APT28 Compromises European Defense Contractor via Outlook Zero-Day

Saturday, March 14, 2026 at 04:00 PM UTC·Source: ANSSI / Microsoft Threat Intelligence

Updated: Sunday, March 15, 2026 at 11:00 AM UTC

Executive Summary

APT28 exploits Outlook NTLM relay zero-day to compromise a major European defense contractor. Classified project data at risk.

Analysis

APT28 used CVE-2026-15899, an Outlook zero-day that triggers NTLM credential relay via a specially crafted calendar invite — no user interaction beyond receiving the email. Targeted a Tier-1 European defense contractor working on next-generation weapons systems. Access maintained for approximately three weeks before detection.

Timeline

Discovered

Mar 1, 2026

Exploitation Detected

Mar 1, 2026

Published

Mar 14, 2026

Patch Available

Mar 14, 2026

Indicators of Compromise (1)

CVE (1)

CVE-2026-15899

NVD MITRE CVE

Source Attribution

Originally published by ANSSI / Microsoft Threat Intelligence on Mar 14, 2026. Verified by: ANSSI, Microsoft, NATO.

Related Threats

CRITICALApt

7 tips for accelerating cyber incident recovery

Despite strong and redundant defenses, enterprises remain vulnerable to a wide range of cyberattacks. And because attacks — and cyber incidents — are inevitable, developing an incident response and recovery process that’s quick, comprehensive, and coordinated is essential. Expediting incident recovery time is critical because the longer an outage persists, the more costs, risk, and business disrup

3h agoCSO Online

LOWApt

5 Steps to Managing Shadow AI Tools Without Slowing Down Employees

Many employees already use shadow AI tools at work without security review. Adaptive Security breaks down how teams can build practical AI governance without adding friction for employees. [...]

17h agoBleepingComputer

MEDIUMApt

Turla Turns Kazuar Backdoor Into Modular P2P Botnet for Persistent Access

The Russian state-sponsored hacking group known as Turla has transformed its custom backdoor Kazuar into a modular peer-to-peer (P2P) botnet that's engineered for stealth and persistent access to compromised hosts. Turla, per the U.S. Cybersecurity and Infrastructure Security Agency (CISA), is assessed to be affiliated with Center 16 of Russia's Federal Security Service (FSB)

3d agoThe Hacker News