The DarkSword attack — your iPhones could give hackers access to company data
CISA warns of actively exploited iOS attack chain threatening anyone running Microsoft Authenticator, Outlook, or Teams on iPhone.
Five new vulnerabilities were added to CISA's Known Exploited Vulnerabilities catalog on March 20. Three of them form an attack chain called DarkSword targeting iPhones.
This is not a theoretical risk. DarkSword is being actively exploited right now. The attack requires minimal user interaction and can give the attacker full device control.
Why this matters for SMBs
Most of your employees have Microsoft Authenticator, Outlook, and Teams installed on their iPhones. A compromised iPhone means potential access to MFA codes, email, and internal communications.
Microsoft Authenticator also has its own vulnerability (CVE-2026-26123) enabling sign-in interception via a Man-in-the-Middle attack through a rogue app. Together, these flaws create a serious mobile security risk.
What you should do now
- Check iOS versions — all devices should run at least iOS 18.3.2. Check in Intune under Device Compliance.
- Create a compliance policy in
Intunethat blocks devices with older iOS versions from accessing company data. - Enable jailbreak detection in Microsoft Authenticator — this is rolling out now and blocks compromised devices.
- Update the Authenticator app to the latest version via Intune MAM.
CISA requires US federal agencies to patch by April 3. We recommend the same deadline for all organizations.
How we can help
We offer a Quick Check (1-2h) to verify your Intune compliance policies and iOS versions. Need help setting up the right policies? Contact us.