Security Report – 20 Mar 2026
Cloud breaches are becoming increasingly common, particularly across Microsoft 365 environments such as SharePoint and OneDrive. These platforms are heavily targeted not because of technical weaknesses, but because access is driven by user credentials. In many cases, attackers gain entry using stolen, reused, or outdated passwords—often where MFA is not enforced or has been misconfigured. This means breaches rarely involve sophisticated exploits; instead, they rely on legitimate sign‑ins that appear normal on the surface.
Once access is obtained, SharePoint data can be viewed, downloaded, or shared externally using built‑in features, making detection difficult. Sensitive files such as contracts, financial records, and internal documentation are often exposed without triggering alerts or malware warnings. As a result, organisations may remain unaware of a SharePoint breach for extended periods, reinforcing that identity compromise, rather than platform failure, is now the primary risk driving cloud data breaches.
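Because these sign-ins and file actions look legitimate one at a time, detection depends on correlating them. The sketch below is an added example, not part of the original report: it flags sign-ins without MFA that are followed by bulk downloads or an external share from the same user and IP. The event shape, field names, sample data and thresholds are all constructed assumptions; real sign-in and audit log exports would need to be mapped onto them.

```python
from datetime import datetime, timedelta

FILE_ACTIONS = {"download", "external_share"}

def ev(time, user, ip, kind, mfa=None):
    """Build one event in a simplified, constructed shape (not a real export schema)."""
    return {"time": datetime.fromisoformat("2026-03-18T" + time),
            "user": user, "ip": ip, "kind": kind, "mfa": mfa}

# Constructed sample data: documentation IP ranges and example.com accounts.
SAMPLE_EVENTS = (
    [ev("02:14:00", "a.lee@example.com", "203.0.113.7", "signin", mfa=False)]
    + [ev(f"02:{m}:00", "a.lee@example.com", "203.0.113.7", "download")
       for m in range(16, 21)]
    + [ev("02:25:00", "a.lee@example.com", "203.0.113.7", "external_share")]
    + [ev("09:00:00", "b.khan@example.com", "198.51.100.20", "signin", mfa=True)]
    + [ev(f"09:0{m}:00", "b.khan@example.com", "198.51.100.20", "download")
       for m in range(1, 7)]
    + [ev("10:00:00", "c.diaz@example.com", "192.0.2.44", "signin", mfa=False),
       ev("10:05:00", "c.diaz@example.com", "192.0.2.44", "download")]
)

def flag_single_factor_bulk_access(events, window=timedelta(hours=1), threshold=5):
    """Flag sign-ins without MFA that are followed, from the same user and IP
    within `window`, by `threshold` or more file actions or any external share."""
    findings = []
    for s in events:
        if s["kind"] != "signin" or s["mfa"]:
            continue  # only sign-ins that did not satisfy MFA are of interest
        actions = [e for e in events
                   if e["kind"] in FILE_ACTIONS
                   and (e["user"], e["ip"]) == (s["user"], s["ip"])
                   and s["time"] <= e["time"] <= s["time"] + window]
        shared = any(e["kind"] == "external_share" for e in actions)
        if len(actions) >= threshold or shared:
            findings.append({"user": s["user"], "ip": s["ip"],
                             "signin": s["time"].isoformat(),
                             "file_actions": len(actions),
                             "external_share": shared})
    return findings

if __name__ == "__main__":
    for finding in flag_single_factor_bulk_access(SAMPLE_EVENTS):
        print(finding)
```

In the sample data only the first account is flagged: the second satisfied MFA, and the third stays below the volume threshold with no external share.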
Recent Breaches
United States – Salesforce Experience Cloud – Technology
Exploit: Misconfiguration
Risk to Business: Moderate: Salesforce’s Cybersecurity Operations Center has warned that threat actors are mass-scanning publicly accessible Experience Cloud sites using a modified version of the AuraInspector tool to access customer data. AuraInspector is an open-source command-line tool originally released to audit Salesforce Aura and Experience Cloud applications for data exposure risks. It simulates a guest user to discover endpoints and test for access control weaknesses. Evidence suggests threat actors are now using a modified version of this tool to exploit overly permissive guest user settings, allowing unauthorised access to sensitive records. Misconfigured sites risk exposing customer relationship management (CRM) data such as accounts, contacts and leads, which can then be used to carry out targeted social engineering or vishing attacks.
United States – Stryker Corporation – Healthcare
Exploit: Nation-State
Risk to Business: Severe: Operations at Stryker, America’s largest medical device maker, remain disrupted more than a week after an Iran-linked cyberattack. On March 11, Stryker Corporation confirmed it suffered a significant cyber incident that impacted its global Microsoft environment. The Iran-linked threat actor Handala claimed responsibility for the attack, which appears to be politically motivated and destructive in nature. Unlike typical financially driven incidents, Stryker stated there is no indication of ransomware or traditional malware, suggesting a deliberate data destruction campaign rather than extortion. Reports indicate that attackers may have exploited Microsoft Intune, Stryker’s mobile device management platform, to issue remote wipe commands across corporate devices worldwide. The group claims to have wiped thousands of servers and endpoints, including Windows laptops and smartphones, and alleges the exfiltration of up to 50 TB of corporate data.
Robert Brown
20/3/2026