Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Microsoft 365. Show all posts
Varonis
Cyber Attacks Data Leak Microsoft 365 Native Phishing User Privacy Varonis

Native Phishing Emerges as a New Microsoft 365 Threat Vector

 

A recent cybersecurity threat report highlights a tactic known as "native phishing," where attackers exploit the trusted, built-in features of Microsoft 365 to launch attacks from within an organization. This method moves beyond traditional phishing emails with malicious attachments, instead leveraging the trust users have in their own company's systems. 

The core of native phishing is its subtlety and legitimacy. After compromising a single user's Microsoft 365 account, an attacker can use integrated apps like OneNote and OneDrive to share malicious content. Since these notifications come from a legitimate internal account and the links point to the organization’s own OneDrive, they bypass both security systems and the suspicions of trained users.

Modus operandi

Attackers have found Microsoft OneNote to be a particularly effective tool. While OneNote doesn't support macros, it is not subject to Microsoft's "Protected View," which typically warns users about potentially unsafe files. Its flexible formatting allows attackers to create deceptive layouts and embed malicious links . 

In a typical scenario, an attacker who has gained access to a user's credentials will create a OneNote file containing a malicious link within the user's personal OneDrive. They then use the built-in sharing feature to send a legitimate-looking Microsoft notification to hundreds of colleagues. The email, appearing to be from a trusted source, contains a secure link to the file hosted on the company's OneDrive, making it highly convincing. 

Victims who click the link are directed to a fake login page, often a near-perfect replica of their company's actual authentication portal. These phishing sites are frequently built using free, AI-powered, no-code website builders like Flazio, ClickFunnels, and JotForm, which allow attackers to quickly create and host convincing fake pages with minimal effort. This technique has shown an unusually high success rate compared to other phishing campaigns. 

Mitigation strategies 

To combat native phishing, organizations are advised to take several proactive steps: 

  • Enforce multi-factor authentication (MFA) and conditional access to reduce the risk of account takeovers. 
  • Conduct regular phishing simulations to build employee awareness.
  • Establish clear channels for employees to report suspicious activity easily. 
  • Review and tighten Microsoft 365 sharing settings to limit unnecessary exposure.
  • Set up alerts for unusual file-sharing behavior and monitor traffic to known no-code website builders.
Read more »
Zero Day Vulnerabilities
CIS CISA Cyber Exploits Cyber Security CyberCrime DNA Global Attacks Malicious Software Microsoft 365 SharePoint Storm 2603 Zero Day Vulnerabilities

SharePoint Exploit Emerges as Root of Global Cyber Threat

 


A global cybersecurity crisis has been triggered by a newly discovered and unpatched vulnerability in Microsoft SharePoint Server, prompting the Governments of the United States, Canada, and Australia to conduct urgent investigations. In what experts are calling a coordinated and large-scale zero-day attack, which is a breach that takes advantage of a previously unknown security vulnerability, an exploit that enables remote code execution without the user's input, a critical flaw has been exploited to exploit a critical flaw that enables remote code execution without user interaction. 

A widely used enterprise platform called SharePoint, which facilitates the sharing and collaboration of documents and ideas, has been identified as one of the latest attack vectors by threat actors looking to gain access to high-value systems. Thousands of servers are said to be vulnerable to the attack, with organisations across the public and private sectors scrambling to protect their systems since there has been no official security patch available from Microsoft for some time. 

After this incident, concerns over Microsoft's security posture continue to grow, coming after a Chinese spying campaign in 2023 compromised email accounts belonging to U.S. government officials, including those belonging to the highest levels of the executive branch. As a result of the review, both the U.S. government and industry experts heavily criticised the company's security practices. 

The latest breach highlights persistent vulnerabilities in widely-used platforms, as well as raising serious concerns about whether the global infrastructure is sufficiently prepared for sophisticated, evolving cyber threats that are rapidly evolving in complexity. There has been an increase in threats surrounding the SharePoint vulnerability following the emergence of a ransomware attack by the threat actor referred to as Storm-2603. 

The group has changed its strategy from initially focusing on cyber-espionage operations to one focused on more destructive tactics, which is a troubling development in its campaign strategy. It appears that Storm-2603 is currently exploiting a vulnerable SharePoint flaw in order to infiltrate vulnerable systems and spread ransomware payloads. This is a worrying shift in the group's strategy. 

By encrypting entire networks with malicious software, this malicious software demands cryptocurrency payments to restore access, effectively paralysing the operations of the targeted businesses. As a result of this strategic pivot, Microsoft announced this in a blog post released late Wednesday. During its extended analysis, it found that the transition from silent data theft to overt disruption and extortion had occurred over the past couple of years. 

A ransomware campaign using this same zero-day vulnerability not only amplifies the threat posed by the campaign but also demonstrates that cybercriminal groups are blurring the line between espionage and financially motivated attacks as they become more prevalent in the world. As analysts warn, this dual-purpose exploitation could result in a greater financial and operational impact, especially for organisations that have not yet implemented compensating control or detection measures, which will lead to greater operational damage. 

Moreover, this incident underscores the urgency of timely patching, comprehensive threat monitoring, as well as cross-border cybersecurity collaboration, which are all imperative to preventing any future attacks on SharePoint. Microsoft has attributed the ongoing exploitation of the SharePoint vulnerability to a threat group known as Storm-263, which is rated as based in China with moderate confidence. 

Storm-2603 has not been directly connected to any other known Chinese threat actors, but has been linked to the attempted exfiltration of sensitive data, including MachineKeys, via on-premises SharePoint flaws. As of July 18, 2025, Microsoft has been observing the group actively deploying ransomware using the exploited vulnerability, despite not being directly linked to any Chinese threat actors. 

An attack chain for this attack starts when a malicious payload (spinstall0.aspx) is executed on internet-exposed SharePoint servers in order to enable the execution of commands through the w3wp.exe process. In addition to conducting reconnaissance through tools such as whoami, cmd.exe, and batch scripts, Storm-2603 disables Microsoft Defender by altering the system registry. 

An actor maintains persistence by installing web shells, creating scheduled tasks, and manipulating IIS components in a way that allows malicious .NET assemblies to be loaded and to maintain persistence. In order to move around and steal credentials, tools such as Mimikatz, PsExec, Impacket, and WMI are employed. 

Ultimately, the operation results in the installation of the Warlock ransomware using modified Group Policy Objects (GPOs). Moreover, Microsoft warns that other threat actors may exploit the same vulnerability, which emphasises the necessity of organisations to implement security mitigations and apply patches without delay to prevent further damage from occurring. 

According to the CVSS scale, CVE-2025-53770 is the critical zero-day vulnerability at the centre of the ongoing exploitation campaign. It has been assigned a severity score of 9.8 on the CVSS scale, meaning it is a critical zero-day flaw. There has been a classification given by security researchers for this vulnerability that which is a variation of the CVE-2025-49704 vulnerability that has been patched in the past, with a slightly less severe rating of 8.8. This vulnerability entailed code injection and remote code execution within Microsoft SharePoint Server. 

Although Microsoft's Patch Tuesday release of July 2025 addressed the earlier flaw, the newly discovered variant has not been patched, which leaves many SharePoint environments running on-premises at risk. A Microsoft advisory issued on July 19 says that the core problem stems from the derivation of untrusted data, which could lead to attackers remotely executing arbitrary code over a network without authenticating themselves. 

