“bypass vulnerability, is present in the web interface due to an improperly configured system process, enabling an unauthenticated, remote attacker to bypass authentication and execute script files, thereby obtaining root access to the underlying operating system, by sending craft…”
T1566.002 Spearphishing Link
93%
“##s) platform, enabling campaigns that generated tens of millions of phishing messages monthly, impacting over 500,000 organizations across various sectors. operated by the threat actor storm-1747, this kit provided adversary-in-the-middle (aitm) capabilities, allowin…”
T1566.002 Spearphishing Link
87%
“chains involving legitimate services like azure blob storage and firebase. phishing emails typically contained malicious attachments (pdf, docx, svg, html) or redirect links, often leveraging compromised accounts. captured credentials and session tokens were exfiltrated via enc…”
T1195.001 Compromise Software Dependencies and Development Tools
74%
“github actions pipelines an automated campaign, dubbed "hackerbot-claw," systematically scans public github repositories for misconfigured github actions workflows, particularly those utilizing `pull_request_target` with elevated permissions, to gain privileged access. …”
T1588.006 Vulnerabilities
66%
“-exploits.html https://www.cyberkendra.com/2026/03/google-uncovers-coruna-ios-exploit-kit.html https://www.esecurityplanet.com/threats/coruna-ios-exploit-kit-compromises-thousands-of-iphones/ https://www.helpnetsecurity.com …”
T1195.002 Compromise Software Supply Chain
65%
“github actions pipelines an automated campaign, dubbed "hackerbot-claw," systematically scans public github repositories for misconfigured github actions workflows, particularly those utilizing `pull_request_target` with elevated permissions, to gain privileged access. …”
T1566.002 Spearphishing Link
59%
“. severity: critical threat details and iocs mitigation advice - in microsoft defender, run the provided kql query against 'aadsignineventsbeta' logs to hunt for suspicious sign-in attempts that lack device trust information and have a medium or high risk level. - in microso…”
T1564.008 Email Hiding Rules
59%
“. severity: critical threat details and iocs mitigation advice - in microsoft defender, run the provided kql query against 'aadsignineventsbeta' logs to hunt for suspicious sign-in attempts that lack device trust information and have a medium or high risk level. - in microso…”
T1566.002 Spearphishing Link
54%
“##s' policy to detonate and scan all incoming email attachments in a sandbox environment before delivery. - verify that zero-hour auto purge (zap) is enabled in microsoft defender for office 365 to automatically remove phishing emails from user inboxes after delivery if they…”
T1556.006 Multi-Factor Authentication
43%
“##s' policy to detonate and scan all incoming email attachments in a sandbox environment before delivery. - verify that zero-hour auto purge (zap) is enabled in microsoft defender for office 365 to automatically remove phishing emails from user inboxes after delivery if they…”
T1204.002 Malicious File
37%
“web application firewall (waf) in front of critical management interfaces that must remain accessible over the network to provide a virtual patching and defense-in-depth layer against web-based attacks. coruna: the mysterious journey of a powerful ios exploit kit the cor…”
T1556.006 Multi-Factor Authentication
35%
“chains involving legitimate services like azure blob storage and firebase. phishing emails typically contained malicious attachments (pdf, docx, svg, html) or redirect links, often leveraging compromised accounts. captured credentials and session tokens were exfiltrated via enc…”
T1584.001 Domains
32%
“##s) platform, enabling campaigns that generated tens of millions of phishing messages monthly, impacting over 500,000 organizations across various sectors. operated by the threat actor storm-1747, this kit provided adversary-in-the-middle (aitm) capabilities, allowin…”
T1111 Multi-Factor Authentication Interception
32%
“chains involving legitimate services like azure blob storage and firebase. phishing emails typically contained malicious attachments (pdf, docx, svg, html) or redirect links, often leveraging compromised accounts. captured credentials and session tokens were exfiltrated via enc…”
T1556.006 Multi-Factor Authentication
31%
“that enforce the use of 'phishing-resistant' authentication strength for user access to critical business applications and sensitive data. - establish a continuous security awareness training program that includes regular phishing simulations focused on credential harvesting,…”
Summary
These are the top threats you should know about this week.