{"id":5247,"date":"2026-05-24T14:09:52","date_gmt":"2026-05-24T19:09:52","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/?p=5247"},"modified":"2026-05-25T17:49:04","modified_gmt":"2026-05-25T22:49:04","slug":"security-operations-brief-may-24-2026","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/?p=5247","title":{"rendered":"Security Operations Brief &mdash; May 24, 2026"},"content":{"rendered":"<style>\n.single .entry-title,\n.single .entry-header .entry-title,\n.single .post-title,\n.single header.entry-header h1,\n.single h1.entry-title,\n.single .page-title,\n.post-template-default h1.entry-title,\n.post-template-default .entry-header,\narticle .entry-header,\narticle .entry-title { display: none !important; }\n.single .entry-header { margin: 0 !important; padding: 0 !important; }\n.single .entry-content { margin-top: 0 !important; padding-top: 0 !important; }\n<\/style>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"background-color:#f4f5f7;\">\n<tr>\n<td align=\"center\" style=\"padding:24px 12px;\">\n<table role=\"presentation\" width=\"680\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"max-width:680px;width:100%;background-color:#ffffff;border-radius:8px;overflow:hidden;box-shadow:0 1px 3px rgba(0,0,0,0.08);\">\n<tr>\n<td style=\"background-color:#0c4a6e;background:linear-gradient(135deg,#0c4a6e 0%,#0891b2 100%);padding:32px 28px 24px;color:#ffffff;\">\n<div style=\"font-size:12px;letter-spacing:2px;text-transform:uppercase;opacity:0.75;margin-bottom:8px;color:#ffffff;\">Security Operations Bulletin &middot; Issue May 24, 2026<\/div>\n<div style=\"margin:0;font-size:28px;line-height:1.2;font-weight:700;color:#ffffff !important;mso-line-height-rule:exactly;\">The SecOps Brief<\/div>\n<p style=\"margin:8px 0 0;font-size:14px;opacity:0.85;color:#ffffff;\">Running a SOC: tooling, automation, detection engineering, analyst 
workflows<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:28px 28px 4px;\">\n<h2 style=\"margin:0 0 12px;font-size:18px;color:#0f172a;border-bottom:2px solid #0891b2;padding-bottom:6px;\">This week at a glance<\/h2>\n<p style=\"margin:0 0 12px;font-size:15px;color:#374151;\">The week split between vendor-told AI-SOC outcomes and the messy operational reality underneath. <strong>Microsoft<\/strong> shipped two customer case studies &mdash; St.&nbsp;Luke&rsquo;s saving 200 analyst hours per month with Security Copilot, ManpowerGroup standing up an &ldquo;AI-ready SOC foundation&rdquo; &mdash; while <strong>Help Net Security<\/strong>&rsquo;s ransomware-confidence piece argued that the moment an incident hits, the gap between dashboard and recovered endpoint becomes painfully visible. Active CVE exploitation drove the operational thread: <strong>Microsoft Defender<\/strong> (CVE-2026-41091, -45498), the on-prem <strong>Exchange OWA<\/strong> CVE-2026-42897 with no patch and Emergency Mitigation as the only door, <strong>NGINX Rift<\/strong> (CVE-2026-42945) plus an 18-year-old NGINX rewrite-module RCE, the <strong>Drupal<\/strong> SQLi update, and Microsoft&rsquo;s <strong>YellowKey<\/strong> BitLocker bypass mitigation &mdash; all alerts your detection team is writing rules for this week. Supply chain kept feeding tickets: the <strong>TeamPCP<\/strong> \/ Nx Console VS Code extension breach landed in two write-ups and remains the cleanest case study of a poisoned IDE plug-in turning into a credential heist. Phishing and identity tightened too &mdash; the new <strong>Kali365<\/strong> PhaaS bypasses MFA by stealing OAuth tokens after the AiTM step, and a sharp piece argued most &ldquo;purple teams&rdquo; are just red and blue sitting closer together without the BAS validation loop that makes purple actually purple. 