According to the company, the exploit is a serious one, and a comprehensive fix is in the process of being developed and undergoing extensive testing at the moment. Viettel Cyber Security has been credited with discovering the vulnerability via Trend Micro Zero Day Initiative (ZDI). The issue was reported to Trend Micro via the Zero Day Initiative (ZDI) and has been credited with the discovery. 

As outlined in a separate security bulletin released by Microsoft on the following weekend, Microsoft has confirmed that an active exploit of the vulnerability is still in progress, specifically targeting on-premise deployments. However, according to the company, SharePoint Online services within Microsoft 365 are not affected by the threat. 

A zero-day vulnerability known as CVE-2025-53770 has become a growing threat to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) as a result of its increasing threats. Earlier this week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a list of the Known Exploited Vulnerabilities (KEV) catalogue. 

Federal agencies have a limited timeframe—until Monday—to implement immediate mitigations. As a consequence of the active exploitation, according to Chris Butera, Acting Executive Assistant Director for Cybersecurity, the agency was alerted to the issue by a trusted partner, who promptly coordinated with Microsoft to resolve it. 

Researchers have attributed this vulnerability to the broader version of CVE-2025-49706, a vulnerability that was previously patched by Microsoft for spoofing. This vulnerability has been referred to as "ToolShell" by researchers. As the first cybersecurity firm to notice the attacks in action, Eye Security, a Dutch cybersecurity firm, reported that several high-profile targets, including multinational corporations, government institutions, and major banks, have already been compromised across several countries, including the United States, Germany, France, and Australia. 

It has been stated by Eye Security CTO Piet Kerkhofs that attackers are executing large numbers of exploit waves to gain unauthorised control through the use of the remote code execution (RCE) flaw. As a result of a technical analysis, it has been discovered that attackers are using the exploit to install web shells on compromised SharePoint servers and then to retrieve cryptographic keys from those servers. 

Through these keys, adversaries can forge authentication tokens and retain privileged access even after patches have been applied. Microsoft has advised organisations to make sure that all SharePoint servers have Defender Antivirus installed and that the Antimalware Scan Interface (AMSI) is integrated into SharePoint.

In case AMSI implementation is not possible, Microsoft recommends that vulnerable SharePoint instances be temporarily disconnected from the internet until a full security update is made available. Note that this vulnerability does not affect users of SharePoint Online within Microsoft 365, which is the cloud-based version of SharePoint. 

It has been reported that the CISA was first notified by a private cyber research firm on Friday of an active exploit of the SharePoint vulnerability, and Microsoft has been immediately notified, according to a spokesperson for the agency. A number of critical questions have been raised once again regarding Microsoft’s vulnerability management procedures as a result of this incident. 

There has previously been controversy surrounding the company due to its narrowly focused patches that do not often address similar attack paths, leaving organisations vulnerable to follow-up attacks that target similar exploits. It has been reported that Microsoft, one of the largest technology providers to global governments, has experienced a number of cybersecurity failures over the past two years, including attacks on its corporate infrastructure and executive email accounts, among other high-profile incidents. 

The Chinese government-backed threat actors were able to access federal official emails by exploiting a programming flaw in Microsoft's cloud services in one major incident. In addition, controversy was sparked after investigative outlet ProPublica reported Microsoft had hired engineers based in China to work on Department of Defence cloud projects. In response to the report, Defence Secretary Pete Hegseth immediately inspected the Pentagon cloud contracts and a formal review was initiated. 

Additionally, the nonprofit Centre for Internet Security (CIS) warned more than 100 vulnerable organisations, including public schools and universities, that they were at risk of being compromised by the threat. While Randy Rose, Vice President of CIS, indicated that incident response efforts had been significantly delayed as a result of a 65% cut to funding, CISA has had to significantly reduce its threat intelligence staffing.

In the future, this incident should serve as a crucial turning point for enterprises as they attempt to develop a comprehensive cybersecurity strategy beyond immediate containment. Organisations will need to adopt a mindset of continuous vigilance, integrating secure architecture with timely intelligence sharing, and automating threat detection into their operational DNA. 

When threat actors are constantly adapting and repurposing vulnerabilities, it is no longer sufficient to rely on vendor assurances without independent validation, especially in an environment where threat actors are constantly adapting and repurposing vulnerabilities. To minimise the blast radius in the event of a breach, organisations should prioritise scenario-based resilience planning, routine red teams, and strict access governance. 

Additionally, a close alignment between cybersecurity, legal, and executive leadership is essential in order to make informed decisions at the speed of modern threats. There is more to security than patchwork responses, as the threat matrix is evolving; it requires a security-first culture that is backed by investment, accountability, and strategic planning.
Read more »
stealth malware
Cyber Attacks CyberCrime Cyberhackers CyberThreat Microsoft 365 NCSC Russian Gru stealth malware

UK Connects Stealth Malware Targeting Microsoft 365 to Russian GRU

 


A series of sophisticated cyber espionage activities has been officially attributed to Russia's military intelligence agency, the GRU, in an important development that aims to strengthen the cybersecurity of both the United Kingdom and its allied countries. On 18 July, the United Kingdom government announced sanctions against three specific units of the GRU along with 18 Russian intelligence agents and military personnel. 

A wide range of actionisre being taken in order to hold cyber actors accountable for persistent and targeted cyber attacks targeting Western democracies. It has been discovered, in the National Cyber Security Centre (NCSC), a division of GCHQ, that Russian military intelligence operatives werutilisingng a previously unknown strain of malware in conducting surveillance operations on a number of occasions. 

AUTHENTIC ANTICS was a malicious program created specifically to steal email credentials from users, enabling prolonged unauthorised access to private communications through the use of covert infiltration and extraction of these credentials. It has been identified that the threat actor responsible for the deployment of this malware is APT28, a well-known cyber espionage group associated with the 85th Main Centre of Special Services of the GRU and also designated as military unit 26165. 

In the past few decades, this group has been known to target governmental, political, and military institutions in the Western world. According to the UK intelligence community, these activities are not only putting the nation's security at risk but also threatening the cybersecurity infrastructure of allied nations. APT28 tactics and tools are being exposed, and sanctions are being imposed against the individuals involved, in an effort by British authorities to disrupt hostile cyber operations and reaffirm their commitment in collaboration with international partners to safeguard democratic processes and information integrity. 

In contrast to previous disclosures that frequently provide high-level assessments, the National Cyber Security Centre's (NCSC) latest findings offer an uncommonly comprehensive insight into the GRU's cyber operations. This includes the cyber operations attributed to the group known in Western intelligence circles as Fancy Bear and its associated groups. 

Not only does this report provide insight into the technical capabilities of the operatives involved in the cyber campaigns, but it also sheds light on the broader strategic objectives behind the campaign as a whole. Several Russian intelligence officers and commanding figures have been publicly named and subjected to financial sanctions as a result of this public action. 

A total of 18 of these individuals are affiliated with the GRU units 29155 and 74455, as well as Unit 26165, which has been associated with cyber operations under the APT28 designation for some time. In an unprecedented move towards deterring state-sponsored cyberattacks by holding individual operatives accountable for their actions, this unprecedented level of attribution marks a significant step forward in international efforts to deter state-sponsored cyberattacks. 

