Strengthen Credential Controls and Supplier Playbooks Against Social Engineering

Published Apr 26, 2026, 5:06 AM CST · International · Full category signal

In 60 seconds

Top move

Voice-based phishing (vishing) campaigns are actively stealing employee credentials and enabling large extortion demands; callers impersonate IT using spoofed VoIP numbers, so credential compromise is a present operational risk for frontline staff

Key takeaways

  • Voice-based phishing (vishing) campaigns are actively stealing employee credentials and enabling large extortion demands; callers impersonate IT using spoofed VoIP numbers, so credential compromise is a present operational risk for frontline staff.[2]
  • Attackers are using collaboration tools (Microsoft Teams) to deliver custom malware that persists via browser extensions and tunneling, relying on social engineering and remote‑assistance workflows to establish domain footholds.[1]
  • Technology and regulation are aligning away from passwords: Microsoft is rolling Entra passkeys to Windows and EU rules (DORA) make credential controls a financial resilience requirement — procurement should treat passwordless and attestation as negotiation levers.[3]
  • For buyers, the immediate read is operational and contractual: expect IR and remediation exposure where supplier identities or remote‑support channels are used, and prepare renewals to require stronger proof of credential controls.[1]
  • Signal level: this is a normal/active reporting day (no platform‑wide outage). Prioritize verification and controlled contract updates rather than emergency sourcing.[2]

What changed since last run

  • New social‑engineering vectors (vishing and Teams‑delivered malware) shift near‑term focus from appliance eradication and patch propagation to telephony and collaboration channel defenses.
  • Microsoft's Entra passkey rollout provides a practical procurement lever for passwordless migration that was not actionable in the prior brief’s firewall/patch context.

Key facts

  • Attack flow: spoofed VoIP call → fake login page → credential theft → data leak site
  • Primary targets reported: retail and hospitality sectors
  • Mitigation advice: strengthen call‑handling and require multifactor caller verification
  • Malware components: dropper → AutoHotkey scripts → SnowBelt extension → SnowBasin backdoor
  • Lateral persistence: scheduled tasks, startup shortcuts, and tunneler‑based C2
  • Delivery method: email bombing followed by Teams contact posing as IT

Why it matters

Voice-based phishing (vishing) campaigns are actively stealing employee credentials and enabling large extortion demands; callers impersonate IT using spoofed VoIP numbers, so credential compromise is a present operational risk for frontline staff. Attackers are using collaboration tools (Microsoft Teams) to deliver custom malware that persists via browser extensions and tunneling, relying on social engineering and remote‑assistance workflows to establish domain footholds. Technology and regulation are aligning away from passwords: Microsoft is rolling Entra passkeys to Windows and EU rules (DORA) make credential controls a financial resilience requirement — procurement should treat passwordless and attestation as negotiation levers. For buyers, the immediate read is operational and contractual: expect IR and remediation exposure where supplier identities or remote‑support channels are used, and prepare renewals to require stronger proof of credential controls.

Cost / money

  • Incident response and forensic costs are more likely to be passed through or contested when attackers use supplier or employee credentials to escalate — expect remediation bill exposure tied to account recovery and forensic containment.[1]
  • Adopting passkeys and updating device authentication policies will create implementation and device‑management costs for buyers as they move off legacy MFA and password recovery flows.[3]

Supplier / commercial

  • Managed SOCs and remote‑support vendors may narrow quote windows, require surge retainers, or seek SOW changes to cover rapid onboarding after Teams or vishing incidents.[1]
  • Identity and access vendors will promote passkey/FIDO2 migrations as a premium feature; use upcoming renewals to demand proof of implementation rather than accepting roadmap commitments.[3]

Safety / operations

  • Credential theft via vishing and Teams social engineering increases domain takeover and lateral movement risk — operational teams should treat successful impersonation as a likely precursor to data exfiltration.[2]
  • SOC playbooks need explicit steps for collaboration‑tool social engineering and remote‑assistance misuse, including isolation of sessions and validated remote‑support procedures to prevent persistent backdoors.[1]

What to watch

  • Watch for BlackFile techniques expanding beyond retail/hospitality; wider sector targeting would indicate a campaign shift and warrant supplier surge clauses and broader staff training.[2]
  • Watch Entra passkey admin controls and unmanaged device behavior during rollout; partial adoption can create mixed‑auth environments that complicate incident response and supplier attestations.[3]

Top stories

Story 1 · BleepingComputer · Apr 24, 2026

New BlackFile extortion group linked to surge of vishing attacks

Signal: strong · Source-grounded

What happened

Researchers and sector groups report a new extortion gang (BlackFile) using voice‑based phishing to impersonate IT and harvest employee credentials. The actors call from spoofed VoIP numbers or fraudulent caller ID names and push victims to fake login sites, then publish exfiltrated documents and demand large ransoms. Watch whether the same vishing TTPs appear across non‑retail sectors — that would mean broader supplier and contact‑handling exposure.

Buyer takeaway

Treat vishing as an attack vector that intersects procurement — review third‑party support access, call routing, and attestation of staff training.

Cost / money

Credential theft leads to IR and remediation costs that may be passed through unless contracts specify cost sharing or eradication obligations.

Supplier / commercial

Helpdesk and outsourced support vendors may seek higher fees or surge retainer terms unless buyers lock in verified caller‑identity and training evidence.

Safety / operations

Unchecked call‑handling allows attackers to obtain valid credentials and request remote assistance, increasing the risk of domain compromise and data exfiltration.

What to watch

Current sector targeting is limited but actionable; watch for expansion beyond retail/hospitality, which would be an early signal of campaign scaling.

Key facts

  • Attack flow: spoofed VoIP call → fake login page → credential theft → data leak site
  • Primary targets reported: retail and hospitality sectors
  • Mitigation advice: strengthen call‑handling and require multifactor caller verification

Source excerpts

"The attackers behind CL-CRI-1116 use voice-based phishing (vishing) from spoofed Voice over Internet Protocol (VoIP) numbers or fraudulent Caller ID Names (CNAM) as a social engineering technique, typically posing as IT support staff," RH-ISAC said
In a Thursday report, RH-ISAC said that the group's attacks begin with phone calls to employees from spoofed numbers, in which the threat actors pose as IT support to lure staff to fake corporate login pages that ask them to enter their credentials and one-time passcodes. "The attackers behind CL-CRI-1116 use voice-based phishing (vishing) from spoofed Voice over Internet Protocol (VoIP) numbers or fraudulent Caller ID Names (CNAM) as a social engineering technique, typically posing as IT support staff," RH-IS
A new financially motivated hacking group tracked as BlackFile has been linked to a wave of data theft and extortion attacks against retail and hospitality organizations since February 2026. The group, also tracked as CL-CRI-1116, UNC6671, and Cordial Spider, is impersonating corporate IT helpdesk staff to steal employee credentials and demand seven-figure ransoms, according to information shared by cybersecurity firm Palo Alto Networks' Unit 42 with the Retail & Hospitality Information Sharing and Analysis Cen
Story 2 · BleepingComputer · Apr 25, 2026

Threat actor uses Microsoft Teams to deploy new “Snow” malware

Signal: strong · Source-grounded

What happened

Mandiant/Google report a group using Microsoft Teams social engineering to deliver a new malware family called 'Snow' that includes a browser extension, tunneler, and backdoor. Attackers use email bombing to create urgency and then message victims in Teams posing as IT, delivering a fake 'patch' that installs persistent components and a WebSocket‑based command channel. Operational teams should watch for similar collaboration‑tool workflows and ensure remote‑assistance steps are hardened.

Buyer takeaway

Assume collaboration tools are exploitable delivery channels; require suppliers to demonstrate hardened remote‑assistance workflows and rapid forensic onboarding.

Cost / money

Containment and cleanup after a domain compromise can generate unplanned supplier and buyer labor costs and potential chargebacks for emergency onboarding.

Supplier / commercial

Vendors providing remote‑support or managed collaboration services may request SOW changes to cover session validation, faster onboarding, and surge support.

Safety / operations

Successful social engineering into collaboration tools creates persistent footholds that can bypass perimeter controls and accelerate exfiltration.

What to watch

Watch for attacker reuse of remote‑assistance workflows across other collaboration platforms; early signs would require broad supplier playbook updates.

Key facts

  • Malware components: dropper → AutoHotkey scripts → SnowBelt extension → SnowBasin backdoor
  • Lateral persistence: scheduled tasks, startup shortcuts, and tunneler‑based C2
  • Delivery method: email bombing followed by Teams contact posing as IT
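The persistence mechanisms listed above (scheduled tasks and startup shortcuts that launch AutoHotkey-based components) are the kind of artifact a SOC can sweep for on a suspect host. The following PowerShell is an added hunt, not code from the brief or from Mandiant: the AutoHotkey/.ahk match pattern is an assumed indicator derived from the component list, the function names are mine, and any hit is a triage lead to be confirmed against the task's creator and the file on disk, not a verdict.

```powershell
# Added hunt (not from the original brief): enumerate scheduled tasks and Startup-folder
# shortcuts whose launch command references an AutoHotkey interpreter or an .ahk script.
# Read-only; run in an elevated session on the host being checked.

# Assumed indicator: AutoHotkey executable name or a .ahk script argument.
$Pattern = 'autohotkey|\.ahk\b'

function Get-SuspiciousScheduledTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match $Pattern) {
                [pscustomobject]@{
                    Kind    = 'ScheduledTask'
                    Name    = $task.TaskPath + $task.TaskName
                    Author  = $task.Author
                    Created = $task.Date       # registration date recorded in the task XML
                    Command = $cmd
                }
            }
        }
    }
}

function Get-SuspiciousStartupShortcuts {
    $shell   = New-Object -ComObject WScript.Shell
    $folders = @(
        [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
        [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
    )
    Get-ChildItem -Path $folders -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)       # resolve the .lnk target and arguments
        $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
        if ($cmd -match $Pattern) {
            [pscustomobject]@{
                Kind    = 'StartupShortcut'
                Name    = $_.FullName
                Author  = $null                         # .lnk files carry no author field
                Created = $_.CreationTime
                Command = $cmd
            }
        }
    }
}

# Combined report for the analyst; empty output means no match on this host.
@(Get-SuspiciousScheduledTasks) + @(Get-SuspiciousStartupShortcuts) | Format-Table -AutoSize
```

Extend `$Pattern` with the tunneler or backdoor file names once your IR provider shares them; the brief does not name them, so none are assumed here. Tasks created outside change windows or authored by a non-admin account deserve a look even when the pattern does not match.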

Source excerpts

Their goal is to steal sensitive data after deep network compromise through credential theft and domain takeover. According to Google’s Mandiant researchers, the attacker uses “email bombing” tactics to create urgency, then contact targets via Microsoft Teams, posing as IT helpdesk agents
A recent Microsoft report highlighted the growing popularity of this tactic in the cybercrime space, tricking users into granting attackers remote access via Quick Assist or other remote access tools
Story 3 · BleepingComputer · Apr 24, 2026

Microsoft to roll out Entra passkeys on Windows in late April

Signal: strong · Source-grounded

What happened

Microsoft is rolling Entra passkey support to Windows devices to enable phishing‑resistant, passwordless sign‑in using Windows Hello (face, fingerprint, PIN) and FIDO2 credentials. The rollout will support corporate, personal, and shared devices with admin controls via Conditional Access, which makes it practical for buyers to start targeted migrations and require vendor support during renewals. Watch admin policy details and unmanaged device behavior during initial rollouts to avoid mixed‑auth gaps.

Buyer takeaway

Use Microsoft's passkey rollout to require vendor attestations and migration plans for phishing‑resistant authentication in upcoming renewals.

Cost / money

Initial rollout drives device and enrollment costs but reduces long‑tail phishing and account‑remediation spend over time.

Supplier / commercial

Identity providers may monetize passkey support or migration services; capture commitments and testing artifacts in contracts.

Safety / operations

Passkeys significantly reduce AiTM phishing and credential replay risks when properly provisioned and enforced via Conditional Access.

What to watch

Partial or staggered adoption can produce mixed environments that complicate incident response and require interim compensating controls.

Key facts

  • Feature: Entra passkeys on Windows using Windows Hello and FIDO2
  • Scope: supports corporate, personal, and shared devices with admin controls
  • Rollout implication: enables passwordless sign‑in to Entra‑protected resources

Source excerpts

Users can register multiple passkeys for multiple work or school accounts on the same device. Primarily a device-bound sign-in method linked to device trust
Feature | Microsoft Entra passkey on Windows | Windows Hello for Business
Standard base | FIDO2 | FIDO2 for authentication, first-party (1P) protocol for device sign-in
Registration | User-initiated, doesn't require device join or registration | Automatically provisioned on some Microsoft Entra joined or registered devices during device registration
Device sign-in and single sign-on (SSO) | N/A | Enables device sign-in and SSO to Microsoft Entra-integrated resources after device sign-in
Credential binding | Bound to the device a
The new security feature will be available in organizations that have enabled 'Microsoft Entra ID with passkeys' in the 'Authentication Methods policy' for users who sign in to Windows devices that are not Microsoft Entra‑joined or registered, provided Conditional Access policies allow it (e
Story 4 · BleepingComputer · Apr 24, 2026

DORA and operational resilience: Credential management as a financial risk control

Signal: strong · Source-grounded

What happened

Analysis of the EU's Digital Operational Resilience Act (DORA) highlights credential management as a binding financial‑risk control for financial institutions and stresses standards like FIDO2 for strong authentication. DORA's Article 9 maps to controls that buyers and suppliers must implement or demonstrate, linking credential failures to supervisory consequences. Procurement should treat DORA requirements as contract risk drivers when working with EU‑regulated entities or suppliers handling financial services.

Buyer takeaway

Treat DORA as a procurement lever for tightening credential obligations, evidence of implementation, and notification/indemnity clauses in supplier contracts.

Cost / money

Noncompliance or credential compromises can create supervisory fines and remediation costs that buyers must account for in supplier obligations.

Supplier / commercial

Suppliers to EU financial entities should expect tighter contract language on authentication, attestations, and quicker notification requirements.

Safety / operations

DORA frames credential compromises as operational resilience failures, increasing the need for demonstrable controls and tested recovery plans.

What to watch

DORA is specific to financial entities; for non‑EU buyers it is a directional regulatory pressure that may still affect international suppliers.

Key facts

  • Regulatory driver: DORA Article 9 requires strong authentication and access‑limiting policies
  • Standards pointer: FIDO2/WebAuthn maps to DORA's 'relevant standards' for phishing resistance
  • Operational cost note: credential failures have outsized financial and supervisory consequences

Source excerpts

On January 17, 2025, the Digital Operational Resilience Act (DORA) entered into application across the EU. Article 9 of the regulation makes credential security a binding financial risk control, with supervisory consequences for institutions that fall short
Cryptographic key management is a regulatory requirement
DORA compliance is as much an evidence problem as a technical one

VP Snapshot

Executive Risk & Action View

Voice-based phishing (vishing) campaigns are actively stealing employee credentials and enabling large extortion demands; callers impersonate IT using spoofed VoIP numbers, so credential compromise is a present operational risk for frontline staff.

Overall 74 · Cost 61 · Supply 25 · Schedule 20 · Compliance 15

Top signals

30-180d · Cost

Signal 1: Cost / money

Incident response and forensic costs are more likely to be passed through or contested when attackers use supplier or employee credentials to escalate — expect remediation bill exposure tied to account recovery and forensic containment.

Signal 2: Cost / money

Adopting passkeys and updating device authentication policies will create implementation and device‑management costs for buyers as they move off legacy MFA and password recovery flows.

30-180d · Commercial

Signal 3: Supplier / commercial

Managed SOCs and remote‑support vendors may narrow quote windows, require surge retainers, or seek SOW changes to cover rapid onboarding after Teams or vishing incidents.

Signal 4: Supplier / commercial

Identity and access vendors will promote passkey/FIDO2 migrations as a premium feature; use upcoming renewals to demand proof of implementation rather than accepting roadmap commitments.

30-180d · Supplier

Signal 5: Safety / operations

Credential theft via vishing and Teams social engineering increases domain takeover and lateral movement risk — operational teams should treat successful impersonation as a likely precursor to data exfiltration.

Signal 6: Safety / operations

SOC playbooks need explicit steps for collaboration‑tool social engineering and remote‑assistance misuse, including isolation of sessions and validated remote‑support procedures to prevent persistent backdoors.

Recommended actions

Ops · Due 3d

Inventory helpdesk and remote‑support channels, including phone numbers, VoIP routing, and Teams admin settings; verify call‑handling and caller identity procedures.

Documented inventory of helpdesk phone/Teams endpoints and an updated caller‑verification checklist for frontline staff.
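The Teams part of that inventory is a tenant setting rather than a phone list: external-access configuration decides whether an outside account can open a chat that looks like internal IT support, which is the delivery step in the Teams story above. The following PowerShell is an added, read-only check and not from the brief; it assumes the MicrosoftTeams PowerShell module and a Teams administrator role, and the function name and the NeedsReview rule are mine.

```powershell
# Added inventory check (not from the original brief): report the tenant-wide Teams
# external-access settings that control contact from other organizations and from
# consumer accounts. Read-only; assumes the MicrosoftTeams module is installed.
Connect-MicrosoftTeams

function Get-TeamsExternalAccessPosture {
    $fed = Get-CsTenantFederationConfiguration
    [pscustomobject]@{
        FederationWithOtherOrgs = $fed.AllowFederatedUsers   # chat/calls with other M365 tenants
        AllowedDomains          = $fed.AllowedDomains        # allow-list, or "all known domains"
        BlockedDomains          = $fed.BlockedDomains
        TeamsConsumerAccounts   = $fed.AllowTeamsConsumer    # personal Teams accounts
        SkypeConsumerAccounts   = $fed.AllowPublicUsers      # Skype consumer accounts
        # Review rule (assumed, not a Microsoft recommendation): any path that lets an
        # account you do not manage start a conversation with staff goes on the checklist,
        # so that the allow-list can be verified against your real support partners.
        NeedsReview             = [bool]($fed.AllowFederatedUsers -or
                                         $fed.AllowTeamsConsumer -or
                                         $fed.AllowPublicUsers)
    }
}

Get-TeamsExternalAccessPosture | Format-List
```

Record the output alongside the helpdesk phone and VoIP routing inventory; when federation is enabled, the AllowedDomains value is the item to reconcile with the list of suppliers who legitimately contact staff over Teams.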

Category · Due 3d

Identify high‑value accounts and critical Entra‑protected apps; enable stronger Conditional Access policies or restrict remote‑assistance flows for those targets during the roll...

List of prioritized apps/users with temporary tightened access policies and test results for passkey readiness.
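Hardening Conditional Access for the prioritized users and apps can be expressed as a single policy that requires a phishing-resistant authentication strength, which passkeys and FIDO2 credentials satisfy and passwords plus legacy MFA do not. The following PowerShell is an added example, not from the brief or from Microsoft's documentation; it assumes the Microsoft Graph PowerShell SDK and a Conditional Access administrator role, and the group and application IDs are placeholders to be replaced with your own. The policy is created in report-only mode so the "test results for passkey readiness" can be read from the sign-in logs before anything is enforced.

```powershell
# Added example (not from the original brief): create a report-only Conditional Access
# policy that requires the built-in "Phishing-resistant MFA" authentication strength for
# a pilot group on a set of critical Entra-protected apps. All IDs below are placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$PilotGroupId      = '00000000-0000-0000-0000-00000000aaaa'   # placeholder: prioritized users / VIPs
$BreakGlassGroupId = '00000000-0000-0000-0000-00000000cccc'   # placeholder: emergency-access accounts
$CriticalAppIds    = @('00000000-0000-0000-0000-00000000bbbb') # placeholder: critical app IDs

function New-PhishingResistantPilotPolicy {
    $policy = @{
        displayName = 'Pilot: require phishing-resistant MFA for critical apps'
        # Report-only: evaluated and logged, not enforced. Switch to 'enabled' after review.
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users = @{
                includeGroups = @($PilotGroupId)
                excludeGroups = @($BreakGlassGroupId)   # never lock out emergency access
            }
            applications   = @{ includeApplications = $CriticalAppIds }
            clientAppTypes = @('all')
        }
        grantControls = @{
            operator = 'OR'
            # Built-in authentication strength "Phishing-resistant MFA": satisfied by
            # passkeys/FIDO2, Windows Hello for Business and certificate-based auth.
            authenticationStrength = @{ id = '00000000-0000-0000-0000-000000000004' }
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}

New-PhishingResistantPilotPolicy
```

Leave the policy in report-only mode for a full business cycle and pull the sign-in log's report-only results for the pilot group: users who would have been blocked are the ones who still need a passkey enrolled, and that list is the readiness evidence the action above asks for.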

Contracts · Due 21d

Amend managed‑SOC and remote‑support SOWs to require validated remote onboarding playbooks, evidence of anti‑phishing training for support staff, and defined surge pricing for c...

Revised SOW language and at least one supplier attestation on remote‑support controls and surge terms.

Ops · Due 21d

Run targeted simulations covering vishing and collaboration‑tool social engineering for helpdesk and IT support teams; capture failure modes to drive focused training and controls.

Simulation results, prioritized remediation tasks, and scheduled follow‑up training for high‑risk groups.

Contracts · Due 60d

Pilot Entra passkeys for a controlled group and update identity vendor contracts to require FIDO2/passkey support and attestation paths during renewals.

Passkey pilot completed and contract clauses that require vendor proof of passkey support and a migration plan.

Risk register

  • Risk / trigger: Watch for BlackFile techniques expanding beyond retail/hospitality; wider sector targeting would indicate a campaign shift and warrant supplier surge clauses and broader staff training.
    Mitigation: Confirm exposure with category, contracts, and operations before the next supplier commitment.
  • Risk / trigger: Watch Entra passkey admin controls and unmanaged device behavior during rollout; partial adoption can create mixed‑auth environments that complicate incident response and supplier attestations.
    Mitigation: Confirm exposure with category, contracts, and operations before the next supplier commitment.

CM Snapshot

Category Manager Decision Detail

Today's priorities

Inventory helpdesk and remote‑support channels, including phone numbers, VoIP routing, and Teams admin settings; verify call‑handling and caller identity procedures.

Why: because attackers are impersonating IT over spoofed VoIP/CNAM numbers and collaboration channels to harvest credentials, so you need an immediate map of the exposed support inte...

Due 3d

high

CM move

Use this as the immediate supplier or contract action to move before the next sourcing gate.

Identify high‑value accounts and critical Entra‑protected apps; enable stronger Conditional Access policies or restrict remote‑assistance flows for those targets during the roll...

Why: because Microsoft is adding Entra passkeys and admins can reduce exposure by hardening Conditional Access for VIPs while migration planning proceeds.

Due 3d

high

CM move

Use this as the immediate supplier or contract action to move before the next sourcing gate.

Amend managed‑SOC and remote‑support SOWs to require validated remote onboarding playbooks, evidence of anti‑phishing training for support staff, and defined surge pricing for c...

Why: because Teams‑based malware and vishing shorten containment windows and suppliers will need contractual clarity on onboarding, scope, and cost allocation during incidents.

Due 21d

high

CM move

Use this as the immediate supplier or contract action to move before the next sourcing gate.

Run targeted simulations covering vishing and collaboration‑tool social engineering for helpdesk and IT support teams; capture failure modes to drive focused training and controls.

Why: because attackers are using both phone and Teams impersonation to bypass controls, so simulation will surface real human and process gaps to fix.

Due 21d

high

CM move

Use this as the immediate supplier or contract action to move before the next sourcing gate.

Supplier radar

BleepingComputer

high

Observed supplier signal

Managed SOCs and remote‑support vendors may narrow quote windows, require surge retainers, or seek SOW changes to cover rapid onboarding after Teams or vishing incidents.


Next step: Validate the source-backed signal with incumbents and alternates before the next award or pricing decision.

BleepingComputer

high

Observed supplier signal

Identity and access vendors will promote passkey/FIDO2 migrations as a premium feature; use upcoming renewals to demand proof of implementation rather than accepting roadmap commitments.


Next step: Validate the source-backed signal with incumbents and alternates before the next award or pricing decision.

Negotiation levers

Inventory helpdesk and remote‑support channels, including phone numbers, VoIP routing, and Teams admin settings; verify call‑handling and caller identity procedures.

When to use: because attackers are impersonating IT over spoofed VoIP/CNAM numbers and collaboration channels to harvest credentials, so you need an immediate map of the exposed support inte...

Expected outcome: Documented inventory of helpdesk phone/Teams endpoints and an updated caller‑verification checklist for frontline staff.

Commercial mechanism to carry into the next supplier conversation

Identify high‑value accounts and critical Entra‑protected apps; enable stronger Conditional Access policies or restrict remote‑assistance flows for those targets during the roll...

When to use: because Microsoft is adding Entra passkeys and admins can reduce exposure by hardening conditional access for VIPs while migration planning proceeds.

Expected outcome: List of prioritized apps/users with temporary tightened access policies and test results for passkey readiness.

Commercial mechanism to carry into the next supplier conversation

Amend managed‑SOC and remote‑support SOWs to require validated remote onboarding playbooks, evidence of anti‑phishing training for support staff, and defined surge pricing for c...

When to use: because Teams‑based malware and vishing shorten containment windows and suppliers will need contractual clarity on onboarding, scope, and cost allocation during incidents.

Expected outcome: Revised SOW language and at least one supplier attestation on remote‑support controls and surge terms.

Commercial mechanism to carry into the next supplier conversation

Run targeted simulations covering vishing and collaboration‑tool social engineering for helpdesk and IT support teams; capture failure modes to drive focused training and controls.

When to use: because attackers are using both phone and Teams impersonation to bypass controls, so simulation will surface real human and process gaps to fix.

Expected outcome: Simulation results, prioritized remediation tasks, and scheduled follow‑up training for high‑risk groups.

Commercial mechanism to carry into the next supplier conversation

Talking points

Voice-based phishing (vishing) campaigns are actively stealing employee credentials and enabling large extortion demands; callers impersonate IT using spoofed VoIP numbers, so credential compromise is a present operational risk for frontline staff.
Attackers are using collaboration tools (Microsoft Teams) to deliver custom malware that persists via browser extensions and tunneling, relying on social engineering and remote‑assistance workflows to establish domain footholds.
Technology and regulation are aligning away from passwords: Microsoft is rolling Entra passkeys to Windows and EU rules (DORA) make credential controls a financial resilience requirement — procurement should treat passwordless and attestation as negotiation levers.
For buyers, the immediate read is operational and contractual: expect IR and remediation exposure where supplier identities or remote‑support channels are used, and prepare renewals to require stronger proof of credential controls.

Supplier radar

  • Supplier: BleepingComputer
    Signal / implication: Managed SOCs and remote‑support vendors may narrow quote windows, require surge retainers, or seek SOW changes to cover rapid onboarding after Teams or vishing incidents.
    Next step: Validate the source-backed signal with incumbents and alternates before the next award or pricing decision.
    Confidence: high
  • Supplier: BleepingComputer
    Signal / implication: Identity and access vendors will promote passkey/FIDO2 migrations as a premium feature; use upcoming renewals to demand proof of implementation rather than accepting roadmap commitments.
    Next step: Validate the source-backed signal with incumbents and alternates before the next award or pricing decision.
    Confidence: high

Negotiation levers

  • Inventory helpdesk and remote‑support channels, including phone numbers, VoIP routing, and Teams admin settings; verify call‑handling and caller identity procedures.
    Why: because attackers are impersonating IT over spoofed VoIP/CNAM numbers and collaboration channels to harvest credentials, so you need an immediate map of the exposed support inte...
    Expected outcome: Documented inventory of helpdesk phone/Teams endpoints and an updated caller‑verification checklist for frontline staff.
    Confidence: high
  • Identify high‑value accounts and critical Entra‑protected apps; enable stronger Conditional Access policies or restrict remote‑assistance flows for those targets during the roll...
    Why: because Microsoft is adding Entra passkeys and admins can reduce exposure by hardening Conditional Access for VIPs while migration planning proceeds.
    Expected outcome: List of prioritized apps/users with temporary tightened access policies and test results for passkey readiness.
    Confidence: high
  • Amend managed‑SOC and remote‑support SOWs to require validated remote onboarding playbooks, evidence of anti‑phishing training for support staff, and defined surge pricing for c...
    Why: because Teams‑based malware and vishing shorten containment windows and suppliers will need contractual clarity on onboarding, scope, and cost allocation during incidents.
    Expected outcome: Revised SOW language and at least one supplier attestation on remote‑support controls and surge terms.
    Confidence: high
  • Run targeted simulations covering vishing and collaboration‑tool social engineering for helpdesk and IT support teams; capture failure modes to drive focused training and controls.
    Why: because attackers are using both phone and Teams impersonation to bypass controls, so simulation will surface real human and process gaps to fix.
    Expected outcome: Simulation results, prioritized remediation tasks, and scheduled follow‑up training for high‑risk groups.
    Confidence: high

What to do / What to watch

What to do now

  • Inventory helpdesk and remote‑support channels, including phone numbers, VoIP routing, and Teams admin settings; verify call‑handling and caller identity procedures.

    Why: because attackers are impersonating IT over spoofed VoIP/CNAM numbers and collaboration channels to harvest credentials, so you need an immediate map of the exposed support inte...

    Owner: Ops

    Expected outcome: Documented inventory of helpdesk phone/Teams endpoints and an updated caller‑verification checklist for frontline staff.

    [2]
  • Identify high‑value accounts and critical Entra‑protected apps; enable stronger Conditional Access policies or restrict remote‑assistance flows for those targets during the roll...

    Why: because Microsoft is adding Entra passkeys and admins can reduce exposure by hardening conditional access for VIPs while migration planning proceeds.

    Owner: Category

    Expected outcome: List of prioritized apps/users with temporary tightened access policies and test results for passkey readiness.

    [3]

Next few weeks

  • Amend managed‑SOC and remote‑support SOWs to require validated remote onboarding playbooks, evidence of anti‑phishing training for support staff, and defined surge pricing for c...

    Why: because Teams‑based malware and vishing shorten containment windows and suppliers will need contractual clarity on onboarding, scope, and cost allocation during incidents.

    Owner: Contracts

    Expected outcome: Revised SOW language and at least one supplier attestation on remote‑support controls and surge terms.

    [1]
  • Run targeted simulations covering vishing and collaboration‑tool social engineering for helpdesk and IT support teams; capture failure modes to drive focused training and controls.

    Why: because attackers are using both phone and Teams impersonation to bypass controls, so simulation will surface real human and process gaps to fix.

    Owner: Ops

    Expected outcome: Simulation results, prioritized remediation tasks, and scheduled follow‑up training for high‑risk groups.

    [1]

Longer view

  • Pilot Entra passkeys for a controlled group and update identity vendor contracts to require FIDO2/passkey support and attestation paths during renewals.

    Why: because Microsoft’s passkey rollout makes passwordless practical and procurement leverageable; capturing vendor commitments now prevents later noncompliance and mixed‑auth risk.

    Owner: Contracts

    Expected outcome: Passkey pilot completed and contract clauses that require vendor proof of passkey support and a migration plan.

    [3]

What to watch

  • Watch for BlackFile techniques expanding beyond retail/hospitality; wider sector targeting would indicate a campaign shift and warrant supplier surge clauses and broader staff training
  • Watch Entra passkey admin controls and unmanaged device behavior during rollout; partial adoption can create mixed‑auth environments that complicate incident response and supplier attestations

Market pulse

Index | Latest | Change | As of
Palo Alto (PANW) | 320 | +0.00 (+0.00%) | Apr 26, 2026, 10:08 AM
CrowdStrike (CRWD) | 285 | +0.00 (+0.00%) | Apr 26, 2026, 10:08 AM
Zscaler (ZS) | 195 | +0.00 (+0.00%) | Apr 26, 2026, 10:08 AM
Fortinet (FTNT) | 72 | +0.00 (+0.00%) | Apr 26, 2026, 10:08 AM
  • Palo Alto: Palo Alto's Unit 42 authored research cited in vishing and extortion reporting — intelligence and prevention tooling procurement may need review
  • CrowdStrike: Endpoint detection and managed response providers face higher demand from Teams‑delivered persistent malware; consider MDR SOW and surge clauses

Sources

[1] Threat actor uses Microsoft Teams to deploy new “Snow” malware

bleepingcomputer.com · Apr 25, 2026

AI reading

Mandiant/Google report a group using Microsoft Teams social engineering to deliver a new malware family called 'Snow' that includes a browser extension, tunneler, and backdoor. Attackers use email bombing to create urgency and then message victims in Teams posing as IT, delivering a fake 'patch' that installs persistent components and a WebSocket‑based command channel. Operational teams should watch for similar collaboration‑tool workflows and ensure remote‑assistance steps are hardened

Buyer takeaway

Assume collaboration tools are exploitable delivery channels; require suppliers to demonstrate hardened remote‑assistance workflows and rapid forensic onboarding

Cost / money

Containment and cleanup after a domain compromise can generate unplanned supplier and buyer labor costs and potential chargebacks for emergency onboarding

Supplier / commercial

Vendors providing remote‑support or managed collaboration services may request SOW changes to cover session validation, faster onboarding, and surge support

Safety / operations

Successful social engineering into collaboration tools creates persistent footholds that can bypass perimeter controls and accelerate exfiltration

What to watch

Watch for attacker reuse of remote‑assistance workflows across other collaboration platforms; early signs would require broad supplier playbook updates

Key facts

  • Malware components: dropper → AutoHotkey scripts → SnowBelt extension → SnowBasin backdoor
  • Lateral persistence: scheduled tasks, startup shortcuts, and tunneler‑based C2
  • Delivery method: email bombing followed by Teams contact posing as IT

Source excerpts

Their goal is to steal sensitive data after deep network compromise through credential theft and domain takeover. According to Google’s Mandiant researchers, the attacker uses “email bombing” tactics to create urgency, then contacts targets via Microsoft Teams, posing as IT helpdesk agents.
A recent Microsoft report highlighted the growing popularity of this tactic in the cybercrime space, tricking users into granting attackers remote access via Quick Assist or other remote access tools.

Used in this brief

  • Safety / operations: Credential theft via vishing and Teams social engineering increases domain takeover and lateral movement risk — operational teams should treat successful impersonation as a likely precursor to data exfiltration
  • Next 2-4 weeks — Amend managed‑SOC and remote‑support SOWs to require validated remote onboarding playbooks, evidence of anti‑phishing training for support staff, and defined surge pricing for c... Rationale: because Teams‑based malware and vishing shorten containment windows and suppliers will need contractual clarity on onboarding, scope, and cost allocation during incidents. Owner: Contracts. KPI: Revised SOW language and at least one supplier attestation on remote‑support controls and surge terms
  • Next 2-4 weeks — Run targeted simulations covering vishing and collaboration‑tool social engineering for helpdesk and IT support teams; capture failure modes to drive focused training and controls. Rationale: because attackers are using both phone and Teams impersonation to bypass controls, so simulation will surface real human and process gaps to fix. Owner: Ops. KPI: Simulation results, prioritized remediation tasks, and scheduled follow‑up training for high‑risk groups

[2] New BlackFile extortion group linked to surge of vishing attacks

bleepingcomputer.com · Apr 24, 2026

AI reading

Researchers and sector groups report a new extortion gang (BlackFile) using voice‑based phishing to impersonate IT and harvest employee credentials. The actors call from spoofed VoIP numbers or fraudulent caller ID names and push victims to fake login sites, then publish exfiltrated documents and demand large ransoms. Watch whether the same vishing TTPs appear across non‑retail sectors — that would mean broader supplier and contact‑handling exposure

Buyer takeaway

Treat vishing as an attack vector that intersects procurement — review third‑party support access, call routing, and attestation of staff training

Cost / money

Credential theft leads to IR and remediation costs that may be passed through unless contracts specify cost sharing or eradication obligations

Supplier / commercial

Helpdesk and outsourced support vendors may seek higher fees or surge retainer terms unless buyers lock in verified caller‑identity and training evidence

Safety / operations

Unchecked call‑handling allows attackers to obtain valid credentials and request remote assistance, increasing risk of domain compromise and data exfiltration

What to watch

Limited current sector targeting is actionable, but watch for expansion beyond retail/hospitality; that expansion is an early signal of campaign scaling

Key facts

  • Attack flow: spoofed VoIP call → fake login page → credential theft → data leak site
  • Primary targets reported: retail and hospitality sectors
  • Mitigation advice: strengthen call‑handling and require multifactor caller verification

Source excerpts

"The attackers behind CL-CRI-1116 use voice-based phishing (vishing) from spoofed Voice over Internet Protocol (VoIP) numbers or fraudulent Caller ID Names (CNAM) as a social engineering technique, typically posing as IT support staff," RH-ISAC said
In a Thursday report, RH-ISAC said that the group's attacks begin with phone calls to employees from spoofed numbers, in which the threat actors pose as IT support to lure staff to fake corporate login pages that ask them to enter their credentials and one-time passcodes.
A new financially motivated hacking group tracked as BlackFile has been linked to a wave of data theft and extortion attacks against retail and hospitality organizations since February 2026. The group, also tracked as CL-CRI-1116, UNC6671, and Cordial Spider, is impersonating corporate IT helpdesk staff to steal employee credentials and demand seven-figure ransoms, according to information shared by cybersecurity firm Palo Alto Networks' Unit 42 with the Retail & Hospitality Information Sharing and Analysis Cen

Used in this brief

  • Voice-based phishing (vishing) campaigns are actively stealing employee credentials and enabling large extortion demands; callers impersonate IT using spoofed VoIP numbers, so credential compromise is a present operational risk for frontline staff. Attackers are using collaboration tools (Microsoft Teams) to deliver custom malware that persists via browser extensions and tunneling, relying on social engineering and remote‑assistance workflows to establish domain footholds. Technology and regulation are aligning away from passwords: Microsoft is rolling Entra passkeys to Windows and EU rules (DORA) make credential controls a financial resilience requirement — procurement should treat passwordless and attestation as negotiation levers. For buyers, the immediate read is operational and contractual: expect IR and remediation exposure where supplier identities or remote‑support channels are used, and prepare renewals to require stronger proof of credential controls
  • Next 72 hours — Inventory helpdesk and remote‑support channels, including phone numbers, VoIP routing, and Teams admin settings; verify call‑handling and caller identity procedures. Rationale: because attackers are impersonating IT over spoofed VoIP/CNAM numbers and collaboration channels to harvest credentials, so you need an immediate map of the exposed support inte... Owner: Ops. KPI: Documented inventory of helpdesk phone/Teams endpoints and an updated caller‑verification checklist for frontline staff
  • Watch for BlackFile techniques expanding beyond retail/hospitality; wider sector targeting would indicate a campaign shift and warrant supplier surge clauses and broader staff training
[3] Microsoft to roll out Entra passkeys on Windows in late April

bleepingcomputer.com · Apr 24, 2026

AI reading

Microsoft is rolling Entra passkey support to Windows devices to enable phishing‑resistant, passwordless sign‑in using Windows Hello (face, fingerprint, PIN) and FIDO2 credentials. The rollout will support corporate, personal, and shared devices with admin controls via Conditional Access, which makes it practical for buyers to start targeted migrations and require vendor support during renewals. Watch admin policy details and unmanaged device behavior during initial rollouts to avoid mixed‑auth gaps

Buyer takeaway

Use Microsoft's passkey rollout to require vendor attestations and migration plans for phishing‑resistant authentication in upcoming renewals

Cost / money

Initial rollout drives device and enrollment costs but reduces long tail phishing and account‑remediation spend over time

Supplier / commercial

Identity providers may monetize passkey support or migration services; capture commitments and testing artifacts in contracts

Safety / operations

Passkeys significantly reduce AiTM phishing and credential replay risks when properly provisioned and enforced via conditional access

What to watch

Partial or staggered adoption can produce mixed environments that complicate incident response and require interim compensating controls

Key facts

  • Feature: Entra passkeys on Windows using Windows Hello and FIDO2
  • Scope: supports corporate, personal, and shared devices with admin controls
  • Rollout implication: enables passwordless sign‑in to Entra‑protected resources

Source excerpts

Users can register multiple passkeys for multiple work or school accounts on the same device. Primarily a device-bound sign-in method linked to device trust
Feature | Microsoft Entra passkey on Windows | Windows Hello for Business
Standard base | FIDO2 | FIDO2 for authentication, first-party (1P) protocol for device sign-in
Registration | User-initiated, doesn't require device join or registration | Automatically provisioned on some Microsoft Entra joined or registered devices during device registration
Device sign-in and single sign-on (SSO) | N/A | Enables device sign-in and SSO to Microsoft Entra-integrated resources after device sign-in
Credential binding | Bound to the device a |
The new security feature will be available in organizations that have enabled 'Microsoft Entra ID with passkeys' in the 'Authentication Methods policy' for users who sign in to Windows devices that are not Microsoft Entra‑joined or registered, provided Conditional Access policies allow it (e

Used in this brief

  • Cost / money: Adopting passkeys and updating device authentication policies will create implementation and device‑management costs for buyers as they move off legacy MFA and password recovery flows
  • What to watch: Watch Entra passkey admin controls and unmanaged device behavior during rollout; partial adoption can create mixed‑auth environments that complicate incident response and supplier attestations
  • Next 72 hours — Identify high‑value accounts and critical Entra‑protected apps; enable stronger Conditional Access policies or restrict remote‑assistance flows for those targets during the roll... Rationale: because Microsoft is adding Entra passkeys and admins can reduce exposure by hardening conditional access for VIPs while migration planning proceeds. Owner: Category. KPI: List of prioritized apps/users with temporary tightened access policies and test results for passkey readiness

[4] DORA and operational resilience: Credential management as a financial risk control

bleepingcomputer.com · Apr 24, 2026

AI reading

Analysis of the EU's Digital Operational Resilience Act (DORA) highlights credential management as a binding financial‑risk control for financial institutions and stresses standards like FIDO2 for strong authentication. DORA's Article 9 maps to controls that buyers and suppliers must implement or demonstrate, linking credential failures to supervisory consequences. Procurement should treat DORA requirements as contract risk drivers when working with EU‑regulated entities or suppliers handling financial services

Buyer takeaway

Treat DORA as a procurement lever for tightening credential obligations, evidence of implementation, and notification/indemnity clauses in supplier contracts

Cost / money

Noncompliance or credential compromises can create supervisory fines and remediation costs that buyers must account for in supplier obligations

Supplier / commercial

Suppliers to EU financial entities should expect tighter contract language on authentication, attestations, and quicker notification requirements

Safety / operations

DORA frames credential compromises as operational resilience failures, increasing the need for demonstrable controls and tested recovery plans

What to watch

DORA is specific to financial entities; for non‑EU buyers it's a directional regulatory pressure that may still affect international suppliers

Key facts

  • Regulatory driver: DORA Article 9 requires strong authentication and access‑limiting policies
  • Standards pointer: FIDO2/WebAuthn maps to DORA's 'relevant standards' for phishing resistance
  • Operational cost note: credential failures have outsized financial and supervisory consequences

Source excerpts

On January 17, 2025, the Digital Operational Resilience Act (DORA) entered into application across the EU. Article 9 of the regulation makes credential security a binding financial risk control, with supervisory consequences for institutions that fall short
Cryptographic key management is a regulatory requirement
DORA compliance is as much an evidence problem as a technical one

Used in this brief

  • Analysis of the EU's Digital Operational Resilience Act (DORA) highlights credential management as a binding financial‑risk control for financial institutions and stresses standards like FIDO2 for strong authentication. DORA's Article 9 maps to controls that buyers and suppliers must implement or demonstrate, linking credential failures to supervisory consequences. Procurement should treat DORA requirements as contract risk drivers when working with EU‑regulated entities or suppliers handling financial services
  • Buyer bottom line: regulatory pressure makes credential controls a contractual and compliance requirement in financial services sourcing and supplier attestations
  • Treat DORA as a procurement lever for tightening credential obligations, evidence of implementation, and notification/indemnity clauses in supplier contracts
[5] Palo Alto

finance.yahoo.com · n.d.

[6] CrowdStrike

finance.yahoo.com · n.d.
