Daily Brief

Total articles found: 11692

2025-10-25 16:35:20 bleepingcomputer VULNERABILITIES CoPhish Attack Exploits Microsoft Copilot for OAuth Token Theft
Researchers at Datadog Security Labs identified a new phishing tactic, CoPhish, leveraging Microsoft Copilot Studio agents to steal OAuth tokens through fraudulent consent requests. The attack exploits the flexibility of Copilot Studio, allowing malicious actors to use legitimate Microsoft domains to deceive users into granting unauthorized access. CoPhish relies on social engineering, targeting both unprivileged users and administrators, with potential to compromise high-privileged roles despite upcoming Microsoft policy changes. Attackers create malicious multi-tenant apps to capture session tokens, exploiting the legitimate appearance of URLs and Microsoft IP addresses to avoid detection. Microsoft plans to address these vulnerabilities in future updates, emphasizing the need for stronger governance and consent policies to prevent misuse. Organizations are advised to restrict administrative privileges, enforce application consent policies, and monitor application creation activities to mitigate risks. Datadog suggests disabling default user application creation and enhancing monitoring of consent events to close security gaps in Microsoft's baseline configurations.
2025-10-25 16:19:22 bleepingcomputer VULNERABILITIES CoPhish Technique Exploits Microsoft Copilot for OAuth Phishing Attacks
Researchers at Datadog Security Labs discovered a new phishing technique, CoPhish, leveraging Microsoft Copilot Studio agents to deliver fraudulent OAuth consent requests via trusted Microsoft domains. CoPhish exploits the flexibility of Copilot Studio, allowing attackers to create malicious applications that appear legitimate and trick users into granting access. The attack involves configuring Copilot agents to redirect users to malicious URLs, collecting session tokens without user awareness. Microsoft's response includes plans to address these vulnerabilities in future updates, focusing on hardening governance and consent processes. Current protective measures include limiting administrative privileges, reducing application permissions, and enforcing stringent governance policies. Despite upcoming changes, high-privileged roles remain susceptible to CoPhish attacks, necessitating robust application consent policies. Organizations are advised to disable user application creation defaults and closely monitor application consent activities to mitigate risks.
2025-10-25 08:36:12 theregister CYBERCRIME UK MPs Call for Tech Industry Action Against Rising Phone Theft
The UK House of Commons committee urges tech giants to implement measures making stolen phones unusable, addressing the surge in phone thefts. Metropolitan Police report 117,211 phones stolen in 2024, marking a 25% increase since 2019, with only a 1% conviction rate. Committee Chair Dame Chi Onwurah emphasizes the need for smartphone makers to deploy existing technologies to deter phone theft. Apple, Google, and Samsung are called upon to enhance security measures, such as cloud-based blocking and IMEI-linked device locks. The committee suggests that tech companies' current deterrents are insufficient, urging government intervention for effective collaboration. Darren Scates of the Met Police highlights that 80% of stolen phones in London are iPhones, with a significant portion resold internationally. Tech companies express commitment to addressing theft, though privacy concerns and technical challenges are cited as barriers to implementing solutions.
2025-10-24 19:33:23 bleepingcomputer VULNERABILITIES Mass Exploitation of Outdated WordPress Plugins Threatens Websites
A widespread attack campaign is targeting WordPress sites using outdated GutenKit and Hunk Companion plugins, exploiting critical vulnerabilities for remote code execution. Wordfence reported blocking 8.7 million attack attempts over a two-day period, underscoring the scale of this exploitation effort. The vulnerabilities, CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972, allow unauthorized installation of plugins, posing significant security risks. Despite fixes being available for nearly a year, many sites remain vulnerable, highlighting issues with patch management and update practices. Attackers are using GitHub-hosted malicious plugins to maintain persistence and execute unauthorized commands on compromised sites. Wordfence has provided indicators of compromise and recommended monitoring specific site access logs and directories for suspicious activity. Administrators are advised to ensure all plugins are updated to the latest versions to mitigate these risks effectively.
