An unpatched Atlassian Confluence server served as the credential-harvesting stage in the SCC-CAM-2026-0354 attack chain: plaintext credentials embedded in Confluence pages enabled Kerberos relay against Active Directory. No specific Confluence CVE is attributed in this campaign. The risk is operational: unpatched Confluence paired with embedded secrets creates a reliable escalation path from any internal foothold to domain compromise.
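A defender-side audit for the embedded-secrets half of this risk, as an added example that is not part of the original advisory: it scans Confluence page bodies in storage format for likely plaintext credentials, including text inside code macros. The sample pages, rule names and patterns are constructed assumptions, and exporting the page bodies is assumed to have been done already.

```python
import html
import re

# Constructed page bodies in Confluence storage format (XHTML); not real data.
SAMPLE_PAGES = {
    "Ops / LDAP sync": (
        '<ac:structured-macro ac:name="code"><ac:plain-text-body><![CDATA['
        'bind_dn = CN=svc_wiki,OU=Service,DC=corp,DC=example\n'
        'bind_password = Winter2026!]]></ac:plain-text-body></ac:structured-macro>'
    ),
    "Dev / Reporting DB":
        '<p><code>postgresql://report_ro:S3cr3tValue@db01.corp.example/r</code></p>',
    "Dev / Legacy app": '<p>password: <strong>Tr0ub4dor&amp;3</strong></p>',
    "HR / Onboarding": '<p>Reset your password in the portal. password: ********</p>',
}

# Hypothetical rule set: key/value assignments and credentials in URL userinfo.
RULES = {
    "key_value": re.compile(
        r'(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*(\S{6,})'),
    "url_userinfo": re.compile(r'(?i)[a-z][a-z0-9+.-]*://[^\s/:@]+:([^\s/@]+)@'),
}
MARKUP = re.compile(r'<!\[CDATA\[(.*?)\]\]>|<[^>]+>', re.S)

def _keep_cdata(match):
    # Keep the literal content of a CDATA section; replace any tag with a space.
    return match.group(1) if match.group(1) is not None else " "

def page_text(body):
    """Unwrap CDATA (code macros), drop tags, decode entities."""
    return html.unescape(MARKUP.sub(_keep_cdata, body))

def scan_pages(pages):
    """Return (title, rule, value_length) for each suspected embedded secret."""
    findings = []
    for title, body in pages.items():
        text = page_text(body)
        for rule, pattern in RULES.items():
            for match in pattern.finditer(text):
                value = match.group(1)
                if set(value) <= set("*xX."):  # masked placeholder, not a secret
                    continue
                # Report only the length so audit output does not re-expose it.
                findings.append((title, rule, len(value)))
    return findings

if __name__ == "__main__":
    print(scan_pages(SAMPLE_PAGES))
```

Any account whose credential turns up in a finding should be rotated, not just removed from the page, because page history retains earlier versions.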