When Your Identity Platform Becomes the Front Door: Critical Threats Facing State Government IT

Public Sector

Published on

April 6, 2026

Table of Contents

Threat Assessment Level: ELEVATED — Trending HIGH Changed from ELEVATED (stable) in the prior cycle to ELEVATED — Trending HIGH based on: (1) a second actively exploited critical vulnerability in FortiClient EMS within weeks, (2) three independent attack campaigns converging on Microsoft 365 identity flows, and (3) continued nation-state targeting of government networks by Chinese and North Korean actors. State government IT leaders face a threat environment this week that demands immediate attention on two fronts: perimeter appliance exploitation that continues to accelerate, and a fundamental shift in how attackers gain access — away from traditional network exploitation and toward abuse of legitimate cloud authentication mechanisms. This is not a theoretical warning. As of this writing, a critical Fortinet vulnerability is being exploited in the wild, a Chinese espionage group is using Microsoft's own OAuth consent flows to compromise government organizations, and a phishing-as-a-service platform has deployed over 1,000 domains targeting the device-code authentication that many state agencies rely on for shared kiosks and field devices. The common thread: your identity platform is now the perimeter, and it requires the same defensive rigor you apply to firewalls and VPN concentrators. <h2>What Changed This Week                 </h2> The past seven days brought a convergence of threats that individually would warrant attention and collectively demand coordinated action: <ul> <li>FortiClient EMS CVE-2026-35616 (CVSS 9.8) — A new critical improper access control vulnerability, confirmed actively exploited in the wild, affecting FortiClient EMS versions 7.4.5–7.4.6. This is the second critical FortiClient EMS vulnerability in recent weeks (following CVE-2026-21643, a SQL injection flaw). Unauthenticated attackers can achieve full server compromise.</li> <li>TA416 / Mustang Panda resumes government espionage — This China-linked group is actively targeting government organizations using OAuth consent phishing and the PlugX backdoor. Traditional email security controls will not catch this — the attack abuses legitimate Microsoft authentication flows.</li> <li>EvilTokens PhaaS goes live at scale; Tycoon 2FA pivots to new infrastructure — A new phishing-as-a-service platform has deployed 1,000+ domains targeting device-code and OAuth consent flows in Microsoft 365. It converts stolen tokens into Primary Refresh Tokens (PRTs), enabling persistent access that survives password resets. Separately, Tycoon 2FA operators pivoted to new proxy infrastructure following a recent takedown, demonstrating continued operational resilience.</li> <li>Ivanti EPMM exploitation expands — A new campaign (distinct from earlier activity) is exploiting CVE-2026-1281 and CVE-2026-1340 (both CVSS 9.8, both in CISA's Known Exploited Vulnerabilities catalog) against government targets.</li> <li>Three CISA ICS advisories affecting Siemens SICAM, Yokogawa CENTUM VP, and Hitachi Energy Ellipse — all systems found in state utility and facilities management environments.</li> <li>Ransomware surge against government targets — DragonForce, Akira, Qilin, and NightSpire all posted new victims within a 72-hour window (April 2–4), all groups with confirmed state and local government targeting profiles. The operational tempo shows no sign of decreasing.</li> <li>Kimsuky updates attack chain — The North Korean espionage group has refreshed its delivery chain (LNK→XML→VBS→PS1→Python backdoor) with Dropbox-based command-and-control staging, actively targeting government, construction, and telecom sectors.</li> <li>Iranian retaliatory operations active — Following a DOJ seizure of Iranian cyber infrastructure on March 19, APT42, CyberAv3ngers, MuddyWater, and Handala/Void Manticore have initiated retaliatory operations, with pre-positioning in U.S. critical infrastructure confirmed.