M365 Android apps had a debug flag that handed any app on the phone your account token  ·  Windows Search leaks NTLMv2 hashes unpatched  ·  Burst Statistics WordPress plugin exploited alongside Kirki  ·  CYBERSIP.NET  ·  ISSUE 53
CYBERSIPTM
Daily Cyber Brief  ·  Intelligence Without the Noise
Issue No. 53June 4, 2026cybersip.net
Issue No. 53  ·  June 4, 2026  ·  3 active items  ·  Under 5 min read
Today’s picture
Researchers disclosed on June 3 that several Microsoft 365 Android apps shipped with a development debug flag left enabled in production builds. The flag disabled the check that restricts account token sharing to trusted Microsoft apps, meaning any other app installed on the same phone could silently request and receive a signed-in user’s M365 account token and use it to read email, open files, browse the calendar, and send messages. Microsoft has issued a fix. Huntress disclosed the same day that the Windows Search URI handler leaks NTLMv2 credential hashes to any attacker who can get a user to click a specially crafted link, with no patch yet available from Microsoft. SecurityWeek confirmed the Burst Statistics WordPress plugin is being actively exploited alongside Kirki from Issue 52, with attackers chaining both plugins to take over sites.
Threat snapshot
3 active items · 1 monitoring
1 M365 token exposure / fixed 1 NTLMv2 leak / unpatched 1 WordPress dual-plugin campaign 3 items this issue
June 3M365 AndroidToken Exposure
Microsoft 365 Android apps left a debug flag enabled in production. Any app on the same phone could silently steal a signed-in user’s M365 account token. Fix now available.
The flag disabled the inter-app token sharing restriction that limits credential handoff to trusted Microsoft apps. A malicious or compromised app on the same device could request the token without the user knowing. Microsoft has issued a fix. Update all M365 Android apps immediately and rotate credentials for accounts on affected devices.
June 3Windows SearchNo Patch Yet
Unpatched Windows Search URI handler leaks NTLMv2 hashes. One crafted link click. No other user interaction needed. Huntress confirmed June 3.
The search: URI handler triggers automatic NTLM authentication to an attacker-controlled server when a user clicks a specially crafted link in a browser or email. The resulting NTLMv2 hash can be cracked offline or relayed. Disable NTLM where possible as a compensating control while Microsoft prepares a patch.
June 3WordPressDual-Plugin Campaign
Burst Statistics WordPress plugin now exploited alongside Kirki in active site takeover campaign. Two plugins, one coordinated wave of attacks.
SecurityWeek confirmed attackers are chaining Kirki CVE-2026-8206 and a Burst Statistics vulnerability in the same campaign to elevate privileges and take over WordPress sites. Patch or disable both plugins immediately. This is the fourth WordPress plugin actively exploited this week.
Detailed intelligence
Full analysis
01 M365 Android Token Exposure
Microsoft 365 Android apps shipped with a debug flag that let any app on the device steal account tokens silently. Fix is available. Update immediately.
M365 Android · Debug Flag · June 3
A development flag left switched on in production builds disabled the inter-app trust check that restricts M365 token sharing to other Microsoft apps. Any app on the same Android device could request a signed-in user’s account token and receive it without any visible indication to the user.
Executive Impact
Any Android device with an affected M365 app installed and a malicious or compromised third-party app also present could have had M365 account tokens silently exfiltrated. Update all M365 Android apps today via Google Play. For high-value accounts, rotate credentials and review M365 sign-in logs for unexpected access from mobile clients since the affected version was released.
Don’t Miss
This is the third distinct M365 token exposure mechanism documented in this brief this month, after Kali365 AiTM in Issue 41 and the discussion of DBSC as the architectural response in Issue 48. Kali365 stole tokens via a proxy at the network layer. This debug flag exposed tokens at the OS inter-app layer. DBSC addresses the network replay problem but does not address intra-device app-to-app token theft. The M365 token surface is being attacked from multiple directions simultaneously. The fix here is an app update, but the broader implication is that M365 session token validity should be continuously re-evaluated rather than treated as long-lived trusted credentials.
CyberSip Take
A debug flag shipping in a production build of a widely deployed enterprise app is a basic quality control failure. The fix is an app update. The operational response is immediate: push the M365 Android update through MDM today. The broader response is to evaluate whether your conditional access policies would have caught or limited token reuse from an unexpected source app on the same device. Continuous Access Evaluation is the control that shortens the blast radius of stolen tokens regardless of how they were obtained.
What happened

Researchers disclosed on June 3 that several Microsoft 365 Android applications shipped with a development debug flag enabled in their production builds. The flag in question disabled the Android inter-app token sharing restriction that is intended to limit which apps can receive authentication tokens from other apps on the same device. Under normal operation, this restriction ensures that only other Microsoft apps can request and receive M365 account tokens shared between Microsoft applications on a device.

