
Evaluating the March security updates, cloud guest access risks, and evolving persistence methodologies

While the March Microsoft update cycle presents a manageable volume of standard elevations, security teams must address parallel risks in specific business workflows. Immediate priorities include hardening Salesforce guest access configurations and implementing protective measures against new EDR-disabling tools targeting recruitment pipelines.

Triage Security Media Team

Security teams face a contrasting operational environment this month. While the monthly Microsoft patch cycle offers a moment of relative calm, targeted campaigns against specialized business workflows and cloud configurations are increasing in complexity. Microsoft released updates for 83 vulnerabilities this morning, but security analysts advise defenders to shift their immediate focus toward hardening Salesforce guest access and protecting recruitment pipelines from sophisticated EDR-disabling malware.

The March security update from Microsoft is being described by researchers as a manageable lift, offering a welcome change from more volatile cycles. Of the 83 Common Vulnerabilities and Exposures (CVEs) addressed, only one received a CVSS score of 9.8, an AI-discovered remote code execution (RCE) flaw in the Microsoft Devices Pricing Program. Microsoft has already remediated this specific flaw on their end, requiring no action from customers. This update marks a significant milestone in the shift toward AI-driven vulnerability discovery, signaling a future where the speed of finding complex flaws may outpace traditional manual research.

While the overall patch volume is higher than last month, the distribution remains standard, with elevation of privilege (EoP) flaws accounting for more than half of the release. Security teams should prioritize testing over emergency deployment this cycle, though specific attention is warranted for two Office RCE vulnerabilities: CVE-2026-26113 and CVE-2026-26110. Both vulnerabilities utilize the Preview Pane as an access vector, meaning a system can be compromised without a user ever opening a file. If patching cannot happen immediately, disabling the Preview Pane in file explorers remains a potent mitigation strategy.
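The Preview Pane mitigation above is usually applied by unregistering the Office preview handlers so that Explorer and Outlook never render an untrusted document inline. The following PowerShell script is an added example, not part of the article or of any Microsoft guidance; it reads the standard PreviewHandlers registration key, reports which handlers are Office-related, and, only when `-Disable` is passed, exports the key for later restore and removes those registrations. It assumes an elevated PowerShell 5.1 or later session and matches handlers by their registered display name rather than by hard-coded CLSIDs.

```powershell
# Added example: list registered Windows preview handlers and optionally unregister
# the Office ones as a temporary Preview Pane mitigation until patches are deployed.
# Run elevated. The PreviewHandlers key is the standard registration list; the
# name-matching pattern and backup location below are this script's own choices.
param(
    [switch]$Disable,
    [string]$BackupPath = "$env:ProgramData\PreviewHandlers-backup.reg"
)

$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\PreviewHandlers'
$item = Get-ItemProperty -Path $key

# Each value name is a handler CLSID and its data is the handler's display name.
$handlers = $item.PSObject.Properties |
    Where-Object { $_.Name -match '^\{[0-9A-F-]+\}$' } |
    ForEach-Object { [pscustomobject]@{ Clsid = $_.Name; Name = $_.Value } }

$office = $handlers | Where-Object { $_.Name -match 'Word|Excel|PowerPoint|Outlook|Office|Visio' }
Write-Host ("Registered preview handlers: {0}; Office-related: {1}" -f @($handlers).Count, @($office).Count)
$office | Format-Table -AutoSize

if ($Disable -and $office) {
    # Export the key first so the change can be reverted once the patch is in place.
    reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PreviewHandlers' $BackupPath /y | Out-Null
    foreach ($h in $office) {
        Remove-ItemProperty -Path $key -Name $h.Clsid
        Write-Host "Unregistered preview handler $($h.Clsid) ($($h.Name))"
    }
    Write-Host "Backup written to $BackupPath; restore with: reg.exe import `"$BackupPath`""
}
```

Run it without `-Disable` first to see what would change; removing a handler registration stops Explorer and Outlook from previewing that file type but does not affect opening files normally, and the exported `.reg` file restores the original state after the updates are rolled out.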

Beyond the routine patching of operating systems, a more pressing concern has emerged involving the unauthorized exposure of sensitive CRM data. Malicious actors, including groups like ShinyHunters, are currently mass-scanning Salesforce Experience Cloud sites for excessively permissive guest user configurations. This is not a platform vulnerability but a consequence of guest user profiles that allow unauthenticated visitors to query private Salesforce objects. Unauthorized parties are using a modified version of the Aura Inspector tool to extract data that should be restricted. This activity follows a pattern of high-profile extortion attempts seen over the last year, where actors leveraged misconfigured cloud environments to demand payments.

In tandem with these cloud-focused threats, a new campaign dubbed "BlackSanta" is specifically targeting human resources (HR) departments. Because hiring teams frequently interact with external attachments, they represent a soft target for initial access. BlackSanta utilizes a sophisticated multi-stage sequence that begins with resume-themed ISO files. The malware employs steganography, hiding unauthorized code within image files, to evade standard scanning. Its most complex feature is a "Bring Your Own Vulnerable Driver" (BYOVD) capability. By loading a legitimate but vulnerable kernel driver, the tool gains the low-level system access necessary to terminate antivirus and endpoint detection and response (EDR) agents. Once the security stack is neutralized, data is extracted via HTTPS with minimal risk of detection.

The return of custom engineering is also evident in the latest activities of the Sednit group, also known as APT28 or Fancy Bear. After several years of relying on simple scripts and phishing, the group has resumed the use of custom espionage toolkits in campaigns targeting Ukrainian infrastructure. Researchers have identified a dual-implant strategy utilizing two specialized tools: SlimAgent, a keylogger with a decade-long lineage, and BeardShell, a PowerShell interpreter.

To maintain persistence, Sednit is now abusing legitimate cloud storage services like Icedrive for command-and-control (C2) communications. By reverse-engineering the cloud provider's internal protocols, the group blends its unauthorized traffic with standard encrypted web traffic. The use of two different implants, each communicating through a separate cloud provider, creates a redundant fallback system. If a security team identifies and blocks one C2 channel, the other remains active, allowing the unauthorized party to maintain their foothold. This evolution suggests a strategic return to active software development by the group's engineers, moving away from the living-off-the-land techniques that dominated their recent operations.

For defenders, these developments indicate a shift toward subverting trust in three distinct areas: the trust placed in legitimate kernel drivers, the trust inherent in cloud-based guest access, and the trust necessary for routine business workflows like recruitment.

We recommend organizations take the following protective measures:

  • BYOVD mitigation: Defending against BYOVD requires strict kernel-mode code signing policies and enforcement of Microsoft's vulnerable driver blocklist, so that a known-vulnerable driver is refused at load time rather than detected after it has disabled the security stack.
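The following PowerShell script is an added example, not from the article, showing how an administrator can verify the two controls named above on a Windows 10/11 host: whether Microsoft's vulnerable driver blocklist is enforced and whether hypervisor-protected code integrity (HVCI, shown as "memory integrity" in Windows Security) is running. It then inventories running kernel drivers with their Authenticode signers for comparison against the blocklist and the organization's approved-driver baseline. The `VulnerableDriverBlocklistEnable` registry value and the `Win32_DeviceGuard` WMI class are Microsoft's documented interfaces; the reporting logic and the CSV path are this script's own.

```powershell
# Added example: check vulnerable-driver-blocklist and HVCI enforcement, then inventory
# running kernel drivers with their signers. Run elevated on Windows 10/11.
param([switch]$EnableBlocklist)

$ciConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$flag = (Get-ItemProperty -Path $ciConfig -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
if ($flag -eq 1) {
    Write-Host 'Vulnerable driver blocklist: enabled'
} else {
    Write-Host 'Vulnerable driver blocklist: NOT enabled'
    if ($EnableBlocklist) {
        Set-ItemProperty -Path $ciConfig -Name VulnerableDriverBlocklistEnable -Value 1 -Type DWord
        Write-Host 'Set VulnerableDriverBlocklistEnable=1; a reboot is required for it to take effect'
    }
}

# SecurityServicesRunning contains 2 when HVCI is active on this host.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$hvci = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
Write-Host ("HVCI / memory integrity: {0}" -f $(if ($hvci) { 'running' } else { 'not running' }))

# Inventory running kernel drivers. A valid signature does not make a driver safe:
# BYOVD abuses legitimately signed drivers, so this list is for comparison against the
# blocklist and your approved-driver baseline, not a verdict on its own.
$inventory = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName -and (Test-Path $_.PathName) } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.PathName
        [pscustomobject]@{
            Name   = $_.Name
            Path   = $_.PathName
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        }
    }

# Show drivers not signed by Microsoft first; third-party vendor drivers are where most
# known-vulnerable ones live, so they are the natural starting point for a baseline review.
$inventory | Sort-Object { $_.Signer -like '*Microsoft*' }, Name | Format-Table -AutoSize
$csv = Join-Path $env:TEMP 'driver-inventory.csv'
$inventory | Export-Csv -Path $csv -NoTypeInformation
Write-Host ("Inventory of {0} running drivers written to {1}" -f @($inventory).Count, $csv)
```

On systems where HVCI is on, the blocklist is applied as part of code integrity enforcement; the registry toggle is the way to enforce it on hosts that cannot run HVCI, and either setting only takes effect after a reboot. Capturing the driver inventory centrally (for example, shipping the CSV to the SIEM) also gives responders a baseline to diff against when a new driver appears on a host.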

  • Salesforce hardening: The principle of least privilege is paramount in CRM environments. Guest user profiles should be audited immediately to ensure they are restricted strictly to public-facing data.
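The Salesforce exposure described earlier is a permissions problem, so the audit recommended above can be scripted. The following PowerShell script is an added example, not part of the article or of Salesforce's own tooling; it queries the standard `ObjectPermissions` object over the REST API to list every object that a Guest-type profile can read, and flags rows that also grant View All Records or write access. It assumes you supply the org's My Domain URL and an OAuth access token for an administrator obtained through your usual authentication flow (not shown), and that the API version placeholder is one your org supports.

```powershell
# Added example: list every object readable by Guest-type profiles in a Salesforce org,
# using the standard ObjectPermissions SOQL object via the REST query endpoint.
# $InstanceUrl and $AccessToken are placeholders supplied by the operator.
param(
    [Parameter(Mandatory)] [string]$InstanceUrl,   # e.g. https://example.my.salesforce.com (placeholder)
    [Parameter(Mandatory)] [string]$AccessToken,   # OAuth bearer token for an admin user
    [string]$ApiVersion = 'v60.0'
)

# Profile permissions are stored on the profile's underlying permission set
# (IsOwnedByProfile = true); UserType 'Guest' selects Experience Cloud guest profiles.
$soql = @"
SELECT Parent.Profile.Name, SobjectType, PermissionsRead, PermissionsViewAllRecords,
       PermissionsCreate, PermissionsEdit, PermissionsDelete
FROM ObjectPermissions
WHERE Parent.IsOwnedByProfile = true
  AND Parent.Profile.UserType = 'Guest'
  AND PermissionsRead = true
ORDER BY Parent.Profile.Name, SobjectType
"@

$headers = @{ Authorization = "Bearer $AccessToken" }
$uri = "$InstanceUrl/services/data/$ApiVersion/query?q=$([uri]::EscapeDataString($soql))"

# Follow nextRecordsUrl so that large orgs are enumerated completely.
$records = @()
do {
    $page = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
    $records += $page.records
    $uri = if ($page.done) { $null } else { "$InstanceUrl$($page.nextRecordsUrl)" }
} while ($uri)

$report = $records | ForEach-Object {
    [pscustomobject]@{
        GuestProfile   = $_.Parent.Profile.Name
        Object         = $_.SobjectType
        ViewAllRecords = $_.PermissionsViewAllRecords
        Create         = $_.PermissionsCreate
        Edit           = $_.PermissionsEdit
        Delete         = $_.PermissionsDelete
    }
}

# Every row here is readable by unauthenticated site visitors. Review each one;
# View All Records or any write permission on a guest profile is almost never intended.
$report | Format-Table -AutoSize
$risky = $report | Where-Object { $_.ViewAllRecords -or $_.Create -or $_.Edit -or $_.Delete }
Write-Host ("Guest-readable objects: {0}; with ViewAll/write access: {1}" -f @($report).Count, @($risky).Count)
```

The output is the starting point for the least-privilege review the article calls for: anything beyond the objects a public site genuinely needs should be removed from the guest profile, and the query can be re-run on a schedule to catch drift after site changes.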

  • Network visibility: The Sednit campaign demonstrates that relying on simple domain blocking is insufficient when legitimate cloud infrastructure is used for C2. Defenders should monitor for anomalous account access patterns and the unauthorized use of messaging platforms like Signal or WhatsApp on desktop environments, which Sednit frequently uses for initial social engineering.

As we move forward, the quiet nature of this month's Microsoft release should not lead to complacency. The emergence of AI-discovered vulnerabilities and the rise of EDR-disabling tools like BlackSanta suggest that the technical bar for successful intrusions is being raised. Security programs must evolve beyond a patch-everything mindset and begin implementing deeper defensive layers, such as stricter attachment sandboxing for HR teams and rigorous auditing of non-human identities and guest profiles in the cloud, to protect against these increasingly disciplined methodologies.

While the current Sednit operations heavily focus on regional geopolitical targets, the techniques they are refining, such as dual-implant cloud redundancy, often migrate to broader ecosystems. The defensive community should remain vigilant for these patterns appearing in wider enterprise targeting over the coming months.