</li> </ul> <h2>Threat Timeline                             </h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Severity </th> </tr> </thead> <tbody> <tr> <td> Mar 19, 2026 </td> <td> DOJ seizure of Iranian cyber infrastructure triggers retaliatory operations by APT42, CyberAv3ngers, MuddyWater, and Handala/Void Manticore; pre-positioning in U.S. critical infrastructure confirmed </td> <td> CRITICAL </td> </tr> <tr> <td> Apr 1–2, 2026 </td> <td> CISA adds CVE-2026-1281 (Ivanti EPMM) to Known Exploited Vulnerabilities catalog; three ICS advisories published for Siemens SICAM, Yokogawa CENTUM VP, Hitachi Energy Ellipse </td> <td> HIGH </td> </tr> <tr> <td> Apr 2–4, 2026 </td> <td> DragonForce, Akira, Qilin, and NightSpire ransomware groups all post new victims within 72-hour window — all with confirmed government targeting profiles </td> <td> HIGH </td> </tr> <tr> <td> Apr 3–4, 2026 </td> <td> TA416 (Mustang Panda) campaign targeting government organizations with OAuth phishing and PlugX reported by multiple sources </td> <td> HIGH </td> </tr> <tr> <td> Apr 4, 2026 </td> <td> Ivanti EPMM exploitation escalates to four distinct campaigns including MISTBRICK malware; Cisco SD-WAN CVE-2026-20127 (CVSS 10.0) confirmed under active government-exclusive exploitation </td> <td> CRITICAL </td> </tr> <tr> <td> Apr 5, 2026 </td> <td> Kimsuky updates attack chain with Python backdoor and Dropbox staging; Tycoon 2FA pivots to new infrastructure after takedown; DeepLoad ClickFix fileless campaign reported </td> <td> HIGH </td> </tr> <tr> <td> Apr 6, 2026 </td> <td> FortiClient EMS CVE-2026-35616 (CVSS 9.8) confirmed actively exploited in the wild; EvilTokens PhaaS platform identified with 1,000+ phishing domains targeting M365 device-code flows </td> <td> CRITICAL </td> </tr> </tbody> </table> <h2>Critical Vulnerability Alert: FortiClient EMS Under Dual Exploitation</h2> State agencies running Fortinet's FortiClient Enterprise Management Server face an unprecedented situation: two distinct critical vulnerabilities in the same product, both actively exploited, within weeks of each other. <table> <thead> <tr> <th> CVE </th> <th> CVSS </th> <th> Attack Vector </th> <th> Affected Versions </th> <th> Status </th> </tr> </thead> <tbody> <tr> <td> CVE-2026-35616 </td> <td> 9.8 </td> <td> Improper access control — unauthenticated RCE via crafted requests </td> <td> 7.4.5 – 7.4.6 </td> <td> Actively exploited </td> </tr> <tr> <td> CVE-2026-21643 </td> <td> 9.8 </td> <td> SQL injection — unauthenticated RCE </td> <td> Earlier versions </td> <td> Actively exploited </td> </tr> </tbody> </table> Two critical vulnerabilities with different root causes in the same product in rapid succession suggests systemic code quality concerns. State CISOs should not only patch immediately but begin evaluating whether FortiClient EMS remains an acceptable risk for endpoint management, or whether migration planning should begin. ATT&CK Techniques: T1190 (Exploit Public-Facing Application), T1059 (Command and Scripting Interpreter) <h2>The Identity Perimeter: Three Converging Threats to Microsoft 365</h2> The most strategically significant development this week is the convergence of three independent attack campaigns all targeting Microsoft 365 identity and authentication flows. This is not coincidence — it reflects a fundamental shift in attacker tradecraft. <h3>1. TA416 / Mustang Panda — Nation-State OAuth Espionage</h3> Actor: TA416 (aliases: Mustang Panda, RedDelta, BRONZE PRESIDENT, STATELY TAURUS) — China-linked Target: Government and diplomatic organizations Technique: OAuth consent phishing to gain initial access to M365 tenants, followed by DLL sideloading to deploy the PlugX backdoor, with Dropbox used for staging This campaign uses web-bug reconnaissance