CISO Daily Briefing
Cloud Security Alliance Intelligence Report
Executive Summary
Five priority items surface today. A critical, unauthenticated SharePoint deserialization flaw, CVE-2026-58644, is racing a rare 3-day federal patch deadline after confirmed active exploitation. A newly disclosed academic attack class, Agent Data Injection, bypasses most existing prompt-injection defenses across Claude, GPT, and Gemini-based agents. An active ACR Stealer ClickFix campaign is draining Microsoft 365 session tokens and OneDrive/SharePoint files from compromised endpoints. On governance, a binding EU Digital Markets Act ruling forces Google to open Android’s sensors and controls to rival AI assistants, expanding enterprise mobile attack surface ahead of a 2027 compliance deadline. Separately, a Schneier/Sanders essay reframes AI data center concentration as a board-level systemic risk beyond single-vendor exposure.
Overnight Research Output
SharePoint Zero-Day CVE-2026-58644 Joins CISA KEV — 48-Hour Patch Window
CRITICAL URGENCY
Summary: CISA added CVE-2026-58644, a CVSS 9.8 unauthenticated remote-code-execution flaw in on-premises SharePoint Server, to its Known Exploited Vulnerabilities catalog on July 16 after confirming active exploitation within roughly 24 hours of the patch shipping. The flaw meets all four BOD 26-04 criteria — internet exposure, KEV listing, exploit automation, and full technical impact — triggering a rare 3-day federal remediation deadline of July 19. It is the fourth SharePoint CVE under active exploitation this quarter; attackers are chaining it with related bugs to steal IIS machine keys, enabling persistence that survives patching alone.
Key Sources:
The Hacker News — CISA Adds Exploited SharePoint RCE Zero-Day CVE-2026-58644 to KEV
CISA — CISA Adds Three Known Exploited Vulnerabilities to Catalog
Agent Data Injection (ADI) — A New Attack Class That Bypasses Prompt-Injection Defenses
HIGH URGENCY
Summary: Researchers from Seoul National University, UIUC, and Largosoft disclosed Agent Data Injection (ADI), which corrupts data an AI agent already trusts — UI element IDs, comment authorship, tool-call records — rather than embedding instructions, sidestepping defenses built for classic prompt injection. Working exploits were demonstrated against six frontier models and real deployed agents including Claude in Chrome, Antigravity, Nanobrowser, Claude Code, Codex, and Gemini CLI, with attack success rates ranging up to 100% on unstructured web content.
Key Sources:
ACR Stealer’s ClickFix Campaigns Are Draining Microsoft 365 Tokens and Files
HIGH URGENCY
Summary: Microsoft Defender Experts disclosed ACR Stealer campaigns delivered via ClickFix social-engineering lures impersonating Claude and other AI tools, climbing steadily from late April through mid-June. Two intrusion chains — a WebDAV/DLL loader and a fileless steganographic HTA/PowerShell chain — harvest Chrome and Edge session tokens via DPAPI, then exfiltrate OneDrive/SharePoint files and M365 documents. A subset of the infrastructure uses EtherHiding, retrieving C2 addresses from public blockchain smart contracts to evade takedown.
Key Sources:
The Hacker News — ACR Stealer Uses ClickFix Lures to Steal Browser Tokens and Microsoft 365 Files
Microsoft Security Blog — ACR Stealer: Two Observed Intrusion Chains Amid Increased Threat Activity
EU Forces Google to Open Android’s Sensors and Controls to Rival AI Assistants
HIGH URGENCY
Summary: The European Commission adopted binding Digital Markets Act measures requiring Google to give rival AI assistants the same Android access Gemini holds — microphone, camera, screen, and background app control — across four capability layers, with implementation required by mid-2027. Google objects that this removes OEM-level vetting of sensitive permission requests; the Commission’s certification regime meant to replace that vetting is not yet technically defined.
Key Sources:
When the Concentration of AI Power Becomes the Systemic Risk
MEDIUM URGENCY
Summary: Bruce Schneier and Nathan Sanders argue that the real systemic risk from AI infrastructure buildout is not any single data center’s local impact, but the concentration of political, financial, and infrastructural power in a small number of AI companies — a monoculture-of-influence risk compounding the technical monoculture risks (shared model and cloud dependencies) CSA has already documented.
Key Sources:
Schneier on Security — AI Data Centers and the Concentration of Wealth
Fortune — BIS Flags $1 Trillion AI Investment Boom as Headed for a Reckoning
Notable News & Signals
GoSerpent: New Go-Based RAT Targets Southeast Asian Governments and Diplomats
Kaspersky documented a previously undisclosed Go-based backdoor deploying SOCKS5 proxies and credential dumpers against government and diplomatic targets in Southeast Asia. Set aside this cycle to avoid a second nation-state espionage note in the same week — worth tracking if the campaign broadens.
Topics Already Covered (No New Action Required)
- SharePoint RCE (CVE-2026-45659): A different SharePoint deserialization CVE, covered in a CSA research note on July 3, 2026.
- AI security market consolidation: Wiz/Google CNAPP (March 2026) and Cisco/Astrix agent identity (May 2026) already covered; this cycle’s cybersecurity M&A record-pace headline was intentionally passed over to avoid a third consolidation note.
- Sovereign AI / frontier-model dependency risk: Whitepaper and research note already published July 2, 2026.
- ShinyHunters OAuth/SaaS abuse: Covered July 16, 2026.
- SonicWall SMA1000 KEV listing: Covered July 15, 2026.
- SkillCloak agent-skill evasion: Covered July 6, 2026.