SIGNALS WEEKLY: ShinyHunters, Vishing, and the MFA Hijack Problem in SaaS

MFA isn’t “done.” It’s now the excuse attackers use on the phone. ☎️😈🔑 Vishing → MFA reset/re-enroll → post-login SaaS data grabs. Plus: selective Notepad++ updater abuse + proxy traffic making IP rep cry.

[FORECAST] ShinyHunters SaaS Data Theft: Why Non-Ransom Monetization Looks Increasingly Attractive

Our new forecast asks: will ShinyHunters make more in 2H 2026 by selling SaaS access/data than by getting paid? Signals say yes. 🕵️‍♂️💸☁️

The Next AI Security Frontier: “Agents With Hands” Are Becoming a Board-Level Risk

Your new “AI helper” is basically shadow IT with hands 🤖🧨 Untrusted content → model decides → tools execute. That’s the breach loop.

SIGNALS WEEKLY: Teams QR/callback phishing beats patching

KEV speedrun of the week 🏁: Office CVE-2026-21509 + WinRAR CVE-2025-8088. Patch anyway… then protect sessions 🍪 (Teams QR/callback lures 📱, SSO/SAML token abuse)

If your “AI Coworker” Gets Targeted, What Tips You Off First?

Your “AI coworker” isn’t the breach. The OAuth trust event is. 🔥🕵️‍♂️ Device-code phishing + consent traps = “approve to exfil.” (And yes, AI agents are already being used as the wrapper.)

No malware required: device-code phishing + Teams as the intrusion surface

No malware. Still owned. 🧾🔑💬 Device-code phishing + Teams as the “lobby” + stolen OAuth tokens = API-speed SaaS exfil. If you’re hunting binaries, you’re late.

SIGNALS WEEKLY: When Management Planes Become the Battlefield

🛫 Your “management plane” is now the battlefield. Cisco Secure Email + HPE OneView are seeing active exploitation, and UAT-8837 is chasing CI targets. Patch like it’s a fire drill. 🔥🧯

[FORECAST] Integrator CI/CD Compromise by End-2026?

OWASP Top 10:2025 put Software Supply Chain Failures front-and-center. 🧩⚙️ Now the fun question: by end-2026, do we get public root-cause confirmation that an industrial integrator’s CI/CD/build/signing or update channel led to 2+ critical-infra intrusions? 😬

Iran’s Internet Went to Zero on Jan 8—Will Account Takeovers Spike in the Next 2–3 Weeks?

Iran’s internet goes dark → attackers don’t stop. They speed-run creds and hit post-auth collection the moment connectivity blips back. ⏱️🔑👀

SIGNALS WEEKLY: Taiwan Critical Infrastructure: Reports of China-Linked Probing and Prepositioning

🧭 Taiwan CI pressure looks like recon + access maintenance, not a one-off headline. 🩹 Patch Tuesday + KEV = attacker shopping list. ☁️ And Salesforce Aura/Experience Cloud exposure? No patch… just “surprise, it’s public.”

Deepfake BEC & Payment Diversion: The Q1 2026 Fraud PIR You Can’t Defer

Deepfake BEC = the same old fraud… with a way better script. 🎭💸 If payroll/AP changes can happen on “sounds right,” you’re funding someone’s Q1 bonus.

[FORECAST] CoPhish: The Microsoft Copilot Link That Hands Over Your OAuth Tokens

Will at least one publicly disclosed enterprise breach be confirmed where attackers used a Microsoft Copilot Studio..