< ciso
brief />
Threat and Trends Reports Banner

All news in category “Threat and Trends Reports

1641 articles · page 17 of 83

IR Trends Q1 2026: Phishing and public administration

🔒 Talos IR’s Q1 2026 analysis finds phishing reemerged as the top initial access vector, with public administration and health care tied as the most targeted sectors. Investigations documented abuse of AI-enabled services like Softr to build credential-harvesting pages and the first observed intrusion by Crimson Collective exploiting exposed developer secrets. Pre-ransomware activity rose but no encryptions occurred due to early mitigation. Talos emphasizes properly configured MFA, patching, and centralized logging.
read more →

AirSnitch: Breaking Client Isolation in Enterprise Wi‑Fi

📶AirSnitch demonstrates techniques that subvert enterprise Wi‑Fi protections by exploiting interactions between encryption, switching and routing. The research shows how attackers can bypass WPA2 and WPA3‑Enterprise client isolation to intercept and inject traffic across access points. It details primitives like Port Stealing, Gateway Bouncing and Broadcast Reflection and provides practical mitigations for networks and endpoints.
read more →

ProxySmart Platform Found Powering 90+ SIM Farms Globally

🔎 Researchers at Infrawatch have identified a Belarus-associated platform, ProxySmart, linked to 87 control panels across 17 countries and 94 phone farm locations. The turnkey software provides device management, automated IP rotation, customer provisioning and anti-bot measures, enabling what researchers describe as SIM Farm as a Service. ProxySmart orchestrates both physical smartphones and USB 4G/5G modems, supports multiple proxy protocols, and includes OS fingerprint spoofing, significantly lowering the technical barrier for large-scale mobile proxy operations.
read more →

UK Faces 'Perfect Storm' of Nation-State Cyber Threats

⚠️ Richard Horne, CEO of the NCSC, warned at the tenth annual CYBERUK in Glasgow that the UK faces a “perfect storm” driven by rising geopolitical tensions and rapid AI-led technological change. He said nationally significant incidents remain broadly steady since the NCSC's last review, but the most serious threats now originate from nation states — notably Russia, China and Iran. The briefing urged organisations to shift from a prevention-only posture to a resilience mindset and to ensure fundamentals such as full visibility, 24/7 monitoring and correct configuration are in place.
read more →

Detecting Cloud Identity Infiltration via Fake Hires

🔍 Microsoft observed North Korea-aligned actors posing as legitimate hires—using stolen or fabricated identities and generative AI—to gain trusted access to corporate SaaS. They target external career sites and Workday Recruiting APIs (hrrecruiting/*) to submit convincing applications, complete onboarding, then use legitimate accounts to access Teams, SharePoint, OneDrive, and Exchange Online. Defenders should correlate multi-source telemetry, enable Microsoft Defender for Cloud Apps connectors, and monitor behavioral anomalies in candidates and new hires.
read more →

Unchecked AI Agents Drive Widespread Enterprise Incidents

⚠️ Research from the Cloud Security Alliance (CSA) and Token Security warns that unchecked AI agents have caused widespread cybersecurity incidents across enterprises in the past year. The report finds many organizations overestimate agent visibility — 68% claim high visibility while 82% discovered unknown agents — leading to data exposure, operational disruption and financial losses. It highlights weak lifecycle governance, particularly around decommissioning, and calls for unified controls across discovery, policy, monitoring and decommissioning.
read more →

Moving Beyond Bots vs. Humans for Web Security and Privacy

🔐 This post by Thibault Meunier explains why the old "bots vs. humans" lens is breaking down as AI agents, accessibility tools, and proxies blur client behavior. Cloudflare outlines current bot management signals (IP, TLS, User-Agent), the rate-limit trilemma, and the limits of fingerprinting. It advocates privacy-preserving proofs such as Privacy Pass and experimental primitives like ARC and ACT to enable anonymous, accountable rate-limiting while protecting an open Web.
read more →

State-Sponsored & Phishing Trends: Printers, M365 Risks

🔍 This podcast episode examines the 2025 Talos Year in Review, highlighting a sharp increase in internal phishing that evades traditional perimeter defenses. Hosts Amy Ciminnisi and Martin Lee explain how Microsoft 365's Direct Send feature has been broadly weaponized to deliver trusted-looking internal mail. They also unpack blended state-sponsored campaigns from China and North Korea that pair zero-day exploitation with advanced social engineering.
read more →

Phishing and MFA Exploitation: Targeting Trust in Workflows

🔐 In 2025 attackers increased focus on weaknesses in multi-factor authentication (MFA) and the trust inherent in everyday workflows, with phishing used for initial access in 40% of incidents. Cascaded phishing leveraged compromised, legitimate accounts to craft highly convincing lures, while abuse of Microsoft 365 Direct Send enabled internal-looking spoofed messages. MFA spray attacks and device compromise—driven by voice phishing against administrators—targeted IAM tools and high-turnover device ecosystems, with higher education notably impacted. Defenders should harden device management, enforce strong lockout and conditional access policies, and adopt email protections such as Reject Direct Send and tightened SPF/DMARC.
read more →

No Exploit Needed: Identity-Based Attacks Remain Top Threat

🔐 Attackers increasingly rely on stolen credentials—via credential stuffing, password spraying and phishing—to gain immediate, low-noise access. Legitimate logins often evade detection, allowing adversaries to dump additional passwords, move laterally, and persist. The author warns that AI is accelerating these techniques and advocates a DAIR (Dynamic Approach to Incident Response) loop, plus clear communication and hands-on training to contain and remediate identity-based intrusions.
read more →