In 2016, APT28, also known as Fancy Bear, made waves following high-profile cyberattacks that took place around the world, such as the 2016 breach of the World Anti-Doping Agency (WADA) and the infiltration of the Democratic National Committee (DNC) during the U.S. presidential election — events that had a huge impact on international affairs. NCSC has reported that, in the years since the attack, the group has continued its offensive operations, including targeting the email accounts of Sergei and Yulia Skripal. 

The compromised emails were discovered in the weeks leading up to the attempted assassination of a former Russian double agent in Salisbury and his daughter in 2018. It is clear that the GRU has been taking aggressive actions, according to David Lammy, which he described as part of a broader strategy that aims to undermine Ukrainian sovereignty, destabilise Europe, and endanger British citizens' safety. Lammy stated that the Kremlin should be clear about what they are trying to do in the shadows. 

This is a critical part of the government's Change Plan, he stressed, reinforcing the UK's commitment to the protection of its national security while standing firm against hostile state actors operating as cyberwarfare actors. In a report published by the National Cyber Security Centre (NCSC), detailed technical insights into the AUTHENTIC ANTICS malware have been released, which highlights a sophisticated design and stealthy method that makes it extremely challenging to detect and eliminate this malware. 

It was first observed in active use in 2023 when the malware was embedded into Microsoft Outlook. This method allows the malware to intercept authentication data without being able to see it because it is embedded directly in the Outlook process. When the malware has been installed, it prompts the user repeatedly for their sign-in credentials aauthorisationion tokens so that it can gain access to their email accounts by capturing them. 

 As a key advantage of the malware, it can take advantage of tenant-specific configurations of Microsoft 365 applications, which is one of the malware's key advantages. Moreover, according to the NCSC, this flexibility suggests that the threat is not confined to Outlook alone, but may also extend to other integrated services, including Exchange Online, SharePoint, and OneDrive, potentially exposing a wide range of data that would otherwise be unprotected by the company. 

The attackers at AUTHENTIC ANTICS are particularly insidious in their method of exfiltrating stolen data: they are using the victim's Outlook account to forward the stolen data to an account controlled by the attacker. As a method to hide such outgoing messages, the malware disables the "save to sent" function, so that the user remains unaware that unauthorised activity has taken place. This malware's architecture is modular, and its components include a dropper that initiates the installation process, an infostealer that gathers credentials and other sensitive information, a PowerShell script that automates and extends the malware's functionality, and a set of customised scripts that automate and extend its functionality. 

It is interesting to note that this malware does noutiliseze traditional command-and-control (C2) infrastructure, but rather relies on legitimate Microsoft services to communicate over the network. The result of this approach is a drastically reduced digital footprint, making it extremely difficult to trace or disrupt. In order to maximize its stealth, AUTHENTIC ANTICS minimizes the time and space that it spends on the victim's computer. 

It keeps important information in Outlook-specific registry locations, a method that allows it to avoid conventional endpoint detection mechanisms, sms, as it does not write significant data to disk. Based on the NCSC's technical analysis, these abilities allow the malware to remain infected for a long time, allowing it to keep gaining access to compromised accounts despite operating almost entirely undetected. This is an important turning point in the global cybersecurity landscape with the discovery that AUTHENTIC ANTICS was used as a tool by Russian state-sponsored cyber operations. 

As a result of this incident, it has been highlighted that advanced persistent threats are becoming increasingly sophisticated and persistent, and also underscores the need for more coordinated, strategic, and forward-thinking responses both from the public and private sectors in order to combat these threats. Increasingly, threat actors are exploiting trusted digital environments for espionage and disruption to enhance their effectivenesOrganisationstions must maintain a high level of security posture through rigorous risk assessments, continuous monitoring, and robust identity and access management strategies. Further, national and international policy mechanisms need to be enhanced to ensure that attribution is not only possible but actionable, reinforcing that malicious cyber activity will not be allowed to go unchallenged in the event of cyberattacks. 

It is essential for maintaining the stability of national interests, economic stability, and trust that is the basis of digital ecosystems to strengthen cyber resilience. This is no longer a discretionary measure but rather a fundamental obligation. The United Kingdom's decisive action in response to the attacks is a precedent that can be followed by others, but for progress to be made, it is necessary to maintain vigilance and strategic investment, as well as unwavering cooperation across industries and borders.
Read more »
Microsoft Teams
Black Basta Cyber Attacks Cybersecurity Precautions Hackers MFA Microsoft Microsoft 365 Microsoft Office vulnerability Microsoft Teams

Hackers Exploit Microsoft Teams for Phishing and Malware Attacks

 

Cybercriminals are increasingly targeting Microsoft Teams, utilizing the platform for sophisticated phishing, vishing, and ransomware campaigns. Exploiting Teams' widespread use, attackers employ social engineering tactics to deceive users and extract sensitive data. Methods range from fake job offers to malicious file sharing, aiming to infiltrate accounts and compromise organizational networks.

Bypassing Multifactor Authentication

One notable tactic involves bypassing multifactor authentication (MFA). Threat actors, reportedly linked to the SolarWinds attack, create fraudulent “onmicrosoft.com” subdomains designed to mimic legitimate security entities. They send chat requests via Microsoft Teams, prompting users to enter a code into the Microsoft Authenticator app. This action grants attackers unauthorized access to Microsoft 365 accounts, enabling data theft or the integration of malicious devices into corporate networks.

The Black Basta ransomware group employs a different strategy by overwhelming users with spam emails and impersonating IT support staff on Teams. Claiming to assist with email issues, they persuade victims to install remote desktop tools, providing attackers with direct access to deploy malware. This includes Trojans and ransomware designed to exfiltrate sensitive data and compromise systems.

Another prevalent scheme involves fake job offers. Scammers contact individuals with fabricated employment opportunities, sometimes conducting entire interviews via Microsoft Teams chat. These scams often escalate to requests for personal information, such as Social Security numbers or tax details. In some cases, victims are asked to pay for materials or services, resulting in financial loss and potential identity theft.

Attackers also impersonate HR personnel, sending phishing messages about urgent policy updates. These messages frequently include malicious files disguised as legitimate updates. Once downloaded, malware like DarkGate is installed, granting attackers control over the victim’s system and network.

Additionally, compromised Microsoft 365 accounts are used to distribute malicious files through Teams chats. These files often appear as PDFs with double extensions, deceiving users into downloading executable malware. Once activated, these programs can breach data and facilitate deeper network infiltration.

Mitigation Strategies for Organizations and Users

Vigilance is essential in countering these threats. Users should verify unexpected messages, invitations, or file-sharing requests, especially those containing links or urgent calls to action. Tools that check link safety and domain age can help detect phishing attempts.

Organizations should prioritize employee education on recognizing scams and enforcing robust cybersecurity protocols. By staying informed and cautious, users can mitigate risks and safeguard against cyberattacks targeting Microsoft Teams.

