weekly
SIGNALS WEEKLY: Teams QR/callback phishing beats patching
KEV speedrun of the week 🏁: Office CVE-2026-21509 + WinRAR CVE-2025-8088. Patch anyway… then protect sessions 🍪 (Teams QR/callback lures 📱, SSO/SAML token abuse)
identity
No malware. Still owned. 🧾🔑💬 Device-code phishing + Teams as the “lobby” + stolen OAuth tokens = API-speed SaaS exfil. If you’re hunting binaries, you’re late.
weekly
🛫 Your “management plane” is now the battlefield. Cisco Secure Email + HPE OneView are seeing active exploitation, and UAT-8837 is chasing CI targets. Patch like it’s a fire drill. 🔥🧯
forecasts
OWASP Top 10:2025 put Software Supply Chain Failures front-and-center. 🧩⚙️ Now the fun question: by end-2026, do we get public root-cause confirmation that an industrial integrator’s CI/CD/build/signing or update channel led to 2+ critical-infra intrusions? 😬
iran
Iran’s internet goes dark → attackers don’t stop. They speed-run creds and hit post-auth collection the moment connectivity blips back. ⏱️🔑👀
weekly
🧭 Taiwan CI pressure looks like recon + access maintenance, not a one-off headline. 🩹 Patch Tuesday + KEV = attacker shopping list. ☁️ And Salesforce Aura/Experience Cloud exposure? No patch… just “surprise, it’s public.”
PIR
Deepfake BEC = the same old fraud… with a way better script. 🎭💸 If payroll/AP changes can happen on “sounds right,” you’re funding someone’s Q1 bonus.
forecasts
Will at least one publicly disclosed enterprise breach be confirmed where attackers used a Microsoft Copilot Studio..
weekly
MongoBleed is in KEV: unauth MongoDB memory leak = creds/tokens. Patch + find exposed hosts. Dolby fix + poisoned dev tools too. 🧯🧬👇
geopolitics
2026 prediction: “sovereign cloud” becomes the #1 way to accidentally create telemetry refugees 🛂☁️ Meanwhile: DPRK “IT workers” in the supply chain + OAuth consent hijacks that laugh at MFA 🔑🎭 What’s your log-clears-customs plan?
oauth
2026’s nastiest SaaS breaches will ride valid tokens + “trusted” apps. We already got the trailer with the Salesloft/Drift OAuth blast radius. And the browser? Yeah, it’s part of the perimeter now. 😬🔑💬
forecasts
20% odds Akira triggers a 7-day ambulance diversion at a 10+ hospital system by end of 2026. 🚑 Still feeling “low risk”?