2025-10-24 19:06:55 theregister VULNERABILITIES Microsoft Patches Security Flaw in Microsoft 365 Copilot AI Tool
Microsoft addressed a security vulnerability in Microsoft 365 Copilot that allowed data theft through indirect prompt injection attacks, potentially exposing sensitive tenant information such as emails. The vulnerability exploited Mermaid diagrams, a JavaScript-based tool, to execute malicious instructions embedded in text prompts, enabling unauthorized data exfiltration. Researcher Adam Logue, who discovered the flaw, demonstrated how the attack could retrieve and encode user emails, sending them to a malicious server via a fake login button. Despite the successful identification and reporting of the bug, Microsoft deemed M365 Copilot outside the scope of its bug bounty program, resulting in no reward for the researcher. The patch has been verified, preventing further exploitation of this specific vulnerability, though the incident raises concerns about the security of AI-driven tools in handling sensitive data. Organizations using AI tools like M365 Copilot should remain vigilant and ensure robust security measures are in place to mitigate similar risks. The incident underscores the importance of expanding bug bounty programs to cover emerging technologies and platforms to encourage proactive vulnerability discovery and reporting.
2025-10-24 18:39:23 thehackernews CYBERCRIME Smishing Triad Exploits 194,000 Domains in Global Phishing Scheme
Palo Alto Networks Unit 42 has linked the Smishing Triad to over 194,000 malicious domains since early 2024, targeting various global services with phishing attacks. The group's infrastructure, though registered in Hong Kong, is mainly hosted on U.S. cloud services, complicating efforts to trace and mitigate the threat. The Smishing Triad deceives users with fake toll violation and package delivery notices, amassing over $1 billion in revenue over the past three years. Recent reports indicate a significant increase in attacks on brokerage accounts, with a fivefold rise in incidents aimed at stealing banking credentials and authentication codes. The group employs "ramp and dump" tactics to manipulate stock prices, posing severe financial risks and leaving minimal evidence for investigators. The Smishing Triad operates as a phishing-as-a-service ecosystem, involving various contributors like phishing kit developers, data brokers, and spammers. The campaign's strategy relies on rapidly cycling through newly registered domains to evade detection, with most domains active for less than a week. The decentralized nature of this operation, impersonating multiple sectors globally, presents significant challenges to cybersecurity defenses and requires coordinated international response efforts.
2025-10-24 16:34:57 thehackernews VULNERABILITIES Microsoft Releases Emergency Patch for Critical WSUS Vulnerability
Microsoft issued an emergency patch for a critical vulnerability in Windows Server Update Service (WSUS), identified as CVE-2025-59287, which is actively being exploited. The vulnerability, with a CVSS score of 9.8, allows unauthorized remote code execution through unsafe deserialization of untrusted data, affecting servers with WSUS enabled. Researchers MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange discovered the flaw, which involves the unsafe deserialization of AuthorizationCookie objects. Microsoft advises immediate application of the out-of-band security update across several Windows Server versions to prevent exploitation, with a system reboot required post-installation. The Dutch National Cyber Security Centre reported observing abuse of this vulnerability, emphasizing the urgency of applying the patch to protect systems. Users unable to apply the update should implement recommended workarounds and avoid reversing them until the patch is installed. The vulnerability's active exploitation and the availability of a proof-of-concept exploit necessitate swift action to mitigate potential security risks.
