Weekly review

ThreatNoir Morning Brief — May 18

2026-05-18, Morning, 4 articles

Morning Review in IT Security — May 18, 2026

The threat landscape continues to evolve rapidly as attackers refine their techniques across multiple vectors. Today's security briefing covers emerging threats targeting cloud infrastructure, critical vulnerabilities in widely-deployed systems, and novel physical attack methods that underscore the importance of multi-layered defense strategies.

Tycoon2FA Hijacks Microsoft 365 Accounts via Device-Code Phishing

The Tycoon2FA phishing kit has expanded its capabilities to include device-code phishing attacks, representing a significant escalation in threats targeting enterprise cloud environments. The malicious toolkit now abuses Trustifi click-tracking URLs to facilitate the hijacking of Microsoft 365 accounts, leveraging legitimate services to bypass security controls. This development demonstrates how threat actors continue to innovate their social engineering methods to circumvent authentication mechanisms. Source: Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing
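Device-code phishing ends with a device-code sign-in recorded against the victim's account, so the defensive check is to surface every such sign-in and rank it by how unusual it is for that user. The script below is an added example, not code from the brief or from Microsoft: the field names follow the Microsoft Entra sign-in log schema (authenticationProtocol, userPrincipalName, appDisplayName, ipAddress), the records and the allowlist are constructed for illustration, and the "new IP" ranking is a heuristic of this example rather than a vendor rule.

```python
"""Triage device-code sign-ins from Entra-style sign-in records (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Field names follow the Microsoft Graph signIn resource; the records themselves
# are constructed for this example and do not come from any real tenant.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Outlook", "ipAddress": "203.0.113.22"},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Azure CLI", "ipAddress": "203.0.113.22"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "kiosk-svc@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Meeting Room Display", "ipAddress": "192.0.2.5"},
]

# Constructed allowlist: identities that legitimately use the device-code flow
# (headless or input-constrained devices). Any other identity using it is suspect.
EXPECTED_DEVICE_CODE_USERS = {"kiosk-svc@example.com"}


@dataclass
class Finding:
    user: str
    ip: str
    app: str
    novel_ip: bool
    severity: str


def baseline_ips(records):
    """Map each user to the source IPs seen on their non-device-code sign-ins."""
    base = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            base[r["userPrincipalName"]].add(r["ipAddress"])
    return base


def find_device_code_signins(records, expected_users=EXPECTED_DEVICE_CODE_USERS):
    """Return one Finding per device-code sign-in, most suspicious first.

    Heuristic (an assumption of this example): a device-code sign-in from an IP
    the user has never used for any other sign-in ranks 'high'; one from a known
    IP ranks 'medium'; an allowlisted identity ranks 'info' so it stays visible
    without paging anyone.
    """
    base = baseline_ips(records)
    findings = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            continue
        user = r["userPrincipalName"]
        novel = r["ipAddress"] not in base.get(user, set())
        if user in expected_users:
            severity = "info"
        elif novel:
            severity = "high"
        else:
            severity = "medium"
        findings.append(Finding(user, r["ipAddress"], r["appDisplayName"], novel, severity))
    return sorted(findings, key=lambda f: ("high", "medium", "info").index(f.severity))


if __name__ == "__main__":
    for f in find_device_code_signins(SAMPLE_SIGNINS):
        print(f"[{f.severity:6}] {f.user} via {f.app} from {f.ip} (new IP: {f.novel_ip})")
```

Run against a real export, the allowlist should be the tenant's known headless devices and nothing else; a device-code sign-in for an ordinary interactive user is the event worth a ticket regardless of IP, and the IP check only decides how urgently. Where the flow is not needed at all, blocking it at the policy layer removes the detection burden entirely.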

PoC Code Published for Critical NGINX Vulnerability

A critical vulnerability in NGINX that has existed since 2008 has now been patched in both NGINX Plus and NGINX open source releases. The publication of proof-of-concept code for this vulnerability poses an immediate risk to organizations running affected versions of the widely-used web server. The PoC release sharply narrows the window defenders have to patch before exploitation attempts begin. Source: PoC Code Published for Critical NGINX Vulnerability

Critical Claw Chain Vulnerabilities Expose OpenClaw AI Servers

A series of critical vulnerabilities collectively known as Claw Chain have been identified in OpenClaw, placing thousands of AI servers at risk globally. These vulnerabilities enable multiple attack vectors including data theft, backdoor installation, and administrative-level compromise of affected systems. The widespread deployment of OpenClaw infrastructure means this vulnerability set poses a significant supply-chain risk to organizations relying on these AI services. Source: Critical 'Claw Chain' Vulnerabilities Put Thousands of OpenClaw AI Servers at Risk

Scammers Send Physical Phishing Letters to Steal Ledger Wallet Seed Phrases

A novel phishing campaign has emerged in Italy where threat actors are mailing fraudulent Ledger correspondence containing malicious QR codes to cryptocurrency wallet users. This physical phishing approach represents a departure from traditional digital-only attacks and demonstrates how attackers are blending offline and online tactics to compromise sensitive wallet credentials. The campaign specifically targets the extraction of seed phrases, which would grant complete access to victims' cryptocurrency holdings. Source: Scammers Send Physical Phishing Letters to Steal Ledger Wallet Seed Phrases

Organizations should prioritize patching critical vulnerabilities, implementing additional authentication protections for cloud services, and educating users about both digital and physical social engineering threats. The convergence of these threats underscores the need for comprehensive security strategies that address emerging attack methodologies across all channels.

Sources & IOCs

Source articles and extracted indicators (defanged where appropriate).

Critical ‘Claw Chain’ Vulnerabilities Put Thousands of OpenClaw AI Servers at Risk
CVEs (4)
  • Critical timing error in OpenShell sandbox (CVSS 9.6) enabling sandbox escape and persistent backdoor installation
  • High-severity identity bypass vulnerability (CVSS 7.8) allowing local privilege escalation to admin access
  • High-severity command validation gap (CVSS 8.8) leaking API keys, secrets, and password tokens
  • High-severity symbolic link manipulation vulnerability (CVSS 7.7) exposing restricted system files