With the flag enabled, any app installed on the same Android device, including third-party apps with no relationship to Microsoft, could send a standard Android inter-app token request to the affected M365 apps and receive the signed-in user’s account token in response. The token grants full access to the user’s M365 environment including Exchange Online email, SharePoint files, Teams messages, OneDrive documents, and calendar data. The user receives no visible notification that the token has been shared. Microsoft has confirmed the issue and released a fix through updated app versions on Google Play.

The affected applications include multiple apps in the Microsoft 365 suite on Android. The specific app versions and the window during which the flag was present have not been fully detailed in public reporting as of today. Microsoft recommends updating all M365 Android apps to the latest versions available.

Recommended actions
Derived from WIU Cybersecurity Center reporting citing The Hacker News, June 3, 2026.
02 Windows Search Unpatched
Unpatched Windows Search URI handler leaks NTLMv2 hashes. A single crafted link click triggers NTLM authentication to an attacker-controlled server. No patch yet.
Windows Search URI · NTLMv2
Huntress disclosed the vulnerability on June 3. A specially crafted link in a browser, email, or document automatically initiates NTLM authentication and hands the user’s NTLMv2 hash to the attacker without any further steps required.
Executive Impact
NTLMv2 hashes can be cracked offline to recover plaintext passwords, or used directly in relay attacks to authenticate to other systems in the environment as the victim. Restrict outbound NTLM authentication as an interim control, block outbound SMB at the network perimeter, and apply the Microsoft patch when it ships.
Don’t Miss
CVE-2026-33829, which affected the Windows Snipping Tool, used the same mechanism and was patched by Microsoft in April 2026. Today’s disclosure targets a different URI handler using the identical technique. Patching one handler did not prompt a review of the others. The pattern of these vulnerabilities surfacing across separate Windows components in quick succession suggests the underlying issue class is broader than any single fix has addressed. Watch MSRC for further URI handler disclosures in the coming weeks.
CyberSip Take
No patch yet. Block outbound SMB on port 445 at the network perimeter so captured authentication attempts cannot reach an external attacker-controlled server. Where Kerberos is available, consider disabling NTLMv2 entirely. Both controls were worth applying after CVE-2026-33829 in April. If they were not applied then, they cover this flaw and the next one.
What happened

Huntress disclosed on June 3 that the Windows Search URI handler can be exploited to trigger automatic NTLM authentication to an attacker-controlled server when a user clicks a specially crafted link. The Windows Search URI handler processes links that open Windows Search. When such a link embeds a UNC path pointing to an external server, Windows initiates NTLM authentication against that server and the victim’s NTLMv2 credential hash is sent without any warning. The attacker needs no prior access to the environment and the link can arrive in a web page, email, or document.

The underlying mechanism is identical to CVE-2026-33829, a spoofing vulnerability in the Windows Snipping Tool patched by Microsoft in April 2026. That fix addressed one URI handler. The Search handler was not patched at the same time. Microsoft has been notified through responsible disclosure and a patch is expected in an upcoming security update.

No patch has been released by Microsoft for this specific URI handler vulnerability as of today’s reporting. Huntress has reported the vulnerability to Microsoft through responsible disclosure. Given the April precedent with CVE-2026-33829 affecting a similar URI handler mechanism, a patch is anticipated in an upcoming Patch Tuesday or out-of-band release.

Recommended actions
Derived from WIU Cybersecurity Center reporting on Huntress disclosure, June 3, 2026.
03 WordPress Dual-Plugin Campaign
Burst Statistics WordPress plugin exploited alongside Kirki in active site takeover campaign. Four WordPress plugins actively exploited this week alone.
Burst Statistics · Kirki · CVE-2026-8206
SecurityWeek confirmed attackers are exploiting both Kirki and Burst Statistics vulnerabilities in a coordinated campaign to elevate privileges and take over WordPress sites. The campaign extends the WordPress attack wave that began with WP Maps Pro on June 1.
Executive Impact
Any WordPress site running either Burst Statistics or Kirki is actively targeted. Patch or disable both plugins immediately. Run a user account audit for unexpected administrator accounts and check recently installed plugins or theme modifications for backdoors placed by an attacker who gained access before patching.
Don’t Miss
Four distinct WordPress plugin active exploits in four days: WP Maps Pro on June 1, Kirki on June 2, Burst Statistics confirmed today alongside Kirki, and a separate Kirki chaining campaign. The concentration of WordPress plugin exploitation in this window is not coincidence. When one campaign successfully exploits a WordPress plugin category at scale, other actors spin up similar campaigns against adjacent plugins. Organisations running multiple WordPress sites, or agencies managing client sites, should assume active scanning against their entire portfolio today and prioritise plugin patching across all managed sites, not just the ones where they have already seen activity.
CyberSip Take
WP Maps Pro. Kirki. Burst Statistics. Ghost CMS. Drupal. WordPress and adjacent CMS platforms have been under sustained, high-frequency active exploitation throughout May and into June. The action after patching is as important as the patch: audit user tables, check access logs, review recently modified files. A site that was compromised before the patch was applied is not clean because the plugin is now updated.
What happened

