CyberSecurity news

FlagThis - #microsoft

@www.microsoft.com //
References: www.microsoft.com
Microsoft is aggressively integrating artificial intelligence across its products and services, striving to revolutionize the user experience. The company is focused on developing agentic systems that can work independently, proactively identify problems, suggest solutions, and maintain context across interactions. Microsoft envisions a future where AI agents will augment and amplify organizational capabilities, leading to significant transformations in various fields. To facilitate secure and flexible interactions, Microsoft is employing Model Context Protocol (MCP) to enable AI models to interact with external services.

As AI agents become more sophisticated and integrated into business processes, Microsoft recognizes the importance of evolving identity standards. The company is actively working on robust mechanisms to ensure agents can securely access data and act across connected systems, including APIs, code repositories, and enterprise systems. Microsoft emphasizes that industry collaboration on identity standards is crucial for the safe and effective deployment of AI agents.

To aid organizations in safely adopting AI, Microsoft Deputy CISO Yonatan Zunger shares guidance for efficient implementation and defense against evolving identity attack techniques. Microsoft CVP Charles Lamanna offers an AI adoption playbook, emphasizing the importance of "customer obsession" and "extreme ownership" for both startups and large enterprises navigating the age of AI. Lamanna suggests focusing on a few high-impact AI projects instead of spreading resources thinly across numerous pilots.

Recommended read:
References :

Ddos@securityonline.info //
A new cyber-espionage campaign has been uncovered, targeting public sector organizations in Tajikistan. The threat actor behind this campaign is TAG-110, a group linked to Russia and also known as UAC-0063 and APT28 (BlueDelta). Recorded Future’s Insikt Group discovered that TAG-110 is using macro-enabled Microsoft Word templates (.dotm files) to gain access to and exfiltrate intelligence from Tajik government, educational, and research institutions, particularly those involved in military affairs or electoral processes. This campaign reflects Russia’s strategic interest in Central Asia through intelligence-gathering operations.

These malicious Word templates are deployed through phishing lures disguised as official Tajik government documents. The templates are saved in the Microsoft Word STARTUP folder, ensuring automatic execution each time Word is launched. This tactic represents a shift from TAG-110’s previous use of HTA-based payloads like HATVIBE. The two malicious documents identified are themed around radiation safety for Tajikistan’s armed forces and election schedules in Dushanbe.

Upon execution, the embedded VBA macros collect system metadata such as username, computer name, language, and resolution. This data is then sent to a hardcoded command-and-control (C2) server. The macros also establish persistence by copying themselves to the %APPDATA%\Microsoft\Word\STARTUP\ directory. Researchers state that this evolution highlights a tactical shift prioritizing persistence. The use of .dotm files and VBA macros allows TAG-110 to maintain a stealthy presence and collect data from compromised systems, turning them into surveillance nodes.

Recommended read:
References :
  • securityonline.info: Russian-Aligned TAG-110 Targets Tajikistan Governments with Stealthy Cyber-Espionage
  • cyberpress.org: TAG-110 Hackers Use Malicious Word Templates for Targeted Attacks
  • gbhackers.com: TAG-110 Hackers Deploy Malicious Word Templates in Targeted Attacks
  • securityonline.info: Russian-Aligned TAG-110 Targets Tajikistan Governments with Stealthy Cyber-Espionage
  • The Hacker News: The Russia-aligned threat actor known as TAG-110 has been observed conducting a spear-phishing campaign targeting Tajikistan using macro-enabled Word templates as an initial payload.

Dhara Shrivastava@cysecurity.news //
Marks & Spencer (M&S) and Co-op, major UK retailers, have been hit by a Scattered Spider cyberattack involving DragonForce ransomware. The attack has caused weeks-long disruptions, impacting online transactions and the availability of food, fashion, and home goods. M&S warns that the disruption to online transactions could last until July. The cybercrime gang Scattered Spider is also believed to be behind attacks on other UK retailers, including Harrods.

The financial impact on M&S is expected to be significant. The company anticipates the cyberattack will cut $400 million from its profits and reported losing over £40 million in weekly sales since the attack began over the Easter bank holiday weekend. As a precaution, M&S took down some of its systems, resulting in short-term disruptions. This decision was made to protect its systems, customers, and partners from further compromise.

In response to the attack, M&S plans to accelerate its technology improvement plan, shortening the timeframe from two years to six months. This reflects the urgent need to bolster its cybersecurity defenses and prevent future disruptions. The company previously outlined plans in 2023 to improve its technology stack, including investments in infrastructure, network connectivity, store technology, and supply-chain systems. M&S acknowledged that personal data of customers had been stolen, including names, dates of birth, telephone numbers, home and email addresses, and online order histories. However, the retailer insisted that the data theft did not include usable card, payment, or login information.

