Zoho A.I CyberSecurity Scoring
Zoho
Company Information
Website: https://www.zoho.com/
Employees number: 29,976
Number of followers: 2,510,974
NAICS: 5112
Industry Type: Software Development
Homepage: zoho.com
Zoho Risk Score (AI oriented): between 750 and 799
Updated: 18/06/2026
Current Score: 788/1000, Fair (Baa)
Zoho Global Score (TPRM): score locked
4 incidents
-10 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 791
Vulnerability
18 Jun 2026 • Zoho
Gravity SMTP, Mailjet, Zoho, Amazon SES and Resend: Hackers Exploit WordPress SMTP Plugin With 100,000+ Installs to Steal Sensitive Data
Critical Gravity SMTP WordPress Plugin Flaw Exploited in Mass Attacks
788
CRITICAL-3
RESZOHSMTMAIGRA1781785979
Threat actors are actively exploiting a critical security vulnerability in the Gravity SMTP WordPress plugin, tracked as CVE-2026-4020 (CVSS 5.3), to extract sensitive configuration data from over 100,000 websites. The flaw, affecting all versions up to and including 2.1.4, stems from an improperly secured REST API endpoint (`/wp-json/gravitysmtp/v1/tests/mock-data`) that lacks authentication checks.
Unauthenticated attackers can retrieve a 365 KB JSON system report by appending the query parameter `?page=gravitysmtp-settings`, exposing details such as PHP versions, active plugins, database configurations, and API credentials for third-party email services including Amazon SES, Google, Mailjet, Zoho, and Resend. Compromised OAuth tokens and API keys enable attackers to hijack email functionality, impersonate domains, or conduct further reconnaissance-driven attacks.
The vulnerability was responsibly disclosed on March 30, 2026, after the vendor released a patched version (2.1.5) on March 17, 2026. Despite its moderate CVSS score, exploitation has surged, with Wordfence blocking over 17 million attack attempts. The most intense activity occurred between June 7–11, 2026, peaking at 4 million blocked requests on June 7 alone. The attack requires only a single unauthenticated HTTP GET request, making it trivial to exploit at scale.
Wordfence deployed firewall protections for premium users on May 5, 2026, and extended coverage to free users on June 4, 2026, after observing real-world exploitation exceeding initial severity assessments. Key indicators of compromise (IOCs) include the targeted endpoint (`/wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings`) and multiple malicious IP addresses, such as 45.148.10.95 (linked to over 642,000 blocked attempts).
Since the flaw does not modify files or inject payloads, evidence of compromise may only appear in web server access logs. Administrators are advised to update to Gravity SMTP 2.1.5 or later and rotate exposed API keys and OAuth tokens immediately. The incident highlights how low-severity vulnerabilities can escalate into high-impact threats when sensitive data is exposed on widely used platforms like WordPress.
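Because the summary above notes that this flaw leaves no file changes and is visible only in web server access logs, the following added example (not code from the page, Wordfence, or the plugin vendor) shows how a defender could sweep access logs for the published IOC endpoint. The log lines are constructed for the example; the request path, query parameter and the 365 KB report size come from the summary, and the byte threshold used to separate blocked probes from responses that actually returned the report is an assumption.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in Apache/nginx "combined" format; not real traffic.
# The first source address is the IOC listed in the incident summary.
SAMPLE_LOG = """\
45.148.10.95 - - [07/Jun/2026:10:01:02 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373760 "-" "Mozilla/5.0"
45.148.10.95 - - [07/Jun/2026:10:01:05 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373760 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Jun/2026:10:02:11 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 403 199 "-" "python-requests/2.31"
203.0.113.9 - - [07/Jun/2026:10:03:40 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 8421 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Jun/2026:10:04:02 +0000] "GET /wp-admin/admin.php?page=gravitysmtp-settings HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

IOC_PATH = "/wp-json/gravitysmtp/v1/tests/mock-data"
IOC_PARAM = ("page", "gravitysmtp-settings")
# The exposed system report is about 365 KB. A 2xx response with a body of roughly
# that size means the data actually left the server; a 4xx was a blocked probe.
# The threshold itself is an assumption for this example.
LARGE_BODY = 200_000


def parse_line(line):
    """Parse one combined-format access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlparse(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def is_ioc_request(rec):
    """True when the request hits the unauthenticated mock-data endpoint with the settings page parameter."""
    key, value = IOC_PARAM
    return rec["path"].rstrip("/") == IOC_PATH and value in rec["query"].get(key, [])


def analyze(log_text):
    """Return (hits_per_ip, likely_exposures) for the Gravity SMTP IOC.

    hits_per_ip counts every request to the IOC endpoint per source address;
    likely_exposures lists (ip, timestamp, bytes) for requests that were served
    successfully with a large body, i.e. where the report was most likely disclosed.
    """
    hits = Counter()
    exposures = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_ioc_request(rec):
            continue
        hits[rec["ip"]] += 1
        if 200 <= rec["status"] < 300 and rec["bytes"] >= LARGE_BODY:
            exposures.append((rec["ip"], rec["ts"], rec["bytes"]))
    return hits, exposures


if __name__ == "__main__":
    hits, exposures = analyze(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print(f"{ip}: {n} request(s) to IOC endpoint")
    for ip, ts, size in exposures:
        print(f"LIKELY EXPOSURE {ts} from {ip}: {size} bytes returned; rotate SMTP/API credentials")
```

Any entry in the exposures list means the site should be treated as compromised in the sense the summary describes: update the plugin, then rotate every third-party mail credential and OAuth token stored in its settings, since those were in the returned report.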
MAY 2026: 791
APRIL 2026: 790
MARCH 2026: 790
FEBRUARY 2026: 789
JANUARY 2026: 788
DECEMBER 2025: 800
Cyber Attack
01 Dec 2025 • Zoho
Wondershare and Zoho: APT37 Uses Facebook, Telegram, and Trojanized Installer in New Targeted Cyberattack
APT37 Leverages Facebook, Telegram, and Tampered PDFelement Installer in Targeted Cyber Espionage Campaign
786
CRITICAL-14
ZOHWON1776076134
North Korea-linked threat group APT37 has launched a sophisticated cyber espionage campaign, abusing Facebook, Telegram, and a trojanized Wondershare PDFelement installer to infiltrate defense-related targets and exfiltrate sensitive data. The operation demonstrates the group’s evolving social engineering tactics and evasion techniques, bypassing traditional signature-based defenses.
### Attack Flow and Tactics
The campaign begins with Facebook friend requests from two accounts impersonating individuals in Pyongyang and Pyeongtaek, North Korea, used to identify and vet targets. After establishing trust via one-on-one Messenger chats, the attackers shift conversations to Telegram, claiming to share encrypted military documents that require a "dedicated PDF viewer."
Victims receive a password-protected ZIP file (e.g., m.zip) containing:
- A fake PDF viewer executable (a modified Wondershare PDFelement installer)
- Military-themed decoy PDFs
- A Korean-language instructions file with North Korean spelling variations (e.g., "콤퓨터," "프로그람")
The tampered installer, named Wondershare_PDFelement_Installer(PDF_Security).exe, mimics the legitimate version but lacks a valid Wondershare digital signature, which serves as a key indicator of compromise (IoC). While the installer appears functional, its entry point has been hijacked: shellcode injected into a code cave redirects execution to malicious routines before resuming normal installation.
### Malicious Execution Chain
1. Shellcode Execution: The injected code resolves APIs via PEB-based hash routines, launches dism.exe in a suspended state, and injects a decrypted payload into its memory using VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread.
2. C2 Communication: The shellcode retrieves a second-stage payload from a Japanese real estate website (disguised as a .jpg file). The response is XOR-encrypted and requires two decryption passes: the first validates the payload by checking for a standard x86 function prologue (55 8B), and the second reconstructs a PE image in memory whose MZ/PE headers had been stripped.
3. RokRAT Backdoor Deployment: The final payload, resembling APT37’s RokRAT malware, conducts system reconnaissance, captures screenshots, and exfiltrates files (DOC, XLS, PDF, HWP, M4A, AMR). It abuses Zoho WorkDrive’s OAuth2 APIs for command-and-control (C2), blending with legitimate traffic using hardcoded client IDs, secrets, and refresh tokens.
### Attribution and Evasion Techniques
The campaign aligns with APT37’s known tradecraft, including:
- North Korean-language decoys and spelling patterns
- Abuse of Zoho WorkDrive for C2 (previously observed in 2025)
- Fileless execution and multi-stage XOR encryption
- Process injection into signed binaries (dism.exe) to evade detection
The group’s tactics (tampered installers, cloud-based C2, and image-disguised payloads) highlight the limitations of signature-based defenses and emphasize the need for behavior-based EDR that monitors parent-child process chains, unsigned binaries, and anomalous dism.exe activity.
The operation underscores APT37’s continued focus on defense and military targets, leveraging social engineering, legitimate platforms, and stealthy malware delivery to maintain persistence and exfiltrate sensitive data.
NOVEMBER 2025: 800
OCTOBER 2025: 812
Cyber Attack
01 Oct 2025 • Zoho
Zoho: Hackers Exploit Hidden Microsoft 365 Mailbox Rules to Steal Sensitive Business Emails
Cybercriminals Exploit Microsoft 365 Mailbox Rules for Stealthy Email Theft and Fraud
799
CRITICAL-13
ZOH1776249079
Attackers are increasingly leveraging Microsoft 365 mailbox rules to silently exfiltrate emails, suppress security alerts, and maintain persistent access in business email compromise (BEC) campaigns targeting enterprises worldwide. Unlike traditional malware-based attacks, this tactic abuses legitimate Outlook features such as auto-forwarding and message filtering to operate undetected.
After gaining initial access via phishing, password spraying, or compromised OAuth tokens, threat actors create malicious mailbox rules to manipulate email flow. These rules automatically delete, forward, or redirect messages to hidden folders like Archive or RSS Subscriptions, allowing attackers to intercept financial communications, block security warnings, or hijack transaction threads without raising suspicion. Victims remain unaware as their inboxes are silently filtered in the background.
Security telemetry from Q4 2025 revealed that 10% of compromised Microsoft 365 accounts had malicious mailbox rules created within seconds of a breach, with some deployed in as little as five seconds. Attackers often disguise these rules with innocuous names (e.g., “.”, “..”, or “;”), reflecting automation and confidence that administrators won’t inspect them. Even after password resets, these rules persist unless manually removed, enabling prolonged data theft or fraud.
In one case, attackers set up a rule to move emails containing “Payment Receipt” to a hidden folder, then used the same subject line in a phishing campaign to divert verification messages (including those from Zoho) into an RSS Subscriptions folder. This allowed them to hijack a vendor payment thread, redirecting funds to attacker-controlled accounts without maintaining access to the original mailbox.
The tactic has been automated at scale, with tools like ATOLS enabling attackers to deploy malicious rules across multiple accounts in seconds using stolen session tokens or PowerShell scripts. Researchers demonstrated how attackers could exploit Microsoft Graph to create rules immediately upon login, bypassing the need for credentials once tokens are compromised.
To mitigate risks, Microsoft 365 administrators are advised to disable external auto-forwarding, enforce multi-factor authentication (MFA) and conditional access policies, and monitor new mailbox rules and OAuth consent changes, particularly those with mail-read or mail-write permissions. Without proactive audits, these seemingly harmless productivity tools can serve as invisible backdoors for BEC and espionage.
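The summary above lists the traits of the malicious rules (punctuation-only names such as “.”, “..” or “;”, moves into Archive or RSS Subscriptions, forwarding or deletion, financial subject keywords, and creation within seconds of a sign-in). The added example below, which is not code from the page or from any of the researchers it cites, turns those traits into a triage pass over an exported rule set. The export shape loosely follows Microsoft Graph's messageRule fields but uses folder names instead of folder IDs and adds a user and creation timestamp; that shape, the sample rules, the sign-in times, the tenant domain example.com and the ten-minute correlation window are all constructed assumptions for the example.

```python
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.com"          # assumed tenant domain (hypothetical)
HIDDEN_FOLDERS = {"rss subscriptions", "archive", "deleted items",
                  "junk email", "conversation history"}
FINANCIAL_KEYWORDS = ("payment", "receipt", "invoice", "wire")
RULE_CREATION_WINDOW = timedelta(minutes=10)   # tuning assumption for sign-in correlation

# Constructed sample export. Field names loosely follow Graph's messageRule
# (displayName, conditions, actions) with folder names instead of IDs plus
# "user" and "createdDateTime" for correlation. Not real tenant data.
SAMPLE_RULES = [
    {"user": "cfo@example.com", "displayName": ".",
     "createdDateTime": "2025-10-01T09:15:08Z",
     "conditions": {"subjectContains": ["Payment Receipt"]},
     "actions": {"moveToFolder": "RSS Subscriptions", "markAsRead": True}},
    {"user": "cfo@example.com", "displayName": "Vendor invoices",
     "createdDateTime": "2025-06-12T14:02:00Z",
     "conditions": {"fromAddresses": ["billing@vendor.example"]},
     "actions": {"moveToFolder": "Invoices"}},
    {"user": "ap@example.com", "displayName": ";",
     "createdDateTime": "2025-10-01T09:15:05Z",
     "conditions": {"bodyContains": ["invoice", "wire"]},
     "actions": {"forwardTo": ["collector@external.example"], "delete": True}},
]

# Constructed: most recent sign-in from a new device or risky location, per user.
SAMPLE_SIGNINS = {
    "cfo@example.com": "2025-10-01T09:15:03Z",
    "ap@example.com": "2025-10-01T09:15:00Z",
}


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def triage_rule(rule, signins):
    """Return a list of human-readable findings for one mailbox rule (empty means benign)."""
    findings = []

    # Names of one or two characters or made only of punctuation are the disguise described above.
    name = rule.get("displayName", "").strip()
    if len(name) <= 2 or not any(ch.isalnum() for ch in name):
        findings.append("suspicious name")

    actions = rule.get("actions", {})
    folder = actions.get("moveToFolder", "")
    if folder.lower() in HIDDEN_FOLDERS:
        findings.append(f"moves mail to hidden folder '{folder}'")
    for rcpt in actions.get("forwardTo", []):
        if not rcpt.lower().endswith("@" + INTERNAL_DOMAIN):
            findings.append(f"forwards externally to {rcpt}")
    if actions.get("delete"):
        findings.append("deletes matching mail")

    cond = rule.get("conditions", {})
    texts = cond.get("subjectContains", []) + cond.get("bodyContains", [])
    if any(kw in t.lower() for t in texts for kw in FINANCIAL_KEYWORDS):
        findings.append("targets financial keywords")

    # A rule created moments after a sign-in is the automation signature described above.
    signin = signins.get(rule["user"])
    if signin:
        delta = _ts(rule["createdDateTime"]) - _ts(signin)
        if timedelta(0) <= delta <= RULE_CREATION_WINDOW:
            findings.append(f"created {int(delta.total_seconds())}s after sign-in")
    return findings


def triage(rules, signins):
    """Map (user, rule name) to its findings for every rule in the export."""
    return {(r["user"], r["displayName"]): triage_rule(r, signins) for r in rules}


if __name__ == "__main__":
    for (user, name), findings in triage(SAMPLE_RULES, SAMPLE_SIGNINS).items():
        status = "REVIEW" if findings else "ok"
        print(f"{status:6} {user} rule {name!r}: {'; '.join(findings) or 'no findings'}")
```

In practice the rule export would come from Exchange Online or Graph and the sign-in times from the tenant's audit log; the triage logic stays the same, and any rule with findings should be reviewed and removed even after a password reset, since the summary notes the rules survive one.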
SEPTEMBER 2025: 812
AUGUST 2025: 812
JULY 2025: 812
MARCH 2025: 812
Vulnerability
01 Mar 2025 • Zoho
Zoho
Zoho ADSelfService Plus Authentication Bypass Vulnerability
811
CRITICAL-1
ZOH411030525
Zoho patched a high-severity vulnerability in its ADSelfService Plus software, resulting in potential risks before remediation. The flaw allowed attackers to bypass authentication, accessing sensitive enrollment data for password management and single sign-on services. This could have led to account takeovers and weakened organizational security. Zoho addressed the issue promptly with a software update, urging users to apply the patch. Although the flaw had a CVSSv3.1 score of 8.1, there were no customer data breaches reported. This incident highlights the importance of maintaining rigorous security measures, such as multi-factor authentication, to safeguard against identity management system compromises.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for Zoho?
What was Zoho's A.I Rankiteo Cyber Score in May 2026?
What was Zoho's A.I Rankiteo Cyber Score in April 2026?
What was Zoho's A.I Rankiteo Cyber Score in March 2026?
What was Zoho's A.I Rankiteo Cyber Score in February 2026?
What was Zoho's A.I Rankiteo Cyber Score in January 2026?
What was Zoho's A.I Rankiteo Cyber Score in December 2025?
What was Zoho's A.I Rankiteo Cyber Score in November 2025?
What was Zoho's A.I Rankiteo Cyber Score in October 2025?
What was Zoho's A.I Rankiteo Cyber Score in September 2025?
What was Zoho's A.I Rankiteo Cyber Score in August 2025?
What was Zoho's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on Zoho's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Zoho?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Zoho's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?