emails to identify active targets before delivering the phishing payload. Because it abuses legitimate Microsoft OAuth consent flows, traditional email filtering and URL reputation services will not detect it. ATT&CK Techniques: T1566.001/002 (Spearphishing), T1528 (Steal Application Access Token), T1574.002 (DLL Side-Loading), T1102 (Web Service — Dropbox) <h3>2. EvilTokens — Commoditized Token Theft at Scale</h3> Actor: Criminal (PhaaS operator) Scale: 1,000+ phishing domains deployed Technique: Device-code and OAuth phishing with Primary Refresh Token (PRT) conversion EvilTokens is particularly dangerous for state government because: <ul> <li>Many agencies use device-code authentication for shared kiosks, field devices, and conference room systems</li> <li>PRT theft enables persistent access that survives password resets and MFA re-enrollment</li> <li>Conditional Access policies in many state tenants do not explicitly block device-code flows</li> </ul> <h3>3. Tycoon 2FA — Resilient MFA Bypass Infrastructure</h3> Actor: Criminal (PhaaS operator) Technique: Real-time WebSocket-based MFA capture with proxy infrastructure After a recent takedown, Tycoon 2FA operators pivoted to new proxy infrastructure and ASNs, demonstrating operational resilience. The platform captures MFA tokens in real time, defeating time-based one-time passwords. ATT&CK Techniques: T1111 (Multi-Factor Authentication Interception), T1539 (Steal Web Session Cookie) The strategic implication is clear: Your Azure AD Conditional Access configuration is now your primary defensive control against initial access — not your firewall, not your email gateway. It needs the same rigor, review cadence, and change management as firewall rule sets. <h2>Nation-State Activity: What's Active and What's Notably Absent</h2> <h3>Active Campaigns Targeting Government</h3> <table> <thead> <tr> <th> Actor </th> <th> Origin </th> <th> Current Activity </th> <th> Target </th> </tr> </thead> <tbody> <tr> <td> TA416 / Mustang Panda </td> <td> China </td> <td> OAuth consent phishing + PlugX deployment </td> <td> Government, diplomatic </td> </tr> <tr> <td> Kimsuky </td> <td> North Korea (DPRK) </td> <td> Updated LNK→XML→VBS→PS1 chain delivering Python backdoor with Dropbox C2 </td> <td> Government, construction, telecom </td> </tr> <tr> <td> APT42 </td> <td> Iran (IRGC-IO) </td> <td> Retaliatory operations following DOJ infrastructure seizure </td> <td> U.S. critical infrastructure </td> </tr> <tr> <td> CyberAv3ngers </td> <td> Iran (IRGC) </td> <td> Pre-positioning in U.S. critical infrastructure </td> <td> Water, energy </td> </tr> <tr> <td> MuddyWater / Seedworm </td> <td> Iran (MOIS) </td> <td> Active operations </td> <td> Government </td> </tr> <tr> <td> APT28 / Fancy Bear </td> <td> Russia </td> <td> Active IOCs in intelligence feeds </td> <td> Government </td> </tr> <tr> <td> APT41 </td> <td> China </td> <td> Tracked activity </td> <td> Government, multiple sectors </td> </tr> </tbody> </table> <h3>Notable Absences</h3> Volt Typhoon and Salt Typhoon — the Chinese APTs previously considered the most prominent nation-state threat to U.S. government infrastructure — produced zero indicators this cycle. Combined with the emergence of TA416 diplomatic espionage activity, this may signal a strategic pivot in Chinese cyber operations from destructive pre-positioning to intelligence collection. This does not reduce the threat level — it changes what you need to detect, shifting the focus from network anomaly detection to identity and authentication monitoring. LockBit — no direct activity observed. The last Anomali ThreatStream Next-Gen update was December 2025. Law enforcement disruption appears to have lasting effects, but successor groups (DragonForce, NightSpire, Qilin) have absorbed the operational tempo. <h2>Ransomware: The SLTT Targeting Continues</h2> The ransomware threat to state and local government remains