Daily Brief
Total articles found: 11762
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-09-09 14:17:40 | thehackernews | CYBERCRIME | Axios and Salty 2FA Elevate Microsoft 365 Phishing Threats | ReliaQuest reports a surge in Axios tool usage, with a 241% increase in flagged activity, facilitating advanced phishing attacks on Microsoft 365 environments. Attackers exploit Microsoft's Direct Send feature to bypass security defenses, achieving a 70% success rate in phishing campaigns targeting finance, healthcare, and manufacturing sectors. Axios is leveraged to intercept and modify HTTP requests, enabling real-time capture of session tokens and MFA codes, complicating traditional security measures. Phishing emails use compensation-themed lures and malicious QR codes to direct users to fake Microsoft Outlook login pages, aiming for credential theft. Advanced evasion tactics include hosting phishing pages on Google Firebase and using geofencing and IP filtering to avoid detection by security tools. Organizations are advised to secure or disable Direct Send, implement anti-spoofing policies, train employees, and block suspicious domains to mitigate risks. The Salty 2FA phishing-as-a-service offering simulates multiple MFA methods, further complicating defenses and illustrating the sophistication of modern phishing operations. |
| 2025-09-09 14:04:09 | bleepingcomputer | VULNERABILITIES | External Attack Surface Management: Proactive Cyber Risk Mitigation Strategy | External Attack Surface Management (EASM) offers continuous monitoring of internet-facing assets to identify and mitigate vulnerabilities before exploitation occurs. EASM provides comprehensive visibility into digital assets, including domains, IP addresses, cloud services, and IoT devices, reducing potential entry points for attackers. Unlike traditional vulnerability scanning, EASM encompasses both known and unknown assets, creating a dynamic map of exposures visible to adversaries. The approach enables security teams to prioritize risk based on context, focusing resources on high-impact vulnerabilities rather than low-severity alerts. EASM fosters enhanced collaboration across IT, security, and DevOps teams through centralized dashboards and standardized reporting. Successful EASM implementation requires strategic planning and offers organizations a proactive defense against evolving cyber threats. By transforming security operations from reactive to proactive, EASM enhances organizational resilience and reduces the likelihood of data breaches. |
| 2025-09-09 13:49:41 | theregister | DATA BREACH | Plex Experiences Third Data Breach; Users Urged to Reset Passwords | Plex has experienced its third data breach in ten years, prompting a password reset advisory for affected users. The breach potentially exposed emails, usernames, and securely hashed passwords, though no credit card data was compromised. Plex assures that accessed passwords were securely hashed, aligning with industry best practices to prevent third-party readability. The company has addressed the breach method and is conducting additional security reviews to enhance system defenses. Users are advised to reset passwords, enable two-factor authentication, and log out of connected devices for added security. Previous breaches in 2015 and 2022 involved similar data types, with the 2015 incident revealing weaknesses in hash implementations. Not all users received breach notifications, indicating a limited scope; Plex has yet to clarify the selection criteria for notifications. Plex's swift detection and response underscore its commitment to improving security and preventing future incidents. |
| 2025-09-09 13:44:02 | bleepingcomputer | VULNERABILITIES | Microsoft Tackles Anti-Spam Bug Impacting Exchange Online and Teams | Microsoft is addressing an anti-spam issue causing Exchange Online and Teams to block legitimate URLs and quarantine emails, affecting user access to essential communications. The problem emerged on September 5th when the anti-spam engine misidentified URLs within other URLs as threats, despite their safety being confirmed. Over 6,000 URLs were initially impacted, prompting Microsoft to deploy a fix to prevent further quarantines and restore mistakenly flagged messages. Microsoft engineers have resolved most issues but continue to address new URL sets affected by the faulty anti-spam models, while conducting a root cause analysis. The company has not specified the number of customers or regions affected, but the issue has been classified as an incident due to its significant user impact. Similar anti-spam issues have occurred throughout the year, with previous incidents involving incorrect spam tagging of Gmail and Adobe emails in Exchange Online. Businesses relying on Microsoft services should remain vigilant and monitor updates as Microsoft works to fully resolve these ongoing anti-spam challenges. |
| 2025-09-09 13:26:25 | bleepingcomputer | VULNERABILITIES | SAP Patches Critical NetWeaver Vulnerabilities Impacting Enterprise Systems | SAP released updates addressing 21 vulnerabilities, including three critical flaws in its NetWeaver software, a core component for enterprise applications like ERP and CRM. The most severe issue, CVE-2025-42944, scored 10 out of 10, involves insecure deserialization, allowing remote command execution through malicious Java objects. Another flaw, CVE-2025-42922, enables attackers with authenticated access to upload arbitrary files, risking full system compromise. CVE-2025-42958, the third critical flaw, permits unauthorized data access and administrative control due to missing authentication checks. Misconfigurations exposing the P4 port could widen attack surfaces, necessitating careful network configuration reviews. SAP advises immediate application of patches and adherence to mitigation strategies to protect against potential exploitation. These vulnerabilities underscore the importance of regular updates and vigilant security practices in safeguarding enterprise environments. |
