Cyber Alert Security News Daily

Microsoft ecosystem exploited (SharePoint/Intune/Defender BlueHammer & Azure APIM/MFA bypass + Iran spraying + DogWalk)

Key Questions

What is the ToolShell vulnerability CVE-2026-20963?

CVE-2026-20963 in Microsoft SharePoint, listed in CISA KEV, is exploited for ToolShell attacks. It enables unauthorized access and is part of broader Microsoft ecosystem compromises.

What is Defender BlueHammer and its risks?

Defender BlueHammer is a public local privilege escalation exploit that gains SYSTEM through path confusion and then dumps the SAM database; no patch is available yet. It affects Windows Defender and poses a high risk to endpoint security.

What is the DogWalk zero-day in Microsoft products?

DogWalk is a Microsoft zero-day vulnerability patched recently, with PoCs reported since 2019. It is part of escalating exploits in the Microsoft ecosystem including Intune and SharePoint.

How prevalent is the Azure APIM MFA bypass?

The Azure APIM vulnerability allows a 97.9% MFA bypass rate, alongside Railway M365 MFA issues and AI OAuth device code phishing for account takeovers.

What threats come from Iran-linked actors?

Iran-linked groups such as Handala and Stryker conducted password-spraying against 300+ Israeli M365 organizations and carried out Kerberos attacks. FBI and CISA mandate patching, credential rotations, MFA enforcement, and EDR hunts.

What are the recommendations from FBI/CISA?

FBI and CISA require immediate patching, credential rotations, MFA implementation, and EDR-based threat hunting following Patch Tuesday.

Are there public exploits for these Microsoft issues?

Yes, public exploits exist for Defender BlueHammer LPE, DogWalk zero-day, and ToolShell. Coverage includes researcher releases and warnings to 1 billion Microsoft users.

What other Microsoft-related threats are noted?

Additional threats include cookie-controlled PHP web shells on Linux, new phishing platforms targeting C-suite, and session hijacking MFA bypasses in M365.

CISA KEV CVE-2026-20963 ToolShell exploited + Defender BlueHammer public SYSTEM LPE PoC/GitHub (Chaotic Eclipse, no patch); DogWalk zero-day; Azure APIM 97.9% bypass; Railway M365 MFA; AI OAuth device code phishing ATO; Iran 300+ Israeli M365; Handala Stryker; Kerberos/Patch Tuesday. FBI/CISA mandates patching/rotations/MFA/EDR hunts.

Updated Apr 8, 2026