CISO Daily Briefing
ALT CISO BRIEFING
Cloud Security Alliance Intelligence Report — Decision-Support Edition
Driven by a critical, actively exploited SharePoint zero-day under a 3-day federal remediation deadline and an active credential/session-token theft campaign against Microsoft 365. No single item today rises to enterprise-crisis level on its own, but the combination of a hard compliance deadline, live exploitation, and a live token-theft campaign warrants same-week executive attention rather than routine patch-cycle handling.
1Executive Summary
Five priority items surface today. A critical, unauthenticated SharePoint deserialization flaw, CVE-2026-58644, is racing a rare 3-day federal patch deadline after confirmed active exploitation. A newly disclosed academic attack class, Agent Data Injection, bypasses most existing prompt-injection defenses across Claude, GPT, and Gemini-based agents. An active ACR Stealer ClickFix campaign is draining Microsoft 365 session tokens and OneDrive/SharePoint files from compromised endpoints — password resets alone do not remediate it. On governance, a binding EU Digital Markets Act ruling forces Google to open Android’s sensors and controls to rival AI assistants, expanding enterprise mobile attack surface ahead of a 2027 compliance deadline. Separately, a Schneier/Sanders essay reframes AI data center concentration as a board-level systemic risk beyond single-vendor exposure.
2Overall Risk Posture
Posture: Elevated. Three of five items today involve either active exploitation or active adversary campaigns rather than theoretical risk — the SharePoint KEV entry, the ACR Stealer token-theft campaign, and (to a lesser degree) the proof-of-concept exploitation demonstrated for Agent Data Injection against production agent tooling. The compliance clock on the SharePoint patch (July 19 FCEB deadline) is the single fastest-moving element and should anchor this week’s operational priorities. Governance and strategic-risk items (EU DMA, AI power concentration) are important for planning and board conversations but do not require this-week operational response.
3Top Priority Items
SharePoint Zero-Day CVE-2026-58644 Joins CISA KEV — 3-Day Patch Window
CONFIDENCE: HIGH
What happened: CISA added CVE-2026-58644, a CVSS 9.8 unauthenticated remote-code-execution deserialization flaw in on-premises SharePoint Server, to its Known Exploited Vulnerabilities catalog on July 16 after confirming active exploitation within roughly 24 hours of the patch shipping.
Why it matters: The flaw meets all four BOD 26-04 criteria — internet exposure, KEV listing, exploit automation, and full technical impact — triggering a rare 3-day federal remediation deadline of July 19. It is the fourth SharePoint CVE under active exploitation this quarter, and attackers are chaining it with related bugs to steal IIS machine keys, enabling persistence that survives patching alone.
Agent Data Injection Bypasses Prompt-Injection Defenses
What happened: Researchers from Seoul National University, UIUC, and Largosoft disclosed “Agent Data Injection” (ADI), which corrupts data an AI agent already trusts — UI element IDs, comment authorship, tool-call records — rather than embedding instructions, sidestepping defenses built for classic prompt injection.
Why it matters: Working exploits were demonstrated against six frontier models and real deployed agents, including Claude in Chrome, Antigravity, Nanobrowser, Claude Code, Codex, and Gemini CLI, with attack success rates up to 100% on unstructured web content. Input/output guardrails — the most common defense deployed today — showed no measurable improvement against it.
ACR Stealer’s ClickFix Campaigns Drain M365 Tokens and Files
What happened: Microsoft Defender Experts disclosed ACR Stealer campaigns delivered via ClickFix social-engineering lures (some impersonating AI tools), climbing steadily from late April through mid-June. Two intrusion chains — a WebDAV/DLL loader and a fileless steganographic HTA/PowerShell chain — harvest Chrome/Edge session tokens and exfiltrate OneDrive/SharePoint files and M365 documents.
Why it matters: Microsoft explicitly warns that password rotation alone is insufficient: a stolen live session token remains usable until explicitly revoked, regardless of password changes. A subset of the infrastructure uses EtherHiding — retrieving C2 addresses from public blockchain smart contracts — to evade takedown.