Law enforcement booked a win with the <strong>First VPN<\/strong> takedown (<em>Operation Saffron<\/em>, 33 servers, 27 countries, used by 25 ransomware crews). And as a Friday gut-punch: <strong>Aikido Security<\/strong> found deleted Google API keys keep working for up to 23 minutes &mdash; revocation is not eviction, and your IR runbook probably says otherwise. Twenty articles this week.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:18px 28px 4px;\">\n<h2 style=\"margin:0 0 4px;font-size:20px;color:#0f172a;\">Entity graph &mdash; vendors, CVEs, campaigns, and how they cross-correlate<\/h2>\n<div style=\"height:3px;width:48px;background-color:#0891b2;margin-bottom:14px;\"><\/div>\n<p style=\"margin:0 0 8px;font-size:11px;color:#64748b;\">Every named entity extracted from this week&#8217;s 20 articles, with the SOC at the center and edges showing direct relationships.<\/p>\n<div style=\"background-color:#ffffff;border:1px solid #e2e8f0;border-radius:8px;padding:14px;\">\n<img decoding=\"async\" src=\"https:\/\/www.cybersecurityinstitute.com\/blog\/wp-content\/uploads\/2026\/05\/topic-map-secops-2026-05-24-1.png\" alt=\"Topic map for security operations\" style=\"width:100%;max-width:880px;height:auto;display:block;margin:0 auto;\" \/>\n<\/div>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:24px 28px 4px;\">\n<h2 style=\"margin:0 0 4px;font-size:20px;color:#0f172a;\">Article index<\/h2>\n<div style=\"height:3px;width:48px;background-color:#0891b2;margin-bottom:14px;\"><\/div>\n<h3 style=\"margin:14px 0 8px;font-size:15px;color:#0891b2;text-transform:uppercase;letter-spacing:1px;\">AI-SOC adoption and operational reality<\/h3>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:55%;\">Article<\/th>\n<th align=\"left\" 
style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:30%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:15%;\">Published<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/05\/22\/customer-stories-st-lukes-manpowergroup-ai-ready-soc\/\" style=\"color:#1d4ed8;text-decoration:none;\">Microsoft Security Customer Stories: St.&nbsp;Luke&rsquo;s &amp; ManpowerGroup AI-Ready SOC Foundations<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Microsoft Security Blog<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 22, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/18\/ransomware-confidence-endpoint-recovery\/\" style=\"color:#1d4ed8;text-decoration:none;\">When ransomware hits, confidence doesn&rsquo;t restore endpoints<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Help Net Security<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 18, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/20\/verizon-dbir-2026-vulnerability-exploitation\/\" style=\"color:#1d4ed8;text-decoration:none;\">Verizon DBIR 2026: vulnerability exploitation is dominant initial access<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Help Net Security<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 20, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a 
href=\"https:\/\/thehackernews.com\/2026\/05\/your-purple-team-isnt-purple.html\" style=\"color:#1d4ed8;text-decoration:none;\">Your purple team isn&rsquo;t purple &mdash; it&rsquo;s just red and blue in the same room<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 18, 2026<\/td>\n<\/tr>\n<\/table>\n<h3 style=\"margin:22px 0 8px;font-size:15px;color:#9333ea;text-transform:uppercase;letter-spacing:1px;\">Active CVE exploitation flowing into SOC alerts<\/h3>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:55%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:30%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:15%;\">Published<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/21\/microsoft-defender-vulnerabilities-exploited\/\" style=\"color:#1d4ed8;text-decoration:none;\">Microsoft Defender vulnerabilities exploited in the wild (CVE-2026-41091, -45498)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Help Net Security<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 21, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/05\/exchange-server-cve-2026-42897.html\" style=\"color:#1d4ed8;text-decoration:none;\">On-prem Microsoft Exchange Server CVE-2026-42897 exploited via crafted 
email<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 18, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/18\/nginx-rift-cve-2026-42945-exploited\/\" style=\"color:#1d4ed8;text-decoration:none;\">Attackers exploiting critical NGINX vulnerability (CVE-2026-42945 &mdash; &ldquo;NGINX Rift&rdquo;)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Help Net Security<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 18, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/05\/18-year-old-nginx-rewrite-flaw-rce.html\" style=\"color:#1d4ed8;text-decoration:none;\">18-year-old NGINX rewrite module flaw enables unauthenticated RCE<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 18, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/05\/drupal-urgent-core-security-updates.html\" style=\"color:#1d4ed8;text-decoration:none;\">Drupal to release urgent core security updates on May 20<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 20, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/20\/yellowkey-bitlocker-bypass-cve-2026-45585\/\" style=\"color:#1d4ed8;text-decoration:none;\">Microsoft mitigates &ldquo;YellowKey&rdquo; BitLocker 