acute. Within a 72-hour window (April 2–4), DragonForce, Akira, Qilin, and NightSpire all posted new victims — all groups with confirmed government targeting profiles. State and local government continues to be viewed by ransomware operators as a high-yield, low-defense target environment. The summer of 2025 was described by multiple sources as "one of the most devastating periods for municipal cybersecurity in U.S. history," and the operational tempo has not decreased. Key ransomware-adjacent developments this cycle: <ul> <li>Yurei ransomware toolkit exposure reported in weekly threat recap</li> <li>DPRK modular malware with ransomware capabilities continues to evolve</li> <li>Phorpiex botnet continues delivering LockBit Black payloads (the primary remaining LockBit-adjacent threat)</li> </ul> <h2>ICS/OT: Advisories Affecting State Utility Infrastructure</h2> Three CISA ICS advisories published this week affect systems commonly found in state government utility and facilities management environments: <table> <thead> <tr> <th> Advisory </th> <th> Product </th> <th> Impact </th> <th> Relevance to State Gov </th> </tr> </thead> <tbody> <tr> <td> ICSA-26-092-01 </td> <td> Siemens SICAM 8 </td> <td> Denial of service in power grid protection/automation </td> <td> State utility partners </td> </tr> <tr> <td> ICSA-26-092-02 </td> <td> Yokogawa CENTUM VP </td> <td> Unauthorized login and permission modification in DCS </td> <td> Water treatment, power generation </td> </tr> <tr> <td> ICSA-26-092-03 </td> <td> Hitachi Energy Ellipse </td> <td> Jasper Report vulnerability in enterprise asset management </td> <td> Utility maintenance management </td> </tr> </tbody> </table> Intelligence reporting also notes that thousands of internet-exposed ICS/OT devices are being actively scanned. State agencies with OT environments — particularly water/wastewater utilities and building management systems — should verify that no ICS devices are directly internet-accessible. <h2>Predictive Analysis: What Comes Next</h2> <table> <thead> <tr> <th> Prediction </th> <th> Probability </th> <th> Basis </th> </tr> </thead> <tbody> <tr> <td> Additional exploitation of FortiClient EMS CVE-2026-35616 as PoC code circulates; CISA KEV addition within 48 hours </td> <td> HIGH (>75%) </td> <td> Active exploitation confirmed; vendor advisory published; pattern matches prior CVE-2026-21643 trajectory </td> </tr> <tr> <td> TA416 / Mustang Panda campaign expands beyond European targets to include U.S. state/local government </td> <td> MODERATE (50–75%) </td> <td> Historical Mustang Panda targeting patterns include U.S. government; OAuth technique is geography-agnostic </td> </tr> <tr> <td> EvilTokens or Tycoon 2FA infrastructure used in credential theft campaign specifically targeting government M365 tenants during spring tax season </td> <td> MODERATE (50–75%) </td> <td> Tax season phishing historically peaks in April; PhaaS platforms lower the barrier to targeted campaigns </td> </tr> <tr> <td> Ransomware group posts a U.S. state or local government victim within 14 days </td> <td> HIGH (>75%) </td> <td> Four groups posted victims in 72-hour window; SLTT targeting profile confirmed across all four </td> </tr> <tr> <td> Iranian retaliatory cyber operations escalate following DOJ infrastructure seizure </td> <td> MODERATE (50–75%) </td> <td> Historical pattern of escalation following law enforcement action; multiple IRGC-affiliated groups already active </td> </tr> </tbody> </table> <h2>SOC Operational Guidance               </h2> <h3>Detection Priorities</h3> <ol> <li> Microsoft 365 OAuth and Device-Code Abuse (CRITICAL)</li> </ol> <ul> <li>ATT&CK: T1528 (Steal Application Access Token), T1539 (Steal Web Session Cookie), T1078.004 (Valid Accounts: Cloud)</li> <li>Hunt Hypothesis: Adversaries are using OAuth consent phishing and device-code flows to obtain persistent access tokens to state M365 tenants. Look for anomalous consent grants and device-code authentications from unexpected locations.