
Hello, stay ahead with CISO Brief 🚀

Every day the cybersecurity world moves fast — new incidents, evolving AI risks, changing regulations, and critical vendor updates. We cut through the noise to deliver only what matters most for your business and security strategy.

CISO Brief brings you a daily digest of high-signal news: major breaches, hyperscaler security releases, AI and compliance shifts, and the latest threat intelligence — all in one concise update.

Built for CISOs, CTOs, and architects, our goal is to save you time, reduce distraction, and keep you always on pulse with the risks and opportunities that shape tomorrow.

👉 Join our Telegram channel for your daily update — stay informed, stay ready.

Cybersecurity News Digest — Daily Briefings

Microsoft extends free Windows 10 ESU to 2027

📰 Microsoft quietly extended free Windows 10 Extended Security Updates (ESU) for consumer devices by one year, now covering devices through October 12, 2027. The change appeared in documentation updates and an editor's note on the Windows Experience Blog dated June 25, 2026. Enrolled users will remain covered automatically, and the consumer ESU remains unavailable for domain-joined or MDM-managed systems. The extension aims to give consumers more time to upgrade to Windows 11 or newer devices.

AI-Augmented Threat Intelligence: Beyond IOCs

🛡️ The article examines how AI, particularly large language models, can bridge the gap between atomic indicators of compromise (IOCs) and richer strategic threat intelligence by indexing and relating unstructured reports. It highlights opportunities to retrieve relevant intelligence and generate tailored defensive advice while warning about data veracity and confidentiality. The piece also emphasizes practical Windows threats abusing COM and recommends tooling and hunting practices to detect such misuse.

AI Liability and the Publisher–Carrier Distinction

📰 The German court found Google liable for AI-generated search summaries, rejecting defenses that users should verify AI output themselves. This ruling highlights the historical distinction between carriers and publishers and argues that AI summaries act like editorial content. Past cases, like Air Canada’s chatbot ruling, reinforce that organizations are responsible for their AI agents. The decision could force companies to improve AI accuracy or curtail certain commercial uses.

Amazon Redshift adds upfront RI payment options

🔔 Amazon Redshift now offers All Upfront and Partial Upfront payment options for 1- and 3-year reserved instances (RG instances). These join the existing No Upfront option and give customers more flexibility to optimize compute costs. All Upfront provides the largest discount by paying the full term up front, while Partial Upfront splits cost between an initial payment and lower monthly installments. The new options are available across many AWS Regions globally.

macOS 'Gaslight' malware targets AI analysis tools

🛡️ Researchers uncovered a macOS malware family named macOS.Gaslight that embeds fabricated error messages and debugging data inside a Rust binary to mislead AI-assisted analysis tools. The 3.5 KB payload contains 38 fake system messages — including memory dumps, token-expiration warnings, and build errors — designed to appear as legitimate developer logs. SentinelOne attributes the sample with high confidence to a North Korean-linked actor and notes the strings aim to prompt-inject LLM pipelines, causing them to abort or distrust their session. The malware retains standard backdoor and data-stealing capabilities alongside the deceptive messaging tactic.

Microsoft named Leader in Forrester Wave 2026

🔒 Microsoft is recognized as a Leader in The Forrester Wave™: Endpoint Management Platforms, Q2 2026, reflecting Intune’s role in connecting identity, security, compliance, and AI governance across endpoints. The report highlights Intune’s cross-platform management, AI-powered Endpoint Privilege Management, and integrated Security Copilot features that enable faster remediation and device onboarding. Forrester also cited Microsoft’s partner strategy and licensing value as factors supporting enterprise adoption.

PirloTV sports piracy network disrupted in domain seizure

🔎 PirloTV, a network of sites embedding unauthorized live sports streams, has had 44 domains seized in a coordinated action. The Alliance for Creativity and Entertainment (ACE), UEFA, UC3, and Mexican authorities targeted domains that generated over 950 million visits annually, with heavy traffic from Mexico and Colombia. The takedown occurred ahead of the UEFA Champions League final and may affect piracy during the ongoing FIFA World Cup. Despite the seizures, some domains remain indexed and the network can quickly migrate to new domains.

Fortinet launches product carbon footprint calculator

🌱 Fortinet has introduced a Product Carbon Footprint (PCF) Calculator that provides greenhouse gas emissions estimates for more than 790 products. The publicly accessible, free tool uses internationally recognized standards like ISO 14040 and ISO 14067 and includes country-specific emission factors. It supports lifecycle analysis across manufacturing, use, and end-of-life stages to help customers and partners incorporate environmental data into procurement and reporting.

Bluekit adopts browser-in-the-middle for login theft

🛡️ The Bluekit phishing-as-a-service platform has added browser-in-the-middle (BitM) capabilities and nearly 70 new hostnames, enabling attackers to load legitimate login pages and capture valid session tokens. Netcraft found Bluekit uses the open-source rrweb library to serialize and stream page DOM data over WebSockets while fetching assets through phishing infrastructure. The kit also includes advanced anti-analysis features such as randomized CSS filters, large rotating obfuscated JavaScript bundles, custom CAPTCHAs, browser fingerprinting, and WebRTC IP-mismatch checks.

Threat Actor Exploited Cisco SD‑WAN Zero‑Day

🔒 A Google (Mandiant) report warns that a threat actor exploited a severe Cisco SD‑WAN vulnerability (CVE-2026-20245) at least two months before disclosure. The flaw, a high-severity (CVSS 7.8) privilege escalation in the CLI of Cisco Catalyst SD-WAN Controller, allowed authenticated local attackers to upload crafted files and execute commands as root. Cisco disclosed the issue on June 4 and began releasing fixes on June 10, while Mandiant detailed related unauthorized peering and credential-theft activity stretching back to late 2025.

High‑Install Chrome Extension Enables Remote Script Injection

🛡️ An analysis of a widely installed Google Chrome extension, Adblock for YouTube (10M+ installs), revealed it can execute arbitrary JavaScript across websites. Researchers found a dormant, server‑controlled injection capability that could create elements without an extension update or store review. Although no evidence of active abuse was reported, the combination of all‑site access, prior ad‑injection SDKs, and related removed extensions raises significant privacy and security concerns.

Cloudflare Workflows adds durable saga rollbacks

🛠️ Cloudflare Workflows now supports saga rollbacks, letting developers declare per-step compensation logic directly in step.do() calls. This feature simplifies undoing partial work when later steps fail by running rollback handlers in reverse step-start order and preserving idempotency via idempotency keys. Rollback handlers are durable, configurable with retries and timeouts, emit lifecycle events, and execute only when the Workflow fails terminally.
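The rollback semantics summarized above (per-step compensation, reverse step-start order, idempotency, retries, lifecycle events) modelled in plain JavaScript as an added example. This is not Cloudflare's code or API: the `Saga` class, `do`/`rollback`/`runWorkflow` names and the order scenario are constructed for illustration.

```javascript
class Saga {
  constructor() {
    this.started = [];            // steps in start order
    this.compensated = new Set(); // idempotency keys whose rollback already ran
    this.events = [];             // lifecycle events for observability
  }
  // Forward step; the compensation is registered before fn runs so a half-done step is still undone.
  async do(name, fn, { compensate = null, retries = 0 } = {}) {
    const step = { name, compensate, retries, key: `${name}#${this.started.length}` };
    this.started.push(step);
    this.events.push(`step-start:${name}`);
    const out = await fn();
    this.events.push(`step-success:${name}`);
    return out;
  }
  // Reverse step-start order; each compensation runs once per key, so re-driving rollback never double-undoes.
  async rollback(reason) {
    this.events.push(`workflow-failed:${reason}`);
    for (const step of [...this.started].reverse()) {
      if (!step.compensate || this.compensated.has(step.key)) continue;
      for (let attempt = 1; ; attempt++) {
        try { await step.compensate(); break; }
        catch (e) {
          this.events.push(`rollback-retry:${step.name}:${attempt}`);
          if (attempt > step.retries) throw e; // the rollback itself failed terminally
        }
      }
      this.compensated.add(step.key); this.events.push(`rollback-success:${step.name}`);
    }
  }
}
// Rollback runs only when the forward path fails terminally.
async function runWorkflow(body) {
  const saga = new Saga();
  try { await body(saga); return { status: 'complete', events: saga.events }; }
  catch (err) { await saga.rollback(err.message); return { status: 'errored', events: saga.events }; }
}
// Constructed scenario: reserve, charge, ship. Shipping fails; the refund times out once, then succeeds on retry.
async function sampleOrder() {
  let refundAttempts = 0;
  return runWorkflow(async (step) => {
    await step.do('reserve', async () => 'r-1', { compensate: async () => {} });
    await step.do('charge', async () => 'c-1', {
      compensate: async () => { if (refundAttempts++ === 0) throw new Error('gateway timeout'); },
      retries: 2,
    });
    await step.do('ship', async () => { throw new Error('no carrier'); });
  });
}
```

Running `sampleOrder()` yields an `errored` result whose event list shows the charge refund retried once and the reservation released last, i.e. compensations in reverse order of the steps that started.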

ClickFix: New social engineering that forces execution

🛡️ The ClickFix technique tricks users into executing malicious commands themselves by presenting convincing prompts like fake CAPTCHAs, Cloudflare checks, or “browser update” notices. Attackers rely on clipboard copy and instruct victims to paste commands into the Windows Run dialog, bypassing endpoint defenses that see the activity as legitimate user action. Check Point’s ThreatCloud AI team developed the ClickFix Engine, integrated into Gateways, Email Security, and Browse Security, to detect behavioral signals in page HTML and block such attacks irrespective of domain reputation.

Threatsday bulletin: proxyware, exploits, and trends

🛡️ This week’s bulletin highlights a string of practical and persistent threats: privacy-preserving bot defense work from Cloudflare and browsers, six serious curl vulnerabilities fixed in 8.21.0, and a critical unauthenticated takeover in Hoppscotch. Spur Intelligence found widespread proxyware in LG and Samsung smart TV apps, while Teams-based social engineering delivered the Edgecution extension. Other items include legacy credential breaches, state-crime convergence, admin reset alerts, and macOS ClickFix campaigns.

Study Finds Decline in Trust for AI Vulnerability Scanning

🛡️ The Cobalt State of Pentesting Report 2026 surveyed roughly 450 cybersecurity professionals across 2025 and 2026 and found trust in fully automated AI vulnerability testing has dropped sharply. Reliance on AI-only testing fell from 29% to 9%, while 47% now prefer a hybrid human-plus-AI model. Respondents reported that 78% of fully automated scanners missed critical vulnerabilities, and AI/LLM issues showed longer MTTR and lower fix rates.

CISA guidance steers agencies from TIC 2.0 to SASE

🔒 CISA has issued guidance to help federal agencies transition from perimeter-based Trusted Internet Connections (TIC) 2.0 to a more flexible TIC 3.0 using Secure Access Service Edge (SASE) technology. The guidance explains how SASE can replace legacy Managed Trusted Internet Protocol Services (MTIPS) and combines networking and security functions such as SD-WAN, secure web gateways, CASBs, next-gen firewalls and ZTNA. It is vendor-agnostic and emphasizes architecture and visibility requirements rather than specific products.

Prompt Injection as Role Confusion in LLMs

📝 This post highlights a new paper that demonstrates how large language models are vulnerable to prompt injection because they learn to distinguish instruction blocks by style rather than explicit tags. The authors argue that role tags became a de facto security architecture but do not map cleanly into model representations, producing persistent role confusion. The paper warns that without genuine role perception, defenses will be reactive and brittle, and calls for deeper study of roles within the LLM stack.

macOS XPC Flaw Lets Non‑Root Users Disable EDR/MDM

🔒 A disclosed macOS privilege escalation allows a non-root user to abuse XPC trusted caller caching to invoke privileged helper functions without authentication, impacting multiple EDR and MDM products. XM Cyber found attackers can tamper with a legitimate app to inherit its cached trust and call sensitive methods to unload or disable security agents with minimal forensic traces. Vendors including CrowdStrike and Kandji have issued fixes and mitigations, while XM Cyber released a scanner and will present findings at Black Hat.