Critical Microsoft & Adobe patches, AI Supply chain compromises, and more

Apr 21, 2026 | Security Alerts

This month brought an overwhelming stream of actionable security news. As always, prompt action and user education remain essential to safeguarding your organization.

Microsoft:
Microsoft has released patches for 169 security flaws this month, including three actively exploited zero-day vulnerabilities. If you are hoping Windows Defender will help protect you here, unfortunately these vulnerabilities affect the security software found on every Windows system. They could allow an attacker to escalate privileges and take administrative control of a system, so failing to patch them represents a significant risk to your users and organization.

Microsoft RDP:

Microsoft rolled out updates that flag potentially malicious Remote Desktop connection files (ending in .rdp), which attackers have increasingly abused in phishing campaigns to remotely steal data and credentials from victims. This is causing some confusion for users who regularly use these files to access remote systems. The new warnings appear when a remote connection is initiated and are intended to help users distinguish between expected and unexpected connections.

Risk becomes real with Vercel compromise due to shadow AI:

An employee at Vercel, a software company, installed a Chrome extension that granted an AI tool called Context.ai access to their Google Workspace account. Context.ai is an AI assistant designed to analyze internal documentation, technical logs, and institutional knowledge to provide context-aware answers. This led to the compromise of Vercel customer data and systems. It remains unclear how Context.ai itself became compromised. In addition, security researchers identified 108 malicious Chrome extensions this month. This incident highlights the risks of browser extensions and the need for strong, clearly defined safe-use-of-AI policies combined with strong user training.
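A practical first step toward the extension controls described above is knowing what is actually installed. The following PowerShell script is an added example, not code from the original post or from Vercel: it inventories Chrome extensions across local user profiles on a Windows machine and flags those whose manifest requests broad permissions. It assumes the standard Chrome profile paths, needs to run with rights to read other users' profiles, and the `$ReviewPermissions` list is an assumed starting point, not an authoritative list.

```powershell
# Added example: inventory Chrome extensions for every local user profile and flag
# those requesting permissions worth a closer look (assumed list, adjust as needed).
$ReviewPermissions = @('<all_urls>', 'webRequest', 'cookies', 'history', 'clipboardRead', 'tabs', 'identity')

function Get-ChromeExtensionInventory {
    $results = @()
    $userDirs = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue
    foreach ($user in $userDirs) {
        $userData = Join-Path $user.FullName 'AppData\Local\Google\Chrome\User Data'
        if (-not (Test-Path $userData)) { continue }
        # Chrome stores each extension at <Profile>\Extensions\<id>\<version>\manifest.json
        $manifests = Get-ChildItem -Path $userData -Filter 'manifest.json' -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.FullName -like '*\Extensions\*' }
        foreach ($m in $manifests) {
            $id = $m.Directory.Parent.Name
            if ($id -notmatch '^[a-p]{32}$') { continue }   # skip test/bundled manifests
            $manifest = Get-Content -Path $m.FullName -Raw -ErrorAction SilentlyContinue | ConvertFrom-Json
            if (-not $manifest) { continue }
            # Manifest V3 splits host permissions out; combine both lists and drop empties
            $perms = @(@($manifest.permissions) + @($manifest.host_permissions) | Where-Object { $_ })
            $flagged = @($perms | Where-Object { $ReviewPermissions -contains $_ })
            $results += [pscustomobject]@{
                User        = $user.Name
                Profile     = $m.Directory.Parent.Parent.Parent.Name
                ExtensionId = $id
                Name        = $manifest.name      # may be a __MSG_*__ placeholder for localized names
                Version     = $manifest.version
                Permissions = ($perms -join ', ')
                NeedsReview = ($flagged.Count -gt 0)
            }
        }
    }
    return $results
}

Get-ChromeExtensionInventory | Sort-Object NeedsReview -Descending | Format-Table -AutoSize
```

Extension IDs in the output can be looked up in the Chrome Web Store or compared against an approved list; the script only reports, it does not remove anything.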

Identity is the target:

There were multiple headlines this month involving attackers gaining access to systems through targeted attacks on identity platforms including Entra ID and Okta. Researchers discovered VENOM, a phishing-as-a-service platform that targets executives and can steal Microsoft 365 credentials while bypassing MFA. Additionally, we learned that vishing is becoming an increasingly effective technique for threat actors such as ShinyHunters to trick users into granting access to systems like Okta and Entra ID. Much like phishing, which uses email to trick recipients into clicking links or taking other actions, vishing uses phone calls to manipulate recipients into granting access. Attackers leverage detailed profiles of their targets using sources like LinkedIn, company websites, ZoomInfo, and previously compromised credentials to establish trust and carry out sophisticated scams. Once inside Okta, an attacker can gain access to every SSO-connected application without needing to compromise each one separately.

Adobe Acrobat:

Adobe issued an emergency patch to address a zero-day vulnerability discovered at the end of March. It appears that Russia-based attackers were exploiting this vulnerability by sending malicious PDF files to users. The vulnerability allowed attackers to escape sandbox protections and execute privileged JavaScript code, meaning the code could potentially perform any action, including administrative actions. This vulnerability appears to affect both Windows and macOS systems.

Growing risks of add-on solutions:

We’ve seen several documented examples this year of attackers gaining access to seemingly secure systems and stealing large volumes of data through unexpected means. Threat actors like ShinyHunters and APT41 are stealing data from Salesforce, Snowflake, AWS, Azure, and Google Cloud Platform by exploiting weaknesses in third-party plugins designed to help users work with data more efficiently. Some of these tools include Anodot, Salesloft, and Gainsight. Once an attacker gains access to one of these systems, usually through a compromised account, they can pivot to one of these powerful add-on tools to bypass controls and quickly access large volumes of data. These tools are designed to access large datasets and make them more accessible and actionable.

What do I need to do?

  • Microsoft Windows: For our clients who subscribe to our security and management tools, your Windows computers should begin receiving updates this week. Users should complete the installation of patches when prompted and not delay or defer them. Updates can also be installed manually by following the directions below:
  • Microsoft RDP: Advise users who use Remote Desktop software of the new notices they’ll potentially be seeing. Provide them with the following linked Microsoft article explaining the new alerts: https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/remotepc/understanding-security-warnings
  • Shadow AI and Browser Extensions: It is critical to have a strong safe-use-of-AI policy that all staff are trained on. A good policy should explicitly define different types of data, tie into your data classification policy, specify which systems are approved for use, clarify what types of data can be used with them, and provide clear guidance on how to evaluate tools and get support. Additionally, organizations should maintain a strong, ongoing security awareness program that educates users about the risks of browser extensions and other related threats.
  • Identity Risks: Strong email security solutions combined with an ongoing security awareness program are the best defense against this type of risk. However, additional layers of protection are recommended, including web filtering and conditional access rules to limit how users can access systems and to restrict access to approved devices.
  • Adobe Acrobat: For clients who subscribe to our security and management tools, your computers should have started receiving updates last week. Users should complete patch installation when prompted and should not delay or defer updates. Updates can also be manually installed by following the directions below:
    • From within Adobe Acrobat, open the Help menu and select 'Check for Updates', which triggers the update process.
  • Add-on Solutions Risks: Organizations should evaluate any add-on tools they have and review the provider's guidance for securing them. The principle of least privilege should be applied so that these tools only have access to the data they need to provide the desired capabilities. Organizations should also consider how they can monitor the activity of these tools and whether any thresholds can be applied, so that the damage from a potential compromise is limited.
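The conditional access recommendation under Identity Risks can be put in place with a policy like the one below. This is an added example using the Microsoft Graph PowerShell SDK, not a configuration from the original post: it creates an Entra ID conditional access policy in report-only mode that requires an Intune-compliant or hybrid-joined device for all cloud apps, so a credential captured by phishing or vishing is not enough on its own. It assumes the `Policy.ReadWrite.ConditionalAccess` scope, and `$breakGlassGroupId` is a placeholder for your emergency-access group.

```powershell
# Added example: require an approved (compliant or hybrid-joined) device for every
# cloud app, starting in report-only mode so the impact can be reviewed first.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

# Placeholder: object id of the emergency-access (break-glass) group to exclude
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName   = 'CA - Require approved device for all cloud apps (report-only)'
    # Report-only: sign-in logs record who would have been blocked, nobody is blocked yet
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        # OR: satisfying either control grants access; a password alone satisfies neither
        operator        = 'OR'
        builtInControls = @('compliantDevice', 'domainJoinedDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# After reviewing the report-only results in the Entra sign-in logs, switch the
# policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

Keep the break-glass exclusion and review the report-only results for at least a full business cycle before enforcing, since unmanaged devices that staff rely on will surface there first.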

QuickTip: The IC3 website (https://www.ic3.gov/) is the official website run by the FBI for reporting cyber crime. IC3 stands for Internet Crime Complaint Center, and it is the first step in reporting any suspected or confirmed cyber crime.


Additional Resource and Details:

As always if you have any questions or concerns about this latest security disclosure, please feel free to reach out.
