Threat Analysis: FortiClient EMS Exploitation, Phoenix PhaaS, and AI-Assisted Attacks, What UK SMBs Need to Know

Hello, Mauven here.

This is your Daily Threat Analysis for 29th May 2026.

Three threads worth your attention today. One actively exploited vulnerability in endpoint management software that is likely already inside your IT provider’s stack. One phishing-as-a-service operation that has been quietly expanding its UK reach for the better part of eighteen months. And a Russia-linked group demonstrating that AI-assisted attack campaigns are no longer theoretical. Each of these has direct relevance to UK SMBs. Let me take them in order of urgency.

CVE-2026-35616: FortiClient EMS Is Being Actively Exploited Right Now

Arctic Wolf published research this week confirming that threat actors are actively exploiting CVE-2026-35616, an improper access control vulnerability in Fortinet’s FortiClient Endpoint Management Server. The attack bypasses API authentication entirely, allowing unauthenticated requests to execute privileged operations. Attackers have used this access to push malicious PowerShell scripts to managed endpoints, disguised as legitimate Fortinet patch packages.

The payload in the observed campaign is the EKZ infostealer. Once deployed, it harvests credentials, session tokens, and browser-stored data from across the affected estate. Because it arrives via the endpoint management platform (the same channel your IT team uses to push legitimate updates), it is unlikely to trigger user-level suspicion and may bypass endpoint controls that trust management traffic.

What the advisory does not say explicitly, but what matters operationally: if your IT provider manages your endpoints via FortiClient EMS, the trust relationship between that management server and your devices is the attack surface. You do not need to do anything wrong. You need your IT provider to have patched CVE-2026-35616. If they have not, every device they manage is potentially reachable.

This also pairs with CVE-2026-0300, a second FortiClient EMS vulnerability referenced in the same campaign research. Neither should remain unpatched on any system at this point.

What to do today: Contact your IT provider or MSP and ask specifically whether FortiClient EMS has been patched against CVE-2026-35616 and CVE-2026-0300. Do not accept a general reassurance about patching schedules. Ask for confirmation that this specific product is on the current version. If they cannot answer the question today, that tells you something about your patch visibility.

Phoenix PhaaS: MFA Bypass Infrastructure Targeting UK-Relevant Sectors

Group-IB published detailed analysis of the Phoenix phishing-as-a-service kit this week. Since January 2025, researchers have identified over 2,500 phishing domains linked to this infrastructure, targeting more than 70 organisations across financial services, telecommunications, and logistics sectors globally.

Two campaign themes dominate. The first impersonates banks and telecoms providers with reward points lures. The second runs fake parcel delivery notifications mimicking logistics companies. Both are consistent with the kind of message volumes UK consumers receive daily, which is precisely why the conversion rates are high enough to make the operation commercially viable.

The detail that matters here is not the volume of domains. It is the MFA bypass capability built into the kit. Phoenix uses adversary-in-the-middle techniques to intercept session tokens in real time, meaning that users who correctly enter their credentials and their one-time code are still compromised. The attacker captures the authenticated session before the user reaches the legitimate site.

Your staff awareness training that teaches people to check URLs and look for HTTPS is not wrong. It is just insufficient against a kit that proxies a perfect replica of the legitimate login page and validates the MFA code before passing the session to the attacker. The NCSC has published guidance on phishing-resistant authentication (hardware security keys and passkeys) since well before this kit emerged. The fact that most UK SMBs are still relying on SMS OTP or authenticator apps for their most sensitive accounts is the gap this infrastructure exploits.

The smishing component is also worth noting. Phoenix-linked campaigns use SMS as the initial delivery vector, not just email. If your staff receive unexpected messages about parcel deliveries or account reward points asking them to click a link, that is the entry point.

What to do: Review what authentication method protects your most sensitive accounts: email, finance platforms, CRM, cloud storage. If the answer is SMS OTP or a standard authenticator app, you have exposure. Passkeys or hardware keys are the direction of travel. At minimum, ensure that anyone in your organisation with access to financial systems or customer data is using app-based TOTP rather than SMS, and brief staff that a correct MFA prompt does not confirm they are on a legitimate site.
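As an added illustration (not from the post or from Group-IB's analysis), a small Python model of why a relayed one-time code passes the server's check while a passkey assertion does not: the browser, not the page, writes the current origin into the signed client data, and the relying party rejects any origin other than its own. The domains, keys and the HMAC stand-in for the authenticator's signature are constructed for this example.

```python
import hashlib, hmac, json, struct

LEGIT_ORIGIN = "https://login.example-bank.co.uk"            # constructed relying party
PHISH_ORIGIN = "https://login.example-bank.co.uk.rewards-claim.example"  # constructed lookalike
RP_ID = "example-bank.co.uk"

def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: 30 s step, 6 digits, HMAC-SHA1."""
    d = hmac.new(secret, struct.pack(">Q", now // 30), hashlib.sha1).digest()
    o = d[-1] & 0x0F
    return f"{(struct.unpack('>I', d[o:o + 4])[0] & 0x7FFFFFFF) % 10**6:06d}"

def server_checks_totp(secret: bytes, code: str, now: int) -> bool:
    # A six-digit code carries no information about where it was typed: a kit that
    # relays it inside the 30 s window passes this check, which is the bypass described above.
    return hmac.compare_digest(code, totp(secret, now))

def browser_assert(origin: str, challenge: str, creds: dict):
    """Model of navigator.credentials.get(): the browser writes the page's origin into
    clientDataJSON and only offers credentials whose rpId matches that origin's host."""
    host = origin.split("://", 1)[1].split("/", 1)[0]
    match = [(rp, k) for rp, k in creds.items() if host == rp or host.endswith("." + rp)]
    if not match:
        return None  # no passkey is scoped to this domain, so the ceremony never starts
    rp, key = match[0]
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode()
    auth_data = hashlib.sha256(rp.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(key, signed, hashlib.sha256).digest()  # stand-in for the authenticator's ECDSA
    return client_data, auth_data, sig

def server_checks_assertion(assertion, key: bytes, challenge: str) -> bool:
    """Relying-party verification: type, challenge, origin, rpIdHash, then signature."""
    if assertion is None:
        return False
    client_data, auth_data, sig = assertion
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != LEGIT_ORIGIN:  # origin binding: a proxied login fails here
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)
```

The same origin check is what makes a hardware security key phishing-resistant; the OTP path has no equivalent field for the server to inspect.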

AI-Assisted Attacks: GREYVIBE and the Closing Capability Gap

The Register reported today on research into a Russia-linked group designated GREYVIBE, which used AI tools end-to-end throughout a campaign targeting Ukrainian military and government entities, from generating the initial phishing lures through to building payloads.

I want to be precise about what this means operationally, because the coverage tends toward the dramatic. The significance is not that a sophisticated nation-state actor used AI. It is what this signals for the threat landscape downstream.

When a well-resourced state-sponsored group demonstrates a working AI-assisted attack pipeline, that methodology does not stay with them. Techniques and tools developed at the high end of the threat landscape have a consistent history of filtering into commodity criminal infrastructure within months. RaaS operations normalised enterprise-grade ransomware deployment for criminal affiliates with limited technical skill. The same diffusion effect applies here.

The implication for UK SMBs is not that you are being targeted by GREYVIBE. It is that the quality and volume of phishing lures, social engineering scripts, and malware variants targeting your sector will increase as this capability becomes more accessible. The AI-generated lure that arrived in your inbox last year with slightly awkward phrasing will, in twelve months, be grammatically indistinguishable from a message from your accountant.

There is a separate but related development worth flagging. Research published today demonstrates that ChatGPT can be manipulated through prompt injection attacks to turn web pages into phishing lures, effectively weaponising the AI assistant against users who ask it to summarise or interact with attacker-controlled content. This is an emerging attack surface, not a current mass-exploitation scenario, but it illustrates how AI tools are being examined for abuse potential on multiple fronts simultaneously.

What to do: The defensive answer here is not technical. It is procedural. Any request, however legitimate-sounding, that asks someone to approve a payment, share credentials, or grant access to systems should require a second out-of-band verification. A phone call to a known number. Not a reply to the original message. Not a click on a link in the message. A separate contact. This is not new advice. The NCSC has recommended it for years. What has changed is the quality of the lures that will be used to bypass human judgement.

One Other Item Worth Noting

Google has rolled out Device Bound Session Credentials (DBSC) to all Chrome users today. This binds session cookies to the specific device they were issued to, which directly addresses the infostealer threat model where stolen cookies are exported and replayed from a different machine. It does not eliminate infostealer risk (credential harvesting has multiple vectors), but it closes one of the most commercially valuable post-infection steps. If your organisation uses Chrome and relies on web application access, this is worth knowing about. No action required; it rolls out automatically.

Summary

Three priorities for today:

  1. FortiClient EMS: Confirm with your IT provider that CVE-2026-35616 is patched. Do this today.
  2. Authentication review: Identify which accounts in your organisation rely on SMS OTP and move the highest-risk ones to stronger authentication.
  3. Verification procedures: Reinforce, or establish, a clear policy that any unusual request involving money, credentials, or access requires out-of-band verification before action is taken.

The FortiClient EMS issue is the only one with an immediate technical remediation. The other two are about reducing your exposure to infrastructure that is already operational and targeting sectors where UK SMBs are present.

Sources

  • Arctic Wolf, "FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch": https://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch
  • Group-IB, "Phoenix Rising: Exposing the PhaaS Kit Behind Global Mass Phishing Campaigns": https://www.group-ib.com/blog/phoenix-phaas-kit-smishing/
  • The Register, "Russia-linked threat group put ChatGPT to work from lure to payload": https://www.theregister.com/research/2026/05/29/russia-linked-threat-group-put-chatgpt-to-work-from-lure-to-payload/5248368
  • The Register, "ChatGPT blindly trusts browser content, turning the page into a payload": https://www.theregister.com/research/2026/05/29/chatgpt-prompt-injection-turns-web-pages-into-phishing-lures/5248137
  • Microsoft Security Blog, "Typosquatted npm packages used to steal cloud and CI/CD secrets": https://www.microsoft.com/en-us/security/blog/2026/05/28/typosquatted-npm-packages-used-steal-cloud-ci-cd-secrets/
  • BleepingComputer, "Google Chrome adds session cookie theft protection for all users": https://www.bleepingcomputer.com/news/security/google-chrome-adds-session-cookie-theft-protection-for-all-users/

Filed under

  • smb-security
  • uk-business
  • credential-theft
  • social-engineering
  • vendor-risk
  • ransomware-groups
  • remote-access