| 2025-09-09 12:01:29 | thehackernews | MALWARE | RatOn Android Malware Expands with NFC and Banking Fraud Tools | RatOn, an Android malware, has evolved into a sophisticated remote access trojan with NFC relay and Automated Transfer System capabilities, posing a significant threat to financial security. The malware targets cryptocurrency wallet applications such as MetaMask and Trust, enabling account takeovers and unauthorized money transfers, particularly affecting Czech and Slovakian users. RatOn employs fake Play Store listings, masquerading as TikTok 18+, to distribute malicious dropper apps that bypass Android security measures and install the malware. The trojan requests extensive permissions, including device administration and accessibility services, to execute its malicious functions and conduct NFC relay attacks using the Ghost Tap technique. RatOn's ransomware-like features use overlay screens to coerce victims into paying cryptocurrency ransoms, capturing device PIN codes in the process for further exploitation. The malware records sensitive data via a keylogger and exfiltrates it to external servers, enabling unauthorized access to victims' accounts and theft of cryptocurrency assets. The threat actor group initially focused on the Czech Republic, with Slovakia as a potential next target, possibly collaborating with local money mules for automated transfers. |
| 2025-09-09 10:28:32 | thehackernews | MALWARE | Advanced Phishing Campaign Deploys Stealthy MostereRAT Malware | Cybersecurity researchers identified a phishing campaign targeting Japanese users, deploying MostereRAT malware to gain control over systems and exfiltrate sensitive data. The attack uses advanced evasion techniques, including Easy Programming Language (EPL) for payload development and mutual TLS for secure command-and-control communications. MostereRAT disables Windows security mechanisms and blocks network traffic from security programs, complicating detection and analysis. The malware operates with elevated permissions, allowing interference with critical Windows processes and unauthorized modifications to system files. A parallel campaign uses "ClickFix-esque techniques" to distribute MetaStealer, leveraging social engineering to bypass security measures. Attackers employ CSS-based obfuscation and AI manipulation to deliver malicious instructions, exploiting user trust in AI-generated summaries. Organizations are advised to update security solutions and educate users on social engineering dangers to mitigate these evolving threats. |
| 2025-09-09 10:22:21 | theregister | MISCELLANEOUS | HMD Global Launches Secure Smartphone for Government and Critical Sectors | HMD Global introduces HMD Secure, a new business unit focusing on mobile security for European governments and critical sectors, with its first product, the Ivalo XE smartphone. The Ivalo XE is an Android-based 5G smartphone, designed, developed, and manufactured in Europe, targeting security-conscious customers wary of American tech reliance. The device incorporates Qualcomm's Dragonwing Q-6690 chip, offering enterprise-grade processing power, RFID capability, and advanced wireless standards, despite Qualcomm being US-based. Security features include anti-tamper design, dual encryption, secure boot, and a fingerprint reader, with certifications for durability and resilience. HMD Secure provides tailored operating systems and ensures long-term support, spare parts, and security updates for the Ivalo XE until 2032. The smartphone offers modular connectivity options for additional hardware, aiming to deliver a versatile and secure communication tool for high-stakes environments. HMD Global strategically positions itself to capture market share in Europe amid growing concerns over data sovereignty and supply chain transparency. |
| 2025-09-09 10:04:07 | thehackernews | MALWARE | TOR-Based Cryptojacking Campaign Exploits Misconfigured Docker APIs | Akamai researchers identified a cryptojacking campaign leveraging the TOR network to target misconfigured Docker APIs, building on findings from Trend Micro's June 2025 report. The attack involves deploying an XMRig cryptocurrency miner using a TOR domain for anonymity, potentially laying the groundwork for a botnet. Attackers exploit Docker API misconfigurations to execute a container with a Base64-encoded payload, downloading a shell script from a .onion domain. The script modifies SSH configurations for persistence and installs tools for reconnaissance and command-and-control communication. The malware uses Masscan to propagate by scanning for open Docker API services, with future capabilities hinted at for ports 23 and 9222. The campaign underscores the need for organizations to secure Docker APIs, limit service exposure, and enforce strong credential policies to mitigate such threats. |
| 2025-09-09 09:32:42 | theregister | VULNERABILITIES | Risks and Challenges in AI-Driven Code Security Reviews | Anthropic's Claude Code employs AI for automated security reviews, aiming to prevent code deployment without a baseline security check. Checkmarx discovered that while Claude Code identifies simple vulnerabilities, it can miss complex ones, such as remote code execution via Python's pandas library. The AI tool sometimes misclassifies vulnerabilities, as seen when a misleading "sanitize" function was erroneously deemed secure. Executing test cases during reviews can inadvertently introduce risks, especially if malicious code is present in third-party libraries. Developers are advised to heed Claude Code's warnings and apply additional safeguards, such as human confirmation for risky actions and endpoint security measures. The research suggests that AI security reviews need rigorous human oversight to ensure robust application security, given the tool's susceptibility to suggestion and prompt injection issues. |