EU Forces Google to Open Android’s Sensors to Rival AI Assistants
What happened: The European Commission adopted binding Digital Markets Act measures on July 16 requiring Google to give rival AI assistants the same Android access Gemini holds — microphone, camera, screen, and background app control — with implementation required by mid-2027.
Why it matters: Google objects that this removes OEM-level vetting of sensitive permission requests, and the Commission’s certification regime meant to replace that vetting is not yet technically defined, leaving a governance gap enterprises will need to fill themselves in the interim.
4Vulnerability and Exposure Intelligence
CVE-2026-58644 (CVSS 9.8, SharePoint Server, on-premises) is the sole new KEV-listed vulnerability this cycle, but it continues a pattern: this is the fourth SharePoint CVE under active exploitation this quarter, following a distinct deserialization flaw (CVE-2026-45659) that CSA covered on July 3. Enterprises should treat recurring SharePoint deserialization bugs as a pattern requiring architectural review — WAF rules and network segmentation for on-prem SharePoint, not just patch-and-forget — rather than a series of isolated one-off CVEs. See the Top Priority Items entry above for remediation detail and deadline.
5Threat Landscape Changes
Agent Data Injection (see Top Priority Items and the AI/Agentic Risk section below) represents a genuine shift in attacker technique against agentic AI tooling, moving from the instruction channel to the data/context channel. Separately, Kaspersky documented GoSerpent, a previously undisclosed Go-based backdoor deploying SOCKS5 proxies and credential dumpers against government and diplomatic targets in Southeast Asia. This was set aside from full-paper coverage this cycle to avoid a second nation-state espionage note in the same week, but it is worth tracking if the campaign broadens beyond its current regional and sectoral focus.
6Cloud, SaaS, Identity, and NHI Risk
The ACR Stealer ClickFix campaign (see Top Priority Items) is fundamentally an identity and session-token risk: it targets Microsoft 365 session tokens and synced OneDrive/SharePoint content rather than credentials alone, and Microsoft’s guidance that password rotation is insufficient underscores a broader gap in how many organizations’ incident-response playbooks handle stolen-token scenarios versus stolen-password scenarios. No new non-human-identity (NHI) or service-account-specific findings surfaced this cycle beyond this token-theft pattern.
7AI, Automation, and Agentic Risk
Agent Data Injection (see Top Priority Items) is the defining agentic-AI risk item this cycle: a new attack class exploiting the data/context channel that agents already trust, confirmed working against widely deployed coding and browser agents including Claude Code, Codex, and Gemini CLI. This is distinct from — and currently uncovered relative to — CSA’s existing instruction-channel prompt-injection guidance, and organizations running agentic coding or browser-automation tools should treat it as a new category in their agentic AI threat model rather than an extension of known prompt-injection risk.
8Third-Party, Supplier, and Ecosystem Risk
No material update today.
9Regulatory, Legal, and Policy Developments
The EU’s binding Digital Markets Act decision on Android AI interoperability (see Top Priority Items) is this cycle’s clearest regulatory development — the first DMA-driven mobile-AI-interoperability mandate with direct device-security implications, distinct from CSA’s existing EU AI Act and US executive-order coverage. The certification regime intended to govern which third-party AI assistants receive sensitive Android permissions has not yet been technically defined by the Commission, which is itself a governance gap worth flagging to legal and mobility teams now.
10Sector and Peer Intelligence
No material update today.
11Geopolitical and Macroeconomic Cyber Risk
Bruce Schneier and Nathan Sanders argue in a July 14 essay that the real systemic risk from the AI data center buildout is not any single facility’s local impact, but the concentration of political, financial, and infrastructural power in a small number of AI companies — a monoculture-of-influence risk that compounds the technical monoculture risk (shared model and cloud dependencies) CSA has already documented. The Bank for International Settlements has separately flagged AI infrastructure financing — including circular vendor financing and undisclosed leverage — as a threat to global financial stability, and data center insurance premiums are projected to more than double by 2030. AI firms have also spent over $50 million shaping 2026 U.S. election races, adding a political-influence dimension to the concentration thesis. Separately, the GoSerpent campaign noted above (see Threat Landscape Changes) targeting Southeast Asian governments and diplomats is a reminder that nation-state espionage activity continues alongside these systemic/economic risk trends.
