
Published by Jennifer Hudsen for The IT Guys. This July 3, 2026 5 PM recap focuses on practical technology news for home users, local businesses, and anyone responsible for Microsoft 365, servers, phones, routers, backups, and staff security.
Today’s theme is trust boundaries. Microsoft 365 phishing kits are getting better at stealing tokens instead of passwords, compromised Android devices are being used as residential proxies, active exploitation keeps hitting exposed business systems, and AI security policy is moving from abstract debate into day-to-day IT governance.
Fast Good And Bad Points
- Good: Google, the FBI, Lumen, Shadowserver, and partners disrupted NetNut, a residential proxy network tied to at least two million compromised Android devices.
- Bad: smart TVs, streaming boxes, and trojanized apps can still turn ordinary home or business internet connections into suspicious proxy exits.
- Bad: ARToken/EvilTokens-style Microsoft 365 phishing can steal tokens and bypass normal MFA workflows through device-code phishing.
- Good: these attacks leave useful clues, such as unusual sign-ins, device-code flows, hidden inbox rules, suspicious OAuth activity, and unexpected SharePoint or OneDrive access.
- Bad: SharePoint Server CVE-2026-45659 and Cisco Unified Communications Manager exploitation show that forgotten on-prem systems remain attractive targets.
- Good: Adobe patched critical ColdFusion and Campaign Classic issues before any exploitation was reported, giving administrators a chance to act early.
1. Microsoft 365 Phishing Is Moving Past Passwords
BleepingComputer reported today that Cisco Talos researchers analyzed ARToken, a phishing-as-a-service platform tied to EvilTokens. The important part for small businesses is not the brand name. It is the method: attackers use device-code phishing and token theft so the victim may authenticate on Microsoft’s real login page while the attacker receives usable access tokens.
That changes the conversation from “did the user type their password into a fake page?” to “did the user approve a login flow they did not understand?” Once inside, the kit reportedly supports mailbox access, SharePoint and OneDrive browsing, hidden inbox rules, attachment downloads, and business email compromise workflows.
Customer impact: MFA is still necessary, but it is not the finish line. Review Microsoft 365 sign-in logs, risky users, OAuth app consent, inbox forwarding rules, and impossible-travel alerts. Train accounting and office staff to stop when a vendor email asks them to enter a code on a Microsoft page, approve a device, or re-open an invoice through a strange SharePoint link.
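To make that review step concrete, here is an added example (not from the article, BleepingComputer, or Cisco Talos) that runs three of the checks listed above over a small constructed sample: device-code sign-ins, impossible travel between successive sign-ins, and inbox rules that hide or forward mail. The records are made up for this example; their field names only loosely mirror an Entra sign-in log export and Get-InboxRule output. The example.com tenant domain, the coordinates, the quiet-folder list, and the 900 km/h threshold are assumptions.

```python
"""Triage helper for the Microsoft 365 phishing clues discussed above.

All sample data is constructed; field names loosely follow an Entra sign-in
export and Exchange inbox-rule output but are assumptions for this example.
"""
import math
from datetime import datetime, timezone

COMPANY_DOMAIN = "example.com"       # assumed tenant mail domain
MAX_PLAUSIBLE_SPEED_KMH = 900.0      # faster than a commercial flight
# Folders users rarely open; rules that file mail there hide it from the victim.
QUIET_FOLDERS = {"rss subscriptions", "conversation history", "archive"}

# Constructed sign-in records. "protocol" mirrors the authenticationProtocol
# field; "deviceCode" marks a device-code flow.
SIGN_INS = [
    {"user": "pat@example.com", "time": "2026-07-03T13:02:00Z", "ip": "203.0.113.10",
     "country": "US", "lat": 27.29, "lon": -80.35, "protocol": "oAuth2", "app": "Outlook"},
    {"user": "pat@example.com", "time": "2026-07-03T13:41:00Z", "ip": "198.51.100.7",
     "country": "NL", "lat": 52.37, "lon": 4.90, "protocol": "deviceCode", "app": "Office"},
    {"user": "lee@example.com", "time": "2026-07-03T14:10:00Z", "ip": "203.0.113.22",
     "country": "US", "lat": 27.29, "lon": -80.35, "protocol": "oAuth2", "app": "Teams"},
]

# Constructed inbox rules.
INBOX_RULES = [
    {"mailbox": "pat@example.com", "name": ".", "enabled": True,
     "delete": False, "move_to": "RSS Subscriptions", "forward_to": []},
    {"mailbox": "pat@example.com", "name": "invoices", "enabled": True,
     "delete": False, "move_to": None, "forward_to": ["billing@mail.invalid"]},
    {"mailbox": "lee@example.com", "name": "Newsletters", "enabled": True,
     "delete": False, "move_to": "Newsletters", "forward_to": []},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def device_code_sign_ins(sign_ins):
    """Every sign-in that completed through the device-code flow."""
    return [s for s in sign_ins if s["protocol"] == "deviceCode"]


def impossible_travel(sign_ins):
    """Pairs of successive sign-ins by one user that imply an implausible speed."""
    by_user = {}
    for s in sorted(sign_ins, key=lambda s: s["time"]):
        by_user.setdefault(s["user"], []).append(s)
    findings = []
    for user, events in by_user.items():
        for a, b in zip(events, events[1:]):
            hours = (_ts(b["time"]) - _ts(a["time"])).total_seconds() / 3600
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            if hours > 0 and km / hours > MAX_PLAUSIBLE_SPEED_KMH:
                findings.append((user, a["country"], b["country"], round(km / hours)))
    return findings


def suspicious_inbox_rules(rules, company_domain=COMPANY_DOMAIN):
    """Enabled rules that delete, hide, or externally forward mail."""
    findings = []
    for r in rules:
        if not r["enabled"]:
            continue
        reasons = []
        if r["delete"]:
            reasons.append("deletes mail")
        if r["move_to"] and r["move_to"].lower() in QUIET_FOLDERS:
            reasons.append(f"moves mail to {r['move_to']!r}")
        external = [a for a in r["forward_to"]
                    if not a.lower().endswith("@" + company_domain)]
        if external:
            reasons.append("forwards externally to " + ", ".join(external))
        if r["name"].strip(".- ") == "":
            reasons.append("rule name is blank or punctuation only")
        if reasons:
            findings.append((r["mailbox"], r["name"], reasons))
    return findings


def triage(sign_ins=SIGN_INS, rules=INBOX_RULES):
    """Run all three checks and return the findings as one dict."""
    return {
        "device_code": [(s["user"], s["ip"], s["app"]) for s in device_code_sign_ins(sign_ins)],
        "impossible_travel": impossible_travel(sign_ins),
        "inbox_rules": suspicious_inbox_rules(rules),
    }


if __name__ == "__main__":
    for check, items in triage().items():
        print(f"== {check} ({len(items)}) ==")
        for item in items:
            print("  ", item)
```

Run on the sample it flags one device-code sign-in, one impossible-travel pair (Florida to the Netherlands in 39 minutes), and both of the first mailbox's rules, while the ordinary newsletter rule passes. On real data, export the tenant's sign-in log and inbox rules, map the fields into the same shape, and keep the tenant's own domains in COMPANY_DOMAIN.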
2. NetNut Disruption Is Good News For Android And Smart-TV Owners
There is also good news today: NetNut, also known as Popa, was disrupted after a joint operation involving Google, the FBI, Lumen Technologies, The Shadowserver Foundation, and others. Google estimated the proxy network controlled at least two million infected devices globally, including smart TVs and streaming boxes.
Residential proxy networks matter because attackers can route traffic through normal-looking home and business IP addresses. That can make password spraying, fraud, and espionage traffic appear to come from ordinary customers instead of obvious data centers.
Practical next step: remove sketchy streaming apps, unknown VPN tools, and bargain Android TV boxes that cannot receive trustworthy updates. If your internet connection starts triggering CAPTCHAs, blocked logins, or fraud warnings, check the router’s device list before assuming your provider is the problem.
3. SharePoint Server Has A July 4 Patch Deadline For Federal Agencies
CISA added Microsoft SharePoint Server CVE-2026-45659 to the Known Exploited Vulnerabilities catalog after evidence of active exploitation. The Hacker News notes that the flaw is a remote code execution issue addressed in May 2026 for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016, with federal agencies told to apply fixes by July 4, 2026.
Local-business takeaway: Microsoft 365 SharePoint Online customers are in a different operating model than companies running their own SharePoint Server. If you have an on-premises SharePoint box, confirm its patch level, check whether it is internet-facing, review IIS and SharePoint logs, verify backups, and remove stale accounts. If nobody can say who owns the server, treat that as the first finding.
4. Cisco Phone Systems Need The Same Attention As Servers
BleepingComputer also reported that Cisco confirmed exploitation of a Unified Communications Manager flaw patched in early June. Phone systems often sit in a blind spot because they are treated like appliances, but modern voice platforms have admin panels, web services, integrations, credentials, and patch cycles.
What to check: identify who manages the phone system, restrict admin panels from the public internet, remove old vendor accounts, document backup and restore steps, and confirm update status. The same review applies to firewalls, routers, NAS devices, camera systems, access-control panels, and printers.
5. Adobe Patches Critical ColdFusion And Campaign Classic Flaws
Adobe shipped fixes for multiple maximum-severity ColdFusion flaws and a critical Adobe Campaign Classic issue. Adobe says it has not found exploitation in the wild, which is good. The risk is that ColdFusion and marketing systems are often internet-facing, business-critical, and older than the people currently responsible for them.
Practical next step: if you host ColdFusion apps or run Adobe Campaign Classic on-premises, patch quickly, snapshot first, confirm vendor compatibility, and watch logs afterward. If a third party hosts the app, ask for the patch status in writing.
6. Ransomware Tradecraft Keeps Looking Like Normal IT
The Hacker News summarized reporting on ransomware groups abusing valid VPN logins, RDP, SMB, PsExec, remote monitoring tools, Cloudflare tunnels, and cloud-transfer utilities. This is why incident response is difficult: attackers deliberately use tools that resemble normal administration.
Small-business takeaway: keep a real inventory of remote access tools. If ScreenConnect, AnyDesk, Zoho Assist, MeshAgent, UltraVNC, cloudflared, WinSCP, rclone, or similar utilities appear on a machine, someone should know why. Unknown remote tools are not harmless clutter.
7. AI Governance Is Becoming An IT Operations Issue
AI policy stayed in the news this week as reports described the U.S. lifting export controls on Anthropic’s Fable and Mythos models after security concerns, while Anthropic discussed new safeguards and model access limits. For local businesses, the lesson is not to chase every model name. The lesson is to decide who may use AI tools for company data, which tools are approved, and what information must stay out of public chatbots.
Practical next step: write a short AI-use policy. Cover customer data, passwords, contracts, source code, HR information, financial records, vendor portals, and whether AI output can be used without human review. A one-page policy beats silence.
Today’s Checklist
- Review Microsoft 365 risky sign-ins, inbox rules, OAuth app consent, and device-code activity.
- Warn staff that MFA prompts and device codes can be abused, even on real Microsoft pages.
- Remove unknown streaming apps, Android TV boxes, VPN tools, and browser extensions.
- Patch on-premises SharePoint Server, Cisco Unified CM, ColdFusion, and Adobe Campaign Classic where applicable.
- Inventory remote access tools and remove anything nobody owns.
- Verify backups and restore paths before the holiday weekend.
- Create or refresh a simple company AI-use policy.
If you run a home office or small business around Port Saint Lucie, Jensen Beach, Fort Pierce, Vero Beach, or nearby Treasure Coast communities, The IT Guys can help review Microsoft 365 security, patch status, routers, phone systems, backups, remote access tools, and practical AI-use rules.
Sources
- BleepingComputer: ARToken PhaaS exposes EvilTokens’ Microsoft 365 phishing toolkit
- BleepingComputer: NetNut proxy network disrupted, 2 million infected devices cut off
- The Hacker News: SharePoint RCE CVE-2026-45659 added to CISA KEV
- CISA Known Exploited Vulnerabilities Catalog
- BleepingComputer: Cisco confirms attackers exploiting Unified CM flaw
- The Hacker News: Adobe patches ColdFusion and Campaign Classic flaws
- The Hacker News: Ransomware groups turn to Citrix Bleed 2, BYOVD, and supply chain credentials
- The Guardian: Anthropic Fable and Mythos access restored after export controls lifted