bypass flaw (CVE-2026-45585)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Help Net Security<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 20, 2026<\/td>\n<\/tr>\n<\/table>\n<h3 style=\"margin:22px 0 8px;font-size:15px;color:#dc2626;text-transform:uppercase;letter-spacing:1px;\">Supply chain &mdash; SOC tickets feeding from upstream compromise<\/h3>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:55%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:30%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:15%;\">Published<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/20\/teampcp-github-internal-codebase-breach-nx-console\/\" style=\"color:#1d4ed8;text-decoration:none;\">TeamPCP breached GitHub&rsquo;s internal codebase via poisoned VS&nbsp;Code extension<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Help Net Security<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 20, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/05\/nx-console-1895-credential-stealer.html\" style=\"color:#1d4ed8;text-decoration:none;\">GitHub internal repositories breached via malicious Nx Console VS&nbsp;Code extension<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 
6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 18, 2026<\/td>\n<\/tr>\n<\/table>\n<h3 style=\"margin:22px 0 8px;font-size:15px;color:#1e3a8a;text-transform:uppercase;letter-spacing:1px;\">Phishing, identity, and IR runbook hygiene<\/h3>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:55%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:30%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:15%;\">Published<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/22\/kali365-phishing-bypasses-mfa-microsoft-365\/\" style=\"color:#1d4ed8;text-decoration:none;\">Microsoft 365 users targeted by new phishing threat that bypasses MFA (Kali365)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Help Net Security<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 22, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/22\/google-api-keys-deletion-23-minutes-aikido\/\" style=\"color:#1d4ed8;text-decoration:none;\">Deleted Google API keys keep working for up to 23 minutes, researchers warn<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Help Net Security<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 22, 2026<\/td>\n<\/tr>\n<\/table>\n<h3 style=\"margin:22px 0 
8px;font-size:15px;color:#16a34a;text-transform:uppercase;letter-spacing:1px;\">Law enforcement, OS, DevOps, and showcase tooling<\/h3>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:55%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:30%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:15%;\">Published<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/21\/first-vpn-dismantled-operation-saffron\/\" style=\"color:#1d4ed8;text-decoration:none;\">Authorities dismantle First VPN, used by ransomware actors (Operation Saffron)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Help Net Security<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 21, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/20\/7-hard-truths-devops-threats-2026\/\" style=\"color:#1d4ed8;text-decoration:none;\">7 Hard Truths from the 2026 DevOps Threats Report<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Help Net Security<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 20, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/19\/canonical-ubuntu-core-26-15-years-security\/\" style=\"color:#1d4ed8;text-decoration:none;\">Canonical ships Ubuntu Core 26 with 15 years of 
security maintenance<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Help Net Security<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 19, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/18\/debian-13-5-point-release\/\" style=\"color:#1d4ed8;text-decoration:none;\">Debian 13.5 point release &mdash; security fixes &amp; bug patches<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Help Net Security<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 18, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/18\/mcafee-chatgpt-integration-showcase\/\" style=\"color:#1d4ed8;text-decoration:none;\">McAfee + ChatGPT integration product showcase<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Help Net Security<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 18, 2026<\/td>\n<\/tr>\n<\/table>\n<h3 style=\"margin:22px 0 8px;font-size:15px;color:#475569;text-transform:uppercase;letter-spacing:1px;\">Handler-authored content &amp; SOC commentary<\/h3>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:55%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:30%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:15%;\">Published<\/th>\n<\/tr>\n<tr>\n<td 
style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/isc.sans.edu\/diary\/32400\" style=\"color:#1d4ed8;text-decoration:none;\">ISC diary 2026-05-23 &mdash; red teaming tools and malware analysis (Xavier Mertens)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">SANS Internet Storm Center<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 23, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/cysecurity.news\/2026\/05\/soc-alert-overload-why-more-analysts-wont-help\/\" style=\"color:#1d4ed8;text-decoration:none;\">SOC alert overload: why more analysts won&rsquo;t help<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">CySecurity News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 2026<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:24px 28px 4px;\">\n<h2 style=\"margin:0 0 4px;font-size:20px;color:#0f172a;\">Detailed write-ups<\/h2>\n<div style=\"height:3px;width:48px;background-color:#0891b2;margin-bottom:14px;\"><\/div>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">Microsoft customer stories: St.&nbsp;Luke&rsquo;s and ManpowerGroup (May 22)<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">Two case studies from the Microsoft Security blog: St.&nbsp;Luke&rsquo;s Health System reports roughly <strong>200 analyst hours saved per month<\/strong> using Security Copilot for triage, summarisation, and KQL drafting; ManpowerGroup describes the underlying &ldquo;AI-ready SOC foundation&rdquo; work &mdash; identity, data lake, and incident-grade documentation &mdash; required before agents become useful. 