</li> <li>What to Monitor:</li> </ul> <ul> <li>M365 Unified Audit Log: Operation: Consent to application — alert on any new OAuth consent grants, especially from non-admin users</li> <li>Azure AD Sign-in Logs: filter for authenticationProtocol: deviceCode — baseline normal device-code usage and alert on deviations</li> <li>Azure AD Audit Logs: new Service Principal creation or credential additions (T1098.001)</li> <li>Impossible travel or anomalous location for token-based authentications</li> </ul> <ul> <li>Detection Rule: Alert when Consent to application is followed by Add service principal credentials within 24 hours from the same user or IP</li> </ul> <ol start="2"> <li> FortiClient EMS Exploitation (CRITICAL)</li> </ol> <ul> <li>ATT&CK: T1190 (Exploit Public-Facing Application), T1059 (Command and Scripting Interpreter)</li> <li>Hunt Hypothesis: Attackers are sending crafted requests to FortiClient EMS servers to achieve unauthenticated code execution. Compromised EMS servers may be used as pivot points into the managed endpoint fleet.</li> <li>What to Monitor:</li> </ul> <ul> <li>FortiClient EMS server access logs for anomalous or malformed HTTP requests</li> <li>Unexpected child processes spawned by EMS service processes</li> <li>Outbound connections from EMS servers to unknown external IPs</li> <li>Any new scheduled tasks or services created on EMS servers</li> </ul> <ol start="3"> <li> PlugX / DLL Sideloading (HIGH)</li> </ol> <ul> <li>ATT&CK: T1574.002 (DLL Side-Loading), T1204.002 (Malicious File)</li> <li>Hunt Hypothesis: TA416 delivers PlugX via legitimate executables that sideload malicious DLLs from ZIP/LNK delivery chains.</li> <li>What to Monitor:</li> </ul> <ul> <li>Execution of LNK files extracted from ZIP archives (especially from email)</li> <li>Known-good executables loading DLLs from unusual paths (e.g., %TEMP%, %APPDATA%)</li> <li>Outbound HTTPS connections to Dropbox API endpoints from non-browser processes</li> <li>Sysmon Event ID 7 (Image Loaded) for DLLs loaded from user-writable directories by signed executables</li> </ul> <ol start="4"> <li> PowerShell and Fileless Execution Chains (HIGH)</li> </ol> <ul> <li>ATT&CK: T1059.001 (PowerShell), T1059.006 (Python), T1047 (WMI), T1055 (Process Injection)</li> <li>Hunt Hypothesis: Kimsuky's updated chain (LNK→XML→VBS→PS1→Python) and DeepLoad ClickFix both rely on PowerShell for initial execution and in-memory payload delivery.</li> <li>What to Monitor:</li> </ul> <ul> <li>PowerShell Script Block Logging (Event ID 4104) for encoded commands, Invoke-Expression, DownloadString, and Base64 patterns</li> <li>WMI event subscriptions (T1546.003) for persistence</li> <li>Python process execution from non-standard paths</li> <li>USB device insertion events correlated with subsequent script execution (DeepLoad uses USB persistence via T1091)</li> </ul> <ol start="5"> <li> Ivanti EPMM Exploitation (HIGH)</li> </ol> <ul> <li>ATT&CK: T1190 (Exploit Public-Facing Application)</li> <li>What to Monitor:</li> </ul> <ul> <li>Ivanti EPMM server logs for unauthenticated API calls or code injection patterns</li> <li>Unexpected outbound connections from EPMM servers</li> <li>New mobile device enrollments or policy changes not initiated by administrators</li> </ul> <h2>Sector-Specific Defensive Priorities</h2> <h3>Government (State and Local Agencies)</h3> Primary threats: TA416 OAuth espionage, EvilTokens credential theft, ransomware (Qilin, DragonForce, Akira, NightSpire), Kimsuky espionage <ul> <li>Audit all Azure AD Conditional Access policies — specifically verify that device-code authentication is blocked for all users except those with documented operational need</li> <li>Review OAuth consent settings: set User consent for applications to "Do not allow user consent" or restrict to verified publishers