
Week of April 14–20, 2026 | Published by S6 Tech
⚡ 60-SECOND VERSION
Biggest threat: Attackers are posing as your IT helpdesk on Microsoft Teams and going from "hello" to full domain compromise in under an hour.
Why it matters: One employee who grants remote access through Quick Assist can hand over your entire network. No malware, no exploit, just a convincing chat message.
Do this now: Block or restrict external Teams messaging (10 minutes, free) - Microsoft's guide.
📋 EXECUTIVE SUMMARY
1. Attackers shifted from technical exploits to the human layer. Microsoft documented a playbook where Teams messages impersonating IT support lead to domain-controller compromise in under 60 minutes, bypassing every firewall, MFA, and endpoint tool you own.
2. Law firms are this week's target of choice. 16 legal victims in seven days, the highest single-sector count of 2026, including 11 firms posted simultaneously by one actor. That points to either a shared vulnerability in practice-management software or a compromised service provider upstream of multiple firms.
3. For the first time, German police publicly named a major ransomware operator, the leader of REvil and GandCrab. The unmasking won't produce an arrest, but it signals to current crews that anonymity has an expiration date. Expect faster, more reckless attacks.
📊 METRICS & INTELLIGENCE
| Metric | This Week | What It Means |
|---|---|---|
| Total Disclosed Victims | 97 | Volume steady for a third week; attention shifted to new sectors |
| Active Threat Actors | 27 | Fragmentation holding; no single actor dominates |
| Legal Sector Hits | 16 (↑ sharply) | Highest single-sector count of 2026; likely coordinated |
| US-Based Victims | 23 (24%) | Settled between April 6 (8%) and April 13 (32%) |
| Top Actor Share | 12.4% (Qilin) | Far more distributed than last week's 17.5% leader share |
Germany (7), UK (6), Brazil (4), and France (4) followed the US.
SECTOR TARGETING — THIS WEEK
Legal surged to 16 victims — more than double any other sector. One actor posted 11 law firms in a single April 17 batch.
🚨 ACTIVE CAMPAIGNS
Microsoft Teams Helpdesk Impersonation 🏢
Full domain compromise documented within 60 minutes of first contact
What it does: An attacker creates a fake Microsoft 365 tenant, sends a Teams chat posing as IT support, and convinces your employee to launch Quick Assist (Windows' built-in remote-support tool). Once they accept, the attacker has desktop access, pivots through WinRM (a built-in tool for remotely controlling Windows servers) to reach domain controllers, and uses Rclone to exfiltrate data to cloud storage.
Why it matters: Every firewall, endpoint tool, and MFA prompt gets bypassed because the employee cooperates at each step. Any employee who can receive external Teams messages can become an entry point.
Source: Microsoft Security Blog
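One way to spot the chain described above on your own endpoints, as an added example that is not from the newsletter or from Microsoft's report: it correlates Quick Assist starting on a workstation with WinRM or Rclone activity on the same host within the 60-minute window. The `$events` records are constructed samples in a process-creation shape (field names are assumptions); in production, replace them with Security event 4688 records (command-line auditing enabled) or Sysmon event 1 from Get-WinEvent.

```powershell
# Constructed sample records (not real telemetry): one workstation shows the
# full chain, another shows a lone, legitimate Quick Assist session.
$events = @(
    [pscustomobject]@{ Time='2026-04-17T09:02:10'; Host='WS-017'; Process='msteams.exe';     CommandLine='msteams.exe' },
    [pscustomobject]@{ Time='2026-04-17T09:06:41'; Host='WS-017'; Process='quickassist.exe'; CommandLine='quickassist.exe' },
    [pscustomobject]@{ Time='2026-04-17T09:31:05'; Host='WS-017'; Process='powershell.exe';  CommandLine='powershell.exe Enter-PSSession -ComputerName DC01' },
    [pscustomobject]@{ Time='2026-04-17T09:52:19'; Host='WS-017'; Process='rclone.exe';      CommandLine='rclone.exe copy' },
    [pscustomobject]@{ Time='2026-04-17T10:15:00'; Host='WS-042'; Process='quickassist.exe'; CommandLine='quickassist.exe' }
)

function Find-HelpdeskImpersonationChain {
    param([object[]]$Events, [int]$WindowMinutes = 60)
    # Follow-on stages named in the campaign description; matched against "process commandline".
    $followOn = [ordered]@{
        WinRM  = 'Enter-PSSession|Invoke-Command|winrs\.exe|wsmprovhost\.exe'
        Rclone = '\brclone\.exe\b'
    }
    $hits = @()
    foreach ($group in ($Events | Sort-Object Time | Group-Object Host)) {
        # First Quick Assist launch on this host anchors the window.
        $start = $group.Group | Where-Object { $_.Process -ieq 'quickassist.exe' } | Select-Object -First 1
        if (-not $start) { continue }
        $t0 = [datetime]$start.Time
        $window = $group.Group | Where-Object { [datetime]$_.Time -gt $t0 -and [datetime]$_.Time -le $t0.AddMinutes($WindowMinutes) }
        $stages = @('QuickAssist')
        foreach ($name in $followOn.Keys) {
            if ($window | Where-Object { "$($_.Process) $($_.CommandLine)" -imatch $followOn[$name] }) { $stages += $name }
        }
        # Quick Assist on its own is normal helpdesk activity; only report it with a follow-on stage.
        if ($stages.Count -gt 1) {
            $hits += [pscustomobject]@{
                Host     = $group.Name
                Start    = $start.Time
                Chain    = ($stages -join ' -> ')
                Severity = $(if ($stages.Count -eq 3) { 'High' } else { 'Medium' })
            }
        }
    }
    return $hits
}

# With the sample above: WS-017 is reported as High (QuickAssist -> WinRM -> Rclone); WS-042 is not reported.
Find-HelpdeskImpersonationChain -Events $events | Format-Table -AutoSize
```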
Apple Account Notification Phishing 🏢
Phishing emails sent from Apple's real servers, bypassing all spam filters
What it does: Attackers found a way to inject phishing content into Apple's legitimate account-change notifications. The messages genuinely come from [email protected] and pass every email authentication check (SPF, DKIM, DMARC). The embedded links redirect to credential-harvesting pages.
Why it matters: Your email security tools won't flag these because the sender is authentic. User training has to shift from "watch for typos" to "never click links in account alerts; go directly to the service."
Source: BleepingComputer
France ANTS Identity System Breach ⚠️ FRENCH CUSTOMERS ONLY
French Interior Ministry confirms breach of national ID document portal
What it does: France's National Agency for Secure Documents, handler of passports, ID cards, residence permits, and driver's licenses, detected a security incident on April 15. The Interior Ministry confirmed exposure of login IDs, names, email addresses, dates of birth, and unique account identifiers; some records also include postal addresses and phone numbers. A forum seller claims 18–19 million records; that figure is unverified.
Why it matters: If you onboard French customers or employees using government ID, expect an uptick in fraud using legitimate-looking credentials. Consider secondary verification for new French applicants through late 2026.
Source: The Record, Security Affairs
✅ JUST DO THIS
Restrict External Microsoft Teams Access
⏱️ 10 minutes | 💰 Free (included in Microsoft 365)
Why now: The Teams impersonation campaign only works if outside tenants can message your employees. Restricting external Teams access breaks the attack at step one. Most SMBs have no legitimate party who needs to reach employees through Teams; email and phone suffice.
| Platform | Steps |
|---|---|
| Microsoft 365 | Teams Admin Center → Users → External access → Set to "Block all external domains" OR "Allow only specific external domains" → Add trusted partner domains only → Save |
| Google Workspace | Admin Console → Apps → Google Chat → External chat settings → Restrict to approved domains, or disable external chat entirely |
| Other | Audit every chat/collaboration tool for external messaging defaults. The rule: deny by default, allow by exception |
Verify it worked: Ask someone outside your organization to send one of your employees a Teams message. It should be blocked outright or require admin approval before delivery.
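The same Microsoft 365 restriction applied from the MicrosoftTeams PowerShell module, as an added example that is not from the newsletter or from Microsoft's guide; it is useful when you manage more than one tenant or want the change to be repeatable and auditable. It assumes the module is installed (Install-Module MicrosoftTeams) and the signed-in account holds a Teams administrator role; the partner domains are placeholders.

```powershell
Connect-MicrosoftTeams

# Option A: "Block all external domains". Also turns off chat from unmanaged
# consumer Teams accounts and Skype users, which are separate settings.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false `
    -AllowTeamsConsumer $false -AllowPublicUsers $false

# Option B: "Allow only specific external domains". Placeholder domains below;
# replace them with your real partners. Running B after A re-enables federation
# for the listed domains only.
$partnerDomains = @('partner-one.example', 'partner-two.example')
$patterns  = $partnerDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
    -AllowedDomains $allowList -AllowTeamsConsumer $false -AllowPublicUsers $false

# Verify the saved state (complements the outside-sender test above):
# Option A shows AllowFederatedUsers False; Option B lists only the partners.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, AllowPublicUsers
```

Tenant-wide settings can take some time to propagate, so rerun the outside-sender check after the configuration shows the expected values.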
🎯 THREAT ACTOR SPOTLIGHT
"UNKN" Unmasked: REvil/GandCrab Leader Named 🏢
German police publicly identify the person behind a $2 billion ransomware empire
What happened: Germany's federal police (BKA) publicly identified Daniil Maksimovich Shchukin, 31, as "UNKN"/"UNKNOWN" — leader of GandCrab and REvil from 2019–2021. This is the first time authorities have publicly named the top operator of a major ransomware-as-a-service program.
Why it matters: Shchukin is believed to live in Russia and won't face arrest. The extradition math hasn't changed. What changed is the message to every active operator: your real name has a shelf life.
What to expect from active crews:
- Shorter dwell times. More smash-and-grab attacks; speed to cash over long-term pressure.
- More rebranding. Operators recycle brand names faster to muddy the attribution trail.
- Harder negotiations. Tighter deadlines, less multi-round haggling, faster leaks.
Defensive Priorities:
| # | Action | Plain English |
|---|---|---|
| 1 | Offline backup verification | Confirm backups the attacker can't reach, and test restoring this quarter |
| 2 | Incident response plan refresh | Faster attacks mean your plan needs to work in hours; document who calls whom first |
| 3 | Cyber insurance review | Confirm double-extortion coverage is explicit; check ransom payment exclusions |
Also Active: Qilin led weekly volume with 12 victims (12.4%) across professional services and education in France, Colombia, the US, and UK. ShinyHunters set an April 21 deadline across nine enterprise targets (Pitney Bowes, Medtronic, Canada Life, and others) — attacker claims, not independently verified.
🏭 SECTOR TARGETING
Legal Services — 16 victims 🏪 SMB PRIORITY
Threat actors: The Gentlemen, Leakeddata, Qilin, Payload, Safepay, Pear
Notable incidents: Jones Day (US), Harris Beach Murtha (US), Goulston & Storrs (US), Philip Lee LLP (Ireland), GUEGUEN Avocats (France), Roger D. Mason II P.A. (Florida)
Why the surge: Leakeddata posted 11 law firms in a single April 17 batch. A drop that size typically means either a shared vulnerability in practice-management software or a compromised service provider (document management, e-billing, e-discovery) sitting upstream.
Healthcare — 6 victims 🏪
Threat actors: Blackwater, Qilin, Dragonforce, The Gentlemen, Termite, Kairos
Notable incidents: Minidoka Memorial Hospital (Idaho, under active 7-day Blackwater countdown), Laboratório Santa Luzia (Brazil), Millennium Dental Technologies (US)
Financial Services — 5 victims 🏭
Threat actors: Prinz Eugen, Everest, Qilin
Notable incidents: Standard Bank Group (South Africa), Frost Bank (US), Citizens Bank (US). Attackers claim 1.2TB exfiltrated from Standard Bank; not independently verified.
Real Estate / Property Management — 5 victims 🏪
Threat actors: Lamashtu, Payload, Kairos, INC Ransom
Notable incidents: Jesin Group (Malaysia), Better House (Egypt), Strata Republic (Australia)
⚠️ SMB Sector Alert: Law Firms
16 legal victims this week, 11 posted by a single actor in one batch. Solo practitioners and boutique firms were mixed in with larger practices. This is not a size-only target list. If you run a law firm: call your practice-management vendor and ask about any security incidents in the last 30 days. Verify your backups are offline and recent.
🏪 SMB REALITY CHECK
If you're under 50 employees with no dedicated security staff, here's what actually matters this week:
The Teams impersonation threat is the one to focus on, and it's manageable once everyone knows one rule: your company will never ask anyone to grant remote access through an unexpected Teams message, email, or phone call. If it happens, hang up and call IT directly. Say it out loud in a team meeting this week.
The Apple phishing emails affect everyone with an Apple ID. One rule: if you get an email about an Apple purchase or account change, open a new tab and go directly to appleid.apple.com. Never click the email link. This week the sender actually is real.
💡 The Code-Phrase Trick
A $0, 30-minute defense against this week's top threat: create an internal code phrase, something specific like "the backup server is blue." Real IT uses it every time they request remote access. No phrase, no access. Share at an all-hands, not by email. Run one mock test afterward.
Your Stack, Your Actions:
| If You Use... | Do This | Time |
|---|---|---|
| Microsoft 365 or Google Workspace | Restrict external chat — trusted partner domains only, or disable | 10 min |
| Any remote support tool | Create a verbal code phrase; share in-person, never email | 30 min |
| Law firm | Call practice-management vendor; verify offline backups | 20 min |
📞 When to Call for Help
If any employee reports an unexpected Teams message, email, or call from "IT support", especially one asking them to run Quick Assist or accept a remote session, contact your MSP immediately. Treat one report as an active incident.
Safe to ignore this week: The France ANTS breach (unless you onboard French customers), the REvil leadership story, and the ShinyHunters enterprise deadline claims.
🔮 LOOKING AHEAD
The Anonymity Arbitrage Is Closing — And Attacks Will Speed Up
Every ransomware crew operates on an assumption: their real identities stay hidden long enough to enjoy the money. The REvil/GandCrab unmasking is a crack in that assumption. The named operator is safe from extradition, but the naming is the message: every active operator has to assume the clock is ticking on their own anonymity.
What to watch: Faster initial-access-to-encryption timelines (hours, not days). Shorter negotiation windows, more "pay in 48 hours or we publish" ultimatums. More rebranding as operators burn through names.
Bottom line: Your incident response plan needs to assume hours, not days. The 2023-era playbook (engage insurer, hire responders, start negotiations) can't keep up. Pre-negotiated retainers now matter more than the dollar limit on your policy.
📅 This Month's Priority
Write a 60-minute incident playbook: who gets called in the first 15 minutes, who authorizes isolating systems, who contacts the insurer. Print it. Post it. Pre-negotiated IR retainers ($2,500–10,000/year) cut response time by more than half.
CLASSIFICATION: TLP:CLEAR
Sources: Microsoft Security Blog (Apr 18), BleepingComputer (Apr 19), The Record (Apr 20), Security Affairs (Apr 20), Krebs on Security (Apr 6), Ransomware.live API, RansomLook.io API
S6 RANSOMWARE SIGNAL
Your data is an asset. We guard it like one.
Intelligence cutoff: April 20, 2026 14:00 ET | Next edition: April 27, 2026