Weaponizing macOS Primitives for Movement and Execution

🔐 Talos demonstrates how adversaries can repurpose legitimate macOS features to achieve remote execution and lateral movement across enterprise fleets. By weaponizing Remote Application Scripting (RAE) and abusing Spotlight Finder comments as a staging area, attackers can bypass static file analysis and traditional SSH-focused telemetry. The research validates multiple native transfer channels—including SMB, netcat, Git, TFTP, and SNMP—and urges defenders to emphasize process lineage, IPC anomalies, and strict MDM controls.
read more →

Identity: The New Foundation of Digital Transformation

🔐 Identity-centric systems have evolved from simple login mechanisms into the operational backbone of digital enterprises. By replacing the old network perimeter with a person- and device-centric model, modern identity frameworks enable fine-grained access control, real-time authorization and auditable accountability across cloud, mobile and distributed workforces. They also power customer personalization and fraud detection, helping teams move faster while reducing operational and security risk.
read more →

Top Techniques Attackers Use to Infiltrate Systems

🔒 Much reporting on cyber risk focuses on AI, but frontline incidents remain grounded in social engineering and identity exploitation. Experts say attackers increasingly abuse legitimate tools — including trojanized RMM clients — and target network security appliances, OAuth flows, and machine identities to bypass defenses. Techniques like ClickFix, phishing, token theft and supply‑chain worms enable lateral movement and ransomware. Defenders should combine user training, RMM allowlists and layered, phishing‑resistant authentication.
read more →

Teams abused for helpdesk impersonation, warns Microsoft

🔒 Microsoft warns that threat actors are increasingly abusing external Microsoft Teams collaboration to impersonate IT or helpdesk staff and gain remote access. Attackers initiate cross-tenant chats to request remote assistance—commonly via Quick Assist—then perform reconnaissance and deploy small payloads into user-writable locations. They abuse trusted, signed applications for execution and use HTTPS-based C2 and tools like Rclone to exfiltrate filtered, high-value data, often blending into normal traffic. Administrators are urged to treat external Teams contacts as untrusted, restrict remote-assistance tools, and limit WinRM usage.
read more →

Attackers Use Microsoft Teams to Impersonate IT Support

🔒 Microsoft warns that attackers are exploiting Microsoft Teams cross-tenant features to impersonate IT helpdesk staff and trick employees into granting remote control. The cross-tenant helpdesk impersonation playbook leverages real-time chats, social engineering, and legitimate remote-support tools so access appears user-approved and avoids typical malware detections. Organizations are urged to tighten external access, restrict support workflows, enforce Zero Trust controls, and improve behavioral monitoring.
read more →

CISOs Evolve into Enterprise Risk and Business Strategists

🔒 Nitin Raina’s move from IT operations to Thoughtworks’ global CISO and global head of enterprise risk illustrates a fast-growing trend: CISOs increasingly lead enterprise risk programs. Since 2020 Raina has built an ERM function that links strategic, operational, and cybersecurity risks through assessments, gap analyses, and controls. Industry reports show most CISOs now share accountability for operational business risk and are responsible for AI governance, making GRC and risk quantification central to executive and board trust.
read more →

Ransomware as Industry: The Business Behind Attacks

🔐 The article argues that modern ransomware operates like an industry, with affiliates, suppliers, marketplaces and subscription services coordinating long before a ransom note appears. It cites the March 2024 Change Healthcare incident and disputes between affiliates and operators to illustrate franchise dynamics. It details technical enablers such as BYOVD EDR killers and emerging AI-assisted tooling, and urges defenders to map actors, tools and supply‑chain exposure rather than treat incidents as isolated break‑ins.
read more →

Apple account alerts abused to deliver phishing lures

📧 Threat actors are exploiting Apple account-change notifications to deliver callback phishing within legitimate emails sent from Apple's infrastructure. They place scam text into the account's first and last name fields, then trigger a shipping-info update so Apple sends the altered notification. Because messages are sent from appleid@id.apple.com and pass SPF, DKIM, and DMARC, they appear authentic and can bypass filters, increasing the risk of successful callback scams.
read more →

Cross‑tenant helpdesk impersonation and exfiltration

🔐 Microsoft Defender Security Research outlines a human-operated intrusion playbook where attackers abuse cross-tenant Microsoft Teams collaboration to impersonate IT/helpdesk staff and socially engineer users into granting remote assistance. With user consent, adversaries gain interactive access via Quick Assist or similar tools, then execute attacker modules by side-loading them into trusted vendor-signed applications. The chain leverages native administrative protocols such as WinRM and commercial RMM tooling to move laterally and stage sensitive business data for exfiltration. Microsoft Defender provides correlated identity, endpoint, and collaboration telemetry to surface and disrupt this pathway.
read more →

Predictive Shielding Halts Domain Compromise and Lateral

🔒 Microsoft describes how Microsoft Defender’s predictive shielding — part of automatic attack disruption — proactively contains exposed high-privilege identities to stop credential abuse and lateral movement. In a June 2025 public sector incident, automated containment prevented attackers from leveraging exposed domain credentials to escalate and pivot across identity and Exchange infrastructure. The feature evaluates exposure signals and applies just-in-time restrictions to block sign-ins, sessions, and interactive pivots while investigators remediate. It’s available out‑of‑the‑box for Defender for Endpoint P2 customers who meet prerequisites.
read more →