only</li> <li>Ensure all citizen-facing portals (tax, DMV, benefits) have WAF protections and are not running vulnerable Ivanti or Fortinet components</li> <li>Conduct tabletop exercise for ransomware scenario targeting a citizen services agency during peak tax season</li> </ul> <h3>Financial Services</h3> Primary threats: Ivanti EPMM exploitation (financial services explicitly listed as target), EvilTokens token theft, Tycoon 2FA MFA bypass <ul> <li>Verify Ivanti EPMM patching against CVE-2026-1281 and CVE-2026-1340 — financial services is an explicitly named target in the latest campaign</li> <li>Implement continuous access evaluation (CAE) for all financial transaction systems accessed via M365 authentication</li> <li>Monitor for anomalous API token usage patterns that could indicate PRT theft</li> </ul> <h3>Energy and Utilities</h3> Primary threats: Iranian APT pre-positioning (CyberAv3ngers, APT42), ICS/OT vulnerabilities (Siemens SICAM, Yokogawa CENTUM VP, Hitachi Ellipse), Volt Typhoon residual risk <ul> <li>Immediately assess exposure to ICSA-26-092-01 (Siemens SICAM), ICSA-26-092-02 (Yokogawa CENTUM VP), and ICSA-26-092-03 (Hitachi Energy Ellipse)</li> <li>Verify network segmentation between IT and OT environments — no ICS/SCADA devices should be directly internet-accessible</li> <li>Review access controls on CENTUM VP systems — the Yokogawa advisory specifically addresses unauthorized PROG user login</li> <li>Increase monitoring for Iranian APT indicators given confirmed retaliatory operations following DOJ infrastructure seizure</li> </ul> <h3>Healthcare</h3> Primary threats: Ransomware (all four active groups target healthcare adjacently), credential theft via EvilTokens/Tycoon 2FA, supply chain compromise <ul> <li>Healthcare agencies managing Medicaid and public health data should prioritize M365 Conditional Access hardening — stolen tokens provide access to protected health information</li> <li>Ensure backup and recovery procedures are tested for ransomware scenarios — healthcare data is high-value for both encryption and exfiltration</li> <li>Monitor for PowerShell-based fileless attacks (Kimsuky, DeepLoad) targeting clinical and administrative workstations</li> </ul> <h3>Aviation and Logistics</h3> Primary threats: TA416/Mustang Panda (transportation explicitly listed in Ivanti campaign targeting), supply chain compromise, nation-state espionage <ul> <li>Transportation agencies are explicitly named targets in the latest Ivanti EPMM exploitation campaign — verify patching status immediately</li> <li>Monitor for PlugX indicators and DLL sideloading patterns, particularly on systems handling logistics and supply chain data</li> <li>Review third-party vendor access to transportation management systems for supply chain risk</li> </ul> <h2>Prioritized Defense Recommendations</h2> <h3>IMMEDIATE (Within 24 Hours)</h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> CRITICAL </td> <td> IT Operations </td> <td> Patch FortiClient EMS against CVE-2026-35616 on ALL instances running versions 7.4.5–7.4.6. Review EMS server logs for anomalous requests since April 1 to determine if exploitation has already occurred. </td> </tr> <tr> <td> CRITICAL </td> <td> IT Operations </td> <td> Confirm Ivanti EPMM patching against CVE-2026-1281 and CVE-2026-1340 (both CVSS 9.8, CISA KEV). A new campaign is actively exploiting these against government networks. </td> </tr> <tr> <td> CRITICAL </td> <td> SOC / Identity Team </td> <td> Block device-code authentication in Azure AD Conditional Access policies unless explicitly required for documented use cases. Audit existing device-code grants for anomalous registrations. </td> </tr> <tr> <td> HIGH </td> <td> SOC </td> <td> Enable alerting on M365 Unified Audit Log for Consent to application events and Azure AD sign-in logs for deviceCode authentication protocol. </td> </tr> </tbody> </table> <h3>7-DAY