Recommended read:
References :
  • www.cysecurity.news: Scattered Spider Cyberattack Cripples M&S, Co-op: DragonForce Ransomware Causes Weeks-Long Disruption
  • www.cybersecuritydive.com: M&S warns April cyberattack will cut $400 million from profits
  • Tech Monitor: Marks & Spencer faces £300m impact on profit from cyberattack
  • techxplore.com: Marks & Spencer cyberattack: How can retailers regain customers' trust after a hack?

@www.microsoft.com //
References: cyberinsider.com , Dan Goodin , medium.com ...
Microsoft is taking a significant step towards future-proofing cybersecurity by integrating post-quantum cryptography (PQC) into Windows Insider builds. This move aims to protect data against the potential threat of quantum computers, which could render current encryption methods vulnerable. The integration of PQC is a critical step toward quantum-resilient cybersecurity, ensuring that Windows systems can withstand attacks from more advanced computing power in the future.

Microsoft announced the availability of PQC support in Windows Insider Canary builds (27852 and above). This release allows developers and organizations to begin experimenting with PQC in real-world environments, assessing integration challenges, performance trade-offs, and compatibility. This is being done in an attempt to jump-start what’s likely to be the most formidable and important technology transition in modern history.

The urgency behind this transition stems from the "harvest now, decrypt later" threat, where malicious actors store encrypted communications today, with the intent to decrypt them once quantum computers become capable. These captured secrets, such as passwords, encryption keys, or medical data, could remain valuable to attackers for years to come. By adopting PQC algorithms, Microsoft aims to safeguard sensitive information against this future risk, emphasizing the importance of starting the transition now.

Recommended read:
References :
  • cyberinsider.com: Microsoft has begun integrating post-quantum cryptography (PQC) into Windows Insider builds, marking a critical step toward quantum-resilient cybersecurity. Microsoft announced the availability of PQC support in Windows Insider Canary builds (27852 and above). This release allows developers and organizations to begin experimenting with PQC in real-world environments, assessing integration challenges, performance trade-offs, and compatibility with …
  • Dan Goodin: Microsoft is updating Windows 11 with a set of new encryption algorithms that can withstand future attacks from quantum computers in an attempt to jump-start what’s likely to be the most formidable and important technology transition in modern history.
  • Red Hat Security: In their article on post-quantum cryptography, Emily Fox and Simo Sorce explained how Red Hat is integrating post-quantum cryptography (PQC) into our products. PQC protects confidentiality, integrity and authenticity of communication and data against quantum computers, which will make attacks on existing classic cryptographic algorithms such as RSA and elliptic curves feasible. Cryptographically relevant quantum computers (CRQCs) are not known to exist yet, but continued advances in research point to a future risk of successful attacks. While the migration to algorithms resistant against such
  • medium.com: Post-Quantum Cryptography Is Arriving on Windows & Linux
  • www.microsoft.com: The recent advances in quantum computing offer many advantages—but also challenge current cryptographic strategies. Learn how FrodoKEM could help strengthen security, even in a future with powerful quantum computers. The post first appeared on .

info@thehackernews.com (The@The Hacker News //
A critical privilege escalation vulnerability has been discovered in the delegated Managed Service Account (dMSA) feature of Windows Server 2025's Active Directory. This flaw, dubbed "BadSuccessor," allows attackers with minimal permissions, specifically the ability to create objects inside an Active Directory organizational unit, to gain control over any user in the Active Directory domain, including Domain Admins. The vulnerability stems from improper permission handling during dMSA migration, where unauthorized users can simulate a migration process and inherit permissions of other accounts, even those with Domain Admin privileges. Security researchers have detailed that only write permissions over the attributes of a dMSA are required to execute this attack.

Microsoft has acknowledged the "BadSuccessor" issue in Windows Server 2025 but has rated it as moderate severity, sparking disagreement from security researchers who believe it poses a significant risk. Currently, there is no official patch available from Microsoft to address this vulnerability. This lack of an immediate patch has led security firms such as Akamai to document the privilege escalation flaw, emphasizing the potential for attackers to fully compromise an Active Directory domain by exploiting the dMSA feature. Akamai researchers found that in 91% of the environments they examined, users outside the domain admins group had the required permissions to perform this attack.

Organizations utilizing Active Directory are strongly advised to be aware of this vulnerability and actively monitor for suspicious activity related to dMSA objects. Security researchers are suggesting workarounds to mitigate the risk until Microsoft releases a formal patch. The core of the attack involves abusing the dMSA feature to elevate privileges, highlighting the importance of carefully reviewing and restricting permissions related to dMSA creation and management. Furthermore, the discovery of this vulnerability emphasizes the need for organizations to stay informed about the latest security research and apply necessary security measures to protect their Active Directory environments.

