AKS Backup Flaw, Kali365 MFA Bypass, Claude Plugin & WC Scams

Microsoft patched an AKS Backup privilege-escalation to cluster-admin; Kali365 captures OAuth tokens to bypass Microsoft 365 MFA; Anthropic added a Claude security plugin; World Cup scams rose.

Microsoft fixed a high-severity privilege-escalation vulnerability in Azure Backup for Azure Kubernetes Service (AKS) that could allow accounts holding only the Backup Contributor Azure role to obtain cluster-admin access on AKS clusters. Security researcher Justin O’Leary reported the issue and assigned it a CVSS score of 9.9. Microsoft patched it without a public announcement, adding validation checks that were absent in March 2026. The vulnerability has no public CVE number.

An emerging Phishing-as-a-Service dubbed Kali365 has been marketed on Telegram since April 2026 and is designed to capture OAuth and device-code tokens to gain persistent access to Microsoft 365 accounts without stealing passwords. The FBI issued a warning that Kali365 enables attackers to bypass multi-factor authentication by capturing access and refresh tokens. Subscriptions for the service run from $250 for 30 days to $2,000 for a year. Security vendors detected a sharp rise in device-code phishing activity; one vendor recorded more than 7 million device-code attacks between March and April 2026. Captured tokens have been used to read mailboxes, create inbox rules to suppress alerts, and maintain long-term access.

Anthropic added two security features to its Claude assistant: an automated security-guidance plugin and a self-hosted sandbox for Claude Managed Agents. The plugin scans code Claude produces for common flaws such as injection and unsafe deserialization and can apply fixes during the same session. Anthropic described the feature with the following wording: “The security guidance plugin makes Claude review its own code changes for common vulnerabilities while it works and fixes what it finds in the same session.” The self-hosted sandbox lets organizations run Claude’s execution steps on their own infrastructure while keeping decision-making in the managed service.

Scam and malvertising campaigns tied to the FIFA World Cup 2026 increased on web and social platforms. Security researchers uncovered more than 4,300 fraudulent domains impersonating FIFA sites and identified over 55 football-related malvertising campaigns. A financially motivated operator using a phishing kit launched over 300 domains and built a close replica of the official FIFA site, including a replicated single sign-on flow that harvested credentials and processed fake ticket sales; social ads served as a major traffic source. Host countries and nearby regions reported higher attack volumes in April 2026, with Mexico showing a weekly average of 3,548 cyber attacks per organization.

Security advisories recommend applying the AKS backup validation patch, monitoring and revoking suspicious OAuth tokens, enforcing real-time certificate revocation checks for signed installers, and educating users to ignore unexpected device-code prompts and unsolicited event offers.
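The token-abuse pattern described above, a device-code sign-in followed by an inbox rule that hides alert mail, can be surfaced by correlating two log sources. This is an added example, not code from the article or any vendor; the field names follow the Microsoft Graph sign-in schema (`authenticationProtocol`) and Exchange mailbox audit operations (`New-InboxRule`, `Set-InboxRule`), the records are constructed, and the schema mapping is an assumption to check against your own export format.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from any real tenant). Sign-in fields mirror
# the Microsoft Graph signIn resource; audit fields mirror Exchange mailbox
# audit records. Treat the mapping as an assumption for your own exports.
SIGN_INS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-04-10T09:02:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.5"},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-04-10T10:00:00Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2026-04-10T11:00:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.9"},
]
MAILBOX_AUDIT = [
    {"UserId": "alice@example.com", "CreationTime": "2026-04-10T09:40:00Z",
     "Operation": "New-InboxRule",
     "Parameters": {"DeleteMessage": "True", "SubjectContainsWords": "security alert"}},
    {"UserId": "bob@example.com", "CreationTime": "2026-04-10T10:05:00Z",
     "Operation": "New-InboxRule", "Parameters": {"MoveToFolder": "Invoices"}},
]

# Rule parameters that remove mail from the user's view; these are the ones
# used to suppress security notifications after a mailbox takeover.
HIDING_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder", "MoveToDeletedItems"}

def _ts(s: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in both log sources."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def correlate(sign_ins, audit_events, window_hours=24):
    """Return one finding per inbox rule created within window_hours after a
    device-code sign-in by the same user. Ordinary OAuth sign-ins are ignored."""
    window = timedelta(hours=window_hours)
    device_code = [e for e in sign_ins if e["authenticationProtocol"] == "deviceCode"]
    findings = []
    for rule in audit_events:
        if rule["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        for s in device_code:
            if s["userPrincipalName"].lower() != rule["UserId"].lower():
                continue
            delta = _ts(rule["CreationTime"]) - _ts(s["createdDateTime"])
            if timedelta(0) <= delta <= window:
                hiding = sorted(HIDING_PARAMS & set(rule["Parameters"]))
                findings.append({"user": rule["UserId"], "device_code_ip": s["ipAddress"],
                                 "minutes_to_rule": int(delta.total_seconds() // 60),
                                 "hides_mail": bool(hiding), "hiding_params": hiding})
    return findings

if __name__ == "__main__":
    for f in correlate(SIGN_INS, MAILBOX_AUDIT):
        print(f)
```

Findings with `hides_mail` set are the ones worth prioritising for token revocation and rule review; a device-code sign-in alone is legitimate for some devices, so the correlation, not the protocol, is the signal.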