Actions</h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> HIGH </td> <td> SOC / Identity Team </td> <td> Audit Azure AD Service Principals for Global Administrator or Privileged Role Administrator role assignments. Cross-reference with Application Administrator assignments to identify privilege escalation paths. Remove unnecessary high-privilege assignments. </td> </tr> <tr> <td> HIGH </td> <td> SOC </td> <td> Deploy TA416/Mustang Panda detection rules: OAuth consent grant monitoring, LNK-from-ZIP execution alerts, DLL sideloading detection (signed executables loading DLLs from user-writable directories), and Dropbox API connections from non-browser processes. </td> </tr> <tr> <td> HIGH </td> <td> IT Operations / OT </td> <td> Coordinate with utility partners to verify patching for Siemens SICAM 8 (ICSA-26-092-01), Yokogawa CENTUM VP (ICSA-26-092-02), and Hitachi Energy Ellipse (ICSA-26-092-03). Confirm no ICS/OT devices are internet-exposed. </td> </tr> <tr> <td> MODERATE </td> <td> SOC </td> <td> Implement PowerShell Script Block Logging (Event ID 4104) and monitor for Kimsuky attack chain indicators: encoded PowerShell, Python execution from non-standard paths, and WMI persistence. </td> </tr> </tbody> </table> <h3>30-DAY Actions</h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> HIGH </td> <td> CISO / Identity Team </td> <td> Commission comprehensive M365 Conditional Access review addressing EvilTokens, Tycoon 2FA, and TA416 OAuth abuse vectors. Evaluate: device-code flow restrictions, token lifetime policies, continuous access evaluation (CAE) enforcement, and user consent settings for applications. </td> </tr> <tr> <td> HIGH </td> <td> IT Operations </td> <td> Deploy PowerShell Constrained Language Mode across all endpoints to limit fileless attack chains (Kimsuky PS1 chains, DeepLoad ClickFix, and similar). </td> </tr> <tr> <td> MODERATE </td> <td> CISO </td> <td> Evaluate FortiClient EMS risk posture. Two critical vulnerabilities with different root causes in rapid succession warrants a formal risk assessment of continued use versus migration to an alternative endpoint management platform. </td> </tr> <tr> <td> MODERATE </td> <td> CISO / IR Team </td> <td> Conduct ransomware tabletop exercise simulating a Qilin or DragonForce attack against a citizen-facing agency during peak service demand. Test backup restoration, communication plans, and decision authority for ransom payment. </td> </tr> </tbody> </table> <h2>The Bottom Line                           </h2> This week's intelligence paints a picture of a threat environment that is shifting beneath our feet. The traditional security model — patch the firewall, filter the email, monitor the network — is necessary but no longer sufficient. When nation-state actors like TA416 and commoditized platforms like EvilTokens are both targeting the same Microsoft authentication flows that every state agency depends on, your identity infrastructure IS your security perimeter. The four critical CVEs demanding immediate patching (CVE-2026-35616, CVE-2026-21643, CVE-2026-1281, CVE-2026-1340) are urgent. But the strategic action that will determine your security posture for the next quarter is the Azure AD Conditional Access review. Device-code flows, OAuth consent grants, and token lifetime policies are the controls that stand between your agency's data and the adversaries described in this report. Patch today. Review your identity controls this week. Plan your architecture decisions this month. The adversaries are not waiting.

FEATURED RESOURCES

April 6, 2026

Anomali Cyber Watch

Iran’s Cyber War Machine Doesn’t Need the Internet to Attack You

April 6, 2026

Public Sector

Anomali Cyber Watch

When Your Identity Platform Becomes the Front Door: Critical Threats Facing State Government IT

April 3, 2026

Anomali Cyber Watch

Iran’s IRGC Names Western Tech Giants as “Legitimate Targets”: What CISOs Must Do Now

Explore All