New phishing kit targets Microsoft 365 accounts.

This news roundup describes three security developments: an active phishing-as-a-service called Kali365 that harvests OAuth tokens to compromise Microsoft 365 accounts; Anthropic’s Project Glasswing using the Mythos model to surface over 23,000 potential open-source vulnerabilities (about 1,500 high/critical, 530 disclosed, 75 patched so far); and Dutch police arrests of two alleged bulletproof hosting operators who facilitated Russian cyber activity, with over 800 servers seized.