Threat Advisories

Top Middle East Cyber Threats – 08 June 2026

By Help AG

Help AG’s Managed Security Services (MSS) team delivers 24x7x365 monitoring across complex enterprise environments, providing continuous visibility into emerging cybersecurity threats across the region. 

 

Large-Scale Smishing Campaign Targets Multiple Regions 

Researchers have identified a large-scale Phishing-as-a-Service (PhaaS) smishing campaign, dubbed Smishing Error524, which has been active since the second half of 2025. The campaign impersonates more than 260 brands across sectors including telecommunications, financial services, logistics, and consumer rewards programmes. 

Using SMS phishing messages, deceptive error pages, and a network of more than 4,300 phishing domains, the operation seeks to collect personal and payment card information. Activity has been observed across Latin America, Europe, Asia-Pacific (APAC), North America, the Middle East, and Africa. 

The scale of the infrastructure and use of multiple evasion techniques highlight a mature and well-coordinated phishing operation. 

RECOMMENDATIONS 
  • Filter SMS messages containing known smishing indicators.
  • Train users to recognise brand impersonation attempts.
  • Verify payment requests through official channels.
  • Enable Multi-Factor Authentication (MFA).
  • Monitor for unusual account activity.
  • Implement Domain Name System (DNS) and web filtering controls.
  • Block access to known phishing infrastructure.
  • Educate users not to enter payment details through SMS links.
  • Monitor newly registered lookalike domains.

 

Recruitment-Themed Campaign Targets Aerospace and Defence Organisations 

Researchers have identified a targeted phishing campaign attributed to the Advanced Persistent Threat (APT) group Nimbus Manticore (UNC1549 / Smoke Sandstorm), targeting aerospace and defence organisations across Europe and the Middle East. 

The campaign used recruiter impersonation, job-related lures, and a spoofed hiring portal to encourage users to download a malicious application disguised as a two-factor authentication tool. The malware leveraged a legitimate Microsoft-signed application to establish persistence and communicate with attacker-controlled infrastructure. 

The activity demonstrates the continued use of social engineering techniques and trusted applications to gain and maintain access within targeted environments. 

RECOMMENDATIONS 
  • Verify recruiter identities through official company channels.
  • Block access to newly registered and suspicious recruitment domains.
  • Raise awareness of recruitment-themed phishing attempts.
  • Restrict execution of applications from AppData, Temp, and Downloads folders.
  • Monitor for unusual scheduled tasks and persistence mechanisms.
  • Investigate suspicious communication with cloud-hosted infrastructure.
  • Deploy application allowlisting to prevent unauthorised execution.
  • Monitor for Dynamic Link Library (DLL) sideloading and application hijacking activity.
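
A minimal triage for the sideloading pattern described in this section, added here as an illustration and not taken from Help AG or the referenced research: it flags a Microsoft-signed process running from a user-writable folder that loads an unsigned DLL from its own directory. The event records, field names, and file names are constructed and hypothetical.

```python
import ntpath  # parses Windows paths correctly on any OS

# Folders named in the recommendation above, matched as path components.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")

# Constructed sample records, not from a real incident. Field names are
# hypothetical: an image-load event enriched with signer information.
EVENTS = [
    {"host": "ws-01", "image": r"C:\Users\u1\AppData\Local\Temp\pkg\host.exe",
     "image_signer": "Microsoft Corporation",
     "loaded": r"C:\Users\u1\AppData\Local\Temp\pkg\dep.dll", "loaded_signed": False},
    {"host": "ws-02", "image": r"C:\Windows\System32\host.exe",
     "image_signer": "Microsoft Windows",
     "loaded": r"C:\Windows\System32\dep.dll", "loaded_signed": True},
    {"host": "ws-03", "image": r"C:\Users\u3\AppData\Local\App\app.exe",
     "image_signer": "Microsoft Corporation",
     "loaded": r"C:\Users\u3\AppData\Local\App\lib.dll", "loaded_signed": True},
    {"host": "ws-04", "image": r"C:\Users\u4\Downloads\tool.exe",
     "image_signer": "",
     "loaded": r"C:\Users\u4\Downloads\tool.dll", "loaded_signed": False},
]

def in_user_writable(path):
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)

def is_sideload_candidate(event):
    """Trusted signed host process in a user-writable folder that loads an
    unsigned DLL sitting next to it."""
    image, loaded = event["image"], event["loaded"]
    same_dir = ntpath.dirname(image).lower() == ntpath.dirname(loaded).lower()
    return (in_user_writable(image)
            # Assumption: signer string comes from a verified signature check.
            and "microsoft" in event["image_signer"].lower()
            and same_dir
            and not event["loaded_signed"])

def triage(events):
    """Return (host, process, dll) for every record worth an analyst's look."""
    return [(e["host"], ntpath.basename(e["image"]), ntpath.basename(e["loaded"]))
            for e in events if is_sideload_candidate(e)]

if __name__ == "__main__":
    for hit in triage(EVENTS):
        print("review:", *hit)
```

The unsigned executable on ws-04 is deliberately not flagged here; that case falls to the allowlisting and execution-restriction controls listed above.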

 

Google Chrome Addresses Multiple Security Vulnerabilities

Google Chrome has released six security fixes, including one Critical, three High, and two Medium severity vulnerabilities. 

Key vulnerabilities addressed: 

  • CVE-2026-11009 (Critical): A use-after-free vulnerability in USB that could potentially allow attackers to bypass browser security controls on Windows through a specially crafted HTML page.
  • CVE-2026-11002, CVE-2026-11010, CVE-2026-11012 (High): Use-after-free vulnerabilities in Autofill, WebShare, and Serial that could potentially allow attackers to bypass browser security controls through malicious web content.
  • CVE-2026-11004, CVE-2026-11006 (Medium): Out-of-bounds read vulnerabilities in ANGLE and Dawn that could expose sensitive memory information. 

RECOMMENDATIONS
  • Ensure all systems are patched and updated.

 

Microsoft Resolves Critical Vulnerabilities in Cloud and AI Services 

Microsoft has released six security fixes, including two Critical, one High, and three Medium severity vulnerabilities. 

The update addresses the following vulnerabilities: 

  • [High] CVE-2026-45497 – Microsoft 365 Copilot: A vulnerability that could allow an authenticated user to execute code remotely.
  • [Critical] CVE-2026-48567 – Azure HorizonDB: A vulnerability that could allow an attacker to gain elevated privileges remotely.
  • [Critical] CVE-2026-48579 – Microsoft Exchange Online: A vulnerability that could allow unauthorised access to sensitive information.
  • [Medium] CVE-2026-47655 – Microsoft Graph: A vulnerability that could expose sensitive information to authorised users.
  • [Medium] CVE-2026-42824 – Microsoft 365 Copilot: A vulnerability that could allow unauthorised disclosure of information over a network.
  • [Medium] CVE-2026-47644 – Copilot Chat (Microsoft Edge): A vulnerability that could allow unauthorised disclosure of information through crafted input and output interactions.

RECOMMENDATIONS
  • Ensure all systems are patched and updated.

 

Cisco Addresses High-Severity Privilege Escalation Vulnerability 

Cisco has released one High-severity security fix affecting Cisco Catalyst Software-Defined Wide Area Network (SD-WAN) Manager.

CVE-2026-20245 (High): A vulnerability in the Command-Line Interface (CLI) of Cisco Catalyst SD-WAN Manager could allow an authenticated attacker with netadmin privileges to execute arbitrary commands as the root user by uploading a specially crafted file. Successful exploitation could allow an attacker to execute commands with elevated privileges on the affected system.

Cisco has reported limited observed exploitation of this vulnerability in targeted environments.  

RECOMMENDATIONS 
  • Ensure all systems are patched and updated.


