Hello, stay ahead with CISO Brief 🚀

🔒 The Texas Parks and Wildlife Department disclosed a breach at its external license system vendor that exposed personal information for 3,087,721 hunting and fishing license customers. The Texas Cyber Command discovered the intrusion and confirmed no Social Security numbers, dates of birth, or financial data were affected. Exposed fields may include driver’s license data, passport numbers, emails, phone numbers, and residential addresses. TPWD is working with the vendor on enhanced safeguards and offering affected individuals one year of free credit monitoring.

🔒 Apple is changing the domain used for newly generated Hide My Email aliases from "@icloud.com" to "@private.icloud.com", a tweak that has drawn criticism from privacy-minded users. The shift makes generated addresses identifiable as aliases, potentially allowing sites to block anonymous sign-ups. Existing aliases will continue to function, while new ones will be issued on the new domain later this summer. Users warned this could reduce the feature's effectiveness for anonymity.

🔒 Microsoft researchers disclosed AutoJack, an exploit chain that lets an AI browsing agent load a malicious web page which then reaches a privileged local service and spawns processes on the host. The issue resides in AutoGen Studio's MCP WebSocket handler, present only in two pre-release PyPI builds (0.4.3.dev1 and dev2). A vanilla pip install (0.4.2.2) is not affected; fixes are merged to GitHub main but not yet released on PyPI.

🛠️ Microsoft’s June update has caused Office apps like Word and Excel to fail when launched via third-party software that relies on OLE automation. Affected integrations include CCH Engagement, Workpaper Manager, Zotero and dental systems such as Dentrix and Softdent, with users reporting files won’t open and no clear error is shown. Microsoft acknowledged the issue and is working on a fix, and also noted a separate cosmetic Recycle Bin filename display problem stemming from the same update.

🔒 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged Fortinet customers to secure FortiGate appliances after a large-scale campaign, dubbed FortiBleed, compromised 86,644 devices as of June 19, 2026. The campaign, attributed to Russian-speaking actors, used mass scanning and credential spraying against internet-facing VPN and firewall endpoints, leveraging leaked and reused credentials. Telecom, government, and education sectors were heavily affected, prompting guidance to reset passwords, enable MFA, and move to PBKDF2 hashing for admin credentials.

🛡️ Check Point Research warns that Amazon Prime Day (June 23–26, 2026) is generating a large pre-event surge in phishing, fake storefronts, and domain-squatting operations. Between December 2025 and May 2026, thousands of Amazon-themed domains were registered, with many already flagged as malicious. Attackers are building multi-TLD campaigns, regional IDN spoofs, and convincing counterfeit product pages to steal credentials and payments.

⚙️ Today Cloudflare announced Temporary Cloudflare Accounts for AI agents, enabling agents to run wrangler deploy --temporary to deploy Workers instantly without human sign-up. Temporary deployments remain live for 60 minutes and can be claimed by a user to become permanent; unclaimed accounts expire automatically. The feature integrates with Wrangler, which now informs agents about the --temporary flag, letting agent-driven development iterate quickly through deploy, verify, and redeploy cycles.

🛠️ Microsoft acknowledged a bug that causes the Recycle Bin confirmation dialog to show internal filenames (for example, $Rxxxxx.ext) instead of the original filename when permanently deleting a single item. The Recycle Bin view and restore operations continue to use the original filename. The issue affects all supported client and server Windows releases after installing the June 2026 security updates, and a fix is planned for a future update. Businesses can request a temporary workaround via Microsoft's Business Support.

📰 On June 9, Anthropic released the Fable model; days later the US classified it as a dangerous munition and used export controls to block foreign access, prompting Anthropic to cut access entirely. Fable is a constrained variant of Mythos and reportedly excels at finding and exploiting vulnerabilities, but similar capabilities have been replicated using smaller models with improved harnesses. The core issue is not a single model but rising general AI capability and the lack of collective, global governance to manage associated risks.

