VYPR
Trend · Published Jun 22, 2026 · 1 source

Check Point Weekly Report: Texas Parks & Wildlife Breach, Klue OAuth Theft, and SearchLeak Copilot Vulnerability

Check Point's weekly threat intelligence bulletin covers a third-party breach at Texas Parks and Wildlife exposing 3 million records, a Klue breach by the Icarus group stealing Salesforce OAuth tokens, and Microsoft's patch for the SearchLeak Copilot prompt injection.

Check Point Research has released its weekly threat intelligence bulletin for June 22, 2026, detailing a range of active attacks and vulnerabilities. The report highlights a significant third-party data breach at the Texas Parks and Wildlife Department, a sophisticated OAuth token theft at market intelligence platform Klue, and the patching of a critical prompt injection vulnerability in Microsoft 365 Copilot Search, among other incidents.

The Texas Parks and Wildlife Department breach affected approximately 3.1 million hunting and fishing license customers. The incident, which occurred through the department's license system vendor, exposed driver's license numbers, passport numbers, email addresses, phone numbers, and residential addresses. Social Security numbers and payment data were not compromised, according to the department. The breach underscores the growing risk of third-party vendor compromises in the public sector.

In a separate incident, market intelligence platform Klue confirmed a breach after attackers used compromised legacy integration credentials to steal OAuth tokens connected to customer Salesforce environments. The Icarus extortion group claimed responsibility, and the stolen tokens enabled the theft of sales and customer data from several high-profile clients, including Huntress, Recorded Future, Tanium, and Jamf. This attack highlights the dangers of unused or poorly managed integration credentials and the cascading impact of OAuth token theft.

On the vulnerability front, Microsoft patched CVE-2026-42824, a prompt injection vulnerability in Microsoft 365 Copilot Search dubbed "SearchLeak." Researchers from Varonis detailed how a crafted link could trigger hidden instructions that abuse Bing image fetch to exfiltrate emails, authentication codes, and files from OneDrive or SharePoint. Microsoft has released a security update to address the flaw.

The report also covers active exploitation of several other vulnerabilities. Fortinet FortiSandbox flaws CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089 are being exploited through unauthenticated API requests, enabling path traversal and root-level command execution. Microsoft confirmed CVE-2026-50656, a Defender zero-day allowing privilege escalation to SYSTEM via a race condition, with a public proof-of-concept available. Cisco acknowledged active exploitation of CVE-2026-20262, an arbitrary file write flaw in Catalyst SD-WAN Manager, and released patches. Splunk Enterprise CVE-2026-20253 is also under active attack, allowing unauthenticated file operations that can lead to remote code execution.

Additionally, Check Point Research uncovered a crypto clipboard hijacker promoted through phishing websites and amplified on GitHub, SourceForge, and YouTube. The Rust-based malware targets Windows and macOS, replacing copied cryptocurrency wallet addresses with attacker-controlled ones. The report also notes a seasonal surge in travel-themed cybercrime, with 47,318 travel-related domains registered in May 2026, and Amazon-themed scams ahead of Prime Day.

This weekly bulletin serves as a comprehensive snapshot of the current threat landscape, emphasizing the need for organizations to patch critical vulnerabilities promptly, monitor third-party access, and remain vigilant against evolving social engineering and supply chain attacks.

Synthesized by Vypr AI