Hello, stay ahead with CISO Brief 🚀

🔒 Enterprise SaaS products increasingly adopt Retrieval-Augmented Generation (RAG) to give AI agents access to customer-specific knowledge, but that bridge also creates severe security liabilities. The article reviews recent high-profile failures — from the EchoLeak zero-click exfiltration to vector database reconstructions, indirect prompt injections in IDEs and large-scale knowledge-base poisoning — and breaks down the typical three-phase RAG architecture: ingestion & embedding, vector storage & retrieval, and LLM generation. It advocates a defense-in-depth posture combining pre-ingest DLP, retrieval-time RBAC/ABAC, prompt isolation and output filtering, and highlights Google Cloud services like Cloud DLP, Vertex AI vector search, Vertex AI model armor and Security Command Center to operationalize those controls.

⚠ Microsoft confirmed a display bug causing newly introduced Windows security warnings to render incorrectly when opening Remote Desktop (RDP) files. The issue affects all supported Windows releases updated in April 2026 (including Windows 11 KB5083768 & KB5083769, Windows 10 KB5082200, and Windows Server KB5082063) and appears when multiple monitors use different scaling settings, producing overlapping text and misplaced buttons. These dialogs — deployed to warn users about unsigned or unverified RDP files and to show resource redirection settings — can become difficult or impossible to interact with until Microsoft provides a fix.

🛡️ Identity management is changing as AI agents introduce a new class of non‑human identities that can act, decide, and access resources at machine speed. Experts including Dustin Wilcox and Michael Adams recommend an identity-first security posture built on clean directories, enforced least privilege, and clear offboarding. They warn that legacy models and inventory processes won’t track proliferating tokens and agents, so organizations should catalog non‑human identities, assign ownership, and treat MFA as a baseline while moving toward phishing‑resistant methods and continuous verification.

🛡️ AiTM phishing evades credential theft by intercepting session tokens after legitimate logins, rendering stronger passwords and many MFA approaches insufficient on their own. While FIDO2 and passkeys reduce exposure at the authentication step, session cookies remain bearer tokens that can be replayed. The article recommends three practical controls—bind sessions to managed devices, monitor post-authentication anomalies, and shorten high-value session lifetimes—combined with targeted user guidance to stop attackers from exploiting captured sessions.

🔒 French authorities have arrested a 21-year-old who used the alias 'HexDex', suspected of carrying out around 100 data breaches since late 2025. Prosecutors say he was preparing another data dump when detained and has been charged with six offences, including aggravators for organised gang activity. Alleged victims include the Ministry of National Education, where the Compas trainee-teacher system exposed roughly 243,000 employee records, as well as registries, unions, cultural institutions, sports federations, food banks and hotel chains. Stolen files were redistributed on criminal marketplaces; his account page now displays a message saying it was seized.

📧 Microsoft has asked iPhone users to manually re-enter credentials in the default Mail app to restore access to Outlook and Hotmail accounts after a global sign-in outage. The company reported intermittent sign-in failures and some users being signed out or seeing "too many requests" errors, attributing the disruption to a "recently introduced change." Service health was reported as restored around 7 PM UTC, but iOS users must follow a step-by-step procedure in Settings → Mail → Accounts to update passwords. Microsoft has not disclosed the outage's root cause, scale, or affected regions.

🔍 The UK National Cyber Security Centre (NCSC) cautions that many common SOC metrics are misleading and can actively harm security operations if used or reported externally. CTO Dave Chismon argues that only time to detect/time to respond (TTD/TTR) reliably demonstrates SOC effectiveness, while metrics such as ticket counts, closure times, rule counts or raw log volume create perverse incentives. He recommends red and purple team exercises to assess TTD/TTR, and suggests internal, non-public metrics — hypothesis-led hunting, strict false-positive thresholds, log coverage, tooling expertise and analyst engagement — to monitor week-by-week health without driving the wrong behaviours.

🔒 Arctic Wolf attributes a large-scale spear-phishing campaign to BlueNoroff, a subgroup of the Lazarus Group, which targeted more than 100 cryptocurrency and fintech organizations across 20+ countries. The operation used typosquatted Zoom and Microsoft Teams links, manipulated Calendly invites, fake meeting interfaces and ClickFix-style clipboard injection to harvest credentials and wallet data. Researchers observed a self-sustaining deepfake pipeline, PowerShell-based C2, AES-encrypted browser payloads and Telegram-based exfiltration, with some intrusions persisting for 66 days.

🛡️ A Chinese national accused of ties to the Silk Typhoon group has been extradited to the United States from Italy to face charges alleging multiple cyber intrusions and theft of COVID‑19 vaccine research. U.S. prosecutors say 34-year-old Xu Zewei and co-defendant Zhang Yu carried out operations between February 2020 and June 2021 under direction of the MSS Shanghai State Security Bureau, exploiting zero-day vulnerabilities in Microsoft Exchange Server to deploy web shells for remote access. Xu, arrested in Milan in July 2025 while on vacation with his wife, has pleaded not guilty and maintains he is a case of mistaken identity; Zhang remains at large.