🛡️ AWS has introduced Continuum, a new platform that manages code vulnerabilities across discovery, prioritization, validation and remediation. Launched at AWS Summit New York on June 17, Continuum ingests both structured and unstructured data from an organization’s environment and begins in a human-supervised "learn mode." The platform includes the AWS Security Agent and features for pen testing, code scanning and threat modelling, with outputs in STRIDE format.

🔒 The U.S. CISA has ordered federal agencies to patch a critical Splunk Enterprise vulnerability (CVE-2026-20253) by Sunday after evidence of active exploitation. The flaw impacts Splunk Enterprise versions 10.2.0–10.2.3 and 10.0.0–10.0.6 and allows unauthenticated attackers to create or truncate arbitrary files via a PostgreSQL sidecar service endpoint. Splunk released patches and mitigation guidance, and Shadowserver has identified over 1,400 Internet-exposed Splunk instances that may be at risk.

🛡️ Shadow AI has evolved from simple data leakage to an access control challenge as employee-built agents connect to enterprise systems. These agents — created across platforms, extensions, and scripts — can call APIs, use credentials, and perform actions in production, often with broad or forgotten permissions. Traditional controls like DLP and domain blocking miss non-human identities, so organizations must inventory agents, map ownership and credentials, and enforce automated remediation.

🔍 A simple framework called the SOC Triangle balances quality, consistency and cost efficiency in security operations. Human-centric workflows create trade-offs where improving one dimension often harms another. AI is changing this dynamic by automating repeatable investigative workflows, improving depth, consistency and scaling without linear headcount increases. The triangle still exists, but its constraints are loosening for machine-suitable tasks, shifting humans toward oversight and complex judgment.

🔒 Salesforce has disabled the Klue Battlecards app integration after unusual activity tied to a Klue security incident on June 11, 2026, which may have allowed unauthorized access to some customer data. Klue says attackers used a compromised legacy credential to obtain OAuth tokens and access connected third-party platforms, while Salesforce emphasizes the issue stemmed from the app connection and not its platform. Klue and customers like Huntress are investigating, revoking tokens, and remediating impacts.

🔒 As SMBs adopt Claude, security leaders must quickly map which Claude products and plans are appropriate and control the blast radius. Understand plan differences—Team vs Enterprise—and apply an agile approval process for provisioning. Risk-rank features, phase enablement, and tightly manage API keys and access. Maintain data governance, monitor web search egress, and complement Anthropic controls with internal tooling and vendor collaboration.

🔍 New research from KnowBe4 finds cybersecurity leaders increasingly lack confidence in detecting threats on non-email channels like Slack and Microsoft Teams. An Infosecurity Europe 2026 survey of 169 professionals reports that 50% of organizations do not have strong visibility across messaging and social platforms, even as 60% say attacks are moving beyond email. While email remains viewed as the riskiest channel, confidence in stopping email attacks (83%) is far higher than for Teams (61%), social media (51%), SMS/WhatsApp (50%) and Slack (40%).

📢 A New York man was indicted on cyberstalking charges after allegedly creating multiple fake social media and email accounts to harass a former college classmate. The defendant is accused of distributing AI-generated nude images and fabricated racist messages across platforms including Instagram, LinkedIn, Reddit, X, Strava, and Yahoo between January and March 2025. Authorities say he used spoofed accounts to send images to the victim’s family and continued the campaign after the victim transferred to a Georgia college. Federal prosecutors emphasize that sharing intimate images without consent is a prosecutable offense and urge victims to report such abuse.

🔒 Microsoft demonstrated a new remote code execution path called “AutoJack,” showing how web-enabled AI agents can be hijacked to reach local Model Context Protocol (MCP) services and execute arbitrary processes. The researchers exploited three weaknesses in AutoGen Studio’s MCP WebSocket implementation—origin allowlist inheritance, missing authentication for MCP paths, and unsanitized URL-supplied server parameters that spawn processes. Microsoft reported and mitigated the issue in development builds and warned this pattern could affect other agentic frameworks.