Read more »
Privacy
Edge Browser Microsoft 365 Password Privacy

Microsoft Edge’s New Password Update: What It Means for Your Online Security

 



Microsoft has finally turned a page in making the internet safer by offering protection against shared passwords. The establishment of sharing the same password among different users, for account management or accessing team resources, was a common practice but unsafe in the past. Such practices increase the likelihood of illegal access to data that might lead to a breach. At the Ignite 2024 developer conference, Microsoft revealed the solution to this problem: encrypted password sharing for users on Microsoft 365.


Simplifying Password Sharing for Microsoft 365 Users 

Soon, a new feature for Microsoft 365 Business Premium, E3, and E5 subscribers will roll out. It lets administrators deploy encrypted passwords in the browser Microsoft Edge for both corporate and web sites. This will be shared amongst designated users, thus allowing them to log on smoothly at these web sites without ever having to see the actual passwords.

According to group product manager for Edge enterprise at Microsoft, Lindsay Kubasik, this feature diminishes the possibility of unauthorized access and enhances organizational security. Because the encrypted passwords are uniformly distributed and only to a configured group of users, it keeps any organization from being exposed to security threats. The deployment will be gradual over the next few months with the idea of improving password management for enterprise users.


Essential Security Tips for Microsoft Edge Users 

While firms benefit from shared encrypted passwords, Microsoft recommends that personal consumers of the Edge browser eliminate password sharing outright. Shared password use may increase vulnerabilities and become an entry point for many cyberattacks.

For users, Edge will automatically encrypt sensitive data such as passwords, credit card details, and cookies when stored locally on a device. This means such data will stay safe, with access limited only to the logged-in user. Even if an attacker gains admin access to the device, they cannot retrieve plaintext passwords unless they also obtain the user’s operating system credentials.  


Best Practices for Password Security

Microsoft is keen on proper security practice, recommending that all users employ strong passwords, two-factor authentication, and even password managers as online account protection tools. Another alternative: passkeys, essentially biometric or device-based authentication methods, can eliminate reliance on a traditional password altogether.


The Bottom Line

Microsoft’s encrypted password sharing marks a pivotal advancement in digital security for enterprise users, setting a new standard for password management. For individual users, adopting recommended security practices remains crucial to staying protected in an increasingly digital world.


Read more »
Sextortion Scam
Bitcoin Cyber Security Email Scams Fraud Email Internet scammers Microsoft Microsoft 365 Ransom Demand Sextortion Scam

Beware of Fake Microsoft Emails Exploiting Microsoft 365 Vulnerabilities

 

The internet is rife with scams, and the latest involves hackers exploiting vulnerabilities in the Microsoft 365 Admin Portal to send fraudulent emails directly from legitimate Microsoft.com accounts. These emails bypass spam filters, giving them an appearance of credibility, but their true purpose is extortion. These scam emails claim to have sensitive images or videos of the recipient in compromising situations. To prevent this alleged content from being shared, the recipient is asked to pay a ransom—often in Bitcoin. This type of cybercrime, known as “sextortion,” is designed to prey on fear and desperation, making victims more likely to comply with the scammer’s demands. 

Unfortunately, sextortion scams are becoming increasingly common. While tech companies like Microsoft and Instagram implement protective measures, hackers find new ways to exploit technical vulnerabilities. In this case, scammers took advantage of a flaw in the Microsoft 365 Message Center’s “share” function, commonly used for legitimate service advisories. This loophole allows hackers to send emails that appear to come from a genuine Microsoft.com address, deceiving even cautious users. To identify such scams, it is crucial to evaluate the content of the email. Legitimate companies like Microsoft will never request payment in Bitcoin or other cryptocurrencies. 

Additionally, scammers often include personal information, such as a birthday, to make their claims more believable. However, it is important to remember that such information is easily accessible and does not necessarily mean the scammer has access to more sensitive data. Victims should also remember that scammers rarely have the incriminating evidence they claim. These tactics rely on psychological manipulation, where the fear of exposure often outweighs rational decision-making. Staying calm and taking deliberate action, such as verifying the email with official Microsoft support, can prevent falling prey to these schemes. Reporting such emails not only protects individual users but also helps cybersecurity teams track and combat the criminals behind these campaigns. 

Microsoft is actively investigating this criminal activity, aiming to close the exploited loopholes and prevent future scams. In the meantime, users must remain vigilant. Keeping software up to date, enabling multi-factor authentication, and using strong passwords can help mitigate risks. A scam email may look convincing, but its demands reveal its true intent. Always approach threatening emails critically, and when in doubt, seek guidance from the appropriate channels. By cultivating a habit of skepticism and digital hygiene, users can strengthen their defenses against cybercrime. Awareness and timely action are essential for navigating the modern threat landscape and ensuring personal and organizational security.
Read more »
Software
CrowdStrike Cyber Security Global Airlines IT system Microsoft 365 Software

Global IT Outage Disrupts Airlines, Hospitals, and Financial Institutions

 



A major IT outage has affected a wide array of global institutions, including hospitals, major banks, media outlets, and airlines. The disruption has hindered their ability to offer services, causing widespread inconvenience and operational challenges.

International airports across India, Hong Kong, the UK, and the US have reported significant issues, with numerous airlines grounding flights and experiencing delays. In the US, major airlines such as United, Delta, and American Airlines implemented a "global ground stop" on all flights, while Australian carriers Virgin and Jetstar faced delays and cancellations. According to aviation analytics firm Cirium, over 1,000 flights worldwide have been cancelled due to the outages.

At Indira Gandhi International Airport in Delhi, passengers experienced "absolute chaos," with manual processes replacing automated systems. Similar situations were reported in airports in Tokyo, Berlin, Prague, and Zurich, where operations were significantly hampered.

Emergency services and hospitals have also been severely impacted. In the US state of Alaska, officials warned that the 911 system might be unavailable, and some hospitals have had to cancel surgeries. In Australia, however, authorities confirmed that triple-0 call centres were unaffected.

Hospitals in Germany and Israel reported service disruptions, while GP services in the UK were also affected. These interruptions have raised concerns about the ability of medical facilities to provide timely care.

The media sector did not escape the impact, with many broadcast networks in Australia experiencing on-air difficulties. Sky News UK went off air for a period but has since resumed broadcasting. Retail operations were also disrupted, with supermarkets like Coles in Australia facing payment system failures, forcing the closure of self-checkout tills.

Cybersecurity firm CrowdStrike has confirmed that a defective software update for its Microsoft Windows hosts caused the outage. In a statement, CrowdStrike assured that the issue had been identified, isolated, and a fix deployed, emphasising that the incident was not a cyberattack. They advised organisations to communicate with CrowdStrike representatives through official channels to ensure proper coordination.

Earlier in the day, a Microsoft 365 service update had noted an issue impacting users' ability to access various Microsoft 365 apps and services. Microsoft later reported that most services were restored within a few hours.

The outage has highlighted the vulnerabilities of global IT systems and the widespread reliance on third-party software. A spokesperson for Australia's home affairs ministry attributed the issues to a technical problem with a third-party software platform used by the affected companies. The country's cybersecurity watchdog confirmed that there was no evidence of a malicious attack.

As companies scramble to resolve the issues, the incident serves as a stark reminder of the critical need for robust IT infrastructure and effective crisis management strategies. The global scale of the disruption underscores the interconnected nature of modern technology and the potential for widespread impact when systems fail.

