OAuth Phishing Bypasses MFA, VMware Flaw Under Attack, and Anubis Hits AkzoNobel
Microsoft warns of OAuth redirect abuse targeting government, CISA flags actively exploited VMware flaw, and Anubis ransomware breaches paint giant AkzoNobel.
Hackers Are Using Microsoft and Google Login Pages to Phish You
Microsoft published a warning this week about phishing campaigns abusing OAuth, the authorization protocol underneath the “Sign in with Google” and “Sign in with Microsoft” buttons across the web. The attacks are targeting government and public sector organizations, and they’re sneaky because the phishing links genuinely point at Microsoft’s or Google’s login hosts; it is the legitimate service that then sends your browser somewhere else.
Here’s how it works. Attackers register a malicious app in a tenant they control, with a redirect URI pointing at a site they run, then send phishing emails with links that kick off an OAuth authorization flow for that app. The links intentionally carry an invalid parameter (a bogus scope or response type, for instance) so that the login server rejects the request. Under the OAuth 2.0 spec (RFC 6749), an authorization server refuses to redirect at all when the client ID or redirect URI is bad, but for any other defect it reports the error by redirecting the browser to the app’s registered redirect URI with error parameters attached. Since the attacker registered that URI, the real login page hands you straight to their landing page. You see a quick flash of a real Microsoft URL, then you’re somewhere else entirely. The lures included fake e-signature requests, Social Security notices, password resets, and meeting invitations to get people to click.
What makes this different from normal phishing: the attackers aren’t stealing OAuth tokens during the redirect itself. They’re using the redirect as a delivery mechanism to get you to a fake login page (powered by phishing kits like EvilProxy) or to trigger a malware download. Some payloads included ZIP files with shortcut files that ran PowerShell commands for reconnaissance before deploying a C2 backdoor.
Microsoft disabled the malicious OAuth apps it found but warned that related activity is ongoing. If you see a very long URL with “oauth2,” “authorize,” and lots of encoded text in it, especially from outside your organization, don’t trust it just because it starts with a Microsoft or Google domain. URL-decode it and look at the redirect_uri parameter: that, not the host at the front of the link, is where you will actually end up. And if something immediately starts downloading after you click a link in an email, close the tab.
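The redirect mechanism above, as an added example that is not from Microsoft’s report or from any vendor’s code: a toy model of the decision an OAuth authorization endpoint makes for a broken request (following RFC 6749 section 4.1.2.1), plus a triage helper that decodes an emailed “authorize” link and reports where the browser will land. The client ID, the attacker’s redirect URI, and the org allowlist are hypothetical, constructed for the example.

```python
"""Toy OAuth authorize-endpoint error path and a link triage helper.
Added example; registrations and URLs below are constructed, not real."""
from urllib.parse import urlparse, parse_qs, urlencode

# Constructed app registry standing in for the identity provider's tenant data.
# The client_id and redirect URI are hypothetical attacker-controlled values.
REGISTERED_APPS = {
    "0f0f0f0f-0000-4000-8000-000000000001": {
        "redirect_uris": {"https://docs-esign-review.example/cb"},
    },
}
SUPPORTED_RESPONSE_TYPES = {"code", "id_token", "code id_token"}
KNOWN_SCOPES = {"openid", "profile", "email", "offline_access"}

IDP_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}
# Hypothetical allowlist of hosts your own OAuth apps legitimately redirect to.
ORG_REDIRECT_HOSTS = {"app.contoso.example"}


def _params(url):
    """Flatten the query string into a dict of first values."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def authorize(request_url):
    """Model the RFC 6749 s4.1.2.1 decision the authorization endpoint makes.
    Returns ("page", reason) when the server must render an error itself,
    ("redirect", url) when it bounces the browser to the client's redirect_uri,
    or ("login", client_id) when the request is well-formed."""
    q = _params(request_url)
    app = REGISTERED_APPS.get(q.get("client_id", ""))
    redirect_uri = q.get("redirect_uri", "")
    # A bad client_id or an unregistered redirect_uri must NOT cause a redirect,
    # otherwise the endpoint would be an open redirector.
    if app is None or redirect_uri not in app["redirect_uris"]:
        return ("page", "invalid client_id or redirect_uri")
    # Every other defect is reported by redirecting to the registered URI with
    # error parameters. An attacker who owns the registration can therefore
    # make the real login host hand the browser to their own site on demand.
    if q.get("response_type") not in SUPPORTED_RESPONSE_TYPES:
        err = {"error": "unsupported_response_type"}
    elif not set(q.get("scope", "openid").split()) <= KNOWN_SCOPES:
        err = {"error": "invalid_scope"}
    else:
        return ("login", q["client_id"])
    if "state" in q:
        err["state"] = q["state"]
    return ("redirect", redirect_uri + "?" + urlencode(err))


def triage_link(url, org_hosts=ORG_REDIRECT_HOSTS):
    """Decode an emailed OAuth link and report where the browser will land.
    The field that matters is redirect_uri: that is the destination the login
    host will send you to, not the host shown at the start of the link."""
    p = urlparse(url)
    q = _params(url)
    redirect_host = urlparse(q.get("redirect_uri", "")).hostname
    reasons = []
    if p.hostname in IDP_HOSTS and redirect_host and redirect_host not in org_hosts:
        reasons.append("redirect_uri host %s is not an org app" % redirect_host)
    if q.get("response_type") not in SUPPORTED_RESPONSE_TYPES:
        reasons.append("malformed response_type invites an error redirect")
    return {
        "login_host": p.hostname,
        "redirect_host": redirect_host,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed lure: a real-looking Microsoft authorize URL whose error path
# lands on the attacker's (hypothetical) registered site.
LURE = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?"
    + urlencode({
        "client_id": "0f0f0f0f-0000-4000-8000-000000000001",
        "redirect_uri": "https://docs-esign-review.example/cb",
        "response_type": "bogus",  # deliberately invalid to force the redirect
        "scope": "openid",
        "state": "ZG9jdW1lbnQ",
    })
)

if __name__ == "__main__":
    print(authorize(LURE))
    print(triage_link(LURE))
```

Run it and the toy endpoint answers with a redirect to docs-esign-review.example carrying error=unsupported_response_type, exactly the hop the campaign relies on; change the client_id to an unregistered value and the same endpoint refuses to redirect and shows an error page instead. The triage helper flags the link on two grounds: the decoded redirect_uri host is outside the org allowlist, and the response_type is malformed. Feeding it the mail gateway’s extracted URLs is a cheap way to surface these lures before a user clicks.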
VMware Vulnerability Being Exploited in the Wild
CISA added a VMware Aria Operations vulnerability to its Known Exploited Vulnerabilities catalog on March 3, meaning attackers are already using it in real attacks. The flaw, tracked as CVE-2026-22719, is a command injection bug with a CVSS score of 8.1 that lets an unauthenticated attacker execute arbitrary commands on the appliance, which amounts to remote code execution.
VMware Aria Operations (formerly vRealize Operations) is an enterprise monitoring platform used to track the health of servers, networks, and cloud infrastructure. The vulnerability specifically affects systems during support-assisted product migration, which means organizations in the middle of migrating their Aria Operations setup are at the highest risk.
Broadcom (which now owns VMware) patched the flaw on February 24 along with two other vulnerabilities: a stored cross-site scripting bug and a privilege escalation flaw that could grant admin access. Broadcom says it has received reports of exploitation but can’t independently confirm them; CISA’s KEV listing, which requires evidence of active exploitation, removes the doubt. Federal agencies have until March 24 to patch.
If you run Aria Operations, check whether you’re on version 8.18.5 or earlier, or 9.0.1 or earlier, because those are vulnerable. Upgrade to 8.18.6 or 9.0.2. Broadcom also published a temporary workaround script if you can’t patch immediately, but don’t sit on it.
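A fleet-wide version check for the ranges above, as an added example that is not Broadcom’s tooling: it compares versions numerically rather than as strings (so 8.18.10 correctly sorts after 8.18.6) and sorts an inventory into vulnerable, fixed, and unrecognized. The fixed-version table is taken from the ranges stated in this section; the hostnames and versions in the inventory are constructed.

```python
"""Sort an Aria Operations inventory by CVE-2026-22719 exposure.
Added example; fixed versions follow the ranges stated above, inventory is constructed."""
import re

# Per the advisory summary above: 8.18.5 and earlier fixed in 8.18.6,
# 9.0.1 and earlier fixed in 9.0.2. Keyed by major version.
FIXED_VERSIONS = {8: (8, 18, 6), 9: (9, 0, 2)}

_VERSION_RE = re.compile(r"\s*(\d+(?:\.\d+)+)")


def parse_version(text):
    """Turn '8.18.5' (optionally followed by build info) into a tuple of ints.
    Tuples compare numerically, so 8.18.10 > 8.18.6, which string comparison
    gets wrong."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(part) for part in m.group(1).split("."))


def assess(version_text):
    """Return 'vulnerable', 'fixed', or 'unknown' for one reported version.
    A version with a missing patch component (e.g. '8.18') compares below the
    fixed version and is treated as vulnerable, which is the safe default."""
    v = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return "unknown"
    return "fixed" if v >= fixed else "vulnerable"


def triage_inventory(rows):
    """rows: iterable of (hostname, version_string). Returns a dict mapping
    each status to the sorted list of hostnames in it."""
    out = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, version in rows:
        out[assess(version)].append(host)
    return {k: sorted(v) for k, v in out.items()}


# Constructed inventory; hostnames are hypothetical.
INVENTORY = [
    ("aria-prod-01.example", "8.18.5"),
    ("aria-prod-02.example", "8.18.6 build 24000000"),
    ("aria-prod-03.example", "8.18.10"),
    ("aria-lab-01.example", "9.0.1"),
    ("aria-lab-02.example", "9.0.2"),
    ("aria-old-01.example", "8.12.0"),
    ("aria-test-01.example", "7.5.0"),
]

if __name__ == "__main__":
    for status, hosts in triage_inventory(INVENTORY).items():
        print("%-10s %s" % (status, ", ".join(hosts) or "-"))
```

Anything that lands in the unknown bucket (a major version the advisory ranges don’t cover) needs a human look rather than a silent pass, which is why the script keeps it separate instead of folding it into fixed.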
Anubis Ransomware Gang Breaches Paint Giant AkzoNobel
Dutch paint and coatings manufacturer AkzoNobel confirmed to BleepingComputer that hackers breached one of its U.S. sites after the Anubis ransomware gang posted stolen data on its leak site. The company, which makes brands like Dulux and Sikkens and has 35,000 employees across 150+ countries, said the incident was “contained” with “limited impact.”
Anubis claims it stole roughly 170GB of data containing about 170,000 files, including confidential client agreements, employee contact info, private emails, passport scans, and technical documents. So far only a partial leak has been posted, which usually means the ransomware group is still trying to get the company to pay up.
Anubis is worth paying attention to because it added a data wiper to its toolkit last summer that can irreversibly destroy all encrypted files on a victim’s system. That makes it one of the more aggressive ransomware operations out there, since most groups want their victims to be able to recover files (to incentivize paying the ransom). Destroying files removes that leverage but adds a whole new kind of pressure: pay us or we’ll nuke everything and publish what we already stole.
AkzoNobel hasn’t said whether it’s negotiating with the attackers. If you’re a vendor, supplier, or employee of the company, watch for targeted phishing emails using the stolen data (names, emails, passport info) and be skeptical of any unusual requests that reference real internal projects or contacts.