CVE-2026-34611

WWBN AVideo prior to version 26.0 allows CSRF on the endpoint objects/emailAllUsers.json.php, enabling a mass HTML email sent to all users without a CSRF token. The issue arises because admin sessions are valid cross-origin, given SameSite=None on cookies, allowing an attacker to lure an admin to...

Inside RedVDS: How a single virtual desktop provider fueled worldwide cybercriminal operations

Over the past year, Microsoft Threat Intelligence observed the proliferation of RedVDS, a virtual dedicated server VDS provider used by multiple financially motivated threat actors to commit business email compromise BEC, mass phishing, account takeover, and financial fraud. Microsoft’s...

When spear phishing met mass phishing

Introduction Bulk phishing email campaigns tend to target large audiences. They use catch-all wordings and simplistic formatting, and typos are not uncommon. Targeted attacks take greater effort, with attackers sending personalized messages that include personal details and might look more like...