This incident will likely prompt a reevaluation of cybersecurity measures and disaster recovery plans across various sectors, emphasising the importance of resilience and preparedness in the digital age.


Read more »
Microsoft 365
Command and Control(C2) Cyber Security Google Microsoft Hackers Microsoft 365

Rising Threat: Hackers Exploit Microsoft Graph for Command-and-Control Operations

 


Recently, there has been a trend among nation-state espionage groups they are tapping into native Microsoft services for their command-and-control (C2) operations. Surprisingly, different groups, unrelated to each other, have reached the same conclusion that It is smarter to leverage Microsoft's services instead of creating and managing their own infrastructure. This approach not only saves them money and hassle but also lets their malicious activities blend in more seamlessly with regular network traffic. In this regard, the Microsoft graph plays a major role. 
 
Microsoft Graph is like a toolbox for developers, offering an interface to connect to various data like emails, calendars, and files stored in Microsoft's cloud services. While it is harmless in its intended use, it has also become a tool for hackers to set up their command-and-control (C2) infrastructure using these same cloud services. Recently, Symantec found a new type of malware called "BirdyClient" being used against an organization in Ukraine. This malware sneaks into the Graph API to upload and download files through OneDrive. However, we are still waiting to hear from Microsoft about this.   
 
O'Brien emphasizes that organisations must be vigilant regarding unauthorized cloud account usage. Many individuals access personal accounts, like OneDrive, from work networks, which poses a risk as it makes it harder to detect malicious activities. To mitigate this risk, organizations should ensure that connections are limited to their enterprise accounts and implement strict access controls. 

In response to the concerning trend of hackers exploiting Microsoft Graph for command-and-control operations, organizations must prioritize proactive measures to fortify their cybersecurity posture. Firstly, staying vigilant with updates and patches for all Microsoft applications, particularly those related to Microsoft Graph, is imperative. Regularly monitoring network traffic for any anomalies or unauthorized access attempts can also help in the early detection of suspicious activities. Implementing robust access controls and multi-factor authentication protocols can significantly mitigate the risk of unauthorized access to sensitive data through Microsoft Graph. 

Additionally, conducting thorough employee training programs to raise awareness about the potential threats posed by such exploits and promoting a culture of cybersecurity consciousness throughout the organization are indispensable steps in bolstering defenses against cyber threats. By adopting these preventive measures, organizations can effectively safeguard their systems and data from the nefarious intentions of cyber adversaries.
Read more »
Tycoon
Gmail malware MFA Bypass Microsoft 365 multifactor authentication phishing kit Safety Security Tycoon

'Tycoon' Malware Kit Bypasses Microsoft and Google Multifactor Authentication

 

An emerging phishing kit called "Tycoon 2FA" is gaining widespread use among threat actors, who are employing it to target Microsoft 365 and Gmail email accounts. This kit, discovered by researchers at Sekoia, has been active since at least August and received updates as recent as last month to enhance its evasion techniques against multifactor authentication (MFA).

According to the researchers, Tycoon 2FA is extensively utilized in various phishing campaigns, primarily aimed at harvesting Microsoft 365 session cookies to bypass MFA processes during subsequent logins. The platform has amassed over 1,100 domain names between October 2023 and late February, with distribution facilitated through Telegram channels under different handles such as Tycoon Group, SaaadFridi, and Mr_XaaD.

Operating as a phishing-as-a-service (PhaaS) platform, Tycoon 2FA offers ready-made phishing pages for Microsoft 365 and Gmail accounts, along with attachment templates, starting at $120 for 10 days, with prices varying based on the domain extension. Transactions are conducted via Bitcoin wallets managed by the "Saad Tycoon Group," suspected to be the operator and developer of Tycoon 2FA, with over 1,800 recorded transactions as of mid-March.

The phishing technique employed by Tycoon 2FA involves an adversary-in-the-middle (AitM) approach, utilizing a reverse proxy server to host phishing webpages. This method intercepts user inputs, including MFA tokens, allowing attackers to bypass MFA even if credentials are changed between sessions.

Despite the security enhancements provided by MFA, sophisticated attacks like Tycoon 2FA pose significant threats by exploiting AitM techniques. The ease of use and relatively low cost of Tycoon 2FA make it appealing to threat actors, further compounded by its stealth capabilities that evade detection by security products.

Sekoia researchers outlined a six-stage process used by Tycoon 2FA to execute phishing attacks, including URL redirections, Cloudflare Turnstile challenges, JavaScript execution, and the presentation of fake authentication pages to victims.

The emergence of Tycoon 2FA underscores the evolving landscape of phishing attacks, challenging the effectiveness of traditional MFA methods. However, security experts suggest that certain forms of MFA, such as security keys implementing WebAuthn/FIDO2 standards, offer higher resistance against phishing attempts.

To assist organizations in identifying Tycoon 2FA activities, Sekoia has published a list of indicators of compromise (IoCs) on GitHub, including URLs associated with Tycoon 2FA phishing campaigns.
Read more »
Technology
AI technology Artificial Inteligence Microsoft 365 Microsoft Copilot Technology

Microsoft is Rolling out an AI Powered Key

 


Prepare for a paradigm shift as Microsoft takes a giant leap forward with a game-changing announcement – the integration of an Artificial Intelligence (AI) key in their keyboards, the most substantial update in 30 years. 

This futuristic addition promises an interactive and seamless user experience, bringing cutting-edge technology to the tips of your fingers. Explore the next frontier of computing as Microsoft redefines the way we engage with our keyboards, setting a new standard for innovation in the digital age. The groundbreaking addition grants users seamless access to Copilot, Microsoft's dynamic AI tool designed to elevate your computing experience. 

At the forefront of AI advancements, Microsoft, a key investor in OpenAI, strategically integrates Copilot's capabilities into various products. Witness the evolution of AI as Microsoft weaves its intelligence into the fabric of everyday tools like Microsoft 365 and enhances search experiences through Bing. 

Not to be outdone, rival Apple has long embraced AI integration, evident in Macbooks featuring a dedicated Siri button on their touch bar. As the tech giants vie for user-friendly AI interfaces, Microsoft's AI key emerges as a pivotal player in redefining how we interact with technology. 

Copilot, the star of Microsoft's AI arsenal, goes beyond the ordinary, assisting users in tasks ranging from efficient searches to crafting emails and even generating visually striking images. It's not just a tool; it's your personalised AI companion, simplifying tasks and enriching your digital journey. Welcome to the era where every keystroke opens doors to boundless possibilities. 

By pressing this key, users seamlessly engage with Copilot, enhancing their daily experiences with artificial intelligence. Similar to the impact of the Windows key introduced nearly 30 years ago, the Copilot key marks another significant milestone in our journey with Windows, serving as the gateway to the realm of AI on PCs. 

In the days leading up to and during CES, the Copilot key will debut on numerous Windows 11 PCs from our ecosystem partners. Expect its availability from later this month through Spring, including integration into upcoming Surface devices. 

This addition, which simplifies access to Copilot, has already made waves in Office 365 applications like Word, PowerPoint, and Teams, offering functionalities such as meeting summarization, email writing, and presentation creation. Bing, Microsoft's search engine, has also integrated Copilot. 