2025-10-24 16:34:57 bleepingcomputer VULNERABILITIES Critical WSUS Vulnerability Exploited; Microsoft Issues Emergency Patches
A critical vulnerability in Windows Server Update Service (WSUS), CVE-2025-59287, is actively exploited, allowing remote code execution with SYSTEM privileges on affected servers. This flaw impacts Windows servers configured as WSUS update sources, a non-default setting, and could potentially spread between servers. Microsoft released out-of-band security updates to address the vulnerability and advised immediate patch deployment, also offering workarounds for those unable to patch promptly. Proof-of-concept exploit code was released by HawkTrace Security, though it does not enable arbitrary command execution. Eye Security reported active exploitation attempts, compromising at least one system using a different method than the public exploit. Approximately 2,500 WSUS servers are exposed globally, with significant numbers in Germany and the Netherlands, raising concerns about widespread exploitation. The Netherlands National Cyber Security Centre confirmed the vulnerability's exploitation and warned of increased risks due to the available proof-of-concept code.
2025-10-24 14:52:11 bleepingcomputer CYBERCRIME CryptoChameleon Phishing Campaign Exploits LastPass Inheritance Feature
LastPass warns users of a phishing campaign by CryptoChameleon, exploiting the password vault inheritance feature to steal credentials. The campaign sends emails claiming a family member requested access to the user's vault with a fake death certificate. Victims are redirected to a fraudulent website mimicking LastPass, where they are prompted to enter their master password. CryptoChameleon targets cryptocurrency wallets like Binance and Coinbase using fake sign-in pages for services like Okta and Gmail. The campaign now includes passkey-focused phishing, indicating a shift towards targeting passwordless authentication standards. LastPass advises users to verify inheritance requests and remain vigilant against unsolicited communications claiming to be from LastPass staff. This incident follows a 2022 breach where attackers stole encrypted vault backups, leading to significant cryptocurrency losses.
2025-10-24 14:22:21 bleepingcomputer MISCELLANEOUS Enhancing Security and Efficiency with Self-Service Password Resets
Self-service password resets (SSPR) are essential for reducing operational costs and improving efficiency, as password-related issues account for 40% of IT help desk calls. Forrester estimates each password reset costs $70, while Specops reports savings of approximately $136 per user with their uReset solution, highlighting significant financial and time efficiencies. Effective SSPR implementation requires robust security measures to prevent fraud, such as SIM-swapping attacks, and should include tiered user risk assessments. The UK’s National Cyber Security Centre recommends matching password recovery options to account risk levels, using multi-factor authentication and service desk involvement for higher-risk accounts. Specops uReset enhances security with MFA for Windows Logon, RDP, and VPN, and blocks over four billion compromised passwords, aligning with Verizon's finding that stolen credentials are involved in 44.7% of breaches. User experience is crucial; progressive profiling and A/B testing can reduce friction while measuring security improvements and support ticket reductions. Specops uReset facilitates seamless password management for remote and hybrid teams, allowing secure password resets from any location, device, or browser.
2025-10-24 14:03:17 thehackernews NATION STATE ACTIVITY APT36 Deploys DeskRAT Malware Against Indian Government Entities
APT36, linked to Pakistan, has targeted Indian government entities with spear-phishing attacks, utilizing a Golang-based malware named DeskRAT. The campaign, observed in August and September 2025, involves phishing emails with ZIP attachments or links to archives on platforms like Google Drive. The malicious ZIP files contain a Desktop file that executes a decoy PDF while deploying the main malware payload from an external server. DeskRAT targets BOSS Linux systems, establishing command-and-control via WebSockets and employing four persistence methods, including systemd services and cron jobs. The malware's command-and-control infrastructure uses stealth servers, avoiding public visibility, with a cross-platform focus targeting both Linux and Windows systems. Recent findings reveal the group's shift from cloud platforms to dedicated staging servers, enhancing their operational security. The campaign is part of a broader trend of South Asia-focused threat actors targeting sensitive communications, including WhatsApp, using custom malware tools. APT36's evolution into a sophisticated threat actor with custom malware arsenal poses a significant risk to regional government and foreign affairs sectors.
