Teams social-engineering chain that ends in domain compromise, a real-world vishing-to-SaaS breach at ADT, and an AI-serving SSRF bug that was probed in under half a day.
Google’s Mandiant says UNC6692 is using email bombing and Microsoft Teams impersonation to pressure employees into installing a fake anti-spam patch. The victim actually gets a dropper that launches the Snow toolset: the SnowBelt browser extension, the SnowGlaze tunneler, and the SnowBasin Python backdoor. From there, the operators dump LSASS, move laterally, reach domain controllers, and exfiltrate Active Directory material. This is not just another phishing email. It is a chat-native intrusion path built to look like internal support.
ADT says attackers accessed and stole customer and prospective-customer information, including names, phone numbers, addresses, and, in a smaller set of cases, dates of birth and the last four digits of SSNs or tax IDs. ShinyHunters told BleepingComputer the intrusion started with a vishing attack against an employee’s Okta SSO account and then expanded into Salesforce. Whether every attacker claim holds or not, the operational lesson is obvious: once a trusted SaaS identity falls, connected business platforms become the blast radius.
The LMDeploy SSRF flaw, CVE-2026-33626, was reportedly exploited within 12 hours and 31 minutes of disclosure. Attackers used the vision-language image loader to probe AWS metadata, Redis, MySQL, local admin surfaces, and an external callback endpoint. That matters because LMDeploy is exactly the kind of LLM-serving component teams deploy quickly and review lightly. When advisories hand over the root cause and affected code path, attackers do not wait for your next sprint.
Bottom line: Today’s pattern is blunt: attackers are abusing trusted chat, trusted SaaS identity, and trusted AI infrastructure faster than most teams can patch or verify.
KENSAI helps teams surface exposed attack paths across identity workflows, SaaS platforms, collaboration tools, and AI infrastructure before attackers turn normal business trust into breach access.
Free Scan →Stay sharp.
🗡️ KENSAI Security Team