Useful as a counterweight to vendor demos: both pieces are explicit that the agentic surface only pays off after the data, identity, and process plumbing are in shape.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/05\/22\/customer-stories-st-lukes-manpowergroup-ai-ready-soc\/\" style=\"color:#1d4ed8;text-decoration:none;\">Microsoft Security Blog<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">Ransomware confidence vs. endpoint recovery (May 18)<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">Help Net summarises survey work showing the gap between perceived readiness and the actual speed and completeness of endpoint restore. Boards see green dashboards; the first night of an incident reveals stale image catalogs, missed identity dependencies, and EDR posture drift on the very machines you need back first. The piece reframes &ldquo;recovery readiness&rdquo; as a SOC operational metric &mdash; pair with a tabletop that ends not at <em>contain<\/em> but at <em>last endpoint restored to last-known-good<\/em>.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/18\/ransomware-confidence-endpoint-recovery\/\" style=\"color:#1d4ed8;text-decoration:none;\">Help Net Security<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">The CVE wave hitting your alerts this week<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">Five separate active-exploitation stories landed during the window and each one will show up in your alert queue with a different shape. <strong>Defender<\/strong> CVE-2026-41091 (link-following LPE to SYSTEM) and CVE-2026-45498 (DoS on Antimalware Platform) are on CISA KEV with a June&nbsp;3 federal deadline &mdash; ironic that the EDR is the persistence surface. 
<strong>Exchange OWA<\/strong> CVE-2026-42897 (CVSS 8.1, crafted-email XSS in OWA browser context) has <em>no patch<\/em>: the Emergency Mitigation Service M2.1.x URL-rewrite rule is the only door. <strong>NGINX Rift<\/strong> (CVE-2026-42945) is under active exploitation, and a separate 18-year-old NGINX rewrite-module flaw enables unauthenticated RCE &mdash; check both your edge and any embedded NGINX in appliances. <strong>Drupal<\/strong> shipped urgent core updates on May&nbsp;20 (the matching SQLi CVE-2026-9082 is on KEV with sub-48-hour exploit-to-patch). <strong>YellowKey<\/strong> (CVE-2026-45585) is the Chaotic Eclipse BitLocker bypass &mdash; Microsoft&rsquo;s mitigation is to remove <code>autofstx.exe<\/code> from WinRE BootExecute; long-term answer is TPM+PIN on Windows&nbsp;11 \/ Server 2022\/2025. Build a single ticket queue tagged by these five CVE IDs and watch hit-rate over the next two weeks.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/21\/microsoft-defender-vulnerabilities-exploited\/\" style=\"color:#1d4ed8;text-decoration:none;\">Help Net Security (Defender CVEs)<\/a> &middot; <a href=\"https:\/\/thehackernews.com\/2026\/05\/exchange-server-cve-2026-42897.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News (Exchange OWA)<\/a> &middot; <a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/18\/nginx-rift-cve-2026-42945-exploited\/\" style=\"color:#1d4ed8;text-decoration:none;\">Help Net Security (NGINX Rift)<\/a> &middot; <a href=\"https:\/\/thehackernews.com\/2026\/05\/18-year-old-nginx-rewrite-flaw-rce.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News (NGINX rewrite)<\/a> &middot; <a href=\"https:\/\/thehackernews.com\/2026\/05\/drupal-urgent-core-security-updates.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News (Drupal)<\/a> &middot; <a 
