Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12732
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-06-26 13:01:59 | bleepingcomputer | CYBERCRIME | Phishing Campaign Exploits Microsoft 365 Direct Send Feature | An ongoing phishing campaign is abusing the "Direct Send" feature of Microsoft 365, which lets devices such as printers and scanners submit mail to a tenant's smart host without authenticating.<br>Varonis' Managed Data Detection and Response (MDDR) team discovered the campaign, which has targeted more than 70 organizations across various industries, primarily in the United States.<br>Attackers use PowerShell to submit messages that appear to come from internal senders; because the mail is accepted by the tenant's own smart host, it is handled as internal traffic even though it fails SPF, DKIM and DMARC checks.<br>The phishing emails typically mimic voicemail or fax notifications and carry PDF attachments that instruct recipients to scan a QR code leading to a credential-harvesting page for Microsoft logins.<br>Microsoft has introduced a "Reject Direct Send" tenant setting (Set-OrganizationConfig -RejectDirectSend $true in Exchange Online PowerShell) to block such submissions, and Varonis recommends strict email authentication policies (including a DMARC reject policy) and employee training.<br>The use of branded PDFs and QR codes instead of direct links makes the messages harder to detect and block. | Details |
| 2025-06-26 12:05:20 | theregister | CYBERCRIME | Glasgow City Council Disrupted by Cyberattack Amid Data Theft Concerns | Glasgow City Council's digital services were crippled following a cyberattack on June 19, 2025, traced to a supply-chain compromise at a supplier of the council's third-party IT contractor.<br>Although data theft has not been confirmed, the council is operating on the assumption that data may have been stolen.<br>The attack disrupted numerous digital services, including online forms, calendars, and resident portals for planning, parking, pensions, and registrar appointments.<br>No financial systems were compromised and banking data is considered secure; however, access to many services remains restricted as a precaution.<br>An investigation is underway in coordination with Police Scotland, the Scottish Cyber Coordination Centre (SC3), and the National Cyber Security Centre.<br>The council has notified the UK's data protection watchdog, the ICO, because customer data submitted through web forms may have been exposed.<br>Residents have been advised to be vigilant against phishing and to report suspicious contact, especially requests for sensitive personal information.<br>The incident adds to a series of public sector cyber disruptions across the UK, with recent attacks also affecting West Lothian Council and Oxford City Council. | Details |
| 2025-06-26 11:05:07 | theregister | CYBERCRIME | Ransomware Attack on NHS Supplier Linked to Patient Death | The NHS has confirmed that a patient died as a result of delays caused by the June 2024 ransomware attack on Synnovis, a pathology services provider.<br>The attack caused significant disruption across multiple NHS trusts and led to thousands of cancelled appointments and procedures.<br>An investigation found that a long wait for a critical blood test result was a contributing factor in the patient's death.<br>In total, 170 patients experienced some degree of harm as a result of the attack, most of it classified as "low harm."<br>Synnovis' CEO expressed condolences and acknowledged the cyberattack as a contributing factor in the fatal incident.<br>Earlier cases and research have suggested that ransomware disruption in healthcare can be fatal, though the exact impact is disputed.<br>The Qilin ransomware group, which has a record of targeting healthcare organizations, claimed responsibility for this and similar attacks worldwide.<br>The incident has highlighted persistent weaknesses in healthcare cybersecurity and prompted calls for stronger protection of clinical suppliers. | Details |
| 2025-06-26 11:05:07 | thehackernews | MISCELLANEOUS | The Increasing Challenges of SaaS Data Resilience and Protection | SaaS platforms, while advantageous for business operations and collaboration, do not provide comprehensive data protection and rely on a shared responsibility model under which backup and recovery of the customer's data remain the customer's job.<br>Traditional data protection strategies applied to SaaS are often outdated or simplistic and fail to provide resilience against accidental deletions and misconfigurations caused by human error.<br>Compliance pressure is growing under frameworks such as GDPR and HIPAA, which call for data management controls beyond native SaaS capabilities.<br>Data loss incidents affect more than IT: customer service, revenue and stakeholder trust suffer, and recovery is often cumbersome and slow.<br>The internal threat surface is widening as distributed teams and complex access permissions increase exposure of enterprise data.<br>External threats continue to evolve, exploiting SaaS weaknesses and causing substantial downtime and financial loss.<br>Speed of recovery from disruptions such as ransomware or natural disasters determines how well a business weathers a crisis.<br>Building modern data resilience requires a proactive mindset and platforms designed for robust data protection and management, such as Veeam Data Cloud. | Details |
| 2025-06-26 09:19:29 | theregister | MISCELLANEOUS | UK Buys 12 New F-35A Jets Incompatible with RAF Tankers | The UK is buying 12 F-35A fighters, a variant that can carry nuclear weapons, to strengthen NATO's deterrent.<br>The F-35A refuels through a flying boom, which the RAF's Voyager tankers (probe-and-drogue only) cannot provide, so operations will depend on allied tanker support.<br>Unlike the F-35B, which can operate from the Royal Navy's carriers, the F-35A needs conventional runways.<br>The F-35A's greater range and internal fuel capacity compared with the F-35B make it better suited to extended training and operational missions.<br>The Ministry of Defence has faced criticism and unanswered questions about procurement details and the rationale for choosing F-35As over additional F-35Bs.<br>Current plans have the jets serving primarily in training roles, with their nuclear capability a secondary function.<br>Critics argue the purchase may be a stopgap pending the next-generation Tempest fighter, which promises greater range and payload. | Details |
| 2025-06-26 08:48:46 | thehackernews | NATION STATE ACTIVITY | Iranian Hackers Use AI for Phishing Attacks on Israeli Experts | The Iranian group APT35 (also tracked as Charming Kitten and Educated Manticore), linked to the Islamic Revolutionary Guard Corps, is targeting Israeli technology professionals and academics with tailored phishing.<br>Victims are approached by email and WhatsApp and steered to fake Gmail and Google Meet login pages.<br>Check Point attributes the activity to Educated Manticore and notes that the lures appear to be AI-generated and play on current geopolitical tensions.<br>The phishing kit is a React-based single-page application that exfiltrates entered data in real time over WebSocket connections and includes a passive keylogger.<br>Attackers build rapport with targets over time before sending the malicious links, which are designed to harvest credentials and defeat two-factor authentication by relaying codes in real time.<br>The fake sites closely mimic legitimate Google pages, making the credential theft more convincing.<br>Active since mid-June 2025, the campaign reflects intensified cyber activity following the escalation in Iran-Israel tensions.<br>Check Point stresses the persistence and adaptability of Educated Manticore despite repeated takedowns of its infrastructure. | Details |
| 2025-06-26 08:39:54 | bleepingcomputer | CYBERCRIME | Critical Vulnerability in AMI MegaRAC Exploited, Servers at Risk | The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed active exploitation of a critical vulnerability in AMI's MegaRAC BMC firmware, which provides out-of-band remote management of servers.<br>The flaw, CVE-2024-54085, lets unauthenticated remote attackers bypass BMC authentication, take control of the server, deploy malware or tamper with firmware, and potentially cause physical damage to components.<br>It affects hardware from several server vendors, including HPE, Asus and ASRock, and therefore cloud providers and data centers worldwide.<br>Eclypsium found the bug while analyzing patches for an earlier MegaRAC issue and noted that exploit development is relatively easy because the firmware binaries are not encrypted.<br>More than 1,000 servers were found potentially exposed online in March, when AMI released patches.<br>CISA has added the bug to its Known Exploited Vulnerabilities catalog and requires Federal Civilian Executive Branch agencies to patch within three weeks.<br>Although the directive binds only federal agencies, CISA urges all defenders to prioritize patching; BMC management interfaces should in any case never be reachable from the internet. | Details |
| 2025-06-26 08:33:04 | theregister | MISCELLANEOUS | Supermarket Chain Implements Facial Recognition to Deter Crime | Iceland, a UK frozen food retailer, is trialing facial recognition technology (FRT) in stores to reduce crime.<br>The system, supplied by Facewatch, is running at two pilot locations, with plans to expand.<br>FRT matches shoppers' faces against a database of people suspected of previous offences at participating stores.<br>If a face does not match, the captured image is deleted to protect shoppers' privacy.<br>Iceland's CEO, Richard Walker, defends the deployment, citing organized retail crime and the need to protect store staff.<br>Privacy groups object that FRT infringes personal privacy and treats every customer as a suspect.<br>The Information Commissioner's Office advises that FRT use must be proportionate, respect privacy rights and comply with data protection law.<br>Reported cases of mistaken identity and mishandled personal data raise questions about how the technology is deployed and overseen. | Details |
| 2025-06-26 07:52:56 | theregister | NATION STATE ACTIVITY | Iranian Cyber Group Targets Israeli Experts in Phishing Scam | The Iranian group Charming Kitten has launched a spear-phishing campaign against Israeli journalists, cybersecurity experts and computer science professors.<br>The campaign, attributed to Iran's Islamic Revolutionary Guard Corps, began after Israel's air strikes on Iran.<br>More than 130 unique domains were registered for the campaign, many tailored to an individual target, all aimed at stealing credentials.<br>Messages sent by email and WhatsApp impersonated analysts from Israeli cybersecurity firms and discussed topics such as cyberthreats to energy infrastructure.<br>Some messages proposed in-person meetings to discuss cybersecurity strategy, suggesting the threat could extend beyond cyberspace.<br>Phishing pages mimicked Gmail logins and Google Meet invitations to capture credentials and enable full account takeover.<br>Check Point Research has published the full list of domains and other indicators of compromise in its report. | Details |
| 2025-06-26 07:20:13 | thehackernews | CYBERCRIME | Cyber Attacks Target African Banks Using Open-Source Tools | Researchers have identified an ongoing series of intrusions at financial institutions across Africa dating back to July 2023.<br>The attackers rely on a mix of open-source and publicly available tools to gain initial access, which they may then sell on dark web forums in the manner of an initial access broker.<br>Palo Alto Networks' Unit 42, which tracks the activity as CL-CRI-1014, assesses the motive to be criminal.<br>The tooling includes PoshC2 for command and control, Chisel for tunneling, and Classroom Spy for remote administration, often disguised as legitimate software such as Microsoft Teams.<br>The initial access vector is unknown, but post-compromise activity involves deploying further malware, stealing credentials and taking control of machines across the network.<br>Similar earlier activity includes the DangerousSavanna campaign against financial institutions in several other African countries.<br>Separately, a new ransomware group, Dire Wolf, has emerged and hit organizations across multiple sectors and countries. | Details |
| 2025-06-26 06:05:15 | thehackernews | CYBERCRIME | CISA Updates KEV Catalog with Three Newly Exploited Vulnerabilities | CISA added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in products from AMI (MegaRAC), D-Link and Fortinet.<br>The AMI MegaRAC flaw (CVE-2024-54085), disclosed by Eclypsium, allows malware deployment, firmware tampering and other malicious activity on affected BMCs.<br>D-Link DIR-859 routers reached end of life in December 2020 and will not receive a patch, so users remain exposed.<br>CVE-2024-0769, a path traversal in the DIR-859, has been used in attacks to extract account names and passwords.<br>CVE-2019-6693, a hard-coded credential flaw in Fortinet's FortiOS, has been used by Akira ransomware operators for initial access.<br>Federal agencies must apply mitigations by July 16, 2025 under the binding directive. | Details |
| 2025-06-26 04:41:24 | thehackernews | MISCELLANEOUS | WhatsApp Introduces AI-Powered Message Summaries in the US | WhatsApp has launched Message Summaries, an AI feature that gives users a quick overview of unread messages.<br>The feature uses Meta AI, is initially available in English to U.S. users, and is planned to expand to other languages and countries.<br>Message Summaries is optional and off by default; it can be enabled, and restricted per chat, through the "Advanced Chat Privacy" settings.<br>It is built on Private Processing, Meta's infrastructure for running AI on message content without exposing it to third parties or to Meta itself.<br>Private Processing runs inside a confidential virtual machine (CVM) acting as a Trusted Execution Environment (TEE); the device connects through a third-party Oblivious HTTP (OHTTP) relay, which hides its IP address from Meta, and checks the enclave's remote attestation before sending any message content.<br>As a result, WhatsApp and Meta cannot read the messages being summarized.<br>The launch comes amid heightened scrutiny of the app, including the U.S. House of Representatives' ban on WhatsApp for government-issued devices. | Details |
| 2025-06-25 23:57:59 | bleepingcomputer | CYBERCRIME | British Hacker Charged for $25M Global Cybercrime Damages | British national Kai West, alleged to be the hacker known as "IntelBroker," has been charged in the U.S. with cybercrimes said to have caused $25 million in damages.<br>West allegedly stole and sold sensitive data from government agencies, companies and critical infrastructure operators around the world.<br>The stolen data included health records, telecommunications data and internal files from cybersecurity firms, among others.<br>Breaches attributed to IntelBroker include those of Europol, General Electric and AMD.<br>The U.S. Department of Justice says the activity affected dozens of victims; the charges carry a combined maximum sentence of 25 years.<br>Investigators confirmed West's identity after an undercover FBI agent bought a stolen API key from him, which allowed his financial transactions to be traced.<br>The FBI tied West to the IntelBroker persona through digital and physical evidence, including invoices and a UK driver's license.<br>IntelBroker held administrative roles on the BreachForums hacking forum before stepping down recently. | Details |
| 2025-06-25 22:00:32 | bleepingcomputer | MALWARE | Hackers Exploit ScreenConnect with Malware Using Authenticode Stuffing | Threat actors are distributing ConnectWise ScreenConnect installers whose attribute certificate table has been modified so that they act as signed remote access malware.<br>The malicious configuration is stored inside the Authenticode certificate table, which the Authenticode hash does not cover, so the executable's digital signature remains valid.<br>G DATA researchers identified the binaries after noticing that samples differed only in their certificate tables: their file hashes differ, but their Authenticode hashes are identical.<br>Victims were lured through phishing PDFs or links on Canva that led to the malicious executable hosted on Cloudflare R2 storage.<br>The trojanized ScreenConnect client was configured with deceptive UI elements, such as a fake Windows Update screen, to keep victims from noticing the remote session.<br>ConnectWise revoked the abused certificates after being contacted by G DATA, which detects the malware as Win32.Backdoor.EvilConwi.* and Win32.Riskware.SilentConwi.*.<br>A similar case involved trojanized SonicWall NetExtender VPN clients built to steal login credentials.<br>ScreenConnect and SonicWall users are urged to download software only from official sources; a valid Authenticode signature alone does not prove an installer is untampered. | Details |
| 2025-06-25 21:12:29 | theregister | CYBERCRIME | Citrix Issues Urgent Patches for Two Critical Vulnerabilities | Citrix has released emergency patches for two critical vulnerabilities in NetScaler ADC and NetScaler Gateway, one of which was exploited as a zero-day.<br>The newer flaw, CVE-2025-6543 (CVSS 9.2), is a memory overflow that can lead to unintended control flow and denial of service.<br>It was exploited before fixes were available, and the observed activity resulted in unauthorized access, indicating outcomes beyond simple denial of service.<br>Security experts warn that patching does not remove web shells or other backdoors planted during the exploitation window, so exposed appliances should be examined for compromise.<br>The earlier flaw, CVE-2025-5777, is also critical and lets unauthenticated attackers read memory that can contain session tokens and other sensitive data.<br>Charles Carmakal of Mandiant Consulting stressed that patching alone is insufficient: active sessions must also be terminated so that stolen tokens cannot be replayed, a lesson from earlier NetScaler exploitation that ended in espionage and ransomware.<br>Citrix has been slow to answer questions about the specifics of the exploitation, the extent of compromise, and what steps beyond patching are required. | Details |
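A header-level check for the pattern the Direct Send item at the top of the table describes: mail that presents one of the organization's own domains as the sender yet failed SPF, DKIM and DMARC, because it was submitted unauthenticated to the tenant's smart host. The "Reject Direct Send" tenant setting is the actual fix; this is the complementary detection a mail admin can run over message headers. It is an added example, not Varonis' detection logic or any Microsoft tooling. The tenant domain `contoso.example`, the Exchange Online style `Authentication-Results` header values and the three sample messages are constructed for the demo.

```python
"""Flag delivered mail that claims an internal sender yet failed SPF, DKIM and
DMARC: the signature of unauthenticated Direct Send submissions.
Constructed demo; the tenant domain, headers and messages are made up."""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAINS = {"contoso.example"}   # assumption: the tenant's accepted domains


def parse_authentication_results(header: str) -> dict:
    """Parse an Exchange Online style Authentication-Results value such as
    'spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=x; dkim=none (...) header.d=none;
    dmarc=fail action=oreject header.from=x;compauth=fail reason=000'
    into {'spf': 'fail', 'dkim': 'none', 'dmarc': 'fail', 'compauth': 'fail'}.
    A leading RFC 8601 authserv-id clause (no '=') is skipped."""
    results = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens and "=" in tokens[0]:
            method, _, verdict = tokens[0].partition("=")
            results[method.lower()] = verdict.lower()
    return results


def sender_domain(msg) -> str:
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_suspected_direct_send_spoof(raw: str) -> bool:
    """True when From: carries one of our own domains but no authentication
    method passed. External senders are left to the normal DMARC policy, so
    this isolates only the internal-looking spoof."""
    msg = message_from_string(raw)
    if sender_domain(msg) not in ORG_DOMAINS:
        return False
    auth = parse_authentication_results(msg.get("Authentication-Results", ""))
    return not any(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))


def triage(raw_messages) -> list:
    """Subjects of the messages that should be quarantined or reviewed."""
    return [message_from_string(r)["Subject"] for r in raw_messages
            if is_suspected_direct_send_spoof(r)]


# Constructed samples. SPOOFED is what a Direct Send phish looks like after
# Exchange Online Protection has evaluated it: internal From, every check failed.
SPOOFED = """\
From: "Voicemail Service" <voicemail@contoso.example>
To: alice@contoso.example
Subject: New voicemail (00:37)
Authentication-Results: spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=contoso.example; dkim=none (message not signed) header.d=none;dmarc=fail action=oreject header.from=contoso.example;compauth=fail reason=000

A new voicemail is attached. Scan the QR code in the PDF to listen.
"""
LEGIT = """\
From: Bob <bob@contoso.example>
To: alice@contoso.example
Subject: Lunch?
Authentication-Results: spf=pass (sender IP is 198.51.100.7) smtp.mailfrom=contoso.example; dkim=pass (signature was verified) header.d=contoso.example;dmarc=pass action=none header.from=contoso.example;compauth=pass reason=100

Noon at the usual place?
"""
EXTERNAL = """\
From: News <news@partner.example>
To: alice@contoso.example
Subject: Weekly digest
Authentication-Results: spf=fail (sender IP is 203.0.113.9) smtp.mailfrom=partner.example; dkim=none header.d=none;dmarc=fail action=oreject header.from=partner.example;compauth=fail reason=000

External sender failing DMARC: handled by the normal DMARC policy, not this rule.
"""

if __name__ == "__main__":
    print(triage([SPOOFED, LEGIT, EXTERNAL]))   # ['New voicemail (00:37)']
```

The rule deliberately ignores external senders: their failures are already covered by the DMARC policy of their own domain. What it isolates is the case the campaign exploits, where the tenant's own domain appears in `From:` and nothing vouches for it, which a plain DMARC verdict does not surface once the message has been accepted as internal.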
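The certificate-table trick in the ScreenConnect item above: the Authenticode hash skips the optional header's CheckSum field, the security data directory entry and the attribute certificate table itself, so data appended inside that table leaves the signature valid while the plain file hash changes. The block below is an added example, not G DATA's or ConnectWise's code. It builds a tiny fake PE32+ image in memory with a 24-byte stand-in for the PKCS#7 signature (no real signature is involved), uses the simplified flat-file form of the hash (no section table, certificate table at the end of the file; real verifiers hash section data in raw-offset order), and then does what a detector does: parses the DER length of the signature blob and reports whatever sits after it inside the table.

```python
"""Authenticode stuffing: data appended inside a PE's attribute certificate
table does not change the Authenticode hash, so the signature still verifies.
Constructed demo on a fake in-memory PE32+ image; nothing here is a real binary."""
import hashlib
import struct

E_LFANEW_OFF = 0x3C
COFF_SIZE = 24                  # "PE\0\0" + 20-byte file header
OPT_SIZE = 240                  # PE32+ optional header incl. 16 data directories
CHECKSUM_OFF = 64               # CheckSum field, relative to the optional header
# IMAGE_DIRECTORY_ENTRY_SECURITY (index 4), relative to the optional header
SECDIR_OFF = {0x20B: 112 + 4 * 8, 0x10B: 96 + 4 * 8}


def _optional_header(pe: bytes) -> int:
    return struct.unpack_from("<I", pe, E_LFANEW_OFF)[0] + COFF_SIZE


def security_directory(pe: bytes) -> tuple:
    """(file offset, size) of the attribute certificate table."""
    opt = _optional_header(pe)
    magic = struct.unpack_from("<H", pe, opt)[0]
    return struct.unpack_from("<II", pe, opt + SECDIR_OFF[magic])


def wrap_win_certificate(data: bytes) -> bytes:
    """WIN_CERTIFICATE: dwLength, wRevision=0x0200, wCertificateType=0x0002 (PKCS#7),
    bCertificate, padded to an 8-byte boundary."""
    length = 8 + len(data)
    padded = (length + 7) & ~7
    return struct.pack("<IHH", padded, 0x0200, 0x0002) + data + b"\0" * (padded - length)


def build_fake_pe(body: bytes, pkcs7: bytes) -> bytes:
    """DOS header | PE/COFF header | PE32+ optional header | body | certificate table.
    No section table, so the hash walk below can treat the file as flat."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFF, 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, OPT_SIZE, 0x22)
    opt = bytearray(OPT_SIZE)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    headers_len = 64 + COFF_SIZE + OPT_SIZE
    struct.pack_into("<I", opt, 60, headers_len)            # SizeOfHeaders
    struct.pack_into("<I", opt, CHECKSUM_OFF, 0xDEADBEEF)   # CheckSum (not hashed)
    cert = wrap_win_certificate(pkcs7)
    struct.pack_into("<II", opt, SECDIR_OFF[0x20B], headers_len + len(body), len(cert))
    return bytes(dos + coff + opt) + body + cert


def authenticode_hash(pe: bytes) -> str:
    """SHA-256 of the file minus the three regions Authenticode leaves uncovered:
    CheckSum, the security directory entry, and the certificate table itself."""
    opt = _optional_header(pe)
    magic = struct.unpack_from("<H", pe, opt)[0]
    checksum_at = opt + CHECKSUM_OFF
    secdir_at = opt + SECDIR_OFF[magic]
    cert_off, cert_len = security_directory(pe)
    h = hashlib.sha256()
    h.update(pe[:checksum_at])
    h.update(pe[checksum_at + 4:secdir_at])
    h.update(pe[secdir_at + 8:cert_off])
    h.update(pe[cert_off + cert_len:])
    return h.hexdigest()


def file_sha256(pe: bytes) -> str:
    """The ordinary whole-file hash that threat intel feeds key on."""
    return hashlib.sha256(pe).hexdigest()


def stuff_certificate_table(pe: bytes, payload: bytes) -> bytes:
    """Append attacker data after the PKCS#7 blob and grow dwLength and the
    directory size so the table still parses. Assumes the table ends the file."""
    cert_off, cert_len = security_directory(pe)
    old = pe[cert_off:cert_off + cert_len]
    new = wrap_win_certificate(old[8:] + payload)
    out = bytearray(pe[:cert_off]) + new + pe[cert_off + cert_len:]
    opt = _optional_header(out)
    magic = struct.unpack_from("<H", out, opt)[0]
    struct.pack_into("<II", out, opt + SECDIR_OFF[magic], cert_off, len(new))
    return bytes(out)


def der_length(buf: bytes) -> int:
    """Encoded length, header included, of the DER SEQUENCE at buf[0]."""
    if buf[:1] != b"\x30":
        raise ValueError("certificate table does not start with a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def trailing_data_in_cert_table(pe: bytes) -> bytes:
    """Bytes between the end of the PKCS#7 SignedData and dwLength, alignment
    padding stripped. Legitimately signed files return b""."""
    cert_off, cert_len = security_directory(pe)
    table = pe[cert_off:cert_off + cert_len]
    dw_length, _rev, cert_type = struct.unpack_from("<IHH", table)
    if cert_type != 0x0002:
        raise ValueError("not a PKCS#7 certificate entry")
    end = 8 + der_length(table[8:])
    return table[end:dw_length].strip(b"\0")


# Constructed stand-ins: 24 bytes posing as a DER PKCS#7 SignedData, 64 bytes
# of "code", and a config string of the kind an attacker hides in the table.
FAKE_PKCS7 = b"\x30\x82\x00\x14" + b"\xAA" * 20
SIGNED = build_fake_pe(b"\x90" * 64, FAKE_PKCS7)
PAYLOAD = b"relay=evil.example.test"
STUFFED = stuff_certificate_table(SIGNED, PAYLOAD)

if __name__ == "__main__":
    print("authenticode hash unchanged:", authenticode_hash(SIGNED) == authenticode_hash(STUFFED))
    print("file hash changed:", file_sha256(SIGNED) != file_sha256(STUFFED))
    print("trailing data in table:", trailing_data_in_cert_table(STUFFED))
```

Run stand-alone it reports that the Authenticode hash is unchanged, the whole-file SHA-256 is not, and `relay=evil.example.test` is recovered from the table. The same `trailing_data_in_cert_table` check applies to a real PE read into memory, since `security_directory` follows `e_lfanew` and the PE32/PE32+ magic rather than the fixed layout of the fake image; a clean signed binary yields an empty result, which is the property G DATA used to spot the tampered installers.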