Firm Breach + Active Threats

- A cybersecurity firm reported a breach that exposed client data, according to security posts this week. (x.com)
- Threat feeds also flagged Black Basta ransomware hitting executives and widespread ClickFix phishing campaigns across sectors. (x.com)
- Active exploits include Acrobat Reader flaws and cross‑tenant helpdesk impersonation, increasing incident‑response urgency. (x.com) (x.com)

A breach at a security company is colliding with a surge in live attack campaigns, leaving incident-response teams to handle vendor risk and active intrusions at the same time. (securityweek.com)

Aura, a consumer cybersecurity company based in Burlington, Massachusetts, said on March 19 that attackers got into an employee account through a phone-phishing call and accessed about 900,000 records for roughly one hour. Aura said most of the exposed data came from a marketing tool tied to a 2021 acquisition, and about 35,000 current and former customers had names, addresses, phone numbers, or email addresses exposed. (securityweek.com)

At the same time, Microsoft said on April 18 that attackers are using external Microsoft Teams chats to impersonate internal help-desk staff and persuade employees to grant remote access through Quick Assist or similar tools. Microsoft said the intrusions then move with built-in administration tools such as Windows Remote Management and commercial remote-management software, and in some cases use Rclone to stage data for theft. (microsoft.com)

That tactic overlaps with a new ReliaQuest report published April 14 on former Black Basta affiliates. ReliaQuest said 77% of the incidents it observed in March 2026 targeted senior leaders, up from 59% in January and February, and said 56% of its Teams-phishing observations since the group’s decline happened in 2026 alone. (reliaquest.com)

Black Basta is a ransomware-for-hire operation first identified in April 2022, and a joint Federal Bureau of Investigation and Cybersecurity and Infrastructure Security Agency advisory said the group had hit more than 500 organizations globally as of May 2024. The same advisory said Black Basta affiliates had affected at least 12 of 16 U.S. critical-infrastructure sectors. (cisa.gov)

Another pressure point is ClickFix, a social-engineering trick that tells users to “fix” a fake problem by running commands or clicking through a staged prompt. Microsoft said in August 2025 that ClickFix campaigns were targeting thousands of enterprise and consumer devices globally every day, and Palo Alto Networks said attackers use the lure to get victims to launch malicious commands that bypass normal email-based defenses. (microsoft.com) (unit42.paloaltonetworks.com)

Software patching is also in the mix. Adobe said on April 11 that CVE-2026-34621, a critical Acrobat and Reader flaw, was being exploited in the wild, and the affected versions included Acrobat and Reader DC 26.001.21367 and earlier on Windows and macOS. (helpx.adobe.com) Adobe’s bulletin said the bug could lead to arbitrary code execution and pushed users to version 26.001.21411 on the continuous track, while Adobe 2024 Classic moved to 24.001.30362 on Windows and 24.001.30360 on Mac. Adobe revised the vulnerability’s severity details on April 12, changing the attack vector in its CVSS entry while keeping the issue classified as critical. (helpx.adobe.com)

The through line is that attackers are leaning on ordinary business tools — phones, Teams chats, remote-support software, cloud storage, and PDF readers — instead of custom malware alone. Microsoft and CISA both told defenders to tighten remote-access controls, require phishing-resistant multifactor authentication where possible, and verify help-desk requests outside the original channel before granting access. (microsoft.com) (cisa.gov)

For security teams, that means April’s workload is not one story but several at once: third-party exposure, executive-targeted social engineering, live Teams impersonation, and an actively exploited Adobe flaw. The immediate job is narrower than the threat list — patch the software, lock down remote support, and assume the next “help desk” message may be the intrusion. (helpx.adobe.com) (microsoft.com)
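The Adobe fixed builds cited above can be turned into an inventory check for the "patch the software" step; this is an added example, not code from Adobe or from the original briefing. The inventory layout, the track labels and the host names are assumptions, and any build below the fixed build for its track and platform is treated as needing the update.

```python
# Added example: flag Acrobat/Reader installs below the fixed builds named
# in the briefing. Fixed builds come from the text; the track labels and
# inventory rows are assumptions made for illustration.
FIXED = {
    ("continuous", "windows"): (26, 1, 21411),
    ("continuous", "macos"): (26, 1, 21411),
    ("classic2024", "windows"): (24, 1, 30362),
    ("classic2024", "macos"): (24, 1, 30360),
}


def parse_version(text):
    """Turn '26.001.21367' into (26, 1, 21367); raise ValueError on junk."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(platform, track, version_text):
    """Return 'patched', 'update-required' or 'review' for one install."""
    fixed = FIXED.get((track.lower(), platform.lower()))
    if fixed is None:
        return "review"  # unknown track or platform: do not guess
    try:
        version = parse_version(version_text)
    except ValueError:
        return "review"  # unreadable version: a human should look
    return "patched" if version >= fixed else "update-required"


def triage(inventory):
    """Map host -> status for every (host, platform, track, version) row."""
    return {host: assess(plat, track, ver) for host, plat, track, ver in inventory}


# Constructed inventory rows (host names are made up).
SAMPLE = [
    ("fin-lt-01", "Windows", "continuous", "26.001.21367"),
    ("fin-lt-02", "Windows", "continuous", "26.001.21411"),
    ("mkt-mb-07", "macOS", "classic2024", "24.001.30360"),
    ("hr-lt-03", "Windows", "classic2024", "24.001.30360"),
    ("ops-lt-09", "Windows", "continuous", "unknown"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

The same Classic 2024 build number is patched on macOS but not on Windows, which is why the platform is part of the lookup key.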

Shared from Scout - Be the smartest in the room.