Cybersecurity Roundup: February 2026 | Kocho

Cybersecurity Roundup February 2026


From Kocho’s Security Operations Centre (SOC)

Published: 03 March 2026

Attackers in February continued to weaponise the tools organisations already trust. Browser extensions, legitimate Microsoft authentication flows and everyday workflows are all being turned against the businesses that rely on them.

Here are the key threats and recommended actions identified by our SOC team this month.

Headlines:

  • Outlook add-in hijack steals Microsoft credentials
  • Vishing campaign abuses Entra device code sign-in
  • Malicious AI Chrome extensions harvest user data
  • BeyondTrust pre-auth flaw exploited in live attacks
  • Notepad++ update channel breached in targeted attack

Abandoned Outlook add-in hijacked to steal Microsoft credentials

A legitimate Outlook add-in (AgreeTo) was hijacked after its backend domain expired and was registered by an attacker. Office add-ins load their interface from the web host named in their manifest, so whoever controls that domain controls what the add-in shows inside Outlook. Once compromised, the add-in displayed a fake Microsoft login prompt inside Outlook and exfiltrated credentials together with any other data entered, including credit card details and banking security answers. Reports indicate the attack captured over 4,000 Microsoft account credentials before the add-in was removed from the Microsoft store, though some environments may still have it installed.

What are the risks?

  • Credential theft inside a highly trusted application (Outlook)
  • Add-ins can retain powerful mailbox permissions, increasing potential impact
  • Legitimate tools can become risky later if ownership or maintenance lapses

Recommended actions

Remove the ‘AgreeTo’ add-in immediately, along with any other unused add-ins.

Reset the Microsoft credentials of impacted users, revoke their active sessions and refresh tokens, and review Entra sign-in logs and their Outlook mailboxes (inbox rules, forwarding, sent items) for suspicious activity.

Move to an approved add-in list and introduce simple maintenance checks (publisher still active, manifest host still under the publisher’s control) so abandoned add-ins can’t remain deployed unnoticed.

Vishing campaign abuses Microsoft Entra device code sign-in

Attackers are using phone-led social engineering to push users into completing the OAuth device code flow, typically by impersonating IT support or a trusted supplier.

The user is asked to visit the Microsoft device login page (microsoft.com/devicelogin) and enter a short code supplied by the caller. Because the sign-in itself completes on a genuine Microsoft page, with the user’s own MFA, the attacker’s client receives valid access and refresh tokens without any password ever being stolen.

Once tokens are issued the attacker may be able to access Microsoft 365 services and other applications connected via SSO.

What are the risks?

  • Users grant attackers authorised access (tokens), often bypassing typical phishing cues
  • SSO means one successful interaction can unlock multiple connected apps
  • Detection can be harder unless you alert on device-code sign-in patterns

Recommended actions

Update service desk guidance: never complete a device-code sign-in at a caller’s request, and verify unexpected IT or supplier calls with a call back to a known number.

Monitor Microsoft Entra sign-in logs for unusual device-code activity (location, devices and times). The sign-in log records the flow used in its authentication protocol field, so device-code sign-ins can be filtered out and alerted on directly.

Use Conditional Access to reduce impact: the authentication flows condition can block the device code flow for users and apps that have no need for it, and device compliance and sign-in frequency requirements limit how long a hijacked session stays useful.
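The sign-in review described above, as an added example for this roundup rather than Kocho’s own tooling: it takes an Entra ID sign-in log export, builds a per-user baseline of countries and IPs from ordinary sign-ins, then lists every device-code sign-in ranked by how far it departs from that baseline. It assumes the export keeps the Microsoft Graph signIn field names (authenticationProtocol, ipAddress, location, deviceDetail, createdDateTime); the sample records and the working-hours window are constructed for illustration. The same baseline check is what you would run over the impacted users from the Outlook add-in incident.

```python
"""Rank device-code sign-ins in an Entra ID sign-in export by how unusual they look."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample export in the Microsoft Graph signIn shape (assumption: your
# export, e.g. from Get-MgAuditLogSignIn or a Sentinel query, keeps these names).
SAMPLE_SIGNINS = json.loads(r'''
[
  {"userPrincipalName": "a.jones@contoso.example", "createdDateTime": "2026-02-10T09:12:00Z",
   "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
   "location": {"countryOrRegion": "GB"}, "deviceDetail": {"isManaged": true, "operatingSystem": "Windows"},
   "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
  {"userPrincipalName": "a.jones@contoso.example", "createdDateTime": "2026-02-10T14:30:00Z",
   "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
   "location": {"countryOrRegion": "GB"}, "deviceDetail": {"isManaged": true, "operatingSystem": "Windows"},
   "appDisplayName": "Outlook", "status": {"errorCode": 0}},
  {"userPrincipalName": "b.khan@contoso.example", "createdDateTime": "2026-02-10T10:05:00Z",
   "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.7",
   "location": {"countryOrRegion": "GB"}, "deviceDetail": {"isManaged": true, "operatingSystem": "Windows"},
   "appDisplayName": "SharePoint Online", "status": {"errorCode": 0}},
  {"userPrincipalName": "a.jones@contoso.example", "createdDateTime": "2026-02-11T22:41:00Z",
   "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.55",
   "location": {"countryOrRegion": "NL"}, "deviceDetail": {"isManaged": false, "operatingSystem": ""},
   "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
  {"userPrincipalName": "b.khan@contoso.example", "createdDateTime": "2026-02-12T11:00:00Z",
   "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
   "location": {"countryOrRegion": "GB"}, "deviceDetail": {"isManaged": true, "operatingSystem": "Windows"},
   "appDisplayName": "Azure CLI", "status": {"errorCode": 0}}
]
''')

WORKING_HOURS = (7, 19)  # assumption: business hours on a 24h clock; export timestamps are UTC


def build_baseline(signins):
    """Countries and IPs each user normally signs in from, taken only from
    sign-ins that did NOT use the device-code flow."""
    baseline = defaultdict(lambda: {"countries": set(), "ips": set()})
    for s in signins:
        if s.get("authenticationProtocol") == "deviceCode":
            continue
        entry = baseline[s["userPrincipalName"].lower()]
        entry["countries"].add((s.get("location") or {}).get("countryOrRegion") or "unknown")
        entry["ips"].add(s.get("ipAddress"))
    return baseline


def outside_working_hours(created):
    hour = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").hour
    return not (WORKING_HOURS[0] <= hour < WORKING_HOURS[1])


def find_device_code_signins(signins, baseline=None):
    """Every device-code sign-in with the reasons it looks unusual, highest score
    first. A score of 0 is still a device-code sign-in and still worth a check
    if that user has no reason to use the flow."""
    baseline = build_baseline(signins) if baseline is None else baseline
    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        user = s["userPrincipalName"].lower()
        known = baseline.get(user, {"countries": set(), "ips": set()})
        country = (s.get("location") or {}).get("countryOrRegion") or "unknown"
        device = s.get("deviceDetail") or {}
        reasons = []
        if country not in known["countries"]:
            reasons.append(f"new country {country}")
        if s.get("ipAddress") not in known["ips"]:
            reasons.append(f"new IP {s.get('ipAddress')}")
        if not device.get("isManaged"):
            reasons.append("unmanaged or unknown device")
        if outside_working_hours(s["createdDateTime"]):
            reasons.append("outside working hours")
        if (s.get("status") or {}).get("errorCode", 0) != 0:
            reasons.append("sign-in failed (attempt only)")
        findings.append({"user": user, "time": s["createdDateTime"], "app": s.get("appDisplayName"),
                         "ip": s.get("ipAddress"), "score": len(reasons), "reasons": reasons})
    return sorted(findings, key=lambda f: (-f["score"], f["time"]))


if __name__ == "__main__":
    for f in find_device_code_signins(SAMPLE_SIGNINS):
        detail = "; ".join(f["reasons"]) or "matches baseline"
        print(f"[{f['score']}] {f['time']} {f['user']} via {f['app']} from {f['ip']}: {detail}")
```

On the sample data the a.jones sign-in scores 4 (new country, new IP, unmanaged device, out of hours) and the b.khan Azure CLI sign-in scores 0; in a real estate, build the baseline from at least a few weeks of history so that a legitimate traveller does not look like the first case.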

Fake AI Chrome extensions harvest data at scale

Researchers identified a cluster of AI-themed Chrome extensions in the Chrome Web Store that presented themselves as helpful ‘AI assistants’ and used convincing chat style interfaces.

While they appeared to work normally, the extensions routed users’ prompts through attacker-controlled servers, allowing the operators to capture everything typed into the tool and, in some cases, data from the wider browser session.

It has been reported that more than 260,000 users were affected.

What are the risks?

  • Leakage of sensitive data such as email content, page content, API keys and credentials
  • Use of unapproved AI tools can create unmanaged data exposure through the browser
  • Distribution via a trusted platform can make malicious extensions appear legitimate and can lead to rapid spread before takedown

Recommended actions

Users should only install extensions from trusted publishers and, where the browser is managed, enforce that with the browser’s enterprise extension policies (install allow and block lists) rather than relying on judgement alone.

Review extension permissions regularly and remove anything unused or requesting broad access (all sites, tabs, clipboard, web requests) without a clear need.

Set clear rules for AI tools in the browser, including not pasting credentials, API keys or customer data into them.
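The permission review above, as an added example that is not Kocho’s tooling and is not tied to the specific extensions in the report: it reads the manifest.json Chrome keeps for each installed extension (Edge uses the same format), flags anything not on an approved list, anything asking for host access to every site, and anything holding permissions that let it read or alter what the user sees and types. The two manifests, the placeholder extension IDs and the allow list are constructed for illustration.

```python
"""Audit installed Chrome/Edge extensions for broad permissions and allow-list gaps."""
import json
from pathlib import Path

# Permissions that let an extension read or alter what the user sees and types.
HIGH_RISK_PERMISSIONS = {
    "tabs", "scripting", "webRequest", "webRequestBlocking", "cookies",
    "clipboardRead", "history", "debugger", "nativeMessaging", "proxy",
    "management", "declarativeNetRequest",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Assumption: your allow list is keyed by extension ID (these IDs are placeholders).
APPROVED_EXTENSIONS = {
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": "Contoso Intranet Helper",
}

# Constructed sample manifests: one "AI assistant" asking for everything, one approved tool.
SAMPLE_MANIFESTS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "manifest_version": 3, "name": "AI Chat Helper", "version": "1.4.2",
        "permissions": ["storage", "tabs", "scripting", "clipboardRead"],
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "manifest_version": 3, "name": "Contoso Intranet Helper", "version": "2.0.0",
        "permissions": ["storage"],
        "host_permissions": ["https://intranet.contoso.example/*"],
    },
}


def host_patterns(manifest):
    """All host match patterns an extension asks for. Manifest V2 puts host
    patterns in 'permissions'; V3 uses 'host_permissions'; content scripts
    declare their own 'matches'."""
    patterns = set(manifest.get("host_permissions", []))
    patterns |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):
        patterns |= set(script.get("matches", []))
    return patterns


def audit_extension(ext_id, manifest, approved=APPROVED_EXTENSIONS):
    findings = []
    if ext_id not in approved:
        findings.append("not on approved list")
    broad = host_patterns(manifest) & BROAD_HOST_PATTERNS
    if broad:
        findings.append("broad host access: " + ", ".join(sorted(broad)))
    risky = set(manifest.get("permissions", [])) & HIGH_RISK_PERMISSIONS
    if risky:
        findings.append("high-risk permissions: " + ", ".join(sorted(risky)))
    return {"id": ext_id, "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"), "findings": findings}


def audit_all(manifests, approved=APPROVED_EXTENSIONS):
    """Worst offenders first."""
    results = [audit_extension(ext_id, m, approved) for ext_id, m in manifests.items()]
    return sorted(results, key=lambda r: -len(r["findings"]))


def load_profile_manifests(profile_dir):
    """Collect one manifest per extension ID from a profile's Extensions folder,
    e.g. %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default on Windows."""
    manifests = {}
    for path in Path(profile_dir, "Extensions").glob("*/*/manifest.json"):
        manifests[path.parent.parent.name] = json.loads(path.read_text(encoding="utf-8"))
    return manifests


if __name__ == "__main__":
    for r in audit_all(SAMPLE_MANIFESTS):
        print(f"{r['id']} {r['name']} {r['version']}: {'; '.join(r['findings']) or 'ok'}")
```

Run it with `audit_all(load_profile_manifests(path))` against a real profile; names of the form `__MSG_name__` are localised and need the extension’s `_locales` folder to resolve, which this example leaves as the raw key.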

BeyondTrust CVE-2026-1731 actively exploited

CVE-2026-1731 is being actively exploited following the release of a public proof of concept targeting the /get_portal_info endpoint. It affects BeyondTrust Remote Support (25.3.1 and earlier) and Privileged Remote Access (24.3.4 and earlier). Self-hosted appliances are the priority risk.

What are the risks?

  • Pre-auth RCE on a perimeter appliance can lead to rapid compromise
  • Remote support/privileged access tooling is high-value due to proximity to admin workflows
  • Exposed appliances can be targeted quickly once exploit code circulates

Recommended actions

Patch or upgrade immediately in line with BeyondTrust guidance.

Prioritise self-hosted instances and validate versions and internet exposure across your estate, including appliances stood up for projects and since forgotten.

Review appliance and network logs for suspicious requests, particularly to /get_portal_info from unfamiliar sources, and for abnormal outbound traffic from the appliance.
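The version validation and log review above, as an added example that is neither BeyondTrust’s nor Kocho’s tooling: it compares each appliance in an inventory against the affected-version ceilings quoted in this item (25.3.1 for Remote Support, 24.3.4 for Privileged Remote Access), orders the affected ones so that self-hosted and internet-exposed appliances come first, and counts requests to /get_portal_info per source address in common-format access logs. The inventory, trusted network ranges and log lines are constructed. The log hunt only finds traffic to the endpoint; it does not know the exploit payload and is not a signature.

```python
"""Triage a BeyondTrust estate for CVE-2026-1731 and hunt logs for /get_portal_info."""
import ipaddress
import re
from collections import Counter

# Highest affected version per product, from the advisory summary above.
LAST_VULNERABLE = {
    "Remote Support": (25, 3, 1),
    "Privileged Remote Access": (24, 3, 4),
}
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Numeric tuple so that 25.3.10 sorts above 25.3.1 (string comparison gets this wrong)."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version {text!r}")
    return tuple(int(x) if x is not None else 0 for x in m.groups())


def is_affected(product, version):
    if product not in LAST_VULNERABLE:
        raise ValueError(f"unknown product {product!r}")
    return parse_version(version) <= LAST_VULNERABLE[product]


def triage(inventory):
    """Affected appliances in patching order: self-hosted and internet-exposed (P1),
    other self-hosted (P2), vendor-hosted (P3: confirm with BeyondTrust it is patched)."""
    rows = []
    for item in inventory:
        if not is_affected(item["product"], item["version"]):
            continue
        if item["hosting"] == "self-hosted":
            priority = "P1" if item["internet_exposed"] else "P2"
        else:
            priority = "P3"
        rows.append({**item, "priority": priority})
    return sorted(rows, key=lambda r: r["priority"])


# Common/combined log format: client IP, identity, user, [time], "METHOD path proto", status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def hunt_get_portal_info(log_lines, trusted_networks):
    """Requests to /get_portal_info per source IP, ignoring trusted ranges."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith("/get_portal_info"):
            continue
        src = ipaddress.ip_address(m["ip"])
        if any(src in net for net in trusted):
            continue
        hits[m["ip"]] += 1
    return hits


# Constructed sample data.
INVENTORY = [
    {"host": "rs-edge-01", "product": "Remote Support", "version": "25.3.1", "hosting": "self-hosted", "internet_exposed": True},
    {"host": "pra-core-01", "product": "Privileged Remote Access", "version": "24.3.4", "hosting": "self-hosted", "internet_exposed": False},
    {"host": "rs-cloud", "product": "Remote Support", "version": "25.3.2", "hosting": "vendor-cloud", "internet_exposed": True},
    {"host": "pra-lab", "product": "Privileged Remote Access", "version": "24.3.10", "hosting": "self-hosted", "internet_exposed": True},
]
TRUSTED_NETWORKS = ["10.0.0.0/8"]
ACCESS_LOG = [
    '198.51.100.23 - - [20/Feb/2026:03:14:07 +0000] "GET /get_portal_info HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '198.51.100.23 - - [20/Feb/2026:03:14:09 +0000] "GET /get_portal_info HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '10.0.4.17 - - [20/Feb/2026:08:02:11 +0000] "GET /get_portal_info HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [20/Feb/2026:08:05:30 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(f"{row['priority']} {row['host']} {row['product']} {row['version']} ({row['hosting']})")
    for ip, n in hunt_get_portal_info(ACCESS_LOG, TRUSTED_NETWORKS).most_common():
        print(f"{ip}: {n} request(s) to /get_portal_info")
```

Note that the pra-lab appliance on 24.3.10 is correctly left out: a naive string comparison would have called it older than 24.3.4.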

Notepad++ update mechanism compromised in targeted attack

Reporting indicates Notepad++ update infrastructure was compromised for around six months, allowing a backdoored version to be delivered to targeted users. The activity has been linked to a suspected China state-backed group. Attackers exploited a weakness in the update verification process in older releases to redirect update traffic to attacker-controlled servers.

What are the risks?

  • Supply chain compromise via a trusted update workflow
  • Targeted delivery may reduce ‘noise’ and delay recovery
  • Developer/admin endpoints can be high-impact footholds

Recommended actions

Update to 8.9.1 or later from official sources and avoid search ads or third-party download sites.

Monitor or restrict updater activity in managed environments, in particular outbound connections from gup.exe to anything other than the official update hosts, and gup.exe launching anything other than the Notepad++ installer.

Use published indicators of compromise to assess whether endpoints show signs of suspicious update activity.
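The updater monitoring above, as an added example that is neither Kocho’s nor the Notepad++ project’s tooling: it runs over Sysmon network-connection (event 3) and process-creation (event 1) records and flags gup.exe talking to any host other than the expected update hosts or over a non-TLS port, and gup.exe launching anything other than the Notepad++ installer. It assumes the records were exported as JSON with Sysmon’s field names (Image, DestinationHostname, DestinationIp, DestinationPort, ParentImage), and the EXPECTED_HOSTS set and installer naming pattern are assumptions to tune from known-good update traffic in your own proxy logs. The records are constructed.

```python
"""Flag Notepad++ updater (gup.exe) behaviour that does not look like a normal update."""
import re

UPDATER = "gup.exe"
# Assumption: hosts a clean update contacts (tune from known-good traffic).
EXPECTED_HOSTS = {"notepad-plus-plus.org", "github.com", "objects.githubusercontent.com"}
# Assumption: the installer gup.exe launches after download follows npp.<version>.Installer*.exe.
EXPECTED_CHILD_PATTERN = r"^npp\.\d+(\.\d+)*\.installer.*\.exe$"

# Constructed Sysmon records as they might arrive from a SIEM export.
SAMPLE_EVENTS = [
    {"EventID": 3, "Computer": "WS-DEV-07", "UtcTime": "2026-02-03 09:15:02.100",
     "Image": r"C:\Program Files\Notepad++\updater\gup.exe",
     "DestinationHostname": "notepad-plus-plus.org", "DestinationIp": "203.0.113.40", "DestinationPort": 443},
    {"EventID": 3, "Computer": "WS-DEV-12", "UtcTime": "2026-02-03 09:16:44.310",
     "Image": r"C:\Program Files\Notepad++\updater\gup.exe",
     "DestinationHostname": "", "DestinationIp": "198.51.100.77", "DestinationPort": 80},
    {"EventID": 3, "Computer": "WS-DEV-12", "UtcTime": "2026-02-03 09:17:01.000",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "example.com", "DestinationIp": "203.0.113.5", "DestinationPort": 443},
    {"EventID": 1, "Computer": "WS-DEV-07", "UtcTime": "2026-02-03 09:15:40.900",
     "Image": r"C:\Users\dev\AppData\Local\Temp\nppInstaller\npp.8.9.1.Installer.x64.exe",
     "ParentImage": r"C:\Program Files\Notepad++\updater\gup.exe"},
    {"EventID": 1, "Computer": "WS-DEV-12", "UtcTime": "2026-02-03 09:17:12.450",
     "Image": r"C:\Users\dev\AppData\Local\Temp\svchost.exe",
     "ParentImage": r"C:\Program Files\Notepad++\updater\gup.exe"},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def host_expected(hostname, expected=EXPECTED_HOSTS):
    """Exact match or subdomain of an expected host; empty hostname never matches."""
    h = (hostname or "").lower().rstrip(".")
    return any(h == e or h.endswith("." + e) for e in expected)


def triage_updater_events(events, expected_hosts=EXPECTED_HOSTS):
    findings = []
    for e in events:
        eid = e.get("EventID")
        if eid == 3 and basename(e.get("Image", "")) == UPDATER:
            reasons = []
            if not host_expected(e.get("DestinationHostname"), expected_hosts):
                target = e.get("DestinationHostname") or e.get("DestinationIp")
                reasons.append(f"unexpected destination {target}")
            if int(e.get("DestinationPort", 0)) != 443:
                reasons.append(f"non-TLS port {e.get('DestinationPort')}")
            if reasons:
                findings.append({"computer": e["Computer"], "time": e["UtcTime"], "event": 3, "reasons": reasons})
        elif eid == 1 and basename(e.get("ParentImage", "")) == UPDATER:
            if not re.match(EXPECTED_CHILD_PATTERN, basename(e.get("Image", ""))):
                findings.append({"computer": e["Computer"], "time": e["UtcTime"], "event": 1,
                                 "reasons": [f"gup.exe spawned unexpected process {e.get('Image')}"]})
    return findings


if __name__ == "__main__":
    for f in triage_updater_events(SAMPLE_EVENTS):
        print(f"{f['time']} {f['computer']} (event {f['event']}): {'; '.join(f['reasons'])}")
```

An empty DestinationHostname is treated as unexpected on purpose: a redirect to a bare IP, or a resolver that never saw the lookup, is exactly the case worth looking at.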


From our blog

Are you ready for April's Cyber Essentials updates?

From April 2026, organisations renewing Cyber Essentials Plus will face stricter requirements around MFA, cloud services and access management. Shared accounts, inconsistent MFA and loosely governed SaaS platforms are now squarely in scope.

The update reflects how organisations are actually being compromised, with identity controls under far greater scrutiny at assessment.

If certification underpins contracts or supplier frameworks, reviewing your readiness now could avoid disruption later.

Resources & References

Bleeping Computer | Hacker News | Dark Reading | Wired

Stay safe. Stay informed.