Recommended read:
References :
  • thecyberexpress.com: Active Directory dMSA Privilege Escalation Attack Detailed by Researchers
  • Davey Winder: New Windows Server 2025 Attack Compromises Any Active Directory User
  • The Hacker News: Critical Windows Server 2025 dMSA Vulnerability Enables Active Directory Compromise
  • www.csoonline.com: BadSuccessor: Unpatched Microsoft Active Directory attack enables domain takeover
  • Help Net Security: A privilege escalation vulnerability in Windows Server 2025 can be used by attackers to compromise any user in Active Directory (AD), including Domain Admins.
  • hackplayers: BadSuccessor: escalada de privilegios abusando de dMSA en Active Directory
  • www.helpnetsecurity.com: Unpatched Windows Server vulnerability allows full domain compromise
  • borncity.com: BadSuccessor: Abusing dMSA to elevate privileges in Active Directory
  • thecyberexpress.com: Active Directory dMSA Privilege Escalation Attack Detailed by Researchers
  • borncity.com: BadSuccessor: Abusing dMSA to elevate privileges in Active Directory
  • www.scworld.com: Details - Cyber Security News
  • hackread.com: BadSuccessor Exploits Windows Server 2025 Flaw for Full AD Takeover
  • Assura, Inc.: Cyber Heads Up: “BadSuccessorâ€â€”A Critical Active Directory Privilege Escalation Vulnerability in Windows Server 2025
  • www.assurainc.com: Cyber Heads Up: “BadSuccessorâ€â€”A Critical Active Directory Privilege Escalation Vulnerability in Windows Server 2025
  • securityboulevard.com: Cyber Heads Up: “BadSuccessorâ€â€”A Critical Active Directory Privilege Escalation Vulnerability in Windows Server 2025
  • ciso2ciso.com: Cyber Heads Up: “BadSuccessorâ€â€”A Critical Active Directory Privilege Escalation Vulnerability in Windows Server 2025 – Source: securityboulevard.com
  • securityboulevard.com: Cyber Heads Up: “BadSuccessorâ€â€”A Critical Active Directory Privilege Escalation Vulnerability in Windows Server 2025
  • gbhackers.com: SharpSuccessor PoC Released to Weaponize Windows Server 2025 BadSuccessor Flaw
  • cyberpress.org: SharpSuccessor: Weaponizing Windows Server 2025 BadSuccessor Vulnerability
  • securityonline.info: Windows Server 2025 “BadSuccessor” Flaw Allows Domain Takeover (PoC Available, No Patch)
  • securityonline.info: Akamai security researcher Yuval Gordon has uncovered an Active Directory privilege escalation vulnerability in Windows Server 2025, revealing
  • Cyber Security News: Critical privilege escalation vulnerability in Windows Server 2025’s Active Directory infrastructure has been weaponized through a new proof-of-concept tool called SharpSuccessor
  • gbhackers.com: A critical privilege escalation vulnerability in Windows Server 2025’s delegated Managed Service Account (dMSA) feature enables attackers to compromise Active Directory domains using tools like SharpSuccessor.
  • SOC Prime Blog: BadSuccessor Detection: Critical Windows Server Vulnerability Can Compromise Any User in Active Directory

@arstechnica.com //
Signal, the privacy-focused messaging application, has taken action to block Microsoft's controversial Recall feature from capturing screenshots of its desktop app content on Windows 11. Citing privacy concerns over Recall's ability to automatically take screenshots of on-screen activity, Signal has implemented a "screen security" setting, enabled by default, that leverages Digital Rights Management (DRM) to prevent the tool from accessing and recording private conversations. This move comes as Signal expresses discontent with Microsoft's approach, arguing that Recall lacks sufficient developer controls to exclude specific apps and protect sensitive information.

Microsoft's Recall feature, designed for Copilot+ PCs, works by continuously taking screenshots and creating a searchable database of user activity. Signal argues that this poses a significant risk to the privacy of its users, as private conversations could be inadvertently captured and stored. By implementing DRM, Signal sets a flag on its application window that instructs Recall, and any other screenshotting application, to ignore its content. While Signal acknowledges this is a blunt tool that may interfere with accessibility software, it believes Microsoft left them with no other choice.

Signal has criticized Microsoft for not providing developers with the necessary tools to manage how Recall interacts with their applications. The messaging app argues that it shouldn't have to resort to using DRM "content protection hacks" to safeguard user privacy. Signal hopes that AI teams building systems like Recall will carefully consider the privacy implications and avoid forcing apps to use workarounds to protect the integrity of their services. They want the AI teams to know that this will potentially affect accessibility options like screen readers.