href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/20\/yellowkey-bitlocker-bypass-cve-2026-45585\/\" style=\"color:#1d4ed8;text-decoration:none;\">Help Net Security (YellowKey)<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">TeamPCP \/ Nx Console: the poisoned IDE that became a credential heist<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">Two complementary write-ups on the same incident: a malicious Nx Console v18.95.0 (VS&nbsp;Code Marketplace, ~2.2M installs) shipped a 498&nbsp;KB obfuscated payload pulled from a dangling orphan commit in <code>nrwl\/nx<\/code>, harvested <strong>1Password vaults, Claude Code configs, npm\/GitHub\/AWS secrets<\/strong> off developer endpoints, and ultimately let TeamPCP into GitHub&rsquo;s own internal codebase. SOC implication: developer endpoints are now a high-value target with a different telemetry surface than corporate laptops &mdash; look for new outbound destinations from VS&nbsp;Code helper processes, sudden reads of secret-manager files, and SSH-agent activity outside dev windows. If you don&rsquo;t collect EDR telemetry from engineering Macs, this incident is the budget justification.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/20\/teampcp-github-internal-codebase-breach-nx-console\/\" style=\"color:#1d4ed8;text-decoration:none;\">Help Net Security<\/a> &middot; <a href=\"https:\/\/thehackernews.com\/2026\/05\/nx-console-1895-credential-stealer.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">Kali365: another MFA-bypass PhaaS to add to the detection set (May 22)<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">Kali365 is the latest adversary-in-the-middle phishing-as-a-service kit aimed at Microsoft&nbsp;365. 
The novelty isn&rsquo;t the AiTM proxy &mdash; it&rsquo;s the post-auth step: the kit captures the <strong>OAuth refresh token<\/strong> after a successful MFA challenge, then registers a long-lived persistence path that survives password reset. Detection signal: anomalous device registration immediately after first sign-in from an unusual IP, plus token-issued events without matching user-agent changes. Entra ID Conditional Access on token-binding helps but only if you&rsquo;ve actually turned it on for the whole tenant, not just the pilot group.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/22\/kali365-phishing-bypasses-mfa-microsoft-365\/\" style=\"color:#1d4ed8;text-decoration:none;\">Help Net Security<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">Your purple team isn&rsquo;t purple (May 18)<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">The Hacker News argues most organisations describe themselves as &ldquo;purple&rdquo; when they simply put red and blue in the same Slack channel and called it integration. The missing ingredient is a <strong>continuous validation loop<\/strong> &mdash; BAS or attack-simulation telemetry feeding back into detection-engineering tickets with measurable rule-coverage outcomes. 
Worth quoting at your next program review when someone asks why &ldquo;we already have purple.&rdquo;<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/thehackernews.com\/2026\/05\/your-purple-team-isnt-purple.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">Operation Saffron: First VPN dismantled (May 21)<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">International takedown coordinated through Europol: 33 bulletproof servers seized across 27 countries, a Ukrainian admin arrested, and the full user database (~5,000 criminal accounts) recovered. <strong>First VPN<\/strong> had been used since 2014 by 25 ransomware groups &mdash; including Avaddon &mdash; for recon, intrusion staging, and C2 obfuscation. For SOC, the seized database is the part that matters: expect threat-intel feeds to ship updated IOCs and historical attribution data over the next two to four weeks &mdash; tee up retro-hunts against your six-month log retention.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/21\/first-vpn-dismantled-operation-saffron\/\" style=\"color:#1d4ed8;text-decoration:none;\">Help Net Security<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">Aikido: deleted Google API keys keep working for up to 23 minutes (May 22)<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">Aikido Security tested revocation lag across GCP and found Google API keys remain valid for <strong>up to 23 minutes<\/strong> (median ~16 min) after deletion &mdash; across Gemini, BigQuery, Maps, and every GCP service that uses the API-key format. By contrast, Service Account keys revoke in roughly five seconds and the newer Gemini-specific key format in about a minute, so faster revocation is technically achievable. 