12Incident and Crisis Watch
Two items carry active, in-progress adversary activity rather than static risk: the SharePoint CVE-2026-58644 exploitation (confirmed active, 3-day federal deadline) and the ACR Stealer ClickFix campaign (confirmed active since late April, still climbing as of mid-June per Microsoft). Neither has been declared an enterprise-wide crisis by CSA’s sources as of this report, but both warrant elevated monitoring through the coming week given live exploitation.
13Recommended Actions
- Immediate (this week): Patch SharePoint CVE-2026-58644 by July 19 and rotate IIS machine keys on affected servers; confirm SOC playbooks support session-token revocation (not just password reset) for suspected ACR Stealer compromise.
- Short-term (this month): Refresh phishing/ClickFix awareness training; inventory agentic AI tools (coding agents, browser agents) that process untrusted content and assess Agent Data Injection exposure.
- Planning horizon (this quarter/year): Draft a governance model for third-party AI assistant permissions on managed Android devices ahead of the 2027 EU DMA compliance deadline; begin migration planning for any SharePoint 2016/2019 instances (extended support ended July 14).
- Board-level: Use the AI-industry power-concentration thesis as a lens for vendor and industry concentration conversations that go beyond single-CSP risk framing.
14CISO Talking Points
“We have a critical, actively exploited SharePoint vulnerability with a federal 3-day patch deadline — patching is underway, and we are also rotating credentials because patching alone does not remove attacker persistence.”
“A new research disclosure shows AI coding and browser agents can be manipulated through data they already trust, bypassing typical safeguards — we are assessing our own agentic AI tooling against this before treating it as a live incident.”
“An active credential-theft campaign is targeting Microsoft 365 session tokens industry-wide; our response plan already accounts for token revocation, not just password resets.”
“A new EU ruling will require Android to open device sensors to more AI assistant vendors by 2027 — we are getting ahead of the governance question for our managed device fleet now.”
15Metrics and Risk Indicators
| Indicator | Value | Trend |
|---|---|---|
| New KEV-listed CVEs this cycle | 1 (CVE-2026-58644) | Recurring pattern — 4th SharePoint CVE exploited this quarter |
| Federal remediation deadline | July 19, 2026 (3 days) | Rare short-tier BOD 26-04 deadline |
| Active credential/token-theft campaigns tracked | 1 (ACR Stealer) | Climbing since late April; still active as of mid-June |
| New agentic-AI attack classes disclosed | 1 (Agent Data Injection) | New — first cycle of coverage |
| New binding regulatory actions | 1 (EU DMA — Android AI access) | New — compliance clock started July 16 |
16Rolling Watchlist
- GoSerpent Go-based RAT: Currently regional (Southeast Asia, government/diplomatic targets); watch for broader targeting or sector expansion.
- EU DMA certification regime: The Commission has not yet published technical certification criteria for which AI assistants qualify for sensitive Android permissions; watch for publication ahead of the Android 18 rollout (August 2027).
- Agent Data Injection defenses: Only strict data-flow tracking fully blocked ADI in testing, at a real cost to agent utility; watch for vendor-published mitigations from Anthropic, OpenAI, and Google that don’t require this trade-off.
- SharePoint deserialization pattern: Fourth exploited CVE this quarter; watch for whether Microsoft addresses the underlying deserialization architecture rather than issuing further point patches.
17Sources, Confidence, and Unknowns
Confidence basis: High confidence on the SharePoint KEV entry, ACR Stealer campaign, and EU DMA ruling — all three are grounded in official advisories (CISA, Microsoft Security Blog, European Commission) or named-source reporting (Bloomberg). Medium confidence on Agent Data Injection — sourced to a single arXiv preprint (not yet peer-reviewed) plus one news write-up; exploit demonstrations are described as researcher-conducted, not observed in the wild. Medium confidence on the AI-power-concentration framing — this is an opinion/analysis essay, not an incident report, though it cites BIS and financial-market data points.
Known unknowns: The EU Commission’s technical certification criteria for third-party Android AI assistants are not yet published. The full scope of ACR Stealer’s victim base and total token/data exfiltration volume has not been disclosed by Microsoft. Whether Agent Data Injection has been exploited outside of the researchers’ own demonstrations is unknown as of this report.