Daily Brief

2025-05-13 14:46:54 bleepingcomputer MISCELLANEOUS Microsoft Extends Office App Support on Windows 10 Until 2028
Microsoft has reversed its decision to terminate support for Office apps on Windows 10, extending it by three years to October 2028. The extension aims to ensure security while users transition to Windows 11, following Windows 10's support end in October 2025. Microsoft 365 applications like Word will still function post-Windows 10 support end but risk performance issues on the unsupported OS. Over half of the global Windows users are still operating on Windows 10, showing resistance to upgrading due to hardware requirements of Windows 11. Office 2016 and Office 2019 will lose extended support in October, pushing users to modernize to Microsoft 365 Apps. Despite the imminent Windows 10 support cut-off, options like Extended Security Updates (ESU) for home users and continued updates for LTSC and LTSB versions are available. Microsoft continues to encourage migrations to Windows 11 with guidance and strategic initiatives like "the year of the Windows 11 PC refresh."
2025-05-13 14:02:36 theregister NATION STATE ACTIVITY UK and US Cyber Agencies Maintain Strong Ties Amid Political Challenges
UK's National Cyber Security Centre (NCSC) confirms strong ongoing relationship with the US's Cybersecurity and Infrastructure Security Agency (CISA), despite political pressures. NCSC leadership reports unchanged collaboration with CISA even after leadership changes and criticism from the Trump administration. Direct engagements and communications between NCSC and CISA leadership remain robust, highlighting a resilient partnership in cybersecurity. Concerns rise over the Trump administration's handling of cybersecurity, including potential budget cuts to CISA and shifts in mission focus. Recent developments raise alarms in the cybersecurity community, including endangered programs like the Common Vulnerabilities and Exposures (CVE) managed by MITRE. Despite political and administrative pressures, both CISA and NCSC commit to continued cross-border cooperation to enhance global cybersecurity defenses. Public statements by US Homeland Security Secretary Kristi Noem at RSA signal strong support for cybersecurity, although broader government actions generate unease.
2025-05-13 14:02:35 bleepingcomputer MISCELLANEOUS Enhancing Red Team Effectiveness with Adversarial Exposure Validation
Traditional red team operations are time-consuming, resource-intensive, and hard to scale due to their reliance on specialized human expertise. Adversarial Exposure Validation (AEV) combines Breach and Attack Simulation (BAS) with Automated Penetration Testing to offer fast, scalable, and continuous offensive security testing. BAS mimics known cyberattacks to test security defenses continuously, while Automated Penetration Testing emulates attacker workflows to identify exploitable vulnerabilities. AEV enables organizations to automate offensive tests, reducing the workload on human red teamers and allowing for frequent security assessments. These methodologies provide ongoing visibility and actionable insights into security exposures, helping organizations prioritize remediation effectively. Frequent and automated testing through AEV mitigates the risk of outdated security postures by ensuring constant readiness against potential attacks. AEV serves as a force multiplier for red teams, amplifying their capability to test and secure environments without additional manual effort.
2025-05-13 13:38:47 bleepingcomputer CYBERCRIME M&S Hit by Ransomware, Customer Data Stolen in Cyberattack
Marks and Spencer (M&S) suffered a ransomware attack on April 22, 2025, leading to encrypted servers and stolen customer data. Attackers used DragonForce ransomware and Scattered Spider tactics to penetrate M&S's network, encrypting VMware ESXi virtual machines. The cyberattack disrupted operations across 1,400 stores and halted online orders. The stolen customer data did not include usable payment details or account passwords, though sensitive personal information was compromised. M&S CEO Stuart Machin reassured customers that there was no immediate need for action, as there is no evidence the stolen data has been shared. As a precaution, all M&S customers will be prompted to reset their passwords on their next login. M&S nevertheless urged customers to stay vigilant against phishing attempts disguised as communications from M&S. An FAQ page on the M&S website outlines the specifics of the exposed data and advises customers on precautionary measures.
2025-05-13 11:03:34 thehackernews MALWARE North Korean Konni APT Executes Malware Campaign Against Ukraine
North Korean threat group Konni APT, also known as TA406, targets Ukrainian government entities to gather intelligence on Russia’s invasion tactics. The hacking group, operational since at least 2014, has historically focused on entities in South Korea, the U.S., and Russia. Konni APT employed phishing emails feigning affiliation with a non-existent think tank to distribute malware via a password-protected RAR file containing a deceptive CHM file. Interaction with the content triggers a PowerShell command to download further malware capable of system reconnaissance and data exfiltration. Additional attack methods noted by Proofpoint include HTML files sent as email attachments leading to the download of a ZIP archive with malware. Konni APT also engaged in credential harvesting using fake security alerts, preceding their malware deployment campaigns. The threat actor's broader strategy includes collecting strategic intelligence rather than tactical battlefield information, contrasting with other groups linked to Russia. The campaign highlights continued North Korean interest in sophisticated, politically driven cyber espionage tactics targeting not just Ukraine, but also regions pivotal to North Korean geopolitical interests, such as South Korea.
2025-05-13 11:03:34 thehackernews CYBERCRIME Combating AI-Powered Deepfake Risks in Business Communications
The cybersecurity landscape is changing due to generative AI, enabling attackers to execute large-scale social engineering by impersonating trusted figures. Deepfakes are rapidly evolving, making it difficult to rely on traditional detection methods such as user training or AI analysis for distinguishing genuine from fake interactions. Recent trends indicate that AI impersonation attacks have become a significant threat vector, necessitating a shift from detection to prevention. To establish a robust defense, the establishment of provable, real-time trust rather than mere detection or assumption is critical. Prevention strategies advocate creating conditions that make impersonation fundamentally impossible to enhance security in sensitive communications. Beyond Identity has introduced 'RealityCheck', a tool for Zoom and Microsoft Teams, that uses cryptographic device authentication and continuous risk assessment to ensure verified identity badges for participants. Beyond Identity will be demonstrating the capabilities of RealityCheck in an upcoming webinar, focusing on eliminating deepfake threats in collaboration environments.
2025-05-13 10:46:43 theregister DATA BREACH Marks & Spencer Suffers Data Breach, Market Cap Takes Major Hit
Marks & Spencer confirmed the theft of customer data following a cyberattack, raising suspicions of a ransomware incident. The compromised data includes names, dates of birth, contact details, and online order histories, but not payment details or passwords. Since the breach on April 22, M&S has alerted customers, advising no immediate action but recommending password resets on next site visit. The breach led to operational disruptions, including shutdowns of online services and app orders, as well as in-store returns and widespread stock shortages. Share prices fell significantly, resulting in a loss of over £1 billion in market value. Cybersecurity experts warn that the stolen data might be used for phishing attacks or sold on the dark web, urging vigilance among customers. Competing British retailers, including Co-op and Harrods, have also faced similar cybersecurity issues around the same time.
2025-05-13 10:04:22 theregister NATION STATE ACTIVITY EU Launches Security Database Amid US CVE Program Uncertainty
The European Union fully launched the European Vulnerability Database (EUVD) as a proactive measure against security threats, at a moment of uncertainty around US vulnerability tracking. The EUVD offers timely updates and transparency on exploited and critical vulnerabilities, presented through easily navigable dashboard views. The launch lands as the US vulnerability tracking ecosystem faces budget cuts and operational challenges, including a near-lapse in funding and confusion over program continuation. The EUVD is designed to provide a comprehensive source of mitigation measures for affected ICT products and aims to improve overall vulnerability management. Separately, the US CISA has changed how it publicly announces newly exploited vulnerabilities, moving from website alerts to email and RSS feeds. ENISA, itself a CVE Numbering Authority, coordinates closely with MITRE to understand the impact of funding changes on the US CVE program and to ensure continued collaboration. The EUVD was developed under the EU's Network and Information Security 2 (NIS2) Directive, highlighting the bloc's prioritization of robust cybersecurity infrastructure.
2025-05-13 07:31:19 theregister NATION STATE ACTIVITY Turkish-Linked Group Infiltrates Kurdish Military Via App Flaw
Turkish espionage threat group, dubbed Marbled Dust, exploited a zero-day vulnerability in the messaging app Output Messenger to spy on the Kurdish military in Iraq. Microsoft's threat intelligence unit uncovered these attacks, which started in April 2024, utilizing CVE-2025-27920, a directory traversal flaw in Output Messenger. The attacks targeted governmental and military operations, aligning with Turkish interests against the formation of a Kurdish state. Srimax, the developer of Output Messenger, released a patch in December, but not all installations were updated in time to prevent exploitation. Marbled Dust, also known by names such as Sea Turtle and UNC1326, historically targeted entities through DNS hijacking and exploiting known vulnerabilities. This new campaign shows a heightened technical sophistication from the group, potentially indicating escalated operational objectives or urgency. Microsoft and Srimax strongly advise users to update their Output Messenger to the latest version to protect against similar security breaches.
2025-05-13 06:41:10 thehackernews CYBERCRIME Moldovan Arrest in €4.5M Dutch Research Agency Ransomware Case
Moldovan authorities arrested a 45-year-old suspect linked to ransomware attacks on Dutch companies, including a €4.5 million incident. The 2021 attack targeted the Netherlands Organization for Scientific Research (NWO), compromising internal documents. During the arrest, police seized €84,000 in cash, an electronic wallet, laptops, a mobile device, and multiple storage devices and memory cards. The attacks were attributed to the ransomware group DoppelPaymer, known for using tactics and ransom notes similar to BitPaymer's. Germany and Ukraine recently targeted key members of DoppelPaymer, issuing arrest warrants for three individuals believed to be the group's masterminds. The suspect, whose identity is undisclosed, was the subject of international warrants for cybercrimes including blackmail and money laundering.
2025-05-13 05:13:18 thehackernews NATION STATE ACTIVITY Türkiye-backed Hackers Use Zero-Day to Target Kurdish Servers
A threat group, known as Marbled Dust and affiliated with Türkiye, exploited a zero-day vulnerability in Output Messenger to infiltrate Kurdish military servers in Iraq. The Microsoft Threat Intelligence team identified this cyber espionage campaign, indicating it began in April 2024. The vulnerability exploited was a directory traversal flaw in Output Messenger (CVE-2025-27920), allowing remote arbitrary file access or execution. Attackers initiated the campaign by gaining authenticated access, possibly through DNS hijacking or typosquatted domains, and later collected credentials to deploy Golang backdoors. Marbled Dust deployed malware named "OM.vbs" and "OMServerService.vbs/exe" that communicated with a command-and-control domain for data exfiltration. Microsoft observed specific techniques demonstrating increased technical sophistication of the threat group including the use of the aforementioned zero-day. The security flaw has been patched by Srimax in version 2.0.63 of Output Messenger as of late December 2024, but there was no prior acknowledgment of the flaw being exploited. Microsoft also detected an XSS vulnerability (CVE-2025-27921) in the same application version, though no exploitation evidence was found for this flaw.
2025-05-12 22:11:49 theregister MISCELLANEOUS Extended Security Updates for M365 Apps on Windows 10 Until 2028
Microsoft will continue providing security updates for Microsoft 365 (M365) apps on Windows 10 until October 10, 2028, even though Windows 10 support ends on October 14, 2025. Users can purchase an extended support package for Windows 10, but Microsoft emphasizes migration to Windows 11. If an M365 app issue on Windows 10 does not reproduce on Windows 11, users will be told to upgrade operating systems to receive further support. Technical support for M365 apps on Windows 10 will be limited: troubleshooting assistance will remain available, but there will be no option to log bugs or request additional product updates. Resistance to Windows 11 is notable among users because of its demanding hardware requirements, causing challenges for consumers and corporate IT managers alike. Surface devices, including early Surface Book models and Surface Pro versions 1 through 5, are not compatible with Windows 11. Despite Windows 11's release nearly four years ago, Windows 10 retains the larger global market share, with Windows 11 only slightly behind.
2025-05-12 21:31:58 bleepingcomputer MALWARE Critical ASUS DriverHub Flaw Enabled Remote Code Execution
ASUS DriverHub, a driver management utility, was found to contain a critical remote code execution vulnerability. Independent cybersecurity researcher Paul (aka "MrBruh") discovered the flaw, which involved weak validation of commands sent to the utility's local service, allowing a malicious website to interact with it. The weaknesses were in how the tool validated the Origin header and how it processed requests to its "UpdateApp" endpoint. Attackers could chain these flaws to execute code remotely by tricking a user into visiting a crafted website. By spoofing the Origin header, a hostile site could command DriverHub to download and silently run a payload delivered alongside a legitimate ASUS-signed file. ASUS addressed the flaws following the researcher's report and issued an important software update to mitigate the risk. The update is crucial for users of ASUS motherboards on which DriverHub is pre-installed; there was no indication of these vulnerabilities being exploited in the wild.
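The summary above describes an Origin check that a crafted site could satisfy. The following is an added example, not DriverHub's or ASUS's code: a minimal model of a localhost service endpoint with an assumed weak Origin check (a substring match, which a lookalike origin such as a subdomain of an attacker-controlled domain passes) beside a strict check that accepts only an exact scheme-plus-host allowlist entry. The allowlist entry, the lookalike origin and the endpoint name are hypothetical.

```python
"""Weak vs. strict Origin validation for a localhost HTTP service.

Added example; not ASUS DriverHub's code. Assumptions: the service trusts
exactly one browser origin, and the weak implementation accepted any Origin
value that merely *contained* the trusted host name.
"""
from typing import Callable, Optional
from urllib.parse import urlsplit

# Hypothetical allowlist: scheme and host, no path, no trailing slash.
TRUSTED_ORIGINS = {"https://driverhub.asus.com"}


def origin_allowed_weak(origin: Optional[str]) -> bool:
    """Assumed weak pattern: substring match on the trusted host name.

    'https://driverhub.asus.com.attacker.example' contains the trusted
    host as a substring and is therefore accepted.
    """
    return origin is not None and "driverhub.asus.com" in origin


def origin_allowed_strict(origin: Optional[str]) -> bool:
    """Exact match of scheme://host[:port] against the allowlist.

    Rejects a missing header, the literal 'null' origin, a different scheme,
    any path/query/fragment, userinfo tricks ('trusted@evil'), and any host
    that is not byte-for-byte the trusted one (after lower-casing).
    """
    if not origin:
        return False
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.netloc:
        return False
    if parts.path or parts.query or parts.fragment:
        return False
    if "@" in parts.netloc:          # userinfo is never part of a browser Origin
        return False
    return f"{parts.scheme}://{parts.netloc.lower()}" in TRUSTED_ORIGINS


def handle_update_app(headers: dict, check: Callable[[Optional[str]], bool]) -> str:
    """Model of a privileged local endpoint (hypothetical name 'UpdateApp').

    Returns 'download' if the request would be honoured and 'rejected'
    otherwise. The Origin check is the only gate, which is exactly why it
    must be exact rather than a substring test.
    """
    origin = headers.get("Origin")
    if not check(origin):
        return "rejected"
    return "download"


if __name__ == "__main__":
    # Constructed request headers from a lookalike site (hypothetical domain).
    lookalike = {"Origin": "https://driverhub.asus.com.attacker.example"}
    print("weak  :", handle_update_app(lookalike, origin_allowed_weak))    # download
    print("strict:", handle_update_app(lookalike, origin_allowed_strict))  # rejected
```

Origin validation alone is not sufficient for an endpoint that fetches and executes a file: the hardened service should also restrict the download location to a fixed host, verify the file's signature against the expected publisher and file identity, and refuse to run a signed installer in a directory the caller controls.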
2025-05-12 19:10:47 theregister MISCELLANEOUS CISA Shifts Updates to Email and X, Restricts Website for Urgent Alerts
The US Cybersecurity and Infrastructure Security Agency (CISA) has modified its communication channels: routine cyber alerts will no longer appear on its website but will be distributed via email, RSS feeds, and X (formerly Twitter). The website will now focus strictly on emerging threats and significant cybersecurity activity so that these critical updates receive appropriate attention. CISA's stated motivation is to make urgent information more accessible and to prioritize it over routine updates. Staff reductions at CISA began in March, and President Trump's proposed 2026 budget would cut the agency's funding by 17%. Former CISA chief Jen Easterly criticized the cuts, pointing to global cyber threats including those from the Chinese People's Liberation Army and warning that they would weaken America's cyber defense capability. Other US government agencies are also centralizing their updates on X, with the National Transportation Safety Board and the Social Security Administration moving communications to the platform, indicating a broader shift in how government information is disseminated.
2025-05-12 18:49:19 theregister MISCELLANEOUS Enhancing IT Security Through Aggregate Asset Management
Aggregating IT asset inventory from multiple tools provides a more complete picture of an organization's security posture, revealing critical gaps that isolated tool reports miss. Typical organizations deploy numerous security tools that operate in silos, often producing fragmented and contradictory asset reports. Manually correlating control inventories is lengthy and error-prone, and discrepancies frequently surface only when the data is consolidated and analyzed. A unified view of IT assets exposes blind spots and overlaps in the control environment, improving operational efficiency and security coverage. Aggregation helps ensure that critical controls such as endpoint detection and response (EDR) and mobile device management (MDM) are consistently applied across all assets, revealing misconfigurations and unprotected devices. This visibility lets teams address exposures before they are exploited. Accurate asset management also supports better justification and optimization of investment in security tools, ensuring that every part of the IT estate is adequately protected. Complete asset inventory aggregation is essential for facing the complexities of modern IT environments, enhancing tool integration, and closing security gaps.
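The summary above argues that tool-by-tool inventories disagree and that only a merged view shows which assets lack a control. The following is an added example, not code from the article or any vendor, using constructed inventories (hypothetical hostnames) from four tools that each name hosts differently. It normalizes the names, merges them, and reports both the per-tool counts that contradict each other and the assets missing a required control or unknown to the CMDB.

```python
"""Merge asset inventories from several tools and report coverage gaps.

Added example; constructed sample data with hypothetical hostnames.
Assumption: tools identify the same host by hostname, differing only in
case and whether the domain suffix is present. Real deployments usually
need a stronger join key (serial number, MAC, agent ID), but the
gap-finding logic is the same.
"""
from typing import Dict, List, Set

# Constructed inventories. Each tool sees a different slice of the estate
# and formats names differently (upper-case, short names, FQDNs).
INVENTORIES: Dict[str, List[str]] = {
    "cmdb": ["ws-0101.corp.example", "ws-0102.corp.example",
             "srv-db01.corp.example", "lt-0040.corp.example"],
    "edr":  ["WS-0101", "srv-db01.corp.example", "lt-0040"],
    "mdm":  ["lt-0040.corp.example", "lt-0077.corp.example"],
    "vuln": ["ws-0101.corp.example", "ws-0102.corp.example",
             "srv-db01.corp.example", "srv-db02.corp.example"],
}


def normalize(name: str) -> str:
    """Canonical join key: lower-case short hostname without domain suffix."""
    return name.strip().lower().split(".")[0]


def aggregate(inventories: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Map each canonical asset name to the set of tools that report it."""
    seen: Dict[str, Set[str]] = {}
    for tool, names in inventories.items():
        for raw in names:
            seen.setdefault(normalize(raw), set()).add(tool)
    return seen


def per_tool_counts(inventories: Dict[str, List[str]]) -> Dict[str, int]:
    """The numbers each tool would report on its own dashboard."""
    return {tool: len(set(normalize(n) for n in names))
            for tool, names in inventories.items()}


def coverage_gaps(aggregated: Dict[str, Set[str]],
                  required: Set[str]) -> Dict[str, List[str]]:
    """Assets that are missing at least one required control (tool name)."""
    return {asset: sorted(required - tools)
            for asset, tools in aggregated.items()
            if required - tools}


def unknown_to_cmdb(aggregated: Dict[str, Set[str]]) -> List[str]:
    """Assets some tool sees but the system of record does not ('shadow' assets)."""
    return sorted(asset for asset, tools in aggregated.items() if "cmdb" not in tools)


if __name__ == "__main__":
    merged = aggregate(INVENTORIES)
    print("per-tool counts :", per_tool_counts(INVENTORIES))  # 4, 3, 2, 4 ...
    print("unified count   :", len(merged))                    # ... but 6 unique assets
    print("missing EDR     :", coverage_gaps(merged, {"edr"}))
    print("not in CMDB     :", unknown_to_cmdb(merged))
```

The per-tool counts (4, 3, 2 and 4) are each internally consistent yet none equals the six unique assets of the merged view, which is the contradiction the article describes; the gap report then names the specific hosts without EDR and the two that the CMDB has never heard of.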