Threat Briefing: February 20, 2026

February 20, 2026

Threat Intel Update

Cyber threats are evolving, with phishing, identity attacks, tool abuse, and supply-chain weaknesses on the rise. GS7’s Operation DoppelBrand shows attackers impersonating Fortune 500 brands at scale, while RMM tool abuse has surged 277%, enabling stealthy, malware-free intrusions.

Attackers are exploiting trusted workflows, as in device code vishing against Microsoft Entra accounts, and AI platforms, as in a Microsoft 365 Copilot vulnerability that exposed emails. Recent improvements to the Notepad++ update mechanism highlight the ongoing need for robust supply-chain and software-delivery security.

Cybersecurity News

  • Operation DoppelBrand Exploits Fortune 500 Brands for Phishing – GS7 is running Operation DoppelBrand, a phishing campaign targeting Fortune 500 companies, including Wells Fargo and Citibank, as well as tech, healthcare, and telecom sectors. Using over 150 fake domains, the group harvests credentials via convincing login portals and Telegram, sometimes selling access to ransomware groups. Focused on U.S. and English-speaking markets, the campaign highlights the rising sophistication of phishing and the need for multifactor authentication. Dark Reading
  • RMM Tool Abuse Surges 277%, Cybercriminals Shift Tactics – Huntress’ 2026 Cyber Threat Report reveals a 277% rise in the abuse of Remote Monitoring and Management (RMM) tools. Cybercriminals are increasingly using RMM tools for stealthy, malware-free attacks, turning them into command-and-control hubs, while conventional hacking tools decline 53%. Healthcare and tech sectors are heavily affected, highlighting the need for stricter RMM controls and vendor accountability to counter this growing threat. Dark Reading
  • Device Code Vishing Targets Microsoft Entra Accounts – Cybercriminals are increasingly using device code vishing to access Microsoft Entra accounts across tech, manufacturing, and finance. By abusing legitimate Microsoft OAuth client IDs, attackers trick users into providing authentication codes, granting access to Microsoft 365 and connected SSO apps without passwords or MFA. This shift to authentic login pages makes detection harder and shows growing social engineering sophistication. BleepingComputer
  • Microsoft 365 Copilot Exposes Confidential Emails – A bug in Microsoft 365 Copilot allowed confidential emails to be accessed and summarized despite Data Loss Prevention (DLP) and sensitivity labels. Tracked as CW1226324, the issue affected emails in Drafts and Sent Items and could bypass protections in Teams and Copilot Chat. Microsoft began rolling out a fix earlier this month. The Register
  • Notepad++ Update Strengthened Against Supply Chain Attacks – After a recent compromise, Notepad++ has reinforced its update mechanism with double-verification cryptographic checks, making it “effectively unexploitable,” according to its author. The improvements protect against supply chain attacks like SolarWinds, but experts stress that continuous monitoring, credential management, and securing update delivery remain essential for overall software security. CSO Online

About the Author
CampusGuard Threat Intel Team