CISO Daily Briefing – July 17, 2026

CISO Daily Briefing

Cloud Security Alliance Intelligence Report

Report Date
July 17, 2026
Intelligence Window
48 Hours
Topics Identified
5 Priority Items
Papers Published
5 Overnight

Executive Summary

Five priority items surface today. A critical, unauthenticated SharePoint deserialization flaw, CVE-2026-58644, is racing a rare 3-day federal patch deadline after confirmed active exploitation. A newly disclosed academic attack class, Agent Data Injection, bypasses most existing prompt-injection defenses across Claude, GPT, and Gemini-based agents. An active ACR Stealer ClickFix campaign is draining Microsoft 365 session tokens and OneDrive/SharePoint files from compromised endpoints. On governance, a binding EU Digital Markets Act ruling forces Google to open Android’s sensors and controls to rival AI assistants, expanding enterprise mobile attack surface ahead of a 2027 compliance deadline. Separately, a Schneier/Sanders essay reframes AI data center concentration as a board-level systemic risk beyond single-vendor exposure.

Overnight Research Output

1

SharePoint Zero-Day CVE-2026-58644 Joins CISA KEV — 48-Hour Patch Window

CRITICAL URGENCY

Summary: CISA added CVE-2026-58644, a CVSS 9.8 unauthenticated remote-code-execution flaw in on-premises SharePoint Server, to its Known Exploited Vulnerabilities catalog on July 16 after confirming active exploitation within roughly 24 hours of the patch shipping. The flaw meets all four BOD 26-04 criteria — internet exposure, KEV listing, exploit automation, and full technical impact — triggering a rare 3-day federal remediation deadline of July 19. It is the fourth SharePoint CVE under active exploitation this quarter; attackers are chaining it with related bugs to steal IIS machine keys, enabling persistence that survives patching alone.

Key Sources:

Why This Matters: SharePoint Server 2016 and 2019 exited extended support on July 14 — the same day the patch shipped — so any organization still running those versions has no future fix path and should treat migration as urgent, not just this single CVE.

Read Full Research Note

2

Agent Data Injection (ADI) — A New Attack Class That Bypasses Prompt-Injection Defenses

HIGH URGENCY

Summary: Researchers from Seoul National University, UIUC, and Largosoft disclosed Agent Data Injection (ADI), which corrupts data an AI agent already trusts — UI element IDs, comment authorship, tool-call records — rather than embedding instructions, sidestepping defenses built for classic prompt injection. Working exploits were demonstrated against six frontier models and real deployed agents including Claude in Chrome, Antigravity, Nanobrowser, Claude Code, Codex, and Gemini CLI, with attack success rates ranging up to 100% on unstructured web content.

Key Sources:

Why This Matters: Input and output guardrails — the most commonly deployed defense against prompt injection today — showed no measurable improvement against ADI; only strict data-flow tracking fully blocked it, and that came at a steep cost to agent task performance.

Read Full Research Note

3

ACR Stealer’s ClickFix Campaigns Are Draining Microsoft 365 Tokens and Files

HIGH URGENCY

Summary: Microsoft Defender Experts disclosed ACR Stealer campaigns delivered via ClickFix social-engineering lures impersonating Claude and other AI tools, climbing steadily from late April through mid-June. Two intrusion chains — a WebDAV/DLL loader and a fileless steganographic HTA/PowerShell chain — harvest Chrome and Edge session tokens via DPAPI, then exfiltrate OneDrive/SharePoint files and M365 documents. A subset of the infrastructure uses EtherHiding, retrieving C2 addresses from public blockchain smart contracts to evade takedown.

Key Sources:

Why This Matters: Microsoft explicitly warns that password rotation alone is insufficient — a stolen live session token remains usable until it is explicitly revoked, regardless of password changes.

Read Full Research Note

4

EU Forces Google to Open Android’s Sensors and Controls to Rival AI Assistants

HIGH URGENCY

Summary: The European Commission adopted binding Digital Markets Act measures requiring Google to give rival AI assistants the same Android access Gemini holds — microphone, camera, screen, and background app control — across four capability layers, with implementation required by mid-2027. Google objects that this removes OEM-level vetting of sensitive permission requests; the Commission’s certification regime meant to replace that vetting is not yet technically defined.

Key Sources:

Why This Matters: Enterprises managing corporate or BYOD Android fleets will need new governance models for third-party AI assistants holding system-level sensor and cross-app control access, and the compliance clock is already running.

Read Full Research Note

5

When the Concentration of AI Power Becomes the Systemic Risk

MEDIUM URGENCY

Summary: Bruce Schneier and Nathan Sanders argue that the real systemic risk from AI infrastructure buildout is not any single data center’s local impact, but the concentration of political, financial, and infrastructural power in a small number of AI companies — a monoculture-of-influence risk compounding the technical monoculture risks (shared model and cloud dependencies) CSA has already documented.

Key Sources:

Why This Matters: The Bank for International Settlements has formally flagged AI infrastructure financing — including circular vendor financing and undisclosed leverage — as a threat to global financial stability, giving CISOs a board-level framing that goes beyond single-vendor risk.

Read Full Research Note

Notable News & Signals

GoSerpent: New Go-Based RAT Targets Southeast Asian Governments and Diplomats

Kaspersky documented a previously undisclosed Go-based backdoor deploying SOCKS5 proxies and credential dumpers against government and diplomatic targets in Southeast Asia. Set aside this cycle to avoid a second nation-state espionage note in the same week — worth tracking if the campaign broadens.

Topics Already Covered (No New Action Required)

  • SharePoint RCE (CVE-2026-45659): A different SharePoint deserialization CVE, covered in a CSA research note on July 3, 2026.
  • AI security market consolidation: Wiz/Google CNAPP (March 2026) and Cisco/Astrix agent identity (May 2026) already covered; this cycle’s cybersecurity M&A record-pace headline was intentionally passed over to avoid a third consolidation note.
  • Sovereign AI / frontier-model dependency risk: Whitepaper and research note already published July 2, 2026.
  • ShinyHunters OAuth/SaaS abuse: Covered July 16, 2026.
  • SonicWall SMA1000 KEV listing: Covered July 15, 2026.
  • SkillCloak agent-skill evasion: Covered July 6, 2026.

← Back to Research Index