Catan and Mouse
Cisco Talos highlights ARToken, a phishing-as-a-service operator panel for Microsoft 365 focused on device code phishing, Primary Refresh Token (PRT) persistence, email access/BEC operations, and SharePoint exfiltration, with these capabilities exposed through 80+ API endpoints. Separately, Talos notes that a recently reported authentication bypass in SimpleHelp remote monitoring and management (RMM), tracked as CVE-2026-48558, has been exploited in the wild to obtain a fully authenticated technician session for malware delivery. These findings matter because they indicate both increasing maturity in credential-theft-driven phishing tooling and active exploitation of authentication weaknesses.
Thursday, July 2, 2026 14:00
Welcome to this week’s edition of the Threat Source newsletter.
“I do not know everything; still many things I understand.”
― Madeleine L'Engle, A Wrinkle in Time
“Don't try to comprehend with your mind. Your minds are very limited. Use your intuition.”
― Madeleine L'Engle, A Wind in the Door…