Google&rsquo;s response: this is a &ldquo;known property&rdquo; rather than a security issue. SOC implication is brutal and concrete: <strong>&ldquo;we revoked the key&rdquo; does not mean &ldquo;the attacker is locked out.&rdquo;<\/strong> Update IR runbooks to treat Google API-key revocation as a 30-minute window during which the SOC must keep watching the GCP &ldquo;Enabled APIs and services&rdquo; audit log, throttle access at the perimeter, rotate downstream service-account credentials, and only declare containment after the lag window closes. Add a runbook step that documents revocation timestamp and verification timestamp as two distinct fields.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/22\/google-api-keys-deletion-23-minutes-aikido\/\" style=\"color:#1d4ed8;text-decoration:none;\">Help Net Security<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">DBIR 2026 in the SOC seat (May 20)<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">Help Net&rsquo;s SOC-flavoured summary of Verizon&rsquo;s DBIR 2026: <strong>vulnerability exploitation overtook credential theft as the leading initial-access vector<\/strong> (31% vs. 13%) for the first time in 19 years, third-party-related breaches are up 60%, ransomware sits at 48%, and AI is now compressing time-to-exploit from months to hours. Critically: organisations patched only <strong>26% of CISA KEV<\/strong> entries this year (down from 38% in 2024). 
Use this to re-prioritise the patch SLA conversation with engineering, and to argue for a dedicated KEV-driven exposure-management workflow that doesn&rsquo;t depend on monthly vuln-management cycles.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/20\/verizon-dbir-2026-vulnerability-exploitation\/\" style=\"color:#1d4ed8;text-decoration:none;\">Help Net Security<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">ISC diary, structural critique, and the long-tail OS reading<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">Xavier Mertens&rsquo;s ISC diary on May&nbsp;23 collects a handler-authored primer on red-teaming tools that frequently surface in malware analysis &mdash; useful for analysts who want to recognise the tooling on the other side of the keyboard. CySecurity News&rsquo;s &ldquo;SOC alert overload&rdquo; piece argues structurally that more analysts won&rsquo;t fix volume problems &mdash; only triage architecture will &mdash; and pairs well with the purple-team and DBIR items above. <strong>Canonical Ubuntu Core 26<\/strong> ships with 15 years of security maintenance (relevant for OT\/edge fleet planners), and <strong>Debian 13.5<\/strong>&rsquo;s point release bundles roughly 100 DSAs &mdash; standard housekeeping but worth flagging to whoever owns your Linux estate. The <strong>2026 DevOps Threats Report<\/strong> walks through AI-integrated DevOps surfaces (prompt injection through pipelines, RCE in agent-driven build systems) &mdash; required reading if your SOC has started taking tickets from engineering platforms. 
Finally, the <strong>McAfee + ChatGPT<\/strong> product showcase is worth a one-paragraph glance: a preview of how vendors will pitch conversational-AI front doors for SOC over the next 12 months.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/isc.sans.edu\/diary\/32400\" style=\"color:#1d4ed8;text-decoration:none;\">SANS ISC (May 23)<\/a> &middot; <a href=\"https:\/\/cysecurity.news\/2026\/05\/soc-alert-overload-why-more-analysts-wont-help\/\" style=\"color:#1d4ed8;text-decoration:none;\">CySecurity News<\/a> &middot; <a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/19\/canonical-ubuntu-core-26-15-years-security\/\" style=\"color:#1d4ed8;text-decoration:none;\">Help Net Security (Ubuntu Core 26)<\/a> &middot; <a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/18\/debian-13-5-point-release\/\" style=\"color:#1d4ed8;text-decoration:none;\">Help Net Security (Debian 13.5)<\/a> &middot; <a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/20\/7-hard-truths-devops-threats-2026\/\" style=\"color:#1d4ed8;text-decoration:none;\">Help Net Security (DevOps Threats)<\/a> &middot; <a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/18\/mcafee-chatgpt-integration-showcase\/\" style=\"color:#1d4ed8;text-decoration:none;\">Help Net Security (McAfee + ChatGPT)<\/a><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:24px 28px 4px;\">\n<h2 style=\"margin:0 0 4px;font-size:20px;color:#0f172a;\">Calls to action for the next 7 days<\/h2>\n<div style=\"height:3px;width:48px;background-color:#0891b2;margin-bottom:14px;\"><\/div>\n<ol style=\"margin:0 0 12px 18px;padding:0;font-size:14px;color:#374151;\">\n<li style=\"margin-bottom:8px;\"><strong>Rewrite your Google Cloud IR revocation step.<\/strong> Treat API-key deletion as a 30-minute operation per the Aikido finding. 
