IT Security Awareness News Roundup for June 2026

Added on 06/01/2026, last updated on 06/30/2026

What matters most in IT security and awareness, and what should guide the attention of CIOs, CISOs, and CEOs?

IT Security Awareness Failures

"Inbox Full" Phishing Campaign Bypasses MFA via Calendar Invites

A sophisticated global phishing wave exploits employee trust by sending highly convincing emails claiming their Outlook mailboxes are full. To bypass traditional security awareness training, attackers hide the malicious "release emails" link inside attached calendar invitations or PDFs rather than in the email body. Clicking this link routes victims through a phishing platform to a compromised Microsoft login page, where attackers steal session tokens and thereby bypass multi-factor authentication (MFA). (06/30/2026)

Awareness Training Takeaway: This case demonstrates that phishing attacks are becoming more professional and sophisticated. Employees should be trained in web and e-mail basics so they can spot attack vectors such as links in emails, attachments, or text messages: IT Security Awareness Training for Employees.

Phishing Simulation Sparks Backlash After Fake Paid Leave Offer (Canada)

A Canadian health authority faced strong criticism after employees received a phishing simulation e-mail promising an extra paid day off. Staff described the campaign as a "cruel hoax", arguing it damaged trust and morale, especially during a period of heavy workloads. The organization later apologized and announced it would review its approach to security awareness training. (06/26/2026)

Our Take on Security Awareness: Why Foundations Matter More Than Phishing Simulations - why foundational IT security training and understanding how the internet works is the key to long-term corporate security.

AI-Powered Phishing-as-a-Service Network Disrupted by FBI and Google

The FBI and Google dismantled Outsider Enterprise, a large phishing-as-a-service operation that used AI to generate fake websites and phishing campaigns at massive scale. The platform was linked to more than one million phishing URLs, thousands of fraudulent websites, millions of stolen payment card records, and significant financial losses worldwide. (06/21/2026)

Awareness Training Takeaway: This case demonstrates that phishing attacks are becoming more professional and convincing through AI, making it increasingly difficult to identify scams by poor language or obvious mistakes. Employees should be trained to verify unexpected requests through a trusted channel, to avoid clicking links in unsolicited emails or text messages, and to report suspicious messages to the IT security team: IT Security Awareness Training for Employees.

CEO Password Security Fail

"The Register" describes a company where the CEO stored every employee's username and password in a single Excel file so he could access their email accounts, even refusing to enable multi-factor authentication (MFA). Despite repeated security warnings and previous ransomware incidents, this practice led to multiple data breaches, highlighting the importance of never sharing passwords and always using MFA. (06/17/2026)

HissenIT Tip: Managers should demonstrate an even higher level of security awareness than the average employee. Not only do they set the tone and lead by example, but their decisions and actions can significantly influence the security posture of the entire organization. To build that background knowledge, we offer IT Security Awareness for Executives, General & Project Managers.
Equally important, managers should possess the same strong foundation in security fundamentals and awareness principles as their employees, enabling them to recognize phishing, scams, and other common threats while setting the right example for their teams: IT Security Awareness Training for Employees.

Secure Programming / Coding Failures

Cisco Catalyst SD-WAN Manager Flaw Allowed Root Access via Malicious CSV Upload

A zero-day vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager allowed attackers to exploit an improperly validated CSV file upload feature, resulting in OS command injection. By uploading a crafted CSV file through the web interface, attackers could bypass normal administrative restrictions and gain full root access to the underlying operating system. (06/30/2026)

Programming Training with Security? Train your developers and TPMs(!) → Secure Programming of Web Applications
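The Cisco item above describes the general class of bug, an upload feature whose user-controlled input ends up in an operating-system command, without publishing the vulnerable code. The following added example (written for this roundup, not Cisco's code and not the mechanics of CVE-2026-20245) shows the anti-pattern beside a hardened version: the vulnerable function splices the uploaded filename into a shell command line, while the hardened version allowlists the filename, parses and validates every CSV field with the csv module, and returns an argv list for a shell-free subprocess call. The import tool path, upload directory and sample uploads are constructed placeholders.

```python
import csv
import io
import re

# Constructed sample uploads for this illustration (not taken from the Cisco
# advisory). The second carries shell metacharacters in the filename, the
# third inside a CSV field.
BENIGN_UPLOAD = ("devices.csv", "hostname,site\nedge-01,berlin\n")
HOSTILE_UPLOAD = ("devices.csv; id #", "hostname,site\nedge-01,berlin\n")
HOSTILE_ROW = ("devices.csv", "hostname,site\nedge-01$(id),berlin\n")

IMPORT_TOOL = "/usr/bin/import-devices"  # hypothetical backend binary
UPLOAD_DIR = "/var/uploads"              # hypothetical upload location


def build_command_vulnerable(filename: str) -> str:
    """Anti-pattern: the uploader-controlled filename is spliced into a shell
    command line, so every shell metacharacter in it becomes shell syntax."""
    return f"{IMPORT_TOOL} --file {UPLOAD_DIR}/{filename}"


# Allowlist for uploaded filenames: a short alphanumeric stem plus ".csv".
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.csv")
# Allowlists for the fields we expect in each row.
SAFE_HOSTNAME = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")
SAFE_SITE = re.compile(r"[a-z]{1,32}")


def validate_filename(filename: str) -> bool:
    return SAFE_NAME.fullmatch(filename) is not None


def parse_rows(content: str) -> list[dict]:
    """Parse the CSV body with the csv module and validate every field
    against an allowlist before anything downstream sees it."""
    rows = []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(content)), start=2):
        # Extra fields land under the key None, missing ones are None values.
        if set(row) != {"hostname", "site"}:
            raise ValueError(f"line {line_no}: unexpected columns")
        if not SAFE_HOSTNAME.fullmatch(row["hostname"] or ""):
            raise ValueError(f"line {line_no}: invalid hostname")
        if not SAFE_SITE.fullmatch(row["site"] or ""):
            raise ValueError(f"line {line_no}: invalid site")
        rows.append({"hostname": row["hostname"], "site": row["site"]})
    return rows


def build_command_hardened(filename: str, content: str) -> list[str]:
    """Validate first, then return an argv list meant for
    subprocess.run(argv) with shell=False, so no shell ever parses the
    user-supplied text."""
    if not validate_filename(filename):
        raise ValueError("rejected upload filename")
    parse_rows(content)  # reject bad rows before the file reaches the backend
    return [IMPORT_TOOL, "--file", f"{UPLOAD_DIR}/{filename}"]
```

The two defenses are independent: the argv list alone already stops the shell from interpreting the filename, and the allowlists alone already reject it. Keeping both means a later refactor that reintroduces a shell call does not silently reopen the hole.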

Drupal SQL Code-Injection Vulnerability

The CVE-2026-9082 vulnerability is a critical SQL injection flaw in Drupal Core's database abstraction layer that allows unauthenticated attackers to inject malicious SQL queries via crafted requests against PostgreSQL-backed sites, potentially leading to data theft, privilege escalation, or remote code execution. (06/10/2026)

Why does it still exist? Even with decades of documentation, SQL Code Injection remains a top threat. Train your developers and TPMs → Secure Programming of Web Applications
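To make the "why does it still exist" point concrete, here is an added example (not Drupal's code and not the mechanics of CVE-2026-9082, which lives in Drupal's database layer rather than in application code) showing the injection class in the smallest possible form: a lookup that concatenates input into SQL text beside the same lookup with a bound parameter, plus the case parameters cannot solve, an ORDER BY column name, which needs an allowlist. The table, rows and the injection input are constructed for the demo; it runs against an in-memory SQLite database.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed demo table; the data is invented for this illustration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, role) VALUES (?, ?)",
        [("alice@example.com", "admin"), ("bob@example.com", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Anti-pattern: untrusted input is concatenated into the SQL text, so the
    input can change the query's structure instead of just its value."""
    sql = f"SELECT id, email, role FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def find_user_hardened(conn: sqlite3.Connection, email: str) -> list:
    """Bound parameter: the driver passes the value separately from the SQL
    text, so quotes or keywords in the input are never parsed as SQL."""
    return conn.execute(
        "SELECT id, email, role FROM users WHERE email = ?", (email,)
    ).fetchall()


# Identifiers (column names, table names, ORDER BY targets) cannot be bound
# as parameters; the safe option is an allowlist of known names.
ALLOWED_SORT_COLUMNS = {"id", "email", "role"}


def list_users_sorted(conn: sqlite3.Connection, sort_by: str) -> list:
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return conn.execute(
        f"SELECT id, email, role FROM users ORDER BY {sort_by}"
    ).fetchall()


# Constructed test input, not a real request: closes the quoted value and
# appends an always-true condition.
INJECTION_INPUT = "x' OR '1'='1"
```

Run the two lookups with INJECTION_INPUT: the concatenated query returns every user, the parameterized one returns nothing because it looks for an e-mail address that is literally that string.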

MS Exchange Server XSS Vulnerability

The vulnerability CVE-2026-42897 is a cross-site scripting (XSS) flaw in Exchange Server Outlook Web Access that allows attackers to execute malicious JavaScript in a user's browser via specially crafted emails. It is classified as a spoofing issue and can lead to session hijacking and account compromise within the OWA context. (06/09/2026)

Reason enough to study the background of web application security for custom-made applications, whether they are used only internally or exposed to the public → Secure Programming of Web Applications

Stored Cross-Site Scripting (XSS) Vulnerabilities in VMware Products

Broadcom has disclosed three high-severity stored cross-site scripting (XSS) vulnerabilities (CVE-2026-41722, CVE-2026-41723, CVE-2026-41724) affecting various VMware products. Attackers with permissions to create policies, views, or text widgets could inject malicious scripts and potentially perform actions with elevated privileges. Broadcom has released patches for all affected products; no workaround is available. (06/09/2026)

HissenIT Tip: That is why awareness for Secure Programming of Web Applications is so important - for developers and (technical) project managers!
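Both XSS items above (the OWA flaw and the VMware text-widget flaws) share one root cause: text a user stored earlier is written into another user's page without encoding. This added example (written for this roundup, not Microsoft's or Broadcom's code) renders a constructed "text widget" the vulnerable way and the hardened way. It shows two things a practitioner wants to see: context-specific output encoding with html.escape, and the attribute case that encoding alone does not cover, a javascript: URL in href, which needs a scheme allowlist. The widget text and link are constructed sample data.

```python
import html
from urllib.parse import urlsplit

# Constructed stored widget content for this illustration (not from the
# Exchange or VMware advisories).
STORED_WIDGET_TEXT = "Welcome <script>alert(document.cookie)</script>"
STORED_LINK = "javascript:alert(1)"
PLAIN_WIDGET_TEXT = 'Welcome "team"'


def render_widget_vulnerable(title: str, link: str) -> str:
    """Anti-pattern: stored user text is written into the page unchanged, so
    markup in the stored value runs in every viewer's browser."""
    return f'<div class="widget"><a href="{link}">{title}</a></div>'


def safe_href(url: str) -> str:
    """Escaping does not help in a URL attribute: 'javascript:' contains no
    character html.escape would touch, yet it runs when clicked. Allow only
    absolute http(s) URLs and replace anything else with an inert anchor."""
    scheme = urlsplit(url.strip()).scheme.lower()
    return url if scheme in ("http", "https") else "#"


def render_widget_hardened(title: str, link: str) -> str:
    """Encode for the HTML text context and the attribute context
    (html.escape converts < > & and, by default, both quote characters)
    and allowlist the URL scheme before the value reaches the attribute."""
    return (
        '<div class="widget">'
        f'<a href="{html.escape(safe_href(link))}">{html.escape(title)}</a>'
        "</div>"
    )


# Defense in depth, not a substitute for encoding: a CSP that forbids inline
# scripts limits what an injected script can still do. Constructed header.
CSP_HEADER = (
    "Content-Security-Policy",
    "default-src 'self'; script-src 'self'; object-src 'none'",
)
```

The hardened renderer is what the VMware "text widget" case calls for: whoever is allowed to create a widget can still type anything, but the viewer's browser receives it as text, not markup.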

How do you train your (technical) project managers and developers?

Under pressure, "non-functional" security features are often dropped or delayed. Fixing breaches in production is 100x costlier. Complexity has increased exponentially. Your team's skills must keep up:

Secure Code Training - Security by Design Poster

General IT Security Awareness Content

Microlearning for your Team: Recognize Quishing Attacks

Free lecture (SCORM package available):

Microlearning Cartoon: Detecting fake links (phishing)

Are you sure your team knows the basics? Detecting fake links as a security habit: how often do they check links before clicking? What do you do on your desktop and mobile device?

IT Security Awareness - Detecting fake links

Microlearning for your Team: How Hackers create Website Fakes

What's a cookie?

Excerpt from the practical Online Course "IT Security Awareness Training for Employees" (SCORM/pay-once Bundle)

IT Security Awareness for Employees

Self-Assessment (excerpt)

Free Lecture 'E-Mail Security'

How is your team's security awareness? For real and for audits!?

Are you on a platform, do you own your awareness program yourself, or both?

IT Security Awareness through Learning Management System (LMS)
IT Security Awareness to follow ISO 27001
IT Security Awareness - Hacker vs. Security Budget

How do you manage your employees' IT security awareness?

Online learning, phishing simulations, in-person sessions, … - What works best for you?

IT Security Awareness Poster - The Human Firewall vs LMS Power
IT Security Awareness - Driver Training Comparison
IT Security Awareness - Cost of Shortcuts
IT Security Awareness Poster - The Human Firewall
IT Security Awareness Cartoon - Confidence
IT Security Awareness Cartoon - Before After Training
IT Security Awareness - Habits