Threat Analysis: PhaaS Campaigns, Teams-Based RAT Deployment, and Unpatched Acer Router Zero-Days Threatening UK SMBs

Hello, Mauven here.

This is your Daily Threat Analysis for 3rd June 2026.

Three items today. Each one is worth your attention. The first two are active campaigns with confirmed victims. The third is a vendor disclosure with no patch and no timeline. None of them require nation-state resources to exploit. All of them are relevant to UK SMBs right now.


1. Phoenix PhaaS: MFA Bypass at Industrial Scale

Group-IB has published detailed research on a Phishing-as-a-Service platform called Phoenix that has been operating since at least January 2025. The numbers are not small: over 2,500 phishing domains, targeting more than 70 organisations across financial services, telecommunications, and logistics globally.

The two dominant campaign templates are worth noting. The first impersonates banks and telecom providers with fake reward points notifications. The second mimics logistics companies with failed parcel delivery lures. Both are designed to harvest credentials and, critically, to bypass multi-factor authentication.

The MFA bypass capability is what elevates this from routine smishing to a genuine operational risk for UK businesses. The standard advice ("enable MFA and you are substantially better protected") is still correct. But it is not a complete answer when the tooling being used against you is specifically engineered to circumvent it.

What the Group-IB report does not say explicitly, but which the sector targeting implies: UK financial services and logistics businesses are almost certainly within the target set. These are not random campaigns. The themes are chosen because they work against specific audiences, and the UK has one of the highest volumes of online banking and parcel delivery interaction in Europe.

The advisory does not attribute Phoenix to a specific threat actor or nation state. What it does confirm is that this is structured criminal infrastructure, not opportunistic fraud. The 2,500-domain footprint represents significant investment and ongoing operational maintenance.

What SMBs should do:

  • Brief your staff on smishing. Not once a year in an annual awareness module. Now, this week, specifically about parcel delivery and bank reward lures.
  • If you are using SMS-based MFA, assess whether your platform supports app-based or hardware token alternatives. Phishing-resistant MFA (passkeys, FIDO2) defeats most PhaaS toolkits. SMS-based OTP does not.
  • If your business is in financial services, telecoms, or logistics, treat this as a current and active threat to your customers as well as your staff.

2. Nimbus RAT: Microsoft Teams as an Attack Vector

eSentire has documented an attack against a legal sector firm in April 2026 that should be read by anyone whose staff use Microsoft Teams for internal IT support.

The attack sequence is methodical and effective:

  1. Email bombing: 282 emails delivered to the target inbox within 90 minutes. The purpose is not to cause damage directly. It is to overwhelm the victim and create a pretext for contacting IT support.
  2. A call arrives via Microsoft Teams, purportedly from the IT helpdesk, offering to help with the email problem.
  3. The victim is persuaded to grant Quick Assist remote access, a legitimate Windows tool, which means it is unlikely to be blocked by endpoint controls.
  4. Within 20 minutes of access being granted, Nimbus RAT is deployed. The malware uses Google Drive and Google Sheets for command-and-control: again, legitimate infrastructure that most organisations do not block outbound.

The confirmed target sector is legal. That is not accidental. Legal firms hold privileged client communications, financial records, and commercially sensitive material. They are also, in my experience, more likely to have staff who are responsive to authority, including fake IT authority, and less likely to have mature security awareness programmes than equivalent-sized firms in financial services.

The use of Teams for the vishing call is the part most organisations are not prepared for. Email-based phishing has been a known risk for two decades. Voice phishing over a corporate collaboration platform, with a caller who appears to be an internal contact, is a harder problem. The social engineering is more convincing because the channel feels safe.

The use of Quick Assist specifically is also worth noting. Microsoft has taken some steps to warn users about Quick Assist abuse, but those warnings are easy to dismiss when a convincing helpdesk persona is telling you to proceed.

What SMBs should do:

  • Establish and communicate a clear policy: your IT team will never initiate a Teams call to request remote access. Remote access requests always come through a ticketed process with a reference number that staff can verify independently.
  • Consider whether Quick Assist should be disabled or restricted on endpoints where it is not operationally required. Group Policy can control this.
  • Email bombing is the trigger for this attack. If a staff member’s inbox is suddenly flooded, that is not a routine spam problem. It is a potential indicator of incoming social engineering. It should be reported to IT immediately, and the staff member should not accept any incoming calls or messages from unknown parties until the situation is assessed.
  • If your IT support function uses Teams for any remote assistance, brief your helpdesk staff that attackers are impersonating them. Your internal IT team needs to know this as much as your general staff.
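The email bombing step in the sequence above is the one signal a mail team can catch before the Teams call arrives. The following is an added example, not code from the eSentire report: it runs a sliding-window count over constructed mail delivery log lines (format and thresholds are assumptions) and flags any mailbox that receives an abnormal burst.

```python
"""Flag inbox flooding of the kind that precedes the fake-helpdesk Teams call.

Added example, not code from the eSentire report. The mail log format is
constructed: one inbound delivery per line, "<ISO timestamp> <recipient> <sender>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration; tune against your own baseline.
WINDOW = timedelta(minutes=90)
THRESHOLD = 200  # deliveries to a single mailbox inside WINDOW


def parse_line(line):
    ts, recipient, sender = line.split()
    return datetime.fromisoformat(ts), recipient.lower(), sender.lower()


def detect_mail_bombing(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {recipient: (peak_count, window_start, window_end)} for every
    mailbox whose inbound volume crossed `threshold` within a sliding `window`."""
    recent = defaultdict(deque)  # recipient -> delivery timestamps still in window
    alerts = {}
    for ts, recipient, _sender in sorted(parse_line(l) for l in lines if l.strip()):
        q = recent[recipient]
        q.append(ts)
        while ts - q[0] > window:  # drop deliveries that fell out of the window
            q.popleft()
        if len(q) >= threshold and len(q) > alerts.get(recipient, (0,))[0]:
            alerts[recipient] = (len(q), q[0], ts)
    return alerts


def constructed_log():
    """Constructed sample: a normal trickle to alice, 282 deliveries to bob in 90 minutes."""
    base = datetime(2026, 4, 14, 9, 0)
    lines = [f"{(base + timedelta(minutes=7 * i)).isoformat()} "
             f"alice@example.test colleague{i}@partner.test" for i in range(12)]
    for i in range(282):
        t = base + timedelta(seconds=i * 5400 // 282)
        lines.append(f"{t.isoformat()} bob@example.test noreply@list{i % 40}.test")
    return lines


if __name__ == "__main__":
    for mailbox, (count, start, end) in detect_mail_bombing(constructed_log()).items():
        print(f"ALERT {mailbox}: {count} deliveries between {start:%H:%M} and {end:%H:%M}")
```

An alert from this check is the cue for the helpdesk to proactively contact the affected user through a verified channel, so that any "IT" call the user then receives is already expected to be fake.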

3. Acer Wave 7 Routers: Two Unpatched Maximum-Severity Zero-Days

Acer has disclosed two maximum-severity zero-day vulnerabilities affecting its Wave 7 mesh router range. As of 3rd June 2026, no patch is available.

The specifics reported are concerning: one vulnerability involves hardcoded credentials, the other involves credentials being transmitted in cleartext. Both classes of vulnerability are well understood, have been documented in guidance from NCSC and its predecessors for years, and should not exist in networking equipment sold in 2026. The fact that they do tells you something about the state of quality assurance in consumer and SMB networking hardware.

Hardcoded credentials mean that an attacker who knows the credential, and these things have a habit of appearing on public forums, can access the device regardless of any password you have set. Cleartext credential transmission means that anyone positioned to intercept traffic on your network can capture authentication material without any cryptographic attack.

For UK SMBs, the immediate question is whether you have Acer Wave 7 devices deployed. These are mesh networking products, often sold as home office or small business solutions. If you or any of your staff are using them, including as home office infrastructure connecting to corporate networks via VPN, you have an exposure.

There is no patch. The vendor is working on one. Until it arrives, the mitigations are limited but not zero.

What SMBs should do:

  • Inventory your network equipment now. If Acer Wave 7 devices are present, assess whether they can be replaced or isolated while you wait for a patch.
  • Ensure that management interfaces for any network device are not exposed to the internet. If your router’s admin panel is accessible from outside your network, that needs to change immediately regardless of which vendor made it.
  • For home office staff, this is a reminder that the security of remote working environments matters. A compromised home router is a foothold into your corporate systems.
  • Watch for the patch. When it arrives, apply it the same day.

Also Worth Noting

Kali365, a phishing-as-a-service operation previously focused on Microsoft 365, has expanded its targeting to include AWS, Okta, and Xerox DocuShare. The mechanism is OAuth 2.0 device code flow abuse, a technique that bypasses MFA by stealing authentication tokens rather than credentials. Arctic Wolf has published detailed research. If your organisation uses any of these platforms, and most UK SMBs with cloud infrastructure do, the device code phishing technique is worth understanding and mitigating. Conditional access policies that restrict device code flow are available in most enterprise identity platforms.
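Device code sign-ins also leave a distinctive trace in identity logs. The following is an added example, not from the Arctic Wolf research: it runs over constructed records modelled on Entra ID sign-in log fields (authenticationProtocol, location.countryOrRegion and so on are real field names; the values are made up) and rates each device code sign-in by whether it succeeded from a country the user has never authenticated from by any other flow.

```python
"""Surface OAuth device code sign-ins, the flow Kali365-style kits abuse.

Added example, not from the Arctic Wolf report. The records are constructed
but modelled on Entra ID sign-in log fields (authenticationProtocol,
userPrincipalName, ipAddress, location.countryOrRegion, appDisplayName,
status.errorCode); a tenant would export its own logs in place of this string.
"""
import json
from collections import defaultdict

SIGNIN_LOGS = """
{"userPrincipalName": "j.smith@example.test", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"}, "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}}
{"userPrincipalName": "a.jones@example.test", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "GB"}, "appDisplayName": "Outlook", "status": {"errorCode": 0}}
{"userPrincipalName": "j.smith@example.test", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}}
{"userPrincipalName": "a.jones@example.test", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "GB"}, "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}}
"""


def load_records(text):
    """Parse one JSON sign-in record per line."""
    return [json.loads(line) for line in text.strip().splitlines()]


def device_code_alerts(records):
    """Return one alert per device code sign-in. A successful sign-in from a
    country the user has never authenticated from by any other flow is rated
    high: that is the shape of a victim entering an attacker-supplied code."""
    known_countries = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" and r["status"]["errorCode"] == 0:
            known_countries[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    alerts = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            continue
        user, country = r["userPrincipalName"], r["location"]["countryOrRegion"]
        new_location = country not in known_countries[user]
        succeeded = r["status"]["errorCode"] == 0
        alerts.append({
            "user": user, "ip": r["ipAddress"], "app": r["appDisplayName"],
            "country": country, "new_location": new_location,
            "severity": "high" if succeeded and new_location else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in device_code_alerts(load_records(SIGNIN_LOGS)):
        print(f"[{a['severity'].upper()}] {a['user']} device code sign-in to "
              f"{a['app']} from {a['ip']} ({a['country']}, new location={a['new_location']})")
```

Device code flow is legitimate for headless and CLI tooling, so every hit still needs a human decision; the conditional access restriction mentioned above is the control, and this check covers the window before it is enforced.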

Separately, Microsoft Threat Intelligence identified 33 malicious npm packages published between 28th and 29th May 2026 using dependency confusion techniques. This is a supply chain concern primarily relevant if your organisation has development teams or uses contracted developers. If software is being built on your behalf, ask your developers or MSP whether their build pipelines validate package sources.
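One concrete form of "validating package sources" is auditing the lock file that a build actually installs from. The following is an added example, not from the Microsoft report: it walks a constructed lockfileVersion 3 package-lock.json and flags internal-scoped packages resolved from the public registry (the dependency confusion signature), packages fetched from unexpected hosts or over plain HTTP, and entries with no integrity hash. The @acme scope and registry hostnames are assumptions.

```python
"""Audit a package-lock.json for dependencies that did not come from where
the build expects. Added example, not code from the Microsoft report; the lock
file content below is constructed and the @acme scope and hostnames are assumptions.
"""
import json
from urllib.parse import urlparse

PUBLIC_REGISTRY = "registry.npmjs.org"
# Internal scopes must resolve from the private registry. An internal-looking
# name resolving from the public registry is the dependency confusion signature.
PRIVATE_SCOPES = {"@acme": "npm.internal.acme.test"}

LOCKFILE = json.dumps({
    "name": "billing-portal", "lockfileVersion": 3,
    "packages": {
        "": {"name": "billing-portal"},
        "node_modules/express": {"version": "4.19.2", "integrity": "sha512-CONSTRUCTED",
            "resolved": "https://registry.npmjs.org/express/-/express-4.19.2.tgz"},
        "node_modules/@acme/auth-utils": {"version": "2.0.1", "integrity": "sha512-CONSTRUCTED",
            "resolved": "https://npm.internal.acme.test/@acme/auth-utils/-/auth-utils-2.0.1.tgz"},
        "node_modules/@acme/report-gen": {"version": "9.9.9", "integrity": "sha512-CONSTRUCTED",
            "resolved": "https://registry.npmjs.org/@acme/report-gen/-/report-gen-9.9.9.tgz"},
        "node_modules/leftpad-helper": {"version": "1.0.0",
            "resolved": "http://cdn.example-mirror.test/leftpad-helper-1.0.0.tgz"},
    }})


def audit_lockfile(text):
    """Return [(package_name, finding)] for every entry that violates policy."""
    findings = []
    for path, meta in json.loads(text)["packages"].items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # keeps "@scope/name" intact
        resolved = meta.get("resolved")
        if not resolved:
            findings.append((name, "no resolved URL"))
            continue
        url = urlparse(resolved)
        scope = name.split("/")[0] if name.startswith("@") else None
        expected_host = PRIVATE_SCOPES.get(scope, PUBLIC_REGISTRY)
        if url.hostname != expected_host:
            findings.append((name, f"resolved from {url.hostname}, expected {expected_host}"))
        if url.scheme != "https":
            findings.append((name, "fetched over plain HTTP"))
        if not meta.get("integrity"):
            findings.append((name, "no integrity hash"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_lockfile(LOCKFILE):
        print(f"{name}: {finding}")
```

Run against the real lock file in CI, a non-empty result fails the build; pinning internal scopes to the private registry in .npmrc prevents the mis-resolution in the first place, and this check catches the cases where that configuration was missing when the lock was generated.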


Sources

Source | Title | URL
Group-IB | Phoenix Rising: Exposing the PhaaS Kit Behind Global Mass Phishing Campaigns | https://www.group-ib.com/blog/phoenix-phaas-kit-smishing/
eSentire | Nimbus RAT: How Threat Actors Are Abusing Microsoft Teams and Google Drive to Deploy a Java RAT | https://www.esentire.com/blog/nimbus-rat-how-threat-actors-are-abusing-microsoft-teams-and-google-drive-to-deploy-a-java-rat
BleepingComputer | Acer working to patch max severity zero-days in Wave 7 routers | https://www.bleepingcomputer.com/news/security/acer-warns-of-max-severity-zero-days-affecting-wave-7-routers/
Arctic Wolf | From Token Bingo to MAX Takeover: Kali365 Operator Expands Operation | https://arcticwolf.com/resources/blog/kali365-expands-into-aws-microsoft-okta-xerox-max-messenger/
Microsoft Security Blog | Malicious npm packages abuse dependency confusion to profile developer environments | https://www.microsoft.com/en-us/security/blog/2026/05/29/33-malicious-npm-packages-abuse-dependency-confusion-profile-developer-environments/

Filed under

  • smb-security
  • uk-business
  • social-engineering
  • credential-theft
  • remote-access
  • vendor-risk
  • incident-response