🔒 An underscoped built-in role in Microsoft Entra ID, Agent ID Administrator, allowed users to assume ownership of arbitrary service principals and then add credentials to authenticate as those principals, enabling full service principal takeover. Silverfort researchers, led by Noa Ariel, reported the vulnerability on March 1, 2026, and Microsoft issued a patch across all cloud environments on April 9, 2026. After the update, attempts to assign ownership of non-agent service principals using the role are blocked and return a 'Forbidden' error. Organizations are advised to monitor sensitive role usage, audit service principal ownership and credential changes, and secure privileged non-human identities.

🛡️ Microsoft confirmed active exploitation of a patched Windows Shell vulnerability, CVE-2026-32202, after correcting its advisory metadata. The flaw is a spoofing/authentication-coercion issue (CVSS 4.3) that can disclose sensitive information and was addressed in April Patch Tuesday. Akamai researcher Maor Dahan links the defect to an incomplete February fix for CVE-2026-21510 and says an APT28 campaign weaponized LNK/CPL/UNC/SMB chains to harvest credentials.

🔒 This buyer's guide explains what Endpoint Detection and Response (EDR) is, which core capabilities to expect, and which vendors and solutions are recommended. It highlights EDR features such as real-time behavioral telemetry, deep investigation tools, centralized analytics, and integrations with SIEM, SOAR, firewalls and other security controls. Vendor profiles include CrowdStrike, Microsoft, Palo Alto, SentinelOne, Sophos and Trend Micro, and four practical questions to ask vendors before purchasing are provided.

🛡️ Security teams are being urged to inspect Cisco ASA and Firepower devices following discovery of a resilient backdoor called Firestarter that can persist after patching and survive normal reboots. CISA and the UK’s NCSC recommend generating a core dump and running their published YARA rules (or scanning a disk image) to detect the implant. If an infection is confirmed, the advisory states the device must be physically disconnected from all power sources, including redundant and backup supplies, for at least one minute or be fully reimaged — a standard reboot or power cycle is not sufficient.

🚀Google announced a broad expansion of AI infrastructure at Google Cloud Next, presenting the AI Hypercomputer — an integrated stack of dedicated hardware, software, and flexible consumption models. The release highlights new accelerators including TPU 8t and TPU 8i, A5X GPU instances, and Axion N4A CPUs, plus megascale Virgo networking and storage improvements. These changes target agentic workloads to improve latency, utilization, and cost-efficiency for enterprise and consumer AI.

⚙️ At Google Cloud Next '26, Google announced Fluid Compute and a broad set of compute, networking, and storage updates to support both traditional and agentic AI workloads with better performance and lower cost. Key moves include GA of the Arm-based Axion N4A, a GKE Agent Sandbox running on Axion, previews of bare-metal Axion C4A.metal and network-optimized C4N, and expanded Flexible Committed Use Discounts. The changes emphasize elastic scaling for spiky agent workloads, isolated runtime sandboxes, and higher I/O and VM-to-VM bandwidth to reduce contention and TCO.

🔒 Threat actors abused a flaw in Robinhood's account creation flow to inject arbitrary HTML into account confirmation emails, producing convincing Unrecognized Device warnings that directed recipients to a phishing site. The messages originated from noreply@robinhood.com and passed SPF and DKIM checks, which made them appear legitimate. Robinhood confirmed there was no systems breach or impact to customer funds and removed the vulnerable Device: field to remediate the issue. Recipients are advised to delete the emails and verify any suspicious alerts through the official app or website.

🤖 Amazon Redshift Serverless now enables AI-driven scaling and optimization by default for all new workgroups, using machine learning to predict compute needs and automatically adjust resources before queries queue. The update expands support to workloads with a Base RPU range of 8–512 RPU, lowering the entry cost. Use the price-performance slider to prioritize cost, performance, or a balance; Amazon Redshift also applies automatic materialized views and table design optimizations. Configure targets via the AWS Management Console or the Amazon Redshift API; settings can be modified after workgroup creation and are available in all Regions where Serverless is offered.

🚨 A new wave of the GlassWorm campaign is targeting the OpenVSX ecosystem with 73 'sleeper' extensions that upload as benign clones of legitimate listings and later deliver malicious payloads via updates. Socket researchers say six extensions have already been activated to install malware, while the other packages are considered suspicious or dormant. The attackers use thin loaders that fetch secondary VSIX packages, platform-specific .node modules, or heavily obfuscated JavaScript to retrieve and install payloads at runtime. Developers who installed any listed extensions should rotate all secrets and clean their development environments.