According to Prof John Tucker from Swansea University, the introduction of this key is a natural progression, showcasing Microsoft's commitment to enhancing user experience across various products. Despite Windows 11 users already having access to Copilot via the Windows key + C shortcut, the new dedicated key emphasises the feature's value.

Acknowledging the slow evolution of keyboards over the past 30 years, Prof Tucker notes that Microsoft's focus on this particular feature illustrates its potential to engage users across multiple products. Google, a dominant search engine, employs its own AI system called Bard, while Microsoft's Copilot is built on OpenAI's GPT-4 language model, introduced in 2022. 

The UK's competition watchdog is delving into Microsoft's ties with OpenAI, prompted by disruptions in the corporate landscape that resulted in a tight connection between the two entities. The investigation seeks to understand the implications of this close association on competition within the industry. 

As we anticipate its showcase at CES, this innovative addition not only reflects Microsoft's commitment to user-friendly technology but also sparks curiosity about the evolving landscape of AI integration. Keep your eyes on the keyboard – the Copilot key signals a transformative era where AI becomes an everyday companion in our digital journey.


Read more »
User Privacy
AI Tool Artificial Intelligence Cyber Security data security data security threats Microsoft Microsoft 365 User Privacy

Microsoft's Purview: A Leap Forward in AI Data Security

Microsoft has once again made significant progress in the rapidly changing fields of artificial intelligence and data security with the most recent updates to Purview, its AI-powered data management platform. The ground-breaking innovations and improvements included in the most recent version demonstrate the tech giant's dedication to increasing data security in an AI-centric environment.

Microsoft's official announcement highlights the company's relentless efforts to expand the capabilities of AI for security while concurrently fortifying security measures for AI applications. The move aims to address the growing challenges associated with safeguarding sensitive information in an environment increasingly dominated by artificial intelligence.

The Purview upgrades introduced by Microsoft have set a new benchmark in AI data security, and industry experts are noting. According to a report on VentureBeat, the enhancements showcase Microsoft's dedication to staying at the forefront of technological innovation, particularly in securing data in the age of AI.

One of the key features emphasized in the upgrades is the integration of advanced machine learning algorithms, providing Purview users with enhanced threat detection and proactive security measures. This signifies a shift towards a more predictive approach to data security, where potential risks can be identified and mitigated before they escalate into significant issues.

The Tech Community post by Microsoft delves into the specifics of how Purview is securing data in an 'AI-first world.' It discusses the platform's ability to intelligently classify and protect data, ensuring that sensitive information is handled with the utmost care. The post emphasizes the role of AI in enabling organizations to navigate the complexities of modern data management securely.

Microsoft's commitment to a comprehensive approach to data security is reflected in the expanded capabilities unveiled at Microsoft Ignite. The company's focus on both utilizing AI for bolstering security and ensuring the security of AI applications demonstrates a holistic understanding of the challenges organizations face in an increasingly interconnected and data-driven world.

As businesses continue to embrace AI technologies, the need for robust data security measures becomes paramount. Microsoft's Purview upgrades signal a significant stride in meeting these demands, offering organizations a powerful tool to navigate the intricate landscape of AI data security effectively. As the industry evolves, Microsoft's proactive stance reaffirms its position as a leader in shaping the future of secure AI-powered data management.


Read more »
Technology
AI Assistant AI Chatbot AI-powered tool Copilot Microsoft Microsoft 365 Microsoft Copilot Technology

Microsoft Copilot: New AI Chatbot can Attend Meetings for Users


A ChatGPT-style AI chatbot, developed by Microsoft will now help online users summarize their Teams meetings by drafting emails, and creating Word documents, spreadsheet graphs, and PowerPoint presentations in very little time. 

Microsoft introduced Copilot – its workplace assistant – earlier this year, labelling the product as a “copilot for work.”

Copilot which will be made available for the users from November 1, will be integrated to the subscribers of Microsoft 365 apps such as Word, Excel, Teams and PowerPoint – with a subscription worth $30 per user/month.

Additionally, as part of the new service, employees at companies who use Microsoft's Copilot could theoretically send their AI helpers to meetings in their place, allowing them to miss or double-book appointments and focus on other tasks.

‘Busywork That Bogs Us Down’

With businesses including General Motors, KPMG, and Goodyear, Microsoft has been testing Copilot, which assists users with tasks like email writing and coding. Early feedback from those companies has revealed that it is used to swiftly respond to emails and inquire about meetings. 

According to Jared Spataro, corporate vice president of modern work and business applications at Microsoft, “[Copilot] combines the power of large language models (LLMs) with your data…to turn your words into the most powerful productivity tool on the planet,” he said in a March blog post. 

Spataro promised that the technology would “lighten the load” for online users, stating that for many white-collar workers, “80% of our time is consumed with busywork that bogs us down.”

For many office workers, this so-called "busywork" includes attending meetings. According to a recent British study, office workers waste 213 hours annually, or 27 full working days, in meetings where the agenda could have been communicated by email.

Companies like Shopify are deliberately putting a stop to pointless meetings. When the e-commerce giant introduced an internal "cost calculator" for staff meetings, it made headlines during the summer. According to corporate leadership, each 30-minute meeting costs the company between $700 and $1,600.

Copilot will now help in reducing this expense. The AI assistant's services include the ability to "follow" meetings and produce a transcript, summary, and notes once they are over.

Microsoft, in July, noted that “the next wave of generative AI for Teams,” which included incorporating Copilot further into Teams calls and meetings.

“You can also ask Copilot to draft notes for you during the call and highlight key points, such as names, dates, numbers, and tasks using natural language commands[…]You can quickly synthesize key information from your chat threads—allowing you to ask specific questions (or use one of the suggested prompts) to help get caught up on the conversation so far, organize key discussion points, and summarize information relevant to you,” the company noted.

In regard to the same, Spataro states that “Every meeting is a productive meeting with Copilot in Teams[…]It can summarize key discussion points—including who said what and where people are aligned and where they disagree—and suggest action items, all in real-time during a meeting.

However, Microsoft is not the only tech giant working on making meeting tolerant, as Zoom and Google have also introduced AI-powered chatbots for the online workforce that can attend meetings on behalf of the user, and present its conclusions during the get-together.  

Read more »
Security
attackers Cyber Attacks Data Safety data security EvilProxy Hackers Microsoft Microsoft 365 Microsoft Office Safety Secure Data Security

EvilProxy Phishing Campaign Targets Microsoft 365 Executives Worldwide

 

Cybercriminals have launched an EvilProxy phishing campaign with the aim of infiltrating thousands of Microsoft 365 user accounts across the globe. 

Over a span of three months from March to June, the attackers distributed a barrage of 120,000 phishing emails targeting more than 100 organizations worldwide. The primary objective of this operation was to compromise high-ranking executive accounts, paving the way for subsequent, deeper attacks within these enterprises.

Researchers from Proofpoint have shed light on the ongoing campaign, revealing that it employs a range of phishing strategies, including brand impersonation, scan blocking, and a multi-step infection process. 

These tactics have enabled the attackers to successfully seize control of cloud accounts belonging to top-level executives. Notably, over the past half-year, there has been an alarming surge of over 100% in these takeover incidents. These breaches occurred within organizations that collectively represent 1.5 million employees globally.

