Exploited SharePoint Flaw, 75k DDoS Warnings, and Russian Email Spy Campaign Shape Week 16 Cyber Landscape
Analysis of CVE-2026-32201 exploitation, Operation PowerOFF alerts, and Ukrainian email compromise with mitigation steps for security teams.
**TL;DR:** In calendar week 16 of 2026, CISA added CVE-2026-32201 to its Known Exploited Vulnerabilities catalog, Europol’s Operation PowerOFF issued over 75,000 DDoS‑related warnings, and Reuters linked Russia to the compromise of more than 170 Ukrainian prosecutors’ email accounts. These events highlight attackers targeting vendor interfaces, cloud services, and trusted communications.
**Context:** Week 16 (April 13‑19, 2026) showed that trust is increasingly broken at the seams between organizations and their external partners. While high‑profile ransomware grabs headlines, the week’s most telling signs came from a legacy on‑premises flaw, a coordinated law‑enforcement alert surge, and a classic espionage campaign. Together they reveal that attackers exploit any weak link—whether a SharePoint server, a dependency chain, or an email gateway—to reach valuable data.
**Key Facts:**
- On April 14, CISA placed CVE-2026-32201, a remote code execution flaw in SharePoint Server, into the KEV catalog and set an April 28 deadline for U.S. federal agencies to apply mitigations. Microsoft noted the vulnerability was already being exploited before patches were released, affecting on‑premises deployments that integrate with document workflows and business applications.
- Europol’s Operation PowerOFF, spanning 21 countries, generated over 75,000 warnings about impending DDoS attacks, seized 53 domains, executed 25 search warrants, and resulted in four arrests. The operation targeted booter‑as‑a‑service infrastructure, using traffic‑analysis signatures and abuse‑report sharing to alert potential victims.
- Reuters reported that more than 170 email accounts belonging to Ukrainian prosecutors and investigators were compromised over several months, with spillover to military and government accounts in Romania, Greece, Bulgaria, and Serbia. Researchers attribute the campaign to Russian state‑linked actors who used phishing lures and credential‑harvesting techniques (MITRE ATT&CK T1566.001, T1078) to gain persistent access to sensitive correspondence.
**What It Means:** The SharePoint flaw underscores the risk of unpatched on‑premises software that interfaces with cloud services and third‑party plugins. Defenders should apply the April 2026 security update immediately, enforce least‑privilege access to SharePoint farms, and monitor for unusual SPNEGO or SOAP requests to the server's web‑service endpoints (MITRE ATT&CK T1210). Operation PowerOFF demonstrates that proactive threat‑intelligence sharing can reduce the impact of DDoS‑for‑hire services. Organizations should subscribe to abuse‑feed services, enable rate‑limiting and SYN‑cookie protections on edge devices, and review logs for amplification vectors such as memcached or DNS reflection. The email espionage campaign reminds teams that credential theft remains a high‑value tactic. Enforce MFA on all privileged accounts, deploy anti‑phishing gateways that detect look‑alike domains, and rotate passwords for any account suspected of compromise. Regularly review mailbox forwarding rules and IMAP/SMTP anomalies: a forwarding or redirect rule pointing at an external address is a common way for an intruder to keep reading correspondence after the password has been changed.

Watch for follow‑on patches from Microsoft for related SharePoint components, further disclosures from Europol on seized booter networks, and any indications that the Russian email operation expands to NATO‑linked institutions.
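The "monitor for unusual SOAP requests" advice above is easier to act on with a concrete check. The following is an added example written for this page, not code from the original article, Microsoft, or CISA, and it does not encode anything specific to CVE-2026-32201. It parses IIS W3C log lines (the sample lines, the internal address range `10.0.0.0/8`, and the thresholds are all constructed assumptions) and flags requests to the SharePoint web‑service endpoints under `/_vti_bin/` that come from outside the corporate range, succeed without an authenticated user, use a non‑Office user agent, or arrive in a burst from one source.

```python
import ipaddress
from collections import defaultdict

# Constructed sample IIS W3C log lines (not real traffic). Fields follow the
# default IIS layout; user agents have spaces encoded as '+' as IIS writes them.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2026-04-14 09:12:01 10.0.0.5 GET /sites/finance/SitePages/Home.aspx - 443 CORP\\alice 10.0.12.34 Mozilla/5.0+(Windows+NT+10.0)+Edge 200 0 0 120
2026-04-14 09:12:07 10.0.0.5 POST /_vti_bin/lists.asmx - 443 CORP\\alice 10.0.12.34 Mozilla/5.0+(Windows+NT+10.0)+Edge 200 0 0 88
2026-04-14 09:13:40 10.0.0.5 POST /_vti_bin/client.svc/ProcessQuery - 443 - 203.0.113.77 python-requests/2.31 200 0 0 410
2026-04-14 09:13:41 10.0.0.5 POST /_vti_bin/webs.asmx - 443 - 203.0.113.77 python-requests/2.31 200 0 0 390
2026-04-14 09:13:42 10.0.0.5 POST /_vti_bin/sites.asmx - 443 - 203.0.113.77 python-requests/2.31 500 0 0 2100
2026-04-14 09:15:00 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\bob 10.0.12.50 Mozilla/5.0+(Windows+NT+10.0)+Edge 200 0 0 60
"""

# Assumption: the organisation's internal address space. Adjust to taste.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# User-agent fragments expected from browsers and Office clients talking to SharePoint.
CLIENT_MARKERS = ("Mozilla/", "Microsoft+Office", "MSOffice")
WEBSERVICE_PREFIX = "/_vti_bin/"  # SOAP .asmx services and client.svc live here


def parse_iis(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):  # skip truncated or malformed lines
            continue
        yield dict(zip(fields, parts))


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def score_request(rec):
    """Return the list of reasons a single web-service request looks suspicious."""
    reasons = []
    if not rec["cs-uri-stem"].lower().startswith(WEBSERVICE_PREFIX):
        return reasons  # only the web-service endpoints are in scope here
    if rec["cs-method"] == "POST" and not is_internal(rec["c-ip"]):
        reasons.append("soap_post_from_external")
    if rec["cs-username"] == "-" and rec["sc-status"] == "200":
        reasons.append("unauthenticated_soap_success")
    if not any(m in rec["cs(User-Agent)"] for m in CLIENT_MARKERS):
        reasons.append("non_office_user_agent")
    return reasons


def find_suspicious(text, burst_threshold=3):
    """Return (per-request hits, sources that hit web services >= burst_threshold times)."""
    hits = []
    per_source = defaultdict(int)
    for rec in parse_iis(text):
        if rec["cs-uri-stem"].lower().startswith(WEBSERVICE_PREFIX):
            per_source[rec["c-ip"]] += 1
        reasons = score_request(rec)
        if reasons:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], reasons))
    bursts = {ip: n for ip, n in per_source.items() if n >= burst_threshold}
    return hits, bursts


if __name__ == "__main__":
    found, burst_sources = find_suspicious(SAMPLE_LOG)
    for ip, uri, why in found:
        print(f"{ip} {uri} -> {', '.join(why)}")
    print("burst sources:", burst_sources)
```

On the constructed sample, Alice's authenticated `lists.asmx` call from inside the network produces no finding, while the three scripted POSTs from 203.0.113.77 are flagged individually and as a burst. In production the same rules belong in the SIEM rather than a script, and the user‑agent and address checks should be tuned against a baseline of legitimate integration traffic before alerting.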
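For the mailbox‑rule review recommended above, here is an added example, written for this page and not taken from the article or from any vendor tooling, that audits an export of inbox rules. It assumes the rules were exported from Exchange in the shape of `Get-InboxRule` output serialised to JSON (the field names follow that cmdlet; the rule contents, mailbox names and the organisation domain `prosecutor.example` are constructed). It flags rules that forward or redirect mail to an address outside the organisation's domains, raises the severity when the same rule also deletes or marks the message as read (so the owner never sees the copy leave), and calls out rules with empty or punctuation‑only names, a common trick for hiding a rule in the Outlook rules list.

```python
import json
import re

# Assumption: the organisation's own mail domains; anything else is "external".
ORG_DOMAINS = {"prosecutor.example"}

# Constructed export in the shape of Get-InboxRule output serialised as JSON.
# Mailboxes, rule names and targets are invented for the example.
SAMPLE_RULES = json.dumps([
    {"MailboxOwnerId": "a.ivanenko@prosecutor.example", "Name": "Archive newsletters",
     "Enabled": True, "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": [],
     "DeleteMessage": False, "MarkAsRead": True, "MoveToFolder": "Newsletters",
     "SubjectContainsWords": ["Digest"]},
    {"MailboxOwnerId": "a.ivanenko@prosecutor.example", "Name": ".",
     "Enabled": True, "ForwardTo": ["backup.mail3@gmail.com"], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": True, "MarkAsRead": True,
     "MoveToFolder": None, "SubjectContainsWords": ["case", "indictment", "password"]},
    {"MailboxOwnerId": "o.koval@prosecutor.example", "Name": "Copy to deputy",
     "Enabled": True, "ForwardTo": ["deputy@prosecutor.example"], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False, "MarkAsRead": False,
     "MoveToFolder": None, "SubjectContainsWords": []},
    {"MailboxOwnerId": "o.koval@prosecutor.example", "Name": "Old rule",
     "Enabled": False, "ForwardTo": [], "RedirectTo": ["x@proton.me"],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False, "MarkAsRead": False,
     "MoveToFolder": None, "SubjectContainsWords": []},
])

# Exchange renders recipients as e.g. 'Name [SMTP:user@host]'; pull the address out.
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def external_targets(rule):
    """Addresses in any forward/redirect action whose domain is not one of ours."""
    targets = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for entry in rule.get(key) or []:
            for addr in ADDR_RE.findall(entry):
                domain = addr.rsplit("@", 1)[1].lower()
                if domain not in ORG_DOMAINS:
                    targets.append(addr.lower())
    return targets


def assess_rule(rule):
    """Return (severity, findings) for one inbox rule."""
    findings = []
    ext = external_targets(rule)
    if ext:
        findings.append("external_forward:" + ",".join(sorted(set(ext))))
        # Deleting or marking read hides the forwarded copy from the mailbox owner.
        if rule.get("DeleteMessage") or rule.get("MarkAsRead"):
            findings.append("hides_forwarded_mail")
    # Names made only of whitespace or punctuation are easy to overlook in Outlook.
    if re.fullmatch(r"[\s.,_-]*", rule.get("Name") or ""):
        findings.append("evasive_rule_name")
    severity = "none"
    if findings:
        severity = "high" if ext and rule.get("Enabled", True) else "medium"
    return severity, findings


def audit(export_json):
    """Map mailbox owner -> list of (rule name, severity, findings) needing review."""
    report = {}
    for rule in json.loads(export_json):
        severity, findings = assess_rule(rule)
        if findings:
            report.setdefault(rule["MailboxOwnerId"], []).append(
                (rule.get("Name"), severity, findings))
    return report


if __name__ == "__main__":
    for owner, items in audit(SAMPLE_RULES).items():
        for name, severity, findings in items:
            print(f"{owner}: rule {name!r} [{severity}] {'; '.join(findings)}")
```

The rule named "." on the first mailbox is the pattern to look for after a credential‑theft campaign: external forward, message deleted, keyword filter on case material. A disabled rule that still points outside the organisation is reported at medium severity because an intruder who retains credentials can re‑enable it. In practice, run this against a fresh export of every mailbox in scope and pair it with a review of transport‑level forwarding (mailbox `ForwardingSmtpAddress`), which this check does not cover.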