
Intelligence Insights: Feb 2026

By Bridewell CSIRT | 3 March 2026 | 6 min read

Daniel Whitcombe, Threat Intelligence Analyst | Alex Jones, Academy Threat Intelligence Analyst | Bridewell CSIRT


The Bridewell Threat-Led Approach

Bridewell’s managed security services are built upon a proactive, threat-led defence strategy. Moving beyond reactive monitoring, we actively track adversary infrastructure and tradecraft. By seamlessly integrating Cyber Threat Intelligence (CTI), Incident Response (IR), and Managed Detection and Response (MDR), we ensure our clients remain ahead of the evolving threat landscape.

In a landscape defined by rapid adaptation, knowing what is attacking you is just as critical as knowing how. This month’s Threat Insights leverages data from Bridewell’s global MDR and Incident Response engagements to expose the top malicious infrastructure of February 2026. We go beyond the headlines to provide actionable detection guidance on the month's threat insights, equipping your team with the foresight to stay one step ahead.

Top 5 Malicious Infrastructure Threats Tracked

Threat Name  | Category               | Feb. Volume | Monthly Trend
Sliver       | Exploitation Framework | 5239        | ▲ Rising
Brute Ratel  | Exploitation Framework | 1930        | ▲ Rising
Burp         | Vulnerability Scanner  | 1167        | ▲ Rising
GoPhish      | Phishing               | 932         | ▲ Rising
Metasploit   | Exploitation Framework | 562         | ▲ Rising

“During the period we observed a large increase in IPs associated with Sliver C2 and have moderate confidence that this is attributed to the use of dynamic IP addresses being used by threat actors for some of the infrastructure that we track.”


Threat Detection Insights - February

ConsentFix: Browser-Native OAuth Token Theft via Azure CLI

This month, we observed a browser-native social engineering technique dubbed ConsentFix, which abuses OAuth authorisation flows to achieve covert Microsoft account compromise without malware, credential harvesting, or endpoint execution. The campaign blends elements of ClickFix, OAuth consent phishing, and search-engine watering hole attacks, relying entirely on user interaction within the browser context.

Stage Analysis: The attack chain begins with victims being redirected from Google Search results to compromised, high-reputation websites presenting a fake Cloudflare Turnstile CAPTCHA. After conditional email-based targeting and IP suppression to evade analysis, victims are redirected to a legitimate Microsoft login flow. Upon authenticating, victims are instructed to copy and paste a localhost redirect URL containing an OAuth authorisation code into the attacker’s page. The attacker exchanges this code for a valid OAuth token using Azure CLI, enabling non-interactive access to Microsoft Graph and Azure APIs, often blending in with legitimate Azure CLI usage patterns.


Community Detection Opportunities

Detection Opportunity (KQL) 1

// Detects potential ConsentFix activity by correlating a successful interactive Azure CLI sign-in
// with a subsequent non-interactive Azure CLI sign-in for the same user and session within a short time window.
// An IP or ASN mismatch between the two sign-ins suggests the authorisation code was redeemed from
// infrastructure other than the victim's browser.
let Lookback = 7d;
let Window   = 10m;
let AzureCLI_AppID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46";

let Interactive =
    SigninLogs
    | where TimeGenerated >= ago(Lookback)
    | where AppId == AzureCLI_AppID
    | where ResultType == "0"   // ResultType is a string column; "0" is a successful sign-in
    | project
        InteractiveTime = TimeGenerated,
        UserPrincipalName,
        SessionId,
        InteractiveIP = IPAddress,
        InteractiveASN = tostring(AutonomousSystemNumber),
        InteractiveLocation = tostring(Location);

let NonInteractive =
    AADNonInteractiveUserSignInLogs
    | where TimeGenerated >= ago(Lookback)
    | where AppId == AzureCLI_AppID
    | where ResultType == "0"
    | project
        NonInteractiveTime = TimeGenerated,
        UserPrincipalName,
        SessionId,
        NonInteractiveIP = IPAddress,
        NonInteractiveASN = tostring(AutonomousSystemNumber),
        NonInteractiveLocation = tostring(Location);

Interactive
| join kind=inner NonInteractive on UserPrincipalName, SessionId
| where NonInteractiveTime between (InteractiveTime .. InteractiveTime + Window)
| extend
    IPMismatch  = InteractiveIP != NonInteractiveIP,
    ASNMismatch = InteractiveASN != NonInteractiveASN
| project
    UserPrincipalName,
    InteractiveTime, InteractiveIP, InteractiveASN, InteractiveLocation,
    NonInteractiveTime, NonInteractiveIP, NonInteractiveASN, NonInteractiveLocation,
    IPMismatch, ASNMismatch, SessionId
| order by InteractiveTime desc
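The correlation above, reproduced offline over constructed sample sign-in records so the logic can be checked without a Sentinel workspace. This is an added example, not Bridewell's code; the field names mirror the KQL, the records and the `ASN` field are made up.

```python
from datetime import datetime, timedelta

# Entra ID application ID of Azure CLI, as used in the KQL queries above.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"

# Constructed sample records (not real telemetry) mirroring SigninLogs and
# AADNonInteractiveUserSignInLogs fields used by Detection Opportunity 1.
INTERACTIVE = [
    {"TimeGenerated": "2026-02-12T09:00:00", "UserPrincipalName": "alice@example.com",
     "SessionId": "sess-1", "AppId": AZURE_CLI_APP_ID, "ResultType": "0",
     "IPAddress": "203.0.113.10", "ASN": "64500"},
    {"TimeGenerated": "2026-02-12T11:00:00", "UserPrincipalName": "bob@example.com",
     "SessionId": "sess-2", "AppId": AZURE_CLI_APP_ID, "ResultType": "0",
     "IPAddress": "198.51.100.7", "ASN": "64501"},
]
NON_INTERACTIVE = [
    # Same user and session 3 minutes later from a different IP/ASN: the ConsentFix shape,
    # where the authorisation code is redeemed from infrastructure other than the browser.
    {"TimeGenerated": "2026-02-12T09:03:00", "UserPrincipalName": "alice@example.com",
     "SessionId": "sess-1", "AppId": AZURE_CLI_APP_ID, "ResultType": "0",
     "IPAddress": "192.0.2.55", "ASN": "64999"},
    # Same user and session but 30 minutes later: outside the window, not correlated.
    {"TimeGenerated": "2026-02-12T11:30:00", "UserPrincipalName": "bob@example.com",
     "SessionId": "sess-2", "AppId": AZURE_CLI_APP_ID, "ResultType": "0",
     "IPAddress": "198.51.100.7", "ASN": "64501"},
]

def correlate(interactive, non_interactive, window_minutes=10):
    """Pair each successful interactive Azure CLI sign-in with a successful non-interactive
    one for the same user and session within the window, flagging IP and ASN mismatches."""
    window = timedelta(minutes=window_minutes)
    def ok(r):  # equivalent of the AppId and ResultType filters in the KQL
        return r["AppId"] == AZURE_CLI_APP_ID and r["ResultType"] == "0"
    hits = []
    for i in filter(ok, interactive):
        t0 = datetime.fromisoformat(i["TimeGenerated"])
        for n in filter(ok, non_interactive):
            same_key = (n["UserPrincipalName"], n["SessionId"]) == (i["UserPrincipalName"], i["SessionId"])
            if same_key and t0 <= datetime.fromisoformat(n["TimeGenerated"]) <= t0 + window:
                hits.append({"user": i["UserPrincipalName"], "session": i["SessionId"],
                             "ip_mismatch": i["IPAddress"] != n["IPAddress"],
                             "asn_mismatch": i["ASN"] != n["ASN"]})
    return hits

if __name__ == "__main__":
    for hit in correlate(INTERACTIVE, NON_INTERACTIVE):
        print(hit)
```

Only the alice pair is returned, with both mismatch flags set; widening or narrowing the window changes which pairs qualify, which is the knob to tune against your own Azure CLI baseline.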

Detection Opportunity (KQL) 2

// Correlates browser visits to CAPTCHA/Turnstile-themed URLs with Azure CLI OAuth sign-ins
// by the same user within the following 10 minutes.
let SuspiciousVisits = 
    DeviceNetworkEvents
    | where TimeGenerated >= ago(7d)
    | where isnotempty(RemoteUrl)
    | where RemoteUrl has_any ("cloudflare-verify", "captcha", "turnstile")
    | where InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "brave.exe", "firefox.exe")
    // Lower-case the UPN so the join matches regardless of how either source cases it
    | project VisitTime = TimeGenerated, DeviceName, VisitUrl = RemoteUrl, DeviceUpn = tolower(InitiatingProcessAccountUpn);

let CLILogins =
    SigninLogs
    | where TimeGenerated >= ago(7d)
    | where AppId == "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
    | project LoginTime = TimeGenerated, SigninUpn = UserPrincipalName, IPAddress;

SuspiciousVisits
| join kind=inner (
    CLILogins
    | project LoginTime, SigninUpnLower = tolower(SigninUpn), IPAddress
) on $left.DeviceUpn == $right.SigninUpnLower
| where datetime_diff('minute', LoginTime, VisitTime) between (0 .. 10)
| project VisitTime, LoginTime, DeviceName, DeviceUpn, IPAddress, VisitUrl
| order by VisitTime desc


Bridewell CSIRT Detection Rules & Analytics

The following detection content was generated through our managed threat intelligence, threat hunting, and detection and response (MDR) services. The content automatically protects our customers from known and emerging threats.

Detection Analytic Concept                                   | Category
KQL_ConsentFix_Triage_RareAzureCLISignins                    | Initial Access
KQL_ConsentFix_AzureCLI_AppConsent_Events                    | Persistence
KQL_Turnstile_CaptchaVisit_Correlated_AzureCLI_Signin        | Initial Access
KQL_IOC_IPAddress_SigninDetection                            | Initial Access
KQL_NonInteractive_IOC_IPAddress_Signin                      | Initial Access
YARA_ConsentFix_Initial_Cloudflare_Lure                      | Initial Access
YARA_ConsentFix_OAuth_Phishing                               | Initial Access
YARA_ConsentFix_OAuth_Phishing_Landing                       | Initial Access

Stop Reacting. Start Hunting.

Bridewell’s threat-led MDR service combines world-class analysts with proprietary intelligence to protect your critical infrastructure and assets 24/7.