The attackers leveraged the EvilProxy phishing-as-a-service platform, utilizing reverse proxy and cookie-injection methods. These techniques allowed them to bypass multi-factor authentication (MFA), which is often touted as a defense mechanism against phishing attacks. The use of tools like EvilProxy, which operate as reverse-proxy hacker tools, is making it increasingly feasible for malicious actors to overcome MFA.

Upon obtaining credentials, the attackers wasted no time in accessing executives' cloud accounts, achieving entry in mere seconds. Subsequently, they maintained control by employing a native Microsoft 365 application to incorporate their own MFA into the "My Sign-Ins" section. The favored method for this action was the "Authenticator App with Notification and Code."

Surprisingly, the researchers noted that there has been a rise in account takeovers among tenants with MFA protection. Their data suggests that at least 35% of all compromised users over the past year had MFA enabled.

The EvilProxy attack typically commences with attackers masquerading as trusted services such as Concur, DocuSign, and Adobe. They send phishing emails from spoofed addresses, purportedly originating from these services, containing links to malicious Microsoft 365 phishing sites.

Clicking on these links initiates a multi-step infection process involving redirects to legitimate sources like YouTube, followed by further redirects utilizing malicious cookies and 404 errors. This convoluted approach is designed to scatter the traffic, minimizing the chances of detection.

Ultimately, the user traffic arrives at an EvilProxy phishing framework—a landing page functioning as a reverse proxy. This page imitates recipient branding and third-party identity providers.

Despite the large number of attacks, the cybercriminals exhibited precision, specifically targeting top-tier executives. C-level executives were the focus in approximately 39% of the attacks, with 17% targeting CFOs and 9% aimed at presidents and CEOs.

The success of this campaign in breaching MFA and its extensive scale underscore the advancing sophistication of phishing attacks. This necessitates organizations to bolster their security measures and adopt proactive cybersecurity intelligence to detect anomalous activities, emerging threats, and potential vulnerabilities.

While the effectiveness of EvilProxy as a phishing tool is acknowledged, there remains a significant gap in public awareness regarding its risks and implications. 

Proofpoint recommends a series of steps to mitigate phishing risks, including blocking and monitoring malicious email threats, identifying account takeovers, detecting unauthorized access to sensitive cloud resources, and isolating potentially malicious sessions initiated through email links.
Read more »
Windows
Azure China CISA Cyber Security MFA Microsoft 365 Sensitive Data Leak User Data Windows

Microsoft Offers Free Security Features Amid Recent Hacks

Microsoft has taken a big step to strengthen the security of its products in response to the growing cybersecurity threats and a number of recent high-profile attacks. The business has declared that it will offer all users essential security features at no cost. Microsoft is making this change in an effort to allay concerns about the security of its platforms and shield its users from potential cyberattacks.

The Messenger, The Register, and Bloomberg all reported that Microsoft made the decision to offer these security capabilities free of charge in response to mounting demand to improve security across its whole portfolio of products. Recent cyberattacks have brought up important issues with data privacy and information security, necessitating the development of stronger protection methods.

A number of allegedly state-sponsored hacks, with China as a particular target, are one of the main drivers behind this tactical approach. Governments, corporations, and individual users all over the world are extremely concerned about these breaches since they target not only crucial infrastructure but also important data.

Improved encryption tools, multi-factor authentication, and cutting-edge threat detection capabilities are among the free security improvements. Users of Microsoft's operating systems, including Windows 10 and Windows 11, as well as cloud-based services like Microsoft 365 and Azure, will have access to these functionalities. Microsoft wants to make these crucial security features available to a broader variety of customers, independent of subscription plans, by removing the financial barrier.

Microsoft responded to the judgment by saying, "We take the security of our customers' data and their privacy extremely seriously. We think it is our duty to provide our users with the best defenses possible as threats continue to evolve. We believe that by making these security features available for free, more people will take advantage of them and improve their overall cybersecurity posture.

Industry professionals applaud Microsoft for choosing to offer these security measures without charge. This is a huge step in the right direction, said Mark Thompson, a cybersecurity analyst with TechDefend. Because these services are free, Microsoft is enabling its users to properly defend themselves against possible attacks as cyber threats become more complex.

The action is also in line with the work of other cybersecurity organizations, including the Cybersecurity and Infrastructure Security Agency (CISA), which has been promoting improved cooperation amongst IT businesses to battle cyber threats.

Although the choice definitely benefits customers, it also poses a challenge for other digital firms in the sector. Customers are expected to demand comparable initiatives from other big players in response to the growing emphasis on data security and privacy, driving the entire sector toward a more secure future.

Read more »
phishing
Cyber Attacks CyberCrime DDoS Email Microsoft 365 Microsoft Outlook Outlook phishing

Outlook Services Paralyzed: Anonymous Sudan's DDoS Onslaught

 


In the last few days, several distributed denial-of-service (DDoS) attacks have been launched against Microsoft Outlook, one of the world's leading email providers. Anonymous Sudan, a hackers' collective, has launched DDoS attacks against Microsoft Outlook. The attacks, which aim to disrupt services and create concerns about various issues, have disrupted Outlook users worldwide. Additionally, online platforms are quite vulnerable to cyber threats because they are hosted online. 

Several outages have been reported today on Outlook.com for the same reason as yesterday's outages. Anonymous Sudan, an Internet hacking collective, claims that it performs DDoS attacks against the service on hackers' behalf. 

It has been claimed, however, that the hacktivist group Anonymous Sudan is responsible for the attack. They assert that they are conducting a distributed denial of service (DDoS) attack on Microsoft's service in protest of US involvement in Sudanese internal affairs by operating cyberattacks against its infrastructure. 

Approximately 1 million Outlook users across the globe have been affected by this outage, which follows two more major outages yesterday. Due to this issue, Outlook's mobile app cannot be used by users in a wide range of countries as users cannot send or receive emails. 

There have been complaints on Twitter about Outlook's spotty email service. Users assert that it has impacted their productivity as a result. 

It was announced over the weekend that the hacktivist group would be launching a campaign against the US as a response to the US interference in Sudanese internal affairs recently as part of its anti-US campaign. They cited the visit made by Secretary of State Antony Blinken to Saudi Arabia last week, in which he discussed the ongoing humanitarian situation in the country. 

There has also been an announcement by the White House that economic sanctions will be imposed on various corrupt government entities in Sudan, including the Sudanese Armed Forces (SAF) and the Rapid Support Forces (RSF), which are considered responsible for the escalation of the conflict. 

In response to this, Anonymous Sudan launched a distributed denial of service attack in late November, targeting the ride-sharing platform Lyft, in an attempt to overload a site or server with bot requests, thereby essentially bringing it to a standstill. 

It is also worth noting that several regional healthcare providers across the country were also taken offline during the weekend campaign.

Email communication was interrupted by several disruptions, including delayed or failed delivery of messages, intermittent connectivity problems, and slow response times. This was as a result of this issue. Individual users were inconvenienced by these interruptions; however, businesses that rely on Outlook for their day-to-day operations were also facing challenges as a result of these disruptions. This attack demonstrates the vulnerability of online platforms and emphasizes the need for robust cybersecurity measures to guard against threats of this nature. This is to ensure online platforms remain secure. 

