What to look out for today
1) Endpoint management servers being abused to push malware: Threat actors are exploiting a FortiClient Enterprise Management Server (EMS) flaw to deploy credential-stealing malware via trusted management infrastructure.
2) “Helpful” search results (and AI chatbot recommendations) leading to mining/malware: A campaign is spreading GPU-mining malware via SEO poisoning and manipulated AI chatbot recommendations, targeting machines with powerful graphics hardware.
3) Follow-on phishing after a major consumer breach: A large confirmed breach (Carnival) may fuel convincing phishing and fraud using leaked personal details.
Why this matters to smaller businesses
- Trusted tools become the attacker's tools: An endpoint management platform exists to push software to every PC, so if it is compromised the attacker can reach many machines quickly and quietly, including finance and admin machines.
- Credential theft is a gateway: Stolen logins can lead to email takeover, invoice fraud, payroll diversion and wider SaaS compromise.
- Search poisoning hits busy teams: Staff often Google “download”, “how to”, “fix error” or vendor support pages. A bad link can lead to unwanted software installs.
- Breach ripple effects: When criminals have accurate personal details, scam emails and calls become harder for staff to spot.
Warning signs
- Devices receive “software updates” or “endpoint agent packages” that IT didn’t announce.
- Unusual login alerts for Microsoft 365/Google/work apps, especially from new locations or at odd times.
- Multiple staff report browser pop-ups, unexpected new extensions, or sudden performance issues (fans running hard / high GPU usage).
- Helpdesk tickets mention users finding a fix via search/AI and being prompted to install a “tool”, “driver”, “support app” or “security update”.
- Phishing that references real personal/travel details (likely recycled from breached datasets) to pressure payment or account verification.
How attackers may exploit the situation
- Abuse of trusted management infrastructure: If FortiClient EMS is exposed or not updated, attackers can use that trust path to distribute credential-stealing malware across endpoints.
- Credential theft → account takeover: Stolen passwords/cookies can be used to access email, cloud storage, payroll, accounting and supplier portals.
- Search/AI manipulation: Criminals steer users to lookalike download/support pages, pushing unwanted installers that lead to mining or further malware.
- Social engineering after breaches: Scammers use known details to sound legitimate and rush staff into changing bank details, buying gift cards, or “confirming” logins.
What to do today
- Confirm whether you use FortiClient EMS (directly or via your IT provider/MSP) and who is responsible for securing it.
- Tell staff: don’t install “fix tools” or “support apps” found via search/AI without IT approval; use bookmarked vendor portals.
- Check for suspicious sign-ins on key services (email, finance, payroll, CRM). Prioritise admins and finance users.
- Harden high-risk users: ensure MFA is on for email, admin accounts and finance systems; review any recent MFA changes/resets.
- Be alert for breach-themed phishing: remind staff that “data breach compensation”, “booking issues”, or “account verification” emails can be scams.
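The sign-in check above is easiest to do on an exported log rather than by eye. The script below is an added example for this brief, not code from any of the sources or from Microsoft: it takes sign-in records in the shape of a Microsoft Entra ID sign-in log export (field names userPrincipalName, createdDateTime, ipAddress, location.countryOrRegion, status.errorCode are an assumption about that format), restricts them to a list of admin and finance accounts, and flags successful sign-ins from a country the user does not normally use, sign-ins outside business hours (UTC hours, an assumption), and a success that follows a burst of failed attempts from the same IP. The records, accounts and baseline countries are constructed for the example.

```python
"""Triage exported sign-in records for high-risk accounts.

Added example for this brief (not from the sources or any vendor).  The
records below are constructed, and their field names assume the Microsoft
Entra ID sign-in log export format (userPrincipalName, createdDateTime,
ipAddress, location.countryOrRegion, status.errorCode).
"""
from datetime import datetime

# Accounts to prioritise (assumption: the admins and finance users for this business).
WATCH_USERS = {"ceo@example.com", "finance@example.com", "itadmin@example.com"}

# Assumption: countries each watched user normally signs in from.
BASELINE_COUNTRIES = {
    "ceo@example.com": {"GB"},
    "finance@example.com": {"GB"},
    "itadmin@example.com": {"GB", "IE"},
}

# Constructed sample records.  errorCode 0 is a successful sign-in;
# 50126 is Entra ID's "invalid username or password".
SAMPLE_SIGNINS = [
    {"userPrincipalName": "finance@example.com", "createdDateTime": "2025-01-10T09:02:11Z",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"}, "status": {"errorCode": 0}},
    # Success from a new country, in the middle of the night.
    {"userPrincipalName": "finance@example.com", "createdDateTime": "2025-01-11T02:47:30Z",
     "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NG"}, "status": {"errorCode": 0}},
    # Three password failures then a success from the same IP against an admin.
    {"userPrincipalName": "itadmin@example.com", "createdDateTime": "2025-01-11T11:00:01Z",
     "ipAddress": "192.0.2.55", "location": {"countryOrRegion": "GB"}, "status": {"errorCode": 50126}},
    {"userPrincipalName": "itadmin@example.com", "createdDateTime": "2025-01-11T11:00:09Z",
     "ipAddress": "192.0.2.55", "location": {"countryOrRegion": "GB"}, "status": {"errorCode": 50126}},
    {"userPrincipalName": "itadmin@example.com", "createdDateTime": "2025-01-11T11:00:20Z",
     "ipAddress": "192.0.2.55", "location": {"countryOrRegion": "GB"}, "status": {"errorCode": 50126}},
    {"userPrincipalName": "itadmin@example.com", "createdDateTime": "2025-01-11T11:01:02Z",
     "ipAddress": "192.0.2.55", "location": {"countryOrRegion": "GB"}, "status": {"errorCode": 0}},
    # Not a watched account: ignored by this triage.
    {"userPrincipalName": "sales@example.com", "createdDateTime": "2025-01-11T03:00:00Z",
     "ipAddress": "198.51.100.2", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
]


def _parse_utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def triage(records, watch_users=WATCH_USERS, baseline=BASELINE_COUNTRIES,
           business_hours=(7, 20), fail_threshold=3):
    """Return findings for successful sign-ins by watched users that came from
    an unexpected country, fell outside business hours (UTC), or followed
    fail_threshold or more failed attempts from the same IP."""
    findings = []
    failures = {}  # (user, ip) -> consecutive failed attempts seen so far
    watched = sorted((r for r in records if r["userPrincipalName"] in watch_users),
                     key=lambda r: r["createdDateTime"])  # ISO-8601 Z stamps sort as text
    for rec in watched:
        user, ip = rec["userPrincipalName"], rec["ipAddress"]
        key = (user, ip)
        if rec["status"]["errorCode"] != 0:
            failures[key] = failures.get(key, 0) + 1
            continue
        when = _parse_utc(rec["createdDateTime"])
        country = rec.get("location", {}).get("countryOrRegion", "unknown")
        reasons = []
        if country not in baseline.get(user, set()):
            reasons.append(f"sign-in from unexpected country {country}")
        if not business_hours[0] <= when.hour < business_hours[1]:
            reasons.append("sign-in outside business hours")
        if failures.get(key, 0) >= fail_threshold:
            reasons.append(f"success after {failures[key]} failed attempts from {ip}")
        failures[key] = 0  # a success resets the streak for this user/IP pair
        for reason in reasons:
            findings.append({"user": user, "time": rec["createdDateTime"], "ip": ip, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SIGNINS):
        print(f"{f['time']}  {f['user']:<24} {f['ip']:<16} {f['reason']}")
```

Run on the constructed records it reports three findings: the finance account's night-time sign-in from a new country (two reasons) and the admin account's success after three failures. Anything it flags still needs a human to confirm with the user before passwords are reset, and the baseline should be rebuilt from a known-good period rather than typed from memory.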
Ask your IT provider
- Do we have FortiClient EMS anywhere in our environment (or managed on our behalf)? Is it internet-facing?
- What monitoring is in place for endpoint-management platforms (admin logins, new packages pushed, unusual configuration changes)?
- If credentials are stolen, what is our rapid response plan (forced sign-out, password resets, token revocation, mailbox rules review)?
- Can you provide a quick report of unusual sign-ins for the last 7 days for admins and finance users?
- Do we have application allow-listing or controls to prevent staff installing random “downloaded” tools?
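The "mailbox rules review" in the rapid response question above is where invoice fraud and account takeover most often leave a trace: a rule that quietly forwards payment mail outside the company or deletes security warnings. The script below is an added example for this brief, not code from any of the sources or from Microsoft. It reviews inbox rules in the shape of an Exchange Online Get-InboxRule export (the field names Name, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage, MoveToFolder and SubjectContainsWords are an assumption about that export, and the extra Mailbox field is added per rule for this example) and flags external forwarding, deletion or hiding of matching mail, filters on sensitive keywords, and the near-empty rule names attackers tend to use. The rules and internal domain are constructed.

```python
"""Review exported mailbox inbox rules for signs of account takeover.

Added example for this brief (not from the sources or any vendor).  The
rules below are constructed; their field names assume an export of
Exchange Online's Get-InboxRule output (Name, Enabled, ForwardTo,
RedirectTo, ForwardAsAttachmentTo, DeleteMessage, MoveToFolder,
SubjectContainsWords) with one extra "Mailbox" field added per rule.
"""
import re

INTERNAL_DOMAINS = {"example.com"}  # assumption: the business's own mail domains
# Folders attackers commonly use to hide mail from the real user.
HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Archive", "Deleted Items",
                  "Junk Email", "Conversation History"}
SENSITIVE_WORDS = {"invoice", "payment", "bank", "wire", "remittance",
                   "password", "mfa", "verification", "hacked", "suspicious"}

# Constructed sample rules.
SAMPLE_RULES = [
    {"Mailbox": "finance@example.com", "Name": "Move newsletters", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": [],
     "DeleteMessage": False, "MoveToFolder": "Newsletters",
     "SubjectContainsWords": ["newsletter"]},
    # Classic invoice-fraud setup: silent external forward of payment mail.
    {"Mailbox": "finance@example.com", "Name": ".", "Enabled": True,
     "ForwardTo": ["Billing [SMTP:billing@example-payments.co]"], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False, "MoveToFolder": None,
     "SubjectContainsWords": ["invoice", "payment"]},
    # Hides security warnings so the owner never sees them.
    {"Mailbox": "ceo@example.com", "Name": "..", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": [],
     "DeleteMessage": True, "MoveToFolder": None,
     "SubjectContainsWords": ["password", "verification"]},
    # Disabled and probably legitimate, but it targets a hiding folder so it is listed.
    {"Mailbox": "itadmin@example.com", "Name": "Archive old", "Enabled": False,
     "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": [],
     "DeleteMessage": False, "MoveToFolder": "Archive", "SubjectContainsWords": []},
]

_ADDR = re.compile(r"[\w.+-]+@[\w.-]+")


def _addresses(entries):
    """Pull SMTP addresses out of recipient strings like 'Name [SMTP:a@b]' or 'a@b'."""
    return [m.group(0).lower() for e in entries for m in _ADDR.finditer(e)]


def review_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per rule that shows at least one takeover indicator."""
    findings = []
    for rule in rules:
        reasons = []
        outbound = _addresses(rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
                              + rule.get("ForwardAsAttachmentTo", []))
        external = [a for a in outbound if a.rsplit("@", 1)[1] not in internal_domains]
        if external:
            reasons.append("forwards/redirects to external " + ", ".join(external))
        if rule.get("DeleteMessage"):
            reasons.append("deletes matching messages")
        if rule.get("MoveToFolder") in HIDING_FOLDERS:
            reasons.append(f"moves matching messages to {rule['MoveToFolder']}")
        hits = sorted({w.lower() for w in rule.get("SubjectContainsWords", [])} & SENSITIVE_WORDS)
        if hits:
            reasons.append("filters on sensitive words: " + ", ".join(hits))
        name = rule.get("Name", "").strip()
        if len(name) <= 2 or not any(c.isalnum() for c in name):
            reasons.append(f"suspicious rule name {name!r}")
        if reasons:
            findings.append({"mailbox": rule["Mailbox"], "name": rule["Name"],
                             "enabled": rule.get("Enabled", True), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_rules(SAMPLE_RULES):
        state = "enabled" if f["enabled"] else "disabled"
        print(f"{f['mailbox']:<24} {f['name']!r:<20} {state}: " + "; ".join(f["reasons"]))
```

On the constructed rules it lists the finance forward (external address, sensitive keywords, one-character name), the CEO's delete rule, and the admin's disabled archive rule. Remove any rule the mailbox owner did not create before resetting the password and revoking sessions, otherwise the attacker's forwarding keeps working after the reset.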
Patch watch
If you (or your MSP) run FortiClient EMS, treat this as urgent: the reporting indicates active exploitation of an authentication bypass (CVE-2026-35616) for which a fix has been released. Confirm the installed EMS version is a fixed release, make sure the management interface is not reachable from the internet, and review EMS admin logins and recently created deployment packages for anything IT did not create.
One action today
Message staff today: only use bookmarked vendor/support pages and never install “fix” or “support” tools found via search/AI without IT approval.
Related Actions On Cyber resource
Actions On Cyber checklist: Phishing & invoice fraud quick checks (including supplier bank-detail change verification)
Sources
- Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer (The Hacker News)
- Hackers exploit FortiClient EMS flaw to push infostealer malware (BleepingComputer)
- GPU mining malware spreads via SEO poisoning, AI chatbots (BleepingComputer)
- Carnival Cruise confirms data breach affecting nearly 6 million people (BleepingComputer)
This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.