SecurityWeek confirmed on June 3 that threat actors are exploiting vulnerable Kirki and Burst Statistics WordPress plugin deployments to elevate privileges and take over websites. Burst Statistics is a popular WordPress analytics plugin used to track visitor traffic and site performance. The specific vulnerability in Burst Statistics being exploited allows privilege escalation on affected sites, consistent with the account takeover capability confirmed in the Kirki campaign.

The campaign targeting both plugins simultaneously suggests a coordinated actor or toolkit that is scanning for both vulnerabilities and exploiting whichever is present on a given target site. WordPress sites that have both plugins installed are being hit by a single attack pass that chains the two vulnerabilities for maximum access. Sites with only one of the two present are being targeted through whichever plugin is available.

The WordPress plugin active exploitation wave this week began with WP Maps Pro from Issue 50 on June 1 and expanded to Kirki in Issue 52 on June 2. The addition of Burst Statistics today represents continued escalation of the campaign rather than a separate unrelated attack. Patch both plugins and follow the post-compromise audit procedure even if patching appears timely.

Recommended actions
Derived from SecurityWeek reporting on Burst Statistics and Kirki exploitation, June 3, 2026.
Still watching
Aging items · days 2–5
Items here remain operationally relevant but have no significant new developments. They drop off after 7 days.
CISA KEV supply chain triple (Issue 46). DAEMON Tools, TanStack, Nx Console. June 10 deadline — 6 days away. Update software, SCA for TanStack transitive dependencies, rotate developer credentials. Day 7
Windows Netlogon CVE-2026-41089 CVSS 9.8 (Issue 51). Active exploitation against domain controllers confirmed. Patch from May 12 Patch Tuesday. Apply immediately if not already done. Day 3
Cross-source standouts
01
M365 tokens are being attacked at every layer simultaneously
Kali365 stole M365 tokens at the network layer via AiTM proxy in Issue 41. DBSC was shipped as an architectural counter in Issue 48. The M365 Android debug flag exposed tokens at the OS inter-app layer today. Three separate attack vectors, one token target. DBSC addresses the network replay vector. The app update addresses the intra-device vector. The underlying principle is that M365 authentication tokens are high-value enough that multiple independent threat actors and researchers are investing in new ways to obtain them. Treating them as long-lived trusted credentials rather than credentials requiring continuous re-validation is the configuration choice that makes each of these attacks consequential.
02
The Windows URI handler vulnerability class is not resolved
CVE-2026-33829 affected the ms-screensketch: URI handler and was patched in April. The Search URI handler disclosed today uses the same NTLM coercion mechanism. Patching one URI handler did not prompt a review of other URI handlers for the same class of vulnerability. This is the software security equivalent of patching a specific SQL injection in one endpoint without reviewing whether the same pattern appears elsewhere in the same codebase. Microsoft will likely patch this specific handler. The question is whether the follow-on review catches the remaining ones before researchers or attackers find them.
Our methodology
  • Federal cybersecurity advisories
  • Law enforcement threat bulletins
  • National vulnerability databases
  • Major vendor security advisories
  • Cross-referenced for relevance and corroboration
About CyberSip
A cyber brief for leaders and practitioners who need signal, not noise. Intelligence without the noise, published on cybersip.net.

CyberSip aggregates cybersecurity information from publicly available sources for informational purposes only. CyberSip does not provide legal, technical, incident response, or compliance advice, and makes no guarantee regarding completeness, accuracy, or timeliness. Organizations should validate all findings within their own environments and consult qualified professionals as appropriate. Original advisories, remediation guidance, and technical details remain with the referenced source organizations. Items remain active for no more than 7 days from publication unless materially updated.