Office add-in hijacking 📧, Cloudflare Pages abuse ☁️, Odido telecom breach 📱, education ransomware 🎓
Daily Threat Intel Digest - 2026-02-15
🔴 Critical Threats & Active Exploitation
[NEW] Office Add-ins Hijacked for “AgreeTo” Phishing Campaign
Attackers are hijacking legitimate Microsoft Office add-ins to conduct highly convincing phishing attacks within the trusted Outlook interface. In a campaign dubbed “AgreeTo,” threat actors performed a subdomain takeover on an abandoned add-in’s hosting infrastructure, allowing them to serve a malicious phishing kit that inherited the original Microsoft-signed manifest’s permissions. This enabled attackers to read and modify victim emails and exfiltrate over 4,000 sets of credentials. The malicious sidebar persists across devices and even survives password resets by leveraging authenticated session tokens, making removal exceptionally difficult for users and traditional security tools. This attack vector transforms any orphaned, high-permission add-in into a potential persistent backdoor, bypassing the need for initial malware installation on the endpoint [SOCFortress analysis].
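To audit a tenant's own add-in manifests for the precondition this campaign exploited, here is an added example (not from the SOCFortress analysis): it parses a manifest, collects the hosts Office will load code and assets from, and flags a mailbox-level permission whose host no longer resolves. The manifest and host names are constructed, and the resolver is pluggable so the check can be run offline or with a stricter takeover checker.

```python
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Outlook permission levels that let add-in code read and modify mail.
HIGH_PERMISSIONS = {"ReadWriteMailbox", "ReadWriteItem"}

# Constructed sample manifest (shape follows the Office add-in manifest schema); hosts are hypothetical.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="MailApp">
  <IconUrl DefaultValue="https://cdn.vendor.example/icon.png"/>
  <Permissions>ReadWriteMailbox</Permissions>
  <FormSettings><Form xsi:type="ItemRead"><DesktopSettings>
    <SourceLocation DefaultValue="https://addin.orphaned-vendor.example/index.html"/>
  </DesktopSettings></Form></FormSettings>
</OfficeApp>"""

def extract_hosts(manifest_xml):
    """Every https host the manifest tells Office to load code or assets from."""
    hosts = set()
    for el in ET.fromstring(manifest_xml).iter():
        url = el.get("DefaultValue", "")
        if url.startswith("https://"):
            hosts.add((urlparse(url).hostname or "").lower())
    return hosts

def permission_level(manifest_xml):
    """The <Permissions> text, matched with the XML namespace prefix stripped."""
    for el in ET.fromstring(manifest_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "Permissions":
            return (el.text or "").strip()
    return "unknown"

def dns_resolves(host):
    """Default resolver (needs network). NXDOMAIN is only one takeover signal; a CNAME
    to a deprovisioned cloud tenant also qualifies, so pass a stricter checker to audit()."""
    try:
        socket.getaddrinfo(host, 443)
        return True
    except socket.gaierror:
        return False

def audit(manifest_xml, resolves=dns_resolves):
    """(permission, dangling_hosts, high_risk): a dangling host plus mailbox-level
    permission is the AgreeTo precondition, since whoever re-registers the host
    serves code under the still-trusted manifest."""
    perm = permission_level(manifest_xml)
    dangling = sorted(h for h in extract_hosts(manifest_xml) if not resolves(h))
    return perm, dangling, bool(dangling) and perm in HIGH_PERMISSIONS
```

Run `audit()` over every manifest exported from the tenant's integrated apps or users' sideloaded add-ins; a `True` third value is an add-in to remove or re-home before someone else claims its host.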
[NEW] Cloudflare Pages Abused in Large-Scale Malware Delivery Operation
A long-running malicious operation is abusing the reputation of Cloudflare Pages to deliver phishing, adware, and malware at scale. Attackers have created more than 250 SEO-optimized landing pages hosted on *.pages.dev that are indexed by search engines. These pages display a benign-looking article but then force a “Continue reading” modal that redirects users to a central Traffic Distribution System (TDS). This backend system filters targets and routes them to various malicious outcomes, including credential-harvesting pages, fake software installers, and QR-code scams. The click-gated redirect and anti-analysis features (like blocking VPNs/proxies) help the campaign evade automated detection, resulting in low antivirus detection rates for delivered payloads. This technique highlights the growing risk of attackers abusing legitimate cloud platforms for malicious infrastructure that is difficult to block wholesale [Malware Analysis].
- IOCs: preservationwristwilling[.]com/utx3iw6i?key= ; SHA256 of observed adware: be590100ecdcae5ce4b7b42f87082e201fcb2f38c114c8fbc6640ad9b9a0708a
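As an added example (not from the cited analysis), the following script applies the redirect-chain pattern this item describes to constructed proxy log lines: it finds clients that landed on a *.pages.dev page and were then referred off-platform to another domain, and follows the referral chain onward to the final payload host. The log format and every domain in it are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

HOSTED = ".pages.dev"
# Constructed proxy log: "<epoch> <client> <method> <url> <referer|-> <status>".
# All domains are hypothetical; the second client is benign same-site traffic.
SAMPLE_LOG = """\
1771100000 10.0.0.5 GET https://example-guide.pages.dev/article/123 - 200
1771100004 10.0.0.5 GET https://tds-gate.example/go?key=abc https://example-guide.pages.dev/article/123 302
1771100005 10.0.0.5 GET https://fake-installer.example/setup.exe https://tds-gate.example/ 200
1771100200 10.0.0.9 GET https://docs-mirror.pages.dev/ - 200
1771100210 10.0.0.9 GET https://docs-mirror.pages.dev/style.css https://docs-mirror.pages.dev/ 200
"""
LINE = re.compile(r"^(\d+) (\S+) \S+ (\S+) (\S+) (\d{3})$")

def host(url):
    return (urlparse(url).hostname or "").lower()

def parse(log_text):
    """Rows of (ts, client, url, referer_or_None); malformed lines are skipped."""
    rows = []
    for m in filter(None, map(LINE.match, log_text.splitlines())):
        ts, client, url, ref, _status = m.groups()
        rows.append((int(ts), client, url, None if ref == "-" else ref))
    return rows

def find_exit_chains(rows, window=30):
    """Per client, a *.pages.dev page followed within `window` seconds by a request to a
    non-pages.dev host whose Referer is that page, then every further hop the chain
    refers onward. Same-site sub-resources never leave pages.dev and are ignored."""
    by_client = defaultdict(list)
    for row in rows:
        by_client[row[1]].append(row)
    chains = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r[0])
        for i, (ts, _, url, _ref) in enumerate(reqs):
            if not host(url).endswith(HOSTED):
                continue
            hops, current = [host(url)], host(url)
            for ts2, _, url2, ref2 in reqs[i + 1:]:
                if ts2 - ts > window:
                    break
                if ref2 and host(ref2) == current and not host(url2).endswith(HOSTED):
                    hops.append(host(url2))
                    current = host(url2)
            if len(hops) > 1:
                chains.append((client, hops))
    return chains
```

The off-platform hop is the useful pivot: pages.dev itself is too widely used to block, but a newly observed domain that is only ever reached via a pages.dev referer is worth alerting on and feeding to URL reputation checks.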
[NEW] Major Data Breach at Dutch Telecom Odido Affects 6.2 Million Customers
Over 6.2 million customers of Dutch telecommunications provider Odido have been impacted by a significant data breach. Unidentified attackers gained access to the company’s customer contact system and exfiltrated a large volume of personal information. The breach affects a substantial portion of the Dutch population, putting millions at risk of targeted phishing, identity theft, and other forms of fraud. The company is currently investigating the scope of the incident and has not yet disclosed the specific timeline of the attack or the exact types of data compromised [DataBreaches.Net].
🎯 Threat Actor Activity & Campaigns
[NEW] TheGentlemen Ransomware Group Claims Attack on Brazilian University
The ransomware group known as TheGentlemen has claimed responsibility for an attack against UniFil, a major educational institution in Brazil. The attack, reported on February 10, 2026, has resulted in the theft of sensitive data, with the group threatening to release it publicly unless the university negotiates. This incident continues the trend of ransomware groups targeting the education sector, which, while seeing a plateau in the number of attacks, is experiencing increasingly severe data exposure [DeXpose report].
[NEW] “Kurd Hackers Forum” Emerges as Hub for Middle Eastern Breaches
A new, clear-net cybercrime forum called the “Kurd Hackers Forum” has been established, specifically focusing on data breaches and leaks from Iran, Syria, and Turkey. The domain was registered in late January 2026, and the forum’s structure closely mirrors that of the notorious BreachForums. The emergence of a dedicated, publicly accessible forum for this geographic focus indicates a maturation and specialization within the cybercrime ecosystem, potentially leading to an increase in targeted attacks and data trafficking within the region [DataBreaches.Net].
📋 Policy & Industry News
[NEW] Nevada Adopts Statewide Data Classification Policy Following Cyberattack
Months after a severe cyberattack crippled state systems, Nevada’s Governor’s Technology Office has announced a new, first-of-its-kind statewide data classification policy. The policy creates standardized categories for data sensitivity, aiming to improve privacy and security controls across all state agencies. This move represents a direct, policy-level response to a major incident and could serve as a model for other state and local governments looking to formalize data governance and reduce their attack surface [DataBreaches.Net].
[NEW] Guernsey Medical Practice Sanctioned for Phishing-Induced Data Breach
The Office of the Data Protection Authority (ODPA) in Guernsey has formally sanctioned First Contact Health, a local medical practice, following a data breach that originated from a successful phishing attack on an employee’s email account. The attackers gained unauthorized access to confidential patient data, leading the regulator to determine that the practice failed to implement sufficient security measures. This action underscores the increasing regulatory scrutiny and potential penalties for organizations that fail to protect against common attack vectors like phishing, especially in the healthcare sector [DataBreaches.Net].
[NEW] 2025 Report: Ransomware Attacks on Schools Plateau, But Data Exposure Surges
A new report analyzing ransomware trends in the education sector reveals that while the number of attacks in 2025 remained relatively steady compared to previous years, the total volume of records exposed increased dramatically. According to Comparitech, threat actors claimed 251 attacks on educational institutions, but the impact was magnified by a handful of large-scale breaches and successful exploitation of third-party software vulnerabilities. This trend suggests that ransomware groups are becoming more efficient at exfiltrating data, even if the frequency of initial compromise is not rising, putting the personal information of students and faculty at greater risk [DataBreaches.Net].