Cyber Threat Brief — April 28 2026
⚠️ This report is AI-generated. Always validate findings.
1. APT28 Zero-Click NTLM Coercion via Windows Shell — CVE-2026-32202
TL;DR: Microsoft confirmed active exploitation of CVE-2026-32202 (CVSS 4.3), an incomplete patch for CVE-2026-21510 that lets APT28 steal Net-NTLMv2 hashes zero-click via malicious LNK files embedding UNC paths to attacker-controlled SMB servers. Patched in April 2026 Patch Tuesday.
What’s New:
- Akamai researcher Maor Dahan disclosed the incomplete patch: original RCE (CVE-2026-21510) was fixed, but Shell namespace parsing still auto-resolves UNC paths in LNK IDList data without network zone validation
- APT28 (Fancy Bear) campaign targeting Ukraine and EU since Dec 2025 uses weaponized LNK files with embedded Control Panel CLSID + UNC path to attacker CPL payload
- Zero-click trigger: opening a folder containing the LNK causes explorer.exe to initiate outbound SMB, leaking the Net-NTLMv2 hash for relay/cracking — no user click required
- Microsoft revised the advisory April 28 to acknowledge active ITW exploitation; patch available since April Patch Tuesday
- CERT-UA attributed campaign to APT28; credential theft enables lateral movement and NTLM relay attacks
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Malicious .lnk files with UNC paths in IDList | Initial access vector | T1566.001 | Email gateway / endpoint | Block inbound LNK files with embedded UNC paths |
| Outbound SMB (445/tcp) from explorer.exe to external IPs | NTLM coercion indicator | T1187 | Network firewall / NDR | Alert on explorer.exe → external 445/tcp |
| Net-NTLMv2 hash exfiltration via SMB auth | Credential theft | T1003 | Windows Security Event 4648 | Hunt for anomalous outbound NTLM auth events |
| Control Panel .cpl files loaded from UNC paths | Payload delivery | T1218.002 | Sysmon Event 7 (ImageLoad) | Block CPL loads from non-local paths |
| \\<external_ip>\share\*.cpl UNC references in LNK metadata | IOC pattern | T1027 | Endpoint forensics | Scan LNK files on network shares for UNC references |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Windows Possible Credential Dumping (partial — covers post-relay) | No rule for explorer.exe outbound SMB to external IPs or LNK-triggered NTLM coercion |
| Elastic | NTLM Relay Attack Detected (partial) | No rule for Shell namespace UNC auto-resolution or CPL load from remote path |
| Sigma | Outgoing Logon with New Credentials (Event 4648) (partial) | No rule specific to explorer.exe → external SMB triggered by LNK parsing |
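The "scan LNK files on network shares for UNC references" action above needs a parser that reads the LinkTargetIDList rather than grepping the whole file. The script below is an added example written for this brief, not Akamai's or Microsoft's code: it walks the public MS-SHLLINK layout (76-byte header, LinkFlags at 0x14, 2-byte IDListSize, ItemIDs prefixed by their own size, 2-byte TerminalID), pulls UNC paths stored as ANSI or UTF-16LE from each ItemID and from the trailing LinkInfo/StringData bytes, and escalates when the host is outside the internal ranges or the target is a .cpl. The internal range list, the sample LNK builder and the address 203.0.113.7 are constructed for the example.

```python
"""Triage a Windows .lnk (Shell Link) file for UNC references in its
LinkTargetIDList, the structure the brief says explorer.exe auto-resolves.

Added example for this brief, not Akamai's or Microsoft's code. Layout per
the public MS-SHLLINK format; INTERNAL_RANGES and the sample built by
build_sample_lnk() are constructed, and 203.0.113.7 is a documentation
address, not an indicator from the report.
"""
import ipaddress
import re
import struct

HEADER_SIZE = 0x4C
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
LINK_FLAGS_OFFSET = 0x14
HAS_LINK_TARGET_IDLIST = 0x00000001   # LinkFlags bit A

# Constructed list of what this tenant treats as internal; edit to taste.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# \\host\share[\rest]; the host class excludes NUL so the interleaved NULs of a
# UTF-16 string never match when the same bytes are decoded as single-byte text.
UNC_RE = re.compile(r"\\\\[A-Za-z0-9._-]+\\[^\x00\\]+(?:\\[^\x00]*)?")


def parse_idlist(data: bytes) -> tuple[list[bytes], int]:
    """Return the ItemID payloads and the offset of the first byte after the IDList."""
    if len(data) < HEADER_SIZE + 2 or data[4:20] != SHELL_LINK_CLSID:
        raise ValueError("not a Shell Link file")
    if struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("unexpected HeaderSize")
    flags = struct.unpack_from("<I", data, LINK_FLAGS_OFFSET)[0]
    if not flags & HAS_LINK_TARGET_IDLIST:
        return [], HEADER_SIZE
    idlist_size = struct.unpack_from("<H", data, HEADER_SIZE)[0]
    start = HEADER_SIZE + 2
    idlist = data[start:start + idlist_size]
    items, pos = [], 0
    while pos + 2 <= len(idlist):
        size = struct.unpack_from("<H", idlist, pos)[0]
        if size == 0:                      # TerminalID ends the list
            break
        if size < 2 or pos + size > len(idlist):
            raise ValueError("malformed ItemID size")
        items.append(idlist[pos + 2:pos + size])   # ItemIDSize counts itself
        pos += size
    return items, start + idlist_size


def find_unc_paths(blob: bytes) -> list[str]:
    """Scan a byte blob for UNC paths stored as either ANSI or UTF-16LE text."""
    candidates = (blob.decode("latin-1"), blob.decode("utf-16le", errors="ignore"))
    return [m.group(0) for text in candidates for m in UNC_RE.finditer(text)]


def assess_lnk(data: bytes) -> dict:
    """Return every UNC reference plus the reasons that raise its severity."""
    items, tail_offset = parse_idlist(data)
    unc_paths = []
    for item in items:
        unc_paths.extend(find_unc_paths(item))
    unc_paths.extend(find_unc_paths(data[tail_offset:]))   # LinkInfo / StringData
    reasons = []
    for path in unc_paths:
        host = path[2:].split("\\", 1)[0]
        try:
            ip = ipaddress.ip_address(host)
            if not any(ip in net for net in INTERNAL_RANGES):
                reasons.append(f"UNC host {host} is outside the internal address ranges")
        except ValueError:
            pass   # hostname: needs DNS to classify, leave for the analyst
        if path.lower().endswith(".cpl"):
            reasons.append(f"Control Panel item (.cpl) referenced from UNC path {path}")
    # Policy from the brief: any embedded UNC path in an inbound LNK is blocked.
    verdict = "block" if unc_paths else "allow"
    return {"unc_paths": unc_paths, "reasons": reasons, "verdict": verdict}


def build_sample_lnk(target: str) -> bytes:
    """Construct a minimal LNK whose IDList carries `target` as a UTF-16LE item."""
    header = struct.pack("<I", HEADER_SIZE) + SHELL_LINK_CLSID
    header += struct.pack("<I", HAS_LINK_TARGET_IDLIST)
    header += bytes(HEADER_SIZE - len(header))        # remaining header fields zeroed
    first_item = b"\x1f\x50" + bytes(14)               # placeholder root ItemID
    path_item = target.encode("utf-16le") + b"\x00\x00"
    body = b"".join(struct.pack("<H", len(d) + 2) + d for d in (first_item, path_item))
    body += b"\x00\x00"                                # TerminalID
    return header + struct.pack("<H", len(body)) + body


if __name__ == "__main__":
    sample = build_sample_lnk(r"\\203.0.113.7\updates\settings.cpl")
    print(assess_lnk(sample))
```

Run it over a directory of .lnk files pulled from a share and feed the verdicts to the email gateway blocklist or an EDR hunt; the reasons list is what an analyst reads first, since a UNC to an internal file server is routine while a .cpl on a non-internal host matches the campaign pattern in the table.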
Sources: Akamai Research · THN · SecurityWeek · NVD
2. Entra ID Agent Administrator Role — Service Principal Takeover
TL;DR: Silverfort disclosed that the Entra ID “Agent ID Administrator” built-in role allowed takeover of arbitrary service principals (not just agent identities) by adding ownership + credentials, enabling tenant-wide privilege escalation. Microsoft patched April 9; retroactive audit of Feb–Apr activity required.
What’s New:
- Agent ID Administrator role (introduced for AI agent lifecycle management) had overly broad scope — could assign ownership over any service principal, not just agent-related ones
- Attack path: assign self as owner → add new client secret/certificate → authenticate as that principal → inherit all its permissions (potentially Global Admin equivalent)
- ~99% of tenants have at least one high-privileged service principal exploitable via this path
- Silverfort disclosed Feb 24, Microsoft confirmed Mar 26, fix deployed Apr 9 to all cloud environments
- Post-fix, ownership assignment to non-agent service principals returns “Forbidden” error
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Add owner to service principal audit events by Agent ID Administrator role | Priv esc indicator | T1098.001 | Entra ID Audit Logs | Query AuditLogs \| where ActivityDisplayName == "Add owner to service principal" for Feb–Apr 2026 window |
| Add service principal credentials events following ownership change | Persistence | T1098.001 | Entra ID Audit Logs | Correlate credential additions within minutes of ownership changes |
| Agent ID Administrator role assignments | Recon indicator | T1087.004 | Entra ID Directory Roles | Audit who holds this role; remove unnecessary assignments |
| New client secrets/certificates on high-privilege service principals | Credential abuse | T1552.004 | Entra ID Audit Logs | Alert on credential creation for service principals with Directory.ReadWrite.All, Application.ReadWrite.All, or RoleManagement scopes |
| Authentication events using newly added credentials | Lateral movement | T1078.004 | Entra ID Sign-in Logs | Hunt for sign-ins from service principals with credentials created Feb–Apr 2026 |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No coverage for Entra ID service principal ownership changes or Agent ID Administrator abuse |
| Elastic | Azure AD Service Principal Credential Addition (partial) | Does not correlate with prior ownership change or role context |
| Sigma | Azure Service Principal Credential Modification (partial) | No rule linking Agent ID Administrator role to ownership → credential chain |
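None of the three rule sets above correlates the ownership change with the credential addition that follows it, which is the chain the retroactive Feb–Apr audit has to find. The script below is an added example for this brief, not Silverfort's or Microsoft's tooling: it takes exported directory audit records, keeps "Add owner to service principal" events initiated by a holder of the Agent ID Administrator role, and reports any "Add service principal credentials" event by the same actor on the same service principal inside a window. The records use a subset of the Microsoft Graph directoryAudit field names (activityDisplayName, activityDateTime, initiatedBy.user.userPrincipalName, targetResources); check the shape against your own export. The role-holder set, the 30-minute window and every record in SAMPLE_AUDIT are constructed.

```python
"""Correlate Entra ID audit events for the ownership -> credential chain the
brief describes. Added example for this brief, not Silverfort's or
Microsoft's code. Field names follow a subset of the Graph directoryAudit
schema; AGENT_ID_ADMINS, WINDOW and SAMPLE_AUDIT are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

AGENT_ID_ADMINS = {"agent-ops@contoso.example"}           # constructed role holders
WINDOW = timedelta(minutes=30)                             # assumed correlation window
REVIEW_START = datetime(2026, 2, 1, tzinfo=timezone.utc)   # Feb-Apr retroactive audit
REVIEW_END = datetime(2026, 5, 1, tzinfo=timezone.utc)

OWNER_ADDED = "Add owner to service principal"
CREDENTIAL_ADDED = "Add service principal credentials"


def _when(record):
    return datetime.fromisoformat(record["activityDateTime"].replace("Z", "+00:00"))


def _actor(record):
    return record["initiatedBy"]["user"]["userPrincipalName"]


def _target_sp(record):
    # The ServicePrincipal entry in targetResources is the principal acted upon.
    for res in record["targetResources"]:
        if res["type"] == "ServicePrincipal":
            return res["id"]
    return None


def find_owner_credential_chains(records, role_holders=AGENT_ID_ADMINS, window=WINDOW):
    """Return (actor, service principal, ownership time, credential time) tuples for
    every credential addition that follows an ownership change by the same
    Agent ID Administrator on the same service principal within `window`."""
    in_scope = [r for r in records if REVIEW_START <= _when(r) < REVIEW_END]
    ownerships = defaultdict(list)      # (actor, service principal) -> [times]
    for r in in_scope:
        if r["activityDisplayName"] == OWNER_ADDED and _actor(r) in role_holders:
            ownerships[(_actor(r), _target_sp(r))].append(_when(r))
    hits = []
    for r in in_scope:
        if r["activityDisplayName"] != CREDENTIAL_ADDED:
            continue
        key = (_actor(r), _target_sp(r))
        for t_owner in ownerships.get(key, []):
            delta = (_when(r) - t_owner).total_seconds()
            if 0 <= delta <= window.total_seconds():
                hits.append((key[0], key[1], t_owner, _when(r)))
    return sorted(hits, key=lambda h: h[3])


def _event(name, when, actor, sp):
    return {"activityDisplayName": name, "activityDateTime": when,
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"id": sp, "type": "ServicePrincipal"}]}


SAMPLE_AUDIT = [   # constructed records, not from any real tenant
    # Chain from the brief: owner added, secret added seven minutes later.
    _event(OWNER_ADDED, "2026-03-02T09:14:05Z", "agent-ops@contoso.example", "sp-graph-sync-0001"),
    _event(CREDENTIAL_ADDED, "2026-03-02T09:21:40Z", "agent-ops@contoso.example", "sp-graph-sync-0001"),
    # Routine rotation by an app owner with no preceding ownership change.
    _event(CREDENTIAL_ADDED, "2026-03-03T11:00:00Z", "dev-lead@contoso.example", "sp-ci-runner-0002"),
    # Ownership change by the role holder, credential two days later: outside the window.
    _event(OWNER_ADDED, "2026-03-10T08:00:00Z", "agent-ops@contoso.example", "sp-agent-helper-0003"),
    _event(CREDENTIAL_ADDED, "2026-03-12T08:00:00Z", "agent-ops@contoso.example", "sp-agent-helper-0003"),
]

if __name__ == "__main__":
    for actor, sp, t_owner, t_cred in find_owner_credential_chains(SAMPLE_AUDIT):
        print(f"{actor} took ownership of {sp} at {t_owner} and added credentials at {t_cred}")
```

Each hit is a service principal whose new credential should be revoked and whose sign-in log should be checked for use of that credential, which is the hunt the last row of the Actionable Intel table calls for; widen the window if the tenant's audit export is coarse.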
Sources: Silverfort Research · THN · CSO Online
Status Updates
- CVE-2026-40372 (ASP.NET Core DataProtection): Patch 10.0.7 available since April 22. Rotate key rings if endpoints were exposed April 14–22. No new artifacts. Original brief.
- CVE-2026-34621 (Adobe Acrobat Reader): FCEB deadline passed April 27. Prototype pollution RCE via malicious PDF remains actively exploited. Patch to DC 26.001.21411. Original brief.
- RedSun/UnDefend (Windows Defender — CVE-2026-33825): Still unpatched in the wild. CISA KEV deadline May 7. Continue hunting for TieringEngineService.exe replacement. Original brief.
- CVE-2024-57726/57728 + CVE-2024-7399 (SimpleHelp/Samsung KEVs): Federal deadline May 15. DragonForce ransomware and Mirai tuxnokill chains remain active. Original brief.