Red Hot Cyber
Cybersecurity, Cybercrime News and Vulnerability Analysis

Microsoft 365 in the Crosshairs: $2.5 Million Zero-Day Exploit Up for Auction

10 July 2026 06:48

A staggering figure published in an announcement on a well-known underground forum is attracting the attention of the cyber security community. A user with the nickname Orcinus orca claims to be in possession of a rare zero-day vulnerability capable of compromising the core infrastructure of Microsoft 365. The user is then auctioning off what is described as a Pre-Authentication Server-Side Request Forgery (SSRF) exploit that can provide initial access to systems without any authentication.

According to reports, the exploit can target the global Exchange Online infrastructure by exploiting a mechanism of protocol-level desynchronization. This security bug allows bypassing Microsoft’s internal gateways. Additionally, the author of the post claims to have obtained session cookies and induced the infrastructure to process requests intended for users, hypothesizing scenarios of interception and compromise of accounts.

The post describes particularly severe impacts, including network segmentation bypass, Web Application Firewall bypass, and even the possibility of executing zero-click attacks, i.e., without any interaction from the victim.

Advertising

The requested price, as mentioned at the beginning, is staggering: it starts at $1 million as the base bid and $2.5 million for an immediate purchase, with payment exclusively in Monero (XMR).

Caution: Everything is Still to be Verified

As happens in the underground world, it is necessary to maintain a cautious approach. There are no independent confirmations that demonstrate the actual existence of this rare security bug, nor has Microsoft released any communications confirming a compromise of its infrastructure.

We can say that it is very common for cybercriminals to exaggerate or falsify the capabilities of their exploits to increase their commercial value. However, even when an announcement is unfounded, the appearance of offers of this level represents an indicator of interest in cloud infrastructures, especially in hyperscalers’ cloud infrastructures.

The Role of Initial Access Brokers

If this exploit were really functional, potential buyers would likely be the so-called Initial Access Brokers (IAB), in addition to nation-states and national intelligence. This is a central figure in the cybercrime economy, which we have discussed several times on these pages.

They are groups specialized in detecting security bugs (both known and 0-day, as in this case) within corporate networks, cloud services, or privileged accounts and then reselling such access to other criminal groups.

Advertising

In practice, they represent the first link in the attack chain. Once a Microsoft 365 environment is compromised, access could be sold to ransomware operators, data theft groups, Business Email Compromise (BEC) campaigns, or state-sponsored actors interested in cyber espionage activities.


Follow us on Google News to receive daily updates on cybersecurity. Contact us if you would like to report news, insights or content for publication.

Luigi Zullo 300x300
Cybersecurity researcher with experience in vulnerability analysis, cyber risk mitigation, red teaming and ethical hacking, and the protection of complex systems. Specializing in penetration testing and threat intelligence, he helps strengthen the digital resilience of corporate infrastructures and networks.
Areas of Expertise: Penetration Testing, Threat Intelligence, Red Teaming, Vulnerability Assessment, Incident Response