Welcome to this week’s edition of the Threat Source newsletter.  

“I do not know everything; still many things I understand.”
― Madeleine L'Engle, A Wrinkle in Time 
“Don't try to comprehend with your mind. Your minds are very limited. Use your intuition.”
― Madeleine L'Engle, A Wind in the Door 

The World Cup. The 4th of July as the US turns 250. Dungeon Crawler Carl. LeBron moving on. Wimbledon. AI. There are so many things I could draw a parallel to in order to farm content for this week’s newsletter. So let’s talk about board games.  
 
A lot of skills come and go, and your journey with cybersecurity will be full of tools that you learn and then are gone. It’s a never-ending journey of learning. And it’s honestly the best thing about this career path for the kind of minds that are drawn to it. Innate curiosity is the currency of our cyber family.  

Learning new and interesting board games (and I use the term broadly to circle in RPGs, card games, etc.) is an incredible way to hone your mind and keep it focused on some of the most important tools that you will have.  

Games will harness your ability to highlight anomalous activity, by players, by rulesets, by structure. They will also highlight your personal brand of brain activity and allow you to leverage your singular style and intuition into a weapon.  

There are countless ways to win Ticket to Ride, and your play style may be completely counter to someone you play with. That then creates patterns that you must learn to break. Nothing is more important to your defensive strategies than knowing yourself (know your environment!) and then breaking your tendencies to force your opponent to change their comfortable tactics (maybe you’ve created some honeypot fake accounts that trigger identity alerts, so you can quietly track threat actors, their tooling, and their methodologies).  

This is nothing compared to the chaotic variance of a game like Go with its simplistic ruleset yet cascading complexity of each stone’s placement.  
 
Learning a new game is a challenge and a great practice in and of itself, but learning how YOU and your strategies evolve as you learn the game will give you a microcosmic view into taking on new technologies, new coding languages, and new skill sets.  

You will have peaks and valleys. So often in the work world we let the complexities and our imposter syndrome keep us from taking a risk or next step in our learning evolutions – next steps that we boldly take in our gaming lives.  

So take what you learn from Machi Koro, or Pathfinder, or Catan, or Wingspan, or ADnD 2e, or ... you get the idea. Take that same aggressive, inquisitive mindset to your current work, turn it on its head, and find a new way to do something you are already good at. And then look at something you struggle with and treat it like the next level. In the end, the worst that can happen is you fail. Because that’s where we learn.  

"If the rule you followed brought you to this, of what use was the rule?"
– Cormac McCarthy, No Country for Old Men  

The one big thing 

Cisco Talos is highlighting research into ARToken, a fully featured phishing-as-a-service (PhaaS) operator panel that shares infrastructure, API contracts, and operational patterns with the EvilTokens platform documented by Sekoia and Microsoft in early 2026, and that includes capabilities not previously documented. 

Why do I care? 

The ARToken panel exposes 80+ API endpoints for device code phishing, Primary Refresh Token (PRT) persistence, email access, business email compromise (BEC) operations, and SharePoint exfiltration — all accessible to operators through a React-based dashboard. These features indicate the platform is more mature than a simple device code phishing kit — it is a complete BEC operations environment. 

So now what? 

Defenders should be aware of the capabilities this panel provides, use the IOCs Talos has published to block malicious activity, and use those same IOCs as pivots for internal hunts to determine whether any are already present in their environment.
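As an added example of the "pivot for internal hunts" step (this is not Talos code), the script below takes the SHA256 and MD5 hashes listed in the malware-prevalence section of this newsletter and matches them against endpoint telemetry. The telemetry lines and their `key=value` layout (`host=`, `sha256=`, `md5=`, `path=`) are constructed for the example and do not correspond to any real product's log format; hash comparison is case-insensitive so mixed-case exports still match.

```python
"""
Added example (not Talos code): use the file hashes published in this
newsletter as pivots for a hunt across endpoint telemetry.

The telemetry lines and their key=value field layout are constructed for
this example; real EDR exports will need their own parser.
"""
import re
from collections import Counter

# Hashes and detection names taken from the "Most prevalent malware files"
# section of this newsletter. Both the SHA256 and the MD5 of each file are
# indexed so a hit is found whichever hash the telemetry happens to carry.
TALOS_IOCS = {
    "9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507": "Win.Worm.Coinminer::1201",
    "2915b3f8b703eb744fc54c81f4a9c67f": "Win.Worm.Coinminer::1201",
    "9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f": "Win.Tool.Procpatcher::1201",
    "38de5b216c33833af710e88f7f64fc98": "Win.Tool.Procpatcher::1201",
    "afc8a00883a4ea07df2dc1d4ed02f8a23b35c9456413b438a2d9ce3ae5076638": "PUA.Win.Tool.Kmsactivator::1201",
    "cc4d231df34e57f59eb970353c7d9de2": "PUA.Win.Tool.Kmsactivator::1201",
    "c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe": "W32.C0AD494457-95.SBX.TG",
    "bf9672ec85283fdf002d83662f0b08b7": "W32.C0AD494457-95.SBX.TG",
    "853baab97b1f3b03c1ffa55797e87867f5fb7ce33457411f56afd270cb395453": "W32.853BAAB97B.in12.Talos",
    "41acb30b9d662d48b7b4fc0ac3d4b79f": "W32.853BAAB97B.in12.Talos",
}

# Constructed telemetry: an uppercase SHA256 export, a benign file, a line
# carrying only an MD5, a line with both hashes, and one unparseable line.
SAMPLE_TELEMETRY = [
    "2026-07-01T10:02:11Z host=WS-0417 sha256=9F1F11A708D393E0A4109AE189BC64F1F3E312653DCF317A2BD406F18FFCC507 md5=2915b3f8b703eb744fc54c81f4a9c67f path=C:\\Users\\jdoe\\Downloads\\VID001.exe",
    "2026-07-01T10:05:40Z host=WS-0417 sha256=0000000000000000000000000000000000000000000000000000000000000000 path=C:\\Windows\\System32\\notepad.exe",
    "2026-07-01T11:17:03Z host=SRV-FILE01 md5=cc4d231df34e57f59eb970353c7d9de2 path=D:\\share\\tools\\AutoPico.exe",
    "2026-07-01T11:20:55Z host=WS-0099 sha256=853baab97b1f3b03c1ffa55797e87867f5fb7ce33457411f56afd270cb395453 md5=41acb30b9d662d48b7b4fc0ac3d4b79f path=C:\\Temp\\SignInfoConsole.exe",
    "malformed line with no fields",
]

HEX_RE = re.compile(r"^[0-9a-f]+$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def classify_hash(value):
    """Return 'sha256', 'md5' or None based on length and hex content (case-insensitive)."""
    v = value.strip().lower()
    if not HEX_RE.match(v):
        return None
    return {64: "sha256", 32: "md5"}.get(len(v))


def parse_telemetry_line(line):
    """Parse one constructed key=value telemetry line; None if it carries no host field."""
    fields = dict(KV_RE.findall(line))
    if "host" not in fields:
        return None
    parts = line.split(maxsplit=1)
    fields["timestamp"] = parts[0] if parts else ""
    return fields


def hunt(log_lines, iocs=TALOS_IOCS):
    """Return one hit per telemetry line whose SHA256 or MD5 is in the IOC set."""
    lookup = {h.lower(): name for h, name in iocs.items()}  # normalise once
    hits = []
    for line in log_lines:
        rec = parse_telemetry_line(line)
        if rec is None:
            continue
        for key in ("sha256", "md5"):  # SHA256 checked first, so it wins when both match
            value = rec.get(key, "").lower()
            if classify_hash(value) == key and value in lookup:
                hits.append({
                    "timestamp": rec["timestamp"],
                    "host": rec["host"],
                    "matched_on": key,
                    "hash": value,
                    "detection": lookup[value],
                    "path": rec.get("path", ""),
                })
                break  # one hit per line is enough
    return hits


def summarize_by_host(hits):
    """Count hits per host so the hunt output can be triaged host by host."""
    return dict(Counter(h["host"] for h in hits))


if __name__ == "__main__":
    for h in hunt(SAMPLE_TELEMETRY):
        print(f"{h['timestamp']} {h['host']} {h['matched_on']}={h['hash']} {h['detection']} {h['path']}")
    print(summarize_by_host(hunt(SAMPLE_TELEMETRY)))
```

Indexing both hashes per file matters in practice: some telemetry sources only record MD5, others only SHA256, and a hunt keyed on one of them silently misses the other. The host summary is the starting point for the pivot: any host with a hit gets its surrounding process and network activity pulled next.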

Top security headlines of the week 

An aggressive password-spraying campaign targeting Microsoft 365 environments generated more than 81 million login attempts over a two-week period
The threat actor tried to authenticate via Microsoft's Azure command-line interface (CLI) using still-valid username and password combinations that had been exposed in past breaches. (BleepingComputer)

Threat actors are trying to leverage organization-owned AI agents to power complex threat activity
By exploiting misconfigured or exposed AI endpoints, adversaries are increasingly turning enterprise-grade automation tools against their owners to facilitate more sophisticated and evasive cyberattacks. (DarkReading)

A recent authentication bypass vulnerability in the SimpleHelp remote monitoring and management (RMM) software has been exploited for malware delivery
Tracked as CVE-2026-48558, the bug impacts SimpleHelp’s OpenID Connect authentication flow and allows a remote attacker to obtain a fully authenticated technician session. (Security Week)

Can’t get enough Talos? 

Martin Lee: Running through the Arctic (and the threat landscape)
Ever wonder how someone goes from studying human viruses to leading cybersecurity teams? How about running through the Arctic for fun? In this Humans of Talos you get to hear from Martin and that’s ALWAYS worth pulling up a seat. 
 
Beers with Talos has an updated format, which includes making Hazel a hacker and “Reasons not to Quit”, listener questions (yes, that means YOU) - as well as a guest appearance from Nick Biasini who is always worth the price of admission. 

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
Example Filename: VID001.exe 
Detection Name: Win.Worm.Coinminer::1201  

SHA256: 9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f 
MD5: 38de5b216c33833af710e88f7f64fc98 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f 
Example Filename: sample.exe 
Detection Name: Win.Tool.Procpatcher::1201  

SHA256: afc8a00883a4ea07df2dc1d4ed02f8a23b35c9456413b438a2d9ce3ae5076638
MD5: cc4d231df34e57f59eb970353c7d9de2 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=afc8a00883a4ea07df2dc1d4ed02f8a23b35c9456413b438a2d9ce3ae5076638 
Example Filename: AutoPico.exe 
Detection Name: PUA.Win.Tool.Kmsactivator::1201  

SHA256: c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe
MD5: bf9672ec85283fdf002d83662f0b08b7 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe 
Example Filename: f_000cd7.html
Detection Name: W32.C0AD494457-95.SBX.TG  

SHA256: 853baab97b1f3b03c1ffa55797e87867f5fb7ce33457411f56afd270cb395453 
MD5: 41acb30b9d662d48b7b4fc0ac3d4b79f 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=853baab97b1f3b03c1ffa55797e87867f5fb7ce33457411f56afd270cb395453 
Example Filename: SignInfoConsole.exe
Detection Name: W32.853BAAB97B.in12.Talos