Daylila

Cybersecurity · Wednesday, 3 June 2026

01 · Briefing · what happened

A stock exchange spied on for five months, and a phishing kit that walks past your second check

Cybersecurity · 7 min · 8 sources

An espionage crew lived inside a finance executive's inbox for months using ordinary Windows tools. A phishing kit shows why your login code can be the weak link. Plus a half-million-person breach, an exploited Linux flaw, and a fight over who gets to report bugs.

Key takeaways

  • The strongest attacks don't break the locks: an espionage crew lived inside a finance executive's inbox for five months using ordinary Windows tools.
  • A phishing kit shows how attackers walk past your second login check, so a two-factor code isn't a guarantee.
  • Two breaches traced back to the same weak spot — third-party vendors — alongside actively exploited Linux and WordPress flaws.

A quiet pattern runs through today’s news: the strongest attacks don’t break the locks. They borrow legitimate tools, trusted logins, and ordinary-looking files, then walk straight in. Here’s what happened, how each one worked, and what it means for you.

Five months inside an inbox, using tools that were already there

Researchers at Symantec and Carbon Black, two threat-intelligence teams, disclosed this week that an unknown attacker spied on a senior executive at a major global stock exchange for at least five months [1][2]. The exchange wasn’t named.

The attacker didn’t smash anything. They got administrative control of the executive’s machine, then leaned on software the computer already trusted. One piece of their malware was disguised as Adobe software; another posed as OneDrive [2]. To stay hidden, they set a fake “Lenovo system health check” to run on a schedule — a detail that shows they knew the exact machine they were on [2]. Stolen data left through Dropbox, so it looked like normal traffic rather than an alarm [2].

This is called “living off the land”: using the system’s own legitimate tools and trusted names so the activity blends in. It works because security software is tuned to flag strange new programs, and here the malicious pieces wore familiar labels while the persistence ran through an ordinary Windows scheduled task. The first sign investigators caught likely came from “lateral movement”, the attacker hopping from an already-compromised device to this one [2]. By the time anyone noticed, they were already in.
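The practical check behind that paragraph is to look at what is scheduled to run and whether the name matches the binary. The following is an added example, not code from Symantec, Carbon Black or Daylila: it triages scheduled-task records for vendor masquerading, flagging a task whose name borrows a vendor (like the fake “Lenovo system health check”) but whose executable sits outside that vendor’s install directories or carries the wrong Authenticode signer. The task records are constructed, and VENDOR_HINTS is an illustrative allow-list you would tune for your own fleet.

```python
"""
Triage of Windows scheduled tasks for vendor masquerading. Added example with
constructed data; VENDOR_HINTS and TRUSTED_ROOTS are illustrative, not a
vendor's official list. Feed it the tasks' action paths (schtasks /query /xml or
Get-ScheduledTask) plus the signer of each action binary.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# name fragment -> (acceptable signer prefixes, directories the vendor installs into)
VENDOR_HINTS = {
    "lenovo": (("Lenovo",),
               (r"C:\Program Files\Lenovo", r"C:\Program Files (x86)\Lenovo")),
    "adobe":  (("Adobe Inc.", "Adobe Systems"),
               (r"C:\Program Files\Adobe", r"C:\Program Files (x86)\Adobe",
                r"C:\Program Files\Common Files\Adobe",
                r"C:\Program Files (x86)\Common Files\Adobe")),
}
# Locations a standard user cannot write to; a task scheduled from elsewhere deserves a look
TRUSTED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")


@dataclass
class Task:
    name: str
    exe: str                  # path of the task action's executable
    signer: Optional[str]     # Authenticode subject name, None if unsigned


def under(path: str, roots) -> bool:
    """True if `path` lies beneath any of `roots` (case-insensitive, like NTFS)."""
    p = PureWindowsPath(path)
    return any(p.is_relative_to(PureWindowsPath(r)) for r in roots)


def triage(task: Task) -> list:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    lowered = task.name.lower()
    for vendor, (signers, roots) in VENDOR_HINTS.items():
        if vendor not in lowered:
            continue
        if not under(task.exe, roots):
            findings.append(f"name claims {vendor} but binary is outside {vendor}'s install dirs")
        if task.signer is None or not task.signer.startswith(signers):
            findings.append(f"name claims {vendor} but signer is {task.signer!r}")
    if not findings and task.signer is None and not under(task.exe, TRUSTED_ROOTS):
        findings.append("unsigned binary scheduled from a user-writable location")
    return findings


def triage_all(tasks) -> dict:
    return {t.name: triage(t) for t in tasks}


# Constructed sample: one masquerading task, one wrong-signer task, two legitimate ones.
SAMPLE_TASKS = [
    Task("Lenovo System Health Check",
         r"C:\Users\jdoe\AppData\Local\Temp\lshc.exe", None),
    Task("Adobe Flash Player Updater",
         r"C:\Program Files (x86)\Adobe\Flash\update.exe", "Contoso Ltd"),
    Task("Adobe Acrobat Update Task",
         r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe", "Adobe Inc."),
    Task("GoogleUpdateTaskMachineUA",
         r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe", "Google LLC"),
]

if __name__ == "__main__":
    for name, findings in triage_all(SAMPLE_TASKS).items():
        print(f"{name}: {findings or 'ok'}")
```

Treat the path check as a prompt for a look rather than a verdict: per-user installs (OneDrive, Teams and others) legitimately run from AppData, so the hint table needs per-vendor tuning before it goes into a detection rule. The signer check is the stronger signal, because an attacker can pick any task name but cannot obtain the vendor’s code-signing key.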

The prize was the inbox itself. Months of one finance executive’s email — contacts, calendars, deal details. As the researchers put it, that access lets an attacker “build a near-complete picture of the target’s working life and the organization’s near-term direction” [2]. At a stock exchange, that can mean non-public information about listings and market-moving events [2].

What we still don’t know: who was behind it, and how they first got in [1][2]. The trail picks up on October 10, 2025, already deep inside [2].

For you: the lesson isn’t about exchanges — it’s that a quiet, patient intruder leaves almost no obvious trace. The defence is layers, not one wall: a separate login check on email, alerts when a new device signs in, and treating an unexpected “verify your account” prompt as suspicious until proven otherwise.

A phishing kit that gets past your second login check

The FBI flagged a phishing kit called Kali365 last month, and a new report from security firm Arctic Wolf says it’s expanding fast [8]. It started by attacking Microsoft 365 accounts. Now it targets Amazon’s AWS, the login service Okta, and several Russian platforms — including MAX Messenger, a state-backed app with more than 80 million users [8].

Here’s the part worth understanding. Many people now use multi-factor authentication — a second check beyond your password, like a code from an app. It blocks attackers who only have your password. Kali365 gets around it with “device code phishing.”

Device codes are the short codes a smart TV or printer shows you, which you type into your phone to finish signing in [8]. The attack abuses that flow. The criminal starts a real login request, then tricks you — through a fake “shared OneDrive file” or a “security verification” email — into typing the code on the genuine login page [8]. You authenticate, you complete your second check, and the service issues the access tokens to the attacker’s waiting session [8]. They never needed your password, and no fake login page was involved; your second check didn’t stop them, because you did the verifying for them [8].
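To make the mechanics concrete, here is an added simulation of that flow, the OAuth 2.0 device authorization grant (RFC 8628), with the attacker playing the “device” and the victim playing the user. It is not Daylila’s, Arctic Wolf’s or the FBI’s code and not the Kali365 kit; the class and endpoint names are hypothetical, and the three steps follow RFC 8628 sections 3.1 to 3.5. It also shows the one knob that closes the door entirely: a tenant policy that refuses to start the device code flow at all.

```python
"""
Device-code phishing on top of the OAuth 2.0 device authorization grant
(RFC 8628). Added, self-contained simulation; names are hypothetical.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Optional

USER_CODE_TTL = 15 * 60  # seconds; a typical lifetime for a pending device code


@dataclass
class Tenant:
    name: str
    allow_device_code_flow: bool = True  # weak default: any client may start the flow


@dataclass
class PendingDevice:
    device_code: str          # secret held by the device (here: the attacker)
    user_code: str            # short code shown to the user (here: placed in the lure)
    client_id: str
    issued_at: float
    authorized_by: Optional[str] = None


class AuthServer:
    def __init__(self, tenant: Tenant):
        self.tenant = tenant
        self.pending = {}       # device_code -> PendingDevice
        self.by_user_code = {}  # user_code -> PendingDevice

    # Step 1 (RFC 8628 3.1-3.2): the device asks for a code pair. No credential is needed.
    def device_authorization(self, client_id: str) -> dict:
        if not self.tenant.allow_device_code_flow:
            return {"error": "unauthorized_client"}  # hardened tenant refuses the flow outright
        dev = PendingDevice(
            device_code=secrets.token_urlsafe(32),
            user_code=f"{secrets.randbelow(10**4):04d}-{secrets.randbelow(10**4):04d}",
            client_id=client_id, issued_at=time.time())
        self.pending[dev.device_code] = dev
        self.by_user_code[dev.user_code] = dev
        return {"device_code": dev.device_code, "user_code": dev.user_code,
                "verification_uri": "https://login.example/device",
                "expires_in": USER_CODE_TTL}

    # Step 2 (3.3): a user types user_code on the genuine verification page and authenticates.
    def verification_page(self, user_code: str, user: str, mfa_passed: bool) -> str:
        dev = self.by_user_code.get(user_code)
        if dev is None or time.time() - dev.issued_at > USER_CODE_TTL:
            return "invalid_or_expired_code"
        if not mfa_passed:
            return "mfa_required"
        dev.authorized_by = user  # MFA really was satisfied, by the victim, for someone else's device
        return "approved"

    # Step 3 (3.4-3.5): the device polls with device_code until the user has approved.
    def token(self, device_code: str) -> dict:
        dev = self.pending.get(device_code)
        if dev is None:
            return {"error": "invalid_grant"}
        if dev.authorized_by is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        del self.by_user_code[dev.user_code]
        return {"access_token": secrets.token_urlsafe(16), "sub": dev.authorized_by}


def run_phish(tenant: Tenant, victim: str = "cfo@exchange.example") -> dict:
    """Attacker plays the device; the victim follows a 'shared file' lure. Returns the token response."""
    server = AuthServer(tenant)
    started = server.device_authorization(client_id="lure-client")
    if "error" in started:
        return started
    first_poll = server.token(started["device_code"])  # nothing yet: the user has not acted
    assert first_poll == {"error": "authorization_pending"}
    # The lure carries only user_code and the real verification_uri. No password is requested
    # and no fake page is hosted; the victim authenticates, with MFA, at the legitimate site.
    server.verification_page(started["user_code"], user=victim, mfa_passed=True)
    return server.token(started["device_code"])  # the attacker now holds the victim's token


if __name__ == "__main__":
    print(run_phish(Tenant("weak-default")))
    print(run_phish(Tenant("hardened", allow_device_code_flow=False)))
```

Nothing in step 2 lets the server tell the victim’s browser apart from a legitimate device owner: the only thing linking the two sessions is the user_code the victim typed. That is why the fix lives in policy rather than in the prompt. The device code flow exists for keyboard-less clients and command-line tools, so the right move is to disable it for users and clients that never need it (Microsoft Entra’s Conditional Access, for example, has an authentication-flows condition that can block device code flow) and to alert on its use elsewhere.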

The FBI’s warning put it plainly: Kali365 hands less-skilled criminals “AI-generated phishing lures, automated campaign templates,” and the tools to steal login tokens [8]. That’s “phishing-as-a-service” — a kit rented out so anyone can run a professional-grade scam.

For you: be suspicious of any message asking you to enter a code or “verify” a login you didn’t start. If you didn’t just try to sign in, don’t type the code. A real second-factor prompt only appears after you begin a login.

Two breaches, one weak spot: the third party

IMA Diligence Services, a US financial-consulting firm, is notifying 525,306 people that their personal data was stolen [4]. The company first noticed in mid-December, when a “legacy server managed by a third party” became unreachable [4]. Attackers had been inside that server for about eight days, from December 8 to 16, copying files [4].

The stolen data is sensitive: names, addresses, Social Security numbers, driver’s licence numbers, account and credit-card numbers, and in some cases passport numbers and health information [4]. A ransomware group calling itself Genesis claimed the attack and says it took 700 gigabytes [4]. That part is the gang’s claim, not confirmed fact — but the breach and its scale are confirmed by the company itself [4].

The detail that matters: the breach came through a third party’s server, not IMA’s own systems [4]. This is how a lot of breaches happen now — your data is only as safe as the least careful company that holds a copy of it. IMA is offering 12 months of free credit monitoring to those affected [4].

For you: if you get a breach notice, take the free credit monitoring — it’s worth the few minutes. And consider a credit freeze, which blocks new accounts from being opened in your name. It’s free and reversible.

Flaws under active attack: Linux and WordPress

Two vulnerability warnings landed today, and both are already being exploited — meaning attackers are using them right now, not just in theory.

The first is a Linux kernel flaw, an “improper authentication” bug [3]. It lets an attacker who already has a foothold escalate their privileges and “escape containers” — break out of the isolated box that’s meant to keep one program from touching the rest of the system [3]. That turns a small intrusion into full control. Organisations running affected Linux systems were urged to patch [3].

The second hits WordPress, which powers a large share of the web. Attackers are exploiting flaws in two plugins, Kirki and Burst Statistics, to gain higher privileges and take over websites [7]. Plugins are a recurring weak point: a site can be fully patched, but one outdated add-on is an open door.

For you: most people don’t run Linux servers, but plenty run small WordPress sites. If you do, update your plugins — or set them to update automatically. Outdated plugins are one of the most common ways small sites get hijacked.

The fight over who gets to report bugs

A quieter story shows the human side of security. Microsoft faced a backlash after threatening legal action against researchers who publicly disclose zero-day vulnerabilities — flaws the software maker doesn’t yet know about, so there’s no patch and attackers using them have a clear run [5]. Microsoft has now tried to calm those fears [5].

It matters because the whole system of finding and fixing flaws depends on researchers feeling safe to report them. Scare the people who find the bugs, and the bugs don’t stop existing — they just stay quiet until criminals find them instead.

The same week, at the Infosecurity Europe conference, the theme was speed. Vendors told Bayer’s group security chief, Kevin Jones, that the time between a patch being released and attackers exploiting the underlying flaw has dropped to about six hours and forty minutes [6]. It used to be a week or more [6]. In response, India’s national cyber team, CERT-In, now expects companies to patch actively exploited internet-facing flaws within 12 hours [6]. The EU’s Cyber Resilience Act takes a different route, pushing the legal burden onto the companies that write the software [6]. As one analyst noted, regulation “can move the needle on accountability, but it won’t replace sound architecture and resilient operations” [6].

For you: there’s nothing to “do” here, but it’s the backdrop to everything above. The window between a fix and an attack is now hours. Turning on automatic updates — for your phone, computer, and apps — is the single cheapest defence you have, because it closes that window without you watching the clock.

02 · Lesson · why it matters

The break-in that never broke anything

The strongest attacks don't beat your security — they borrow your trust, so the system helps the intruder along.

The lock was never the target

Picture a thief who wants into your house. The obvious move is to pick the lock or smash a window. But there’s a quieter way: wear a delivery uniform, carry a clipboard, and wait for you to open the door yourself.

That second thief is what today’s news is really about. An attacker spied on a stock-exchange executive for five months without breaking anything — they hid inside software the computer already trusted, and sent stolen data out through Dropbox so it looked normal. A phishing kit walks past people’s second login check by getting them to approve the login. A breach reached half a million people through a server a third party was supposed to be guarding.

None of these picked a lock. They borrowed trust that was already there.

Why borrowing trust works better than breaking in

Security spends most of its energy watching for things that look wrong: a strange program, an unknown device, a password that fails too many times. That’s the alarm system, and it’s good at catching the smash-and-grab.

But it has a blind spot. It can’t easily tell the difference between you and someone using your trust. When malware disguises itself as Adobe or OneDrive, the alarm sees trusted software. When stolen files leave through Dropbox, the alarm sees normal traffic. When you type a login code the attacker asked for, the system sees a successful, fully-verified login — because, technically, it was.

This is why the stock-exchange intruder went unnoticed for five months. There was no strange new program to flag. The attacker was “living off the land” — using the system’s own legitimate tools so the activity blended in. The defence that’s tuned to spot intruders is nearly blind to insiders, and borrowed trust makes an attacker look like an insider.

The second check that you defeat yourself

The clearest version of this pattern is the phishing kit that beats multi-factor authentication — that second check, like a code from an app, meant to stop anyone who only has your password.

On paper it should be impossible to get past. The attacker doesn’t have your phone. But device-code phishing doesn’t try to. It starts a real login, then tricks you into entering the device code — the kind a smart TV shows you to finish signing in. You type it. You complete your own second check. And the service hands access to the attacker’s session.

The security worked exactly as designed. The login was genuine, the second factor was satisfied, every box was ticked. The system wasn’t fooled — you were, and the system trusted you. That’s the whole move: don’t defeat the guard, get the person the guard protects to wave the intruder through.

Your trust is only as strong as the weakest copy

The half-million-person breach shows the same pattern at a different scale. The data wasn’t stolen from the company most people would blame. It was stolen from a third party’s server — a contractor holding a copy.

Your information rarely lives in one place. You hand it to a bank, which shares it with a consultant, who stores it on a server run by yet another firm. Each handoff is a small act of trust. And your data is only as safe as the least careful link in that chain — a chain you can’t see and didn’t choose.

This is why a breach can hit you from a company you’ve never heard of. You trusted one organisation; that trust quietly flowed to others. When the weakest one fails, the trust you extended is what gets spent.

Seeing the pattern

Once you see it, the same shape appears everywhere. The flaw that is patched today and exploited within hours: attackers trusting that you won’t update fast enough. The researcher who’s afraid to report a bug: a system that depends on the trust between finders and fixers, and frays when that trust is threatened.

The thread is this: as locks get stronger, attackers stop attacking locks. They attack trust — the trust between you and your tools, between you and the prompt on your screen, between you and the companies holding your data. Trust is the part of any system that can’t be fully patched, because it’s the part that has to stay open for the system to work at all.

The point isn’t to trust nothing. It’s to notice where your trust flows, and to know that the most convincing thing on your screen is exactly what an attacker would build. A real login prompt only appears after you start a login. A real tool doesn’t ask you to approve something you didn’t begin. The intruder’s best disguise is the thing you were already going to trust.

03 · Lab · your turn

Where The Door Opens

Rehearse three trust decisions and watch how an attacker's path opens or closes without any lock being broken.

Across the beats