In many tweets posted to Twitter by Microsoft, the company has alternated back and forth between saying they have mitigated the issue and that the issue is back again, implying that these outages are caused by technical issues. 

A group called Anonymous Sudan is claiming responsibility for the outages, claiming they are out to protest the US infiltrating Sudanese internal affairs through its involvement in the DDoS attacks against Microsoft and claim responsibility for the outages as well.

As a result of the continuous DDoS attacks on Microsoft Outlook and Microsoft 365 services, the group has been taunting Microsoft in its statements in the past month. 

There is increasing evidence that Microsoft Outlook continues to suffer crippling attacks from Anonymous Sudan, which frequently result in the suspension of service and the growth of concerns about the security of the online environment due to DDoS attacks launched by Anonymous Sudan. It has been observed that these deliberate disruptions hurt the user experience and the online platform. This is because these disruptions expose them to cyber threats. 

This ongoing situation only confirms the importance of cybersecurity measures to safeguard critical online services. The necessity of introducing these measures would be essential to ensure their protection in the future. Additionally, it raises questions about the platform's ability to cope with persistent and coordinated attacks on its cybersecurity system. 

The case between Anonymous Sudan and Microsoft in a world where cybersecurity threats are increasing by the day, serves as a timely reminder of the importance of continuous vigilance. This is to prevent these threats from becoming stronger as they progress in a direction not fully understood by users.
Read more »
Technology
API Cyber Attacks CyberCrime Cybersecurity Education Microsoft 365 Phishing Attacks Technology

Microsoft 365 Phishing Attacks Made Easier With 'Greatness'

 


It is a method of stealing money, or your identity, by attempting to get you to reveal personal information through websites that pretend to be legitimate websites, such as credit cards, bank details, or passwords, that aim to get you to reveal your personal information. Cybercriminals often pose as reputable companies, friends, or acquaintances and send fake messages with a link to a phishing website.  

By enticing people to reveal personal information like passwords and credit card numbers, phishing attacks are intended to steal sensitive data or damage it by damaging users' computers. 

Even script kiddies have constructed convincing, effective phishing attacks against businesses using a service never heard of before, called phishing-as-a-service (PaaS). 

As many organizations around the world use the Microsoft 365 cloud-based productivity platform, it has become one of the most valuable targets for cybercriminals. These criminals use it to steal data and credentials to compromise their networks. 

During a Cisco Talos research update, researchers explained how phishing activity on the Greatness platform exploded between December 2022 and March 2023. This was when the platform was launched in mid-2022. 

Since the tool was introduced in mid-2022, it has been used in attacks on several companies across a variety of industries. These industries include manufacturing, healthcare, technology, and banking. 

At this point, approximately half of those targeted are in the United States. Attacks have also been carried out around Western Europe, Australia, Brazil, Canada, and South Africa, but the majority are concentrated in the US. 

As a result of these attacks, a wide range of industries, including manufacturing, healthcare, technology, education, real estate, construction, finance, and business services, are being targeted. 

It contains everything you will ever need to conduct a successful phishing campaign if you intend to play at being a phishing actor in the future. 

Using the API key that they have acquired for their service, the users will have access to the 'Greatness' admin panel and provided a list of email addresses that they wish to attack. 

It is the PhaaS platform, or as it is often called, that allocates the infrastructure needed to host the phishing pages and also to build the HTML attachments. This is like the server hosting the phishing pages. 

Afterward, the affiliate builds the content for the email and provides any other material needed, and changes any default settings if necessary. 

The process of taking on an organization is simple. A hacker simply logs into the enterprise using their API key; provides a list of target email addresses; creates the content of the email (and changes any other default details as they see fit). 

Greatness will authenticate on the real Microsoft platform based on the MFA code supplied by the victim once the MFA code is provided. This allows the affiliate to receive an authenticated session cookie through the Telegram channel provided by the service or through access to their web panel. 

As a result, many companies find that stolen credentials can also be used to breach their network security. This results in more dangerous attacks, like ransomware, being launched.
Read more »
Web Admin
Cyber Security Digital Infrastructure Microsoft 365 saaS Security Survey Web Admin

Influence of Digitalization on IT Admins

A SaaS software business named SysKit has released a report on the impact of digital transformation on IT administrators and the present governance environment. According to the report, 40% of businesses experienced a data breach in the last year. This can have a serious impact on an organization's productivity and lead to costly fines, downtime, and the loss of clients and certifications that are essential to its operations.

The research, held out in November, included 205 US IT managers who are in charge of overseeing the IT infrastructures of their firms, and it fairly depicts the target demographic. As per SysKit, improper zero trust and full trust implementation can result in data breaches. Based on the survey, 68% of respondents believe that the zero trust approach restricts the ability to collaborate, while 50% of respondents think that the full trust approach to governance is ideal.

The majority of IT administrators (82%) agree that non-technical staff who are resource owners must be more proactive in data reviews and workspace maintenance. Furthermore, when enquired about one‘s specific IT governance skills, 50% of the respondents stated that non-tech employees do not know how to properly apply external sharing policies, 56% believed they did not know how to properly apply provisioning policies, and 30% stated that their coworkers are not taking care of their inactive content. According to SysKit, this lack of knowledge can result in data leaks, unchecked workspace sprawl, and higher storage expenses.

The survey also revealed that excessive workloads, a lack of comprehension from superiors, and a misalignment of IT and business strategy are among the main issues for IT administrators. As technology continues to develop, organizations will face new opportunities and difficulties. Future applications of AI-based technologies have not yet been defined since they are still in their initial stages. 
Read more »
Microsoft 365
Cyber Attacks Cyber Phishing Cyber Threats Cyber-attacks Microsoft 365

Microsoft Upgrading Defender for 365 Users Teams

Last week, the technology giant Microsoft has announced that they are going to add some new advanced features to Microsoft Defender for Office 365 to allow Microsoft Teams users to alert their organization's security team of any deceitful messages they receive. 

Microsoft Defender for Office 365 (previously known as Office 365 Advanced Threat Protection or Office 365 ATP) works against malicious threats coming from malicious email messages, links, and collaboration tools to protect organizations. 

The new features are developing upon improvements announced in July 2021, allowing Microsoft Teams to automatically blocks phishing attempts. 

According to the given data on Microsoft's official website, this in-development feature will give power to admins to alter potentially dangerous messages targeting employees with malicious payloads or trying to redirect them to phishing websites. 

"End users will be able to report suspicious Microsoft Teams messages as a security threat just like they do for emails - to help the organization to protect itself from attacks via Microsoft Teams," Microsoft explains on the Microsoft 365 roadmap. 

Additionally, one of the users reported that Redmond is also developing new features for Office 365's Submissions experience to categorize the user-reported messages into individual tabs for Phish, Spam (Junk), and so on. 

However, as per the process, it is expected that the advance submission feature will be available to the general public next month, the new user reporting capability is now in preview and will most likely roll out to standard multi-tenants until the end of January 2023 to desktop and web clients worldwide. 

Microsoft extended Defender for Office 365 Safe Links protection to the Teams communication platform to help customers from malicious URL-based phishing attacks. 

"Safe Links in Defender for Office 365 scans URLs at the time of click to ensure that users are protected with the latest intelligence from Microsoft Defender,” Microsoft further told.
Read more »
Subscribe to: Posts (Atom)