2025-10-24 12:19:43 theregister VULNERABILITIES Microsoft Releases Emergency Patch for Critical WSUS Vulnerability
Microsoft issued an out-of-band update addressing CVE-2025-59287, a critical remote code execution flaw in Windows Server Update Services (WSUS) affecting versions 2012 through 2025. The vulnerability arises from insecure deserialization of untrusted data, allowing unauthenticated attackers to execute arbitrary code; a proof-of-concept exploit is publicly available. This critical flaw impacts only servers with the WSUS role enabled; Microsoft advises disabling the role or blocking inbound traffic to ports 8530 and 8531 if immediate patching is not feasible. The update is cumulative, including October's patches, and requires a server reboot; swift action is recommended due to the potential for remote code execution. WSUS is on the deprecated list for Windows Server, raising concerns about its long-term viability despite continued support for driver update synchronization until April 2025. Microsoft's guidance suggests transitioning to alternatives like its cloud-based Intune service, highlighting a strategic shift away from legacy systems. The urgency of this patch underscores the ongoing risks associated with legacy code in critical infrastructure, necessitating proactive vulnerability management.
2025-10-24 11:12:27 theregister MISCELLANEOUS UK Prime Minister Rebrands Controversial Digital ID Scheme for Workforce
UK Prime Minister Keir Starmer has repositioned the digital ID scheme as a convenience tool, following public backlash over its initial presentation as a measure against illegal working. The digital ID will be mandatory for individuals starting new jobs, impacting 30.3 million Britons in payrolled employment, while remaining optional for retirees and those with current employers. Starmer assured the public that the digital ID will not be used for surveillance or required for accessing services like healthcare, aiming to alleviate privacy concerns. The Cabinet Office will now lead the digital ID initiative, focusing on policy development and oversight, while the Department for Science, Innovation and Technology will manage design and implementation. Public opposition is significant, with an online petition against the scheme garnering over 2.9 million signatures, reflecting widespread concern and political contention. The scheme's future is uncertain, with other political parties opposing it and potential challenges if Labour loses the upcoming general election. The government plans to initiate a public consultation on the digital ID scheme by the end of the year, inviting further public input and discussion.
2025-10-24 11:03:03 thehackernews MISCELLANEOUS Addressing the Cybersecurity Perception Gap Between Executives and Practitioners
Bitdefender's 2025 Cybersecurity Assessment reveals a significant perception gap between executives and IT professionals regarding cyber risk management. The survey of 1,200 cybersecurity and IT professionals shows 93% express confidence in managing cyber risk, yet confidence varies widely between C-level executives and mid-level managers. C-level executives are over twice as likely to feel "very confident" in their organization's cybersecurity readiness compared to mid-level managers, potentially leading to underinvestment in critical areas. The perception gap is driven by differing focuses: executives prioritize strategic planning, while operational teams face daily cybersecurity challenges. Effective communication and mutual understanding between executives and practitioners are essential to bridge this gap and align cybersecurity strategies with operational realities. Closing the perception gap enhances organizational resilience by fostering shared visibility and trust, enabling smarter and faster decision-making. The assessment also highlights differing cybersecurity priorities for 2025 and varying views on the global skills shortage, urging organizations to align strategies accordingly.
2025-10-24 10:05:49 thehackernews MALWARE YouTube Ghost Network Exploits Platform to Distribute Stealer Malware
Check Point identified a malicious network, dubbed "YouTube Ghost Network," using YouTube to distribute malware through over 3,000 videos since 2021. The network exploits hacked YouTube accounts, replacing content with videos promoting pirated software and game cheats, leading to malware downloads. Videos within this network have amassed significant views, ranging from 147,000 to 293,000, leveraging trust signals like likes and comments to appear legitimate. Google has intervened, removing the majority of these malicious videos, but the network's role-based structure allows rapid replacement of banned accounts. Malware distributed includes various stealer families such as Lumma Stealer and RedLine Stealer, using platforms like MediaFire and Google Drive for delivery. The operation exemplifies a growing trend where threat actors repurpose trusted platforms for malware distribution, bypassing conventional security measures. This campaign highlights the need for enhanced vigilance and security measures on popular platforms to prevent misuse and protect users.