Security news weekly round-up - 19th June 2026
Defenders don't rest. They wake up every day thinking about how to protect the systems that they are charged to protect. Meanwhile, attackers are also looking for crafty ways to infect a system or break into computer networks. In the end, it's good for everyone if defenders are always one step ahead of the attackers. EvilTokens: A phishing attack that doesn’t steal your password A phishing attack that does not require creating fake login pages or stealing your passwords. I was speechless when I read the article's title and deservedly so when I read how the attackers executed the attack. The following should get you started: EvilTokens is a phishing-as-a-service (PhaaS) kit built to compromise Microsoft 365 accounts by abusing the OAuth 2.0 device authorization grant flow. As attacks that use the kit rely on device code phishing, they sidestep the need for convincing replicas of genuine login pages where the victims would hand over their passwords. Instead, attackers get the victim to complete a legitimate authentication process – including two-factor authentication (2FA) – on a real Microsoft login page. One-Click Microsoft 365 Copilot Flaw Could Have Let Attackers Steal Emails, Files, and MFA Codes The good news is that MSFT mitigated the flaw. What's left for tenant admins is to watch and contain. The interesting thing is how the researchers pulled off the attack. Here is what they did: Researchers at Varonis Threat Labs chained three bugs into a one-click exfiltration path they call SearchLeak. Because the link pointed to a real microsoft.com domain, traditional anti-phishing and URL filtering tools were unlikely to flag it. The entry point is the q parameter in the Copilot Enterprise Search URL. It is meant for a natural-language query, but Copilot reads whatever sits there as instructions, not just a search string. Varonis calls this Parameter-to-Prompt injection. Low-skilled attacker used Claude, Codex to breach 14 companies The barrier to entry into cybercrim