IT Security Awareness News Roundup for June 2026
Added at 06/01/2026, last update at 06/30/2026
What matters most in IT security and awareness, and what should guide the attention of CIOs, CISOs, and CEOs?
IT Security Awareness Failures
"Inbox Full" Phishing Campaign Bypasses MFA via Calendar Invites
A sophisticated global phishing wave exploits employee trust by sending convincing emails claiming that the recipient's Outlook mailbox is full. To get past mail filters and what users learned in security awareness training, the attackers hide the malicious "release emails" link inside an attached calendar invitation or PDF rather than in the email body. Clicking the link routes the victim through a phishing platform to a page impersonating the Microsoft login, where the attackers steal the post-login session token and replay it. This bypasses multi-factor authentication (MFA) because the token is issued only after the MFA challenge has already been completed by the victim. (06/30/2026)
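Because the link lives in the attachment, an email-body URL check never sees it. The script below is an added example, not code from the campaign report or from any vendor: it unfolds an RFC 5545 calendar file, pulls every URL out of its properties (including HTML in X-ALT-DESC) and flags hosts that are not on a small allowlist. The invite text, the hostnames and the allowlist are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample invite: the "release emails" link sits in DESCRIPTION and in the
# HTML alternative description, not in the email body. Lines are folded as RFC 5545
# allows (continuation lines start with a space), which naive grep-style checks miss.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Example//Mailbox Quota//EN
BEGIN:VEVENT
UID:20260630T090000Z-quota@example.invalid
DTSTART:20260630T090000Z
SUMMARY:Action required: Inbox full
DESCRIPTION:Your mailbox has reached its storage limit. Release pen
 ding emails here: https://login-microsoft-verify.example.invalid/release?u=123
X-ALT-DESC;FMTTYPE=text/html:<html><body><a href="https://login-microsof
 t-verify.example.invalid/release?u=123">Release emails</a></body></html>
LOCATION:https://outlook.office.com/mail/
END:VEVENT
END:VCALENDAR
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def unfold(ics_text):
    """Join folded lines: a line starting with space or tab continues the previous one."""
    lines = []
    for raw in ics_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def extract_links(ics_text):
    """Return (property, url) pairs for every URL found anywhere in the invite."""
    found = []
    for line in unfold(ics_text):
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        prop = name.split(";", 1)[0].upper()  # drop parameters such as FMTTYPE=...
        for url in URL_RE.findall(value):
            found.append((prop, url.rstrip(".,;)")))
    return found


def suspicious_links(ics_text, trusted_hosts):
    """Links whose exact host is not trusted. Look-alikes that merely contain a
    trusted brand name (login-microsoft-verify...) are flagged, not excused."""
    out = []
    for prop, url in extract_links(ics_text):
        host = (urlparse(url).hostname or "").lower()
        if host not in trusted_hosts:
            out.append((prop, url, host))
    return out


if __name__ == "__main__":
    trusted = {"outlook.office.com", "login.microsoftonline.com"}  # assumed allowlist
    for prop, url, host in suspicious_links(SAMPLE_ICS, trusted):
        print(f"SUSPICIOUS {prop}: {host}  {url}")
```

The same property walk applies to a .ics extracted from an email by a gateway or a mailbox rule; the point is that the URL extraction has to run over attachment contents after unfolding, not over the message body alone.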
Phishing Simulation Sparks Backlash After Fake Paid Leave Offer (Canada)
A Canadian health authority faced strong criticism after employees received a phishing simulation email promising an extra paid day off. Staff described the campaign as a "cruel hoax", arguing that it damaged trust and morale, especially during a period of heavy workloads. The organization later apologized and announced that it would review its approach to security awareness training. (06/26/2026)
AI-Powered Phishing-as-a-Service Network Disrupted by FBI and Google
The FBI and Google dismantled Outsider Enterprise, a large phishing-as-a-service operation that used AI to generate fake websites and phishing campaigns at massive scale. The platform was linked to more than one million phishing URLs, thousands of fraudulent websites, millions of stolen payment card records, and significant financial losses worldwide. (06/21/2026)
CEO Password Security Fail
"The Register" describes a company where the CEO stored every employee's username and password in a single Excel file so that he could access their email accounts, and refused to enable multi-factor authentication (MFA). Despite repeated security warnings and previous ransomware incidents, this practice led to multiple data breaches, highlighting two basics: never share passwords, and always use MFA. (06/17/2026)
Equally important, managers should possess the same strong foundation in security fundamentals and awareness principles as their employees, enabling them to recognize phishing, scams, and other common threats while setting the right example for their teams: IT Security Awareness Training for Employees.
Secure Programming / Coding Failures
Cisco Catalyst SD-WAN Manager Flaw Allowed Root Access via Malicious CSV Upload
A zero-day vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager stems from a CSV file upload feature whose contents were not properly validated, allowing OS command injection. By uploading a crafted CSV file through the web interface, an attacker could bypass the normal administrative restrictions and gain full root access to the underlying operating system. (06/30/2026)
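The class of bug, with no claim about how the Cisco code is written, is an uploaded cell ending up inside a shell command string. The example below is added here and is hypothetical: a management backend that pings each hostname from an uploaded device list, first in the vulnerable shape (string interpolation plus shell=True), then hardened (schema check, per-cell allowlist, argv list with no shell). The CSV content and the column names are constructed.

```python
import csv
import io
import re
import subprocess

# Constructed upload: the second data row carries shell metacharacters where the
# backend expects a hostname.
MALICIOUS_CSV = "hostname,site\nedge-01,berlin\n$(id > /tmp/pwned),munich\n"

# RFC 1123 label: letters, digits, hyphens, no leading/trailing hyphen, max 63 chars.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def build_commands_vulnerable(csv_text):
    """Vulnerable pattern: the cell is pasted into a shell string.
    Passing any of these to subprocess.run(..., shell=True) lets /bin/sh expand $(...)."""
    cmds = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cmds.append(f"ping -c 1 {row['hostname']}")  # attacker controls row['hostname']
    return cmds


def validate_rows(csv_text, max_rows=1000):
    """Hardened: reject the file unless the header and every cell match the schema.
    Validation happens before any value leaves the parser."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames != ["hostname", "site"]:
        raise ValueError(f"unexpected columns: {reader.fieldnames}")
    rows = []
    for lineno, row in enumerate(reader, start=2):  # header is line 1
        if lineno - 1 > max_rows:
            raise ValueError("too many rows")
        host = row["hostname"] or ""
        if not HOSTNAME_RE.match(host):
            raise ValueError(f"line {lineno}: invalid hostname {host!r}")
        rows.append(row)
    return rows


def build_commands_hardened(csv_text):
    """argv lists, never a shell string: even if validation were skipped, the
    metacharacters would be passed to ping as a literal argument, not to a shell."""
    return [["ping", "-c", "1", row["hostname"]] for row in validate_rows(csv_text)]


def run_hardened(csv_text):
    """Execute without a shell; errors from ping do not raise."""
    return [subprocess.run(argv, capture_output=True, timeout=5, check=False).returncode
            for argv in build_commands_hardened(csv_text)]


if __name__ == "__main__":
    print("vulnerable would run:", build_commands_vulnerable(MALICIOUS_CSV)[1])
    try:
        build_commands_hardened(MALICIOUS_CSV)
    except ValueError as exc:
        print("hardened rejects upload:", exc)
```

The allowlist regex is the control that matters for root access: a denylist of characters such as `;` or `|` misses `$(...)`, backticks and newline tricks, whereas "only characters a hostname may contain" leaves nothing for a shell to interpret.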
Drupal SQL Injection Vulnerability
The CVE-2026-9082 vulnerability is a critical SQL injection flaw in Drupal Core's database abstraction layer that allows unauthenticated attackers to inject malicious SQL queries via crafted requests against PostgreSQL-backed sites, potentially leading to data theft, privilege escalation, or remote code execution. (06/10/2026)
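The details of CVE-2026-9082 are not on this page, so the following is an added, generic illustration of the bug class, not Drupal code and not the actual flaw: a lookup that splices request input into SQL, beside the parameterized form, plus the case parameters cannot solve, a caller-chosen sort column. SQLite stands in for PostgreSQL, and the table, rows and hash strings are constructed.

```python
import sqlite3


def setup_db():
    """In-memory stand-in for the site's database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, mail TEXT, pass_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (name, mail, pass_hash) VALUES (?, ?, ?)",
        [("admin", "admin@example.invalid", "$constructed$hash1"),
         ("editor", "editor@example.invalid", "$constructed$hash2")],
    )
    return conn


def find_by_name_vulnerable(conn, name):
    """Request input spliced into the statement: quotes, OR and UNION are all live."""
    sql = f"SELECT uid, name, mail FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_by_name_hardened(conn, name):
    """Placeholder: the driver sends the value separately, so it can only ever be data."""
    return conn.execute("SELECT uid, name, mail FROM users WHERE name = ?", (name,)).fetchall()


# Identifiers (table and column names) cannot be bound as parameters; the only safe
# option is an allowlist mapping user input to names the application controls.
ALLOWED_SORT = {"uid": "uid", "name": "name", "mail": "mail"}


def list_users_sorted(conn, sort_key):
    column = ALLOWED_SORT.get(sort_key)
    if column is None:
        raise ValueError(f"unsupported sort key {sort_key!r}")
    return conn.execute(f"SELECT uid, name FROM users ORDER BY {column}").fetchall()


if __name__ == "__main__":
    db = setup_db()
    print("bypass:", find_by_name_vulnerable(db, "' OR '1'='1"))
    print("exfil :", find_by_name_vulnerable(db, "x' UNION SELECT uid, name, pass_hash FROM users --"))
    print("safe  :", find_by_name_hardened(db, "' OR '1'='1"))
```

The UNION payload is the one to remember when reading "data theft" in the advisory: the same query that should return a public display name hands back password hashes through the mail column, with no error visible to the site.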
MS Exchange Server XSS Vulnerability
The vulnerability CVE-2026-42897 is a cross-site scripting (XSS) flaw in Exchange Server Outlook Web Access (OWA) that allows attackers to execute malicious JavaScript in a user's browser via specially crafted emails. It is classified as a spoofing issue, but in practice it can lead to session hijacking and account compromise within the OWA context. (06/09/2026)
Stored Cross-Site Scripting (XSS) Vulnerabilities in VMware Products
Broadcom has disclosed three high-severity stored cross-site scripting (XSS) vulnerabilities (CVE-2026-41722, CVE-2026-41723, CVE-2026-41724) affecting various VMware products. Attackers with permissions to create policies, views, or text widgets could inject malicious scripts that run later in the browser of whoever views the stored item, potentially performing actions with that viewer's (possibly higher) privileges. Broadcom has released patches for all affected products; no workaround is available. (06/09/2026)
General IT Security Awareness Content
Microlearning for your Team: Recognize Quishing Attacks
Free lecture (SCORM package available):
Microlearning Cartoon: Detecting fake links (phishing)
Are you sure your team knows the basics? Detecting fake links as a security habit: how often do they check a link before clicking, and how do they do it on a desktop versus a mobile device, where the real URL is harder to see?
Microlearning for your Team: How Hackers create Website Fakes
What's a cookie?
Excerpt from the practical Online Course "IT Security Awareness Training for Employees" (SCORM/pay-once Bundle)