| 2025-09-09 09:32:42 | thehackernews | MISCELLANEOUS | Shadow AI Agents Pose Growing Risk to Enterprise Security | Shadow AI agents are proliferating within enterprises, operating outside the visibility of traditional security measures, and posing significant risks to organizational security. These agents can be easily deployed by individuals or business units, often without the knowledge or oversight of IT or security teams. The rapid deployment of AI agents is facilitated by identity providers and PaaS platforms, making it challenging for governance to keep pace. A forthcoming panel, "Shadow AI Agents Exposed," will discuss strategies for identifying and controlling these agents to mitigate associated risks. The panel aims to provide actionable insights for improving visibility and control over AI operations within organizations. As shadow AI agents continue to multiply, enterprises must enhance their security frameworks to prevent potential breaches and unauthorized access. Organizations are encouraged to attend the panel to better understand the implications and prepare for future challenges posed by shadow AI. |
| 2025-09-09 08:34:57 | thehackernews | MISCELLANEOUS | Strategies for CISOs to Secure Budget Approval from Boards | Security leaders face challenges in securing budget approval, needing to align cybersecurity with business objectives to gain board support. Gartner reports 88% of boards view cybersecurity as a business risk, yet many CISOs struggle to communicate its value effectively. Translating technical goals into business outcomes, such as revenue protection and compliance, is crucial for gaining board approval. Continuous threat exposure management and automated testing are recommended to identify vulnerabilities and demonstrate proactive risk management. Industry standards like ISO 27001 and NIST can strengthen budget requests by providing a familiar framework for decision-making. Real-world examples and automated security validation can illustrate the business impact of potential breaches and justify investment. Tailoring communication to different audiences, from boards to security teams, helps bridge the gap between technical details and business priorities. Emphasizing security as a business enabler, rather than a cost center, can shift board perspectives and support ongoing investment. |
| 2025-09-09 06:32:40 | theregister | MISCELLANEOUS | UK Online Safety Act Amended to Ban Self-Harm Content | The UK government plans to amend the Online Safety Act, requiring tech firms to proactively prevent self-harm content, marking it as a "priority offence." Newly appointed Science and Technology Minister Liz Kendall emphasized the importance of keeping harmful content off social media to protect families. The amendment aims to shift platform responsibility from reactive removal to proactive prevention, potentially impacting operational processes for tech companies. The Samaritans charity supports the amendment, citing the potential to save lives by reducing exposure to harmful content online. Critics argue the Act may infringe on privacy and grant excessive censorship power, with concerns about its broad application to various online platforms. The law's implementation could affect niche online communities, raising operational challenges for platforms with user-generated content. The new regulations will be enacted three weeks after approval from both Houses of Parliament, intensifying the compliance timeline for affected companies. |
| 2025-09-09 06:14:16 | thehackernews | CYBERCRIME | Major npm Packages Compromised in Cryptocurrency Theft Supply Chain Attack | A phishing attack led to the compromise of multiple npm packages, affecting over 2 billion weekly downloads, by targeting a maintainer's account. The attack involved a phishing email mimicking npm support, tricking the maintainer into providing credentials through an adversary-in-the-middle technique. Malicious code was injected into the packages, designed to intercept and alter cryptocurrency transactions by swapping wallet addresses. The malware operates as a browser-based interceptor, targeting end users with connected wallets visiting sites with compromised code. This incident underscores the vulnerability of package ecosystems like npm and PyPI, frequently targeted due to their extensive reach. Security experts emphasize the need for vigilance, hardening CI/CD pipelines, and securing dependencies to prevent such attacks. The attack reflects a growing trend where adversaries exploit popular open-source packages to infiltrate organizations and steal sensitive information. |
| 2025-09-09 03:38:18 | theregister | MISCELLANEOUS | Signal Introduces Encrypted Storage with Free and Paid Options | Signal now offers 100MB of free encrypted storage for media, with a $1.99/month option for 100GB, enhancing user data management. The storage feature is opt-in, ensuring users maintain control over message retention preferences and can delete messages after a set period. Encrypted storage is backed up with a 64-character key stored on the user's device, inaccessible to Signal, ensuring data privacy. Signal's approach to storage includes padding files with extraneous data to prevent decryption attempts, reinforcing its commitment to user privacy. The storage feature is initially available on Android, with plans to expand to iOS and desktop, supporting cross-platform encrypted message history transfers. As a nonprofit, Signal's introduction of a paid tier helps cover storage costs without resorting to data monetization or advertising. Users should consider how the storage feature impacts message retention, particularly for messages intended to disappear, as this could affect privacy expectations. |