The Chinese APT campaign documented inside Microsoft 365 tenants this week used the MITRE ATT&CK T1098 technique class (Account Manipulation): service principal role assignments, OAuth application grants, and Exchange mailbox delegation rules. A credential reset does not remove these, and neither does MFA re-enrollment. The vendor's post-incident guidance for M365 tenant compromise leads with credential hygiene and user account remediation. The persistence mechanism documented in T1098 survives both steps because it is not a credential. It is a trust grant, logged in the tenant's own audit trail as an authorized configuration change. Clearing it requires a full audit of every application registration and delegated permission in the tenant, which is not a standard triage step in any APAC financial institution IR runbook written before 2023.
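The audit described above can be sketched as a triage pass over exported tenant objects. This is an added example, not vendor or campaign code: the field names follow the Microsoft Graph `oauth2PermissionGrant` and `appRoleAssignment` resources, while the sample data, the high-risk scope list, and the incident window are assumptions made for illustration. It covers OAuth grants and service principal role assignments only, not Exchange mailbox delegation.

```python
from datetime import datetime, timezone

# Assumption: delegated scopes this triage treats as high-risk; tune per tenant.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                    "Files.Read.All", "Files.ReadWrite.All", "full_access_as_user"}

def parse_ts(value):
    """Parse a Graph-style ISO 8601 timestamp such as 2026-06-03T02:14:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_trust_grants(service_principals, oauth_grants, app_role_assignments, window_start):
    """Return trust grants that a password reset or MFA re-enrollment leaves in place."""
    names = {sp["id"]: sp["displayName"] for sp in service_principals}
    findings = []
    # Delegated (OAuth) grants are triaged by scope rather than by date here.
    for grant in oauth_grants:
        risky = sorted(set(grant.get("scope", "").split()) & HIGH_RISK_SCOPES)
        if risky:
            findings.append({"kind": "delegated_grant",
                             "app": names.get(grant["clientId"], grant["clientId"]),
                             "consent": grant.get("consentType"), "detail": risky})
    # Application role assignments to service principals created inside the window.
    for ara in app_role_assignments:
        if (ara.get("principalType") == "ServicePrincipal"
                and parse_ts(ara["createdDateTime"]) >= window_start):
            findings.append({"kind": "app_role_assignment",
                             "app": names.get(ara["principalId"], ara["principalId"]),
                             "consent": "application", "detail": [ara["appRoleId"]]})
    return sorted(findings, key=lambda f: (f["kind"], f["app"]))

# Constructed sample export; ids, names and dates are invented for illustration.
SAMPLE_SPS = [{"id": "sp-0001", "displayName": "Mail Archive Sync"},
              {"id": "sp-0002", "displayName": "HR Portal"}]
SAMPLE_GRANTS = [
    {"clientId": "sp-0001", "consentType": "AllPrincipals", "scope": "Mail.Read offline_access"},
    {"clientId": "sp-0002", "consentType": "Principal", "scope": "User.Read"},
]
SAMPLE_ROLE_ASSIGNMENTS = [
    {"principalId": "sp-0001", "principalType": "ServicePrincipal",
     "appRoleId": "role-constructed-01", "createdDateTime": "2026-06-03T02:14:00Z"},
    {"principalId": "sp-0002", "principalType": "ServicePrincipal",
     "appRoleId": "role-constructed-02", "createdDateTime": "2024-01-10T09:00:00Z"},
]
WINDOW_START = datetime(2026, 6, 1, tzinfo=timezone.utc)  # constructed incident window

if __name__ == "__main__":
    for finding in audit_trust_grants(SAMPLE_SPS, SAMPLE_GRANTS,
                                      SAMPLE_ROLE_ASSIGNMENTS, WINDOW_START):
        print(finding)
```

Every finding is an object that still exists after the affected users' passwords and MFA methods are reset, so each one needs an explicit keep-or-revoke decision.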
Cisco SD-WAN is under active exploitation with no patch available as of 7 June 2026, so the network layer is not closed either. APAC banks running that product for branch connectivity face a live exploitation path through their network segmentation architecture at the same time as documented state-linked persistence inside their M365 tenants. MAS TRM 2021 and HKMA's Cybersecurity Fortification Initiative both require demonstrable control effectiveness across identity and network layers. Neither document addresses the scenario where the control vendor's product is the active attack vector and no remediation is available. MAS has not issued emergency guidance; Cisco has not committed to a patch date.