32202 Spoof Lure
April 29, 2026. Users report that ‘SharePoint’ windows look almost right but strip security cues your org trained them to expect. IR ties the behaviour to CVE-2026-32202’s spoofing primitives plus a hurried phishing kit.
Briefing
Public databases summarise CVE-2026-32202 as a Windows Shell protection mechanism failure that allows spoofing over a network with user interaction. Attackers still need social engineering; the bug helps the window chrome lie convincingly enough that people drag classified PDFs into a fake sync client.
Your role
IR analyst partnering with the M365 team on hybrid desktop fraud.
Objective
Establish the spoof chain from fake SharePoint prompt to file upload attempt, DLP block, and host isolation.
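One way to reconstruct the chain the objective names, as an added example that is not part of this exercise's materials: it correlates constructed telemetry (a user report, EDR and DLP records for a made-up host) into the expected stage order and reports any stage that is missing or out of order. The record layout, stage names and hostnames are assumptions, not a real product schema.

```python
# Added example (not from the exercise): correlate constructed telemetry into
# the spoof chain the objective asks for. Field layout and stage names are
# assumptions, not a real product schema.
from datetime import datetime

# Expected order of the chain: lure window -> upload -> DLP block -> isolation.
CHAIN = ["lure_window", "upload_attempt", "dlp_block", "host_isolated"]

# Constructed telemetry: two hosts, several sources, deliberately out of order.
EVENTS = [
    {"ts": "2026-04-29T09:14:05Z", "host": "wks-1142", "source": "edr",
     "stage": "upload_attempt", "detail": "fake sync client POST, 3 files"},
    {"ts": "2026-04-29T09:13:41Z", "host": "wks-1142", "source": "user_report",
     "stage": "lure_window", "detail": "SharePoint window lacks security cues"},
    {"ts": "2026-04-29T09:14:06Z", "host": "wks-1142", "source": "dlp",
     "stage": "dlp_block", "detail": "blocked 3 PDFs tagged CLASSIFIED"},
    {"ts": "2026-04-29T09:20:00Z", "host": "wks-0077", "source": "dlp",
     "stage": "dlp_block", "detail": "other host, must not join this chain"},
    {"ts": "2026-04-29T09:16:30Z", "host": "wks-1142", "source": "edr",
     "stage": "host_isolated", "detail": "network isolation applied"},
]

def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def build_spoof_chain(events, host):
    """Return (ordered chain, missing stages) for one host; an event that
    would make the timeline run backwards is treated as missing."""
    per_host = sorted((e for e in events if e["host"] == host),
                      key=lambda e: parse_ts(e["ts"]))
    chain, last_ts = [], None
    for stage in CHAIN:
        # First event of this stage that is not earlier than the previous stage.
        hit = next((e for e in per_host if e["stage"] == stage
                    and (last_ts is None or parse_ts(e["ts"]) >= last_ts)), None)
        if hit is not None:
            chain.append(hit)
            last_ts = parse_ts(hit["ts"])
    found = {e["stage"] for e in chain}
    return chain, [s for s in CHAIN if s not in found]

if __name__ == "__main__":
    chain, missing = build_spoof_chain(EVENTS, "wks-1142")
    for e in chain:
        print(f'{e["ts"]} {e["source"]:<12} {e["stage"]:<15} {e["detail"]}')
    print("missing stages:", missing or "none")
```

The wks-0077 record is left out of the wks-1142 chain, and for wks-0077 itself only the DLP stage is found, so the function reports the other three stages as missing instead of presenting a partial chain as complete.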
Terminal environment
- user: responder
- host: ir-laptop-07
- cwd: /home/ir/spoof-lure
- steps: 8
Safety note. This is a safe reconstruction. All systems, files, hosts, credentials, and outputs are simulated. Do not use these techniques on systems you do not own or have explicit permission to test.