Add two timestamp fields to the runbook (revoked-at, verified-effective-at) and a watch-step on the GCP audit log during the gap.<\/li>\n<li style=\"margin-bottom:8px;\"><strong>Stand up a five-CVE alert queue<\/strong> tagged by CVE-2026-41091, -45498, -42897, -42945, -45585, plus the 18-year-old NGINX rewrite flaw and the Drupal SQLi (CVE-2026-9082). Measure detection hit-rate, time-to-patch, and exception-list growth weekly for the next month.<\/li>\n<li style=\"margin-bottom:8px;\"><strong>Get developer-endpoint EDR telemetry under SOC review<\/strong> using the TeamPCP \/ Nx Console incident as your justification. Specifically look for VS&nbsp;Code helper processes spawning new outbound flows or reading 1Password \/ SSH-agent state outside business hours.<\/li>\n<li style=\"margin-bottom:8px;\"><strong>Update Microsoft 365 detections for Kali365-style AiTM PhaaS<\/strong> &mdash; anomalous device-registration immediately following sign-in, token-issued events without matching UA changes, and Conditional Access on token-binding switched on tenant-wide rather than only the pilot.<\/li>\n<li style=\"margin-bottom:8px;\"><strong>Queue retro-hunts<\/strong> for First-VPN-affiliated IOCs once the post-takedown intelligence feeds publish &mdash; aim to cover your full six-month log-retention window before the data goes cold.<\/li>\n<li style=\"margin-bottom:8px;\"><strong>Add a board-grade slide on patch reality<\/strong>: 26% of CISA KEV patched (DBIR 2026), 48% ransomware share, time-to-exploit collapsing. Pair with the ransomware-confidence piece for an honest readiness conversation.<\/li>\n<\/ol>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:28px 28px 32px;border-top:1px solid #e5e7eb;color:#6b7280;font-size:12px;text-align:center;\">\n<p style=\"margin:0 0 6px;color:#6b7280;\">The SecOps Brief &middot; a Newshunter publication<\/p>\n<p style=\"margin:0 0 6px;color:#6b7280;\">Weekly news items are from the previous seven days. 
Foundational reading is refreshed each week.<\/p>\n<p style=\"margin:14px 0 4px;font-size:11px;color:#9ca3af;\">Newsletter design, layout, and editorial curation &copy; 2026 Security Radar LLC. All rights reserved.<\/p>\n<p style=\"margin:0;font-size:11px;color:#9ca3af;\">Article titles and summaries are excerpted for review and commentary; all linked articles remain the copyright of their respective publishers and authors.<\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Security Operations Bulletin &middot; Issue May 24, 2026 The SecOps Brief Running a SOC: tooling, automation, detection engineering, analyst workflows This week at a glance The week split between vendor-told AI-SOC outcomes and the messy operational reality underneath. 
Microsoft shipped two customer case studies &mdash; St.&nbsp;Luke&rsquo;s saving 200 analyst hours&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[38],"tags":[],"class_list":["post-5247","post","type-post","status-publish","format-standard","hentry","category-security-operations"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5247","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5247"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5247\/revisions"}],"predecessor-version":[{"id":5253,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5247\/revisions\/5253"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5247"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5247"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5247"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}