Recommended read:
References :
  • security ? Ars Technica: “Microsoft has simply given us no other option,†Signal says as it blocks Windows Recall
  • The Register - Software: Signal shuts the blinds on Microsoft Recall with the power of DRM
  • www.techradar.com: Signal blasts Microsoft over Recall privacy failings, as secure messaging app is forced to fudge a way of blocking the controversial Windows 11 feature
  • Dropsafe: By Default, Signal Doesn’t Recall | Signal Windows app leverages DRM content protection hacks to hide messages from Windows Recall
  • Dan Goodin: Signal writes: "We hope that the AI teams building systems like Recall will think through these implications more carefully in the future. Apps like Signal shouldn’t have to implement “one weird trick†in order to maintain the privacy and integrity of their services without proper developer tools. People who care about privacy shouldn’t be forced to sacrifice accessibility upon the altar of AI aspirations either."
  • www.bleepingcomputer.com: Signal now blocks Microsoft Recall screenshots on Windows 11
  • CyberInsider: Signal Deploys Countermeasure to Shield Messages from Windows Recall
  • securityaffairs.com: New Signal update stops Windows from capturing user chats
  • Schneier on Security: Signal Blocks Windows Recall
  • cyberinsider.com: Signal Deploys Countermeasure to Shield Messages from Windows Recall

Dhara Shrivastava@cysecurity.news //
British retailer giant Marks & Spencer (M&S) is facing a major financial impact following a recent cyberattack, with potential profit losses estimated at £300 million, equivalent to $402 million. The attack has caused widespread operational and sales disruptions, particularly affecting the company's online retail systems. According to a recent filing with the London Stock Exchange, M&S anticipates these disruptions to continue until at least July, impacting its fiscal year 2025/26 profits.

The cyberattack has significantly impacted M&S’s online sales channels, forcing the company to temporarily halt online shopping in its Fashion, Home & Beauty divisions. This downtime has led to substantial revenue loss, despite the resilience of its physical stores. The company has also faced increased logistics and waste management costs as it reverted to manual processes. CEO Stuart Machin acknowledged the challenging situation but expressed confidence in the company's recovery, emphasizing a focus on restoring systems and accelerating technical transformation.

M&S is actively implementing strategies to mitigate the financial repercussions, including cost management, insurance claims, and strategic trading actions. The retailer is reportedly preparing to claim up to £100 million from its cyber insurance policy to offset some of the losses. The company views this crisis as an opportunity to expedite its technical transformation, although specific details of this transformation have not yet been disclosed. The costs related to the attack itself and technical recovery are expected to be communicated at a later date as an adjustment item.

Recommended read:
References :
  • The Register - Security: Marks & Spencer warns of a £300M dent in profits from cyberattack
  • The DefendOps Diaries: Marks & Spencer Faces Major Financial Impact from Cyberattack
  • BleepingComputer: Marks & Spencer faces $402 million profit hit after cyberattack
  • ComputerWeekly.com: M&S cyber attack disruption likely to last until July
  • BleepingComputer: British retailer giant Marks & Spencer (M&S) is bracing for a potential profit hit of up to £300 million £300 million ($402 million) following a recent cyberattack that led to widespread operational and sales disruptions.
  • techxplore.com: Marks & Spencer cyberattack: How can retailers regain customers' trust after a hack?
  • www.cybersecuritydive.com: M&S warns April cyberattack will cut $400 million from profits
  • The Hacker News: Russian cyber threat actors have been attributed to a state-sponsored campaign targeting Western logistics entities and technology companies since 2022.
  • DataBreaches.Net: Western intelligence agencies unite to expose Russian hacking campaign against logistics and tech firms
  • techxplore.com: Cyberattack costs UK retailer Marks & Spencer £300 mn
  • www.cysecurity.news: Scattered Spider Cyberattack Cripples M&S, Co-op: DragonForce Ransomware Causes Weeks-Long Disruption
  • Tech Monitor: Marks & Spencer faces £300m impact on profit from cyberattack
  • www.bleepingcomputer.com: Marks & Spencer faces $402 million profit hit after cyberattack
  • socprime.com: A joint advisory from cybersecurity and intelligence agencies across North America, Europe, and Australia confirms a two-year-long cyberespionage campaign by russian GRU Unit 26165 (APT28, Forest Blizzard, Fancy Bear).
  • www.esecurityplanet.com: Russian military hackers are targeting Western firms aiding Ukraine, using cyberespionage to infiltrate logistics networks and spy on arms shipments.

@www.eweek.com //
Microsoft is embracing the Model Context Protocol (MCP) as a core component of Windows 11, aiming to transform the operating system into an "agentic" platform. This integration will enable AI agents to interact seamlessly with applications, files, and services, streamlining tasks for users without requiring manual inputs. Announced at the Build 2025 developer conference, this move will allow AI agents to carry out tasks across apps and services.

MCP functions as a lightweight, open-source protocol that allows AI agents, apps, and services to share information and access tools securely. It standardizes communication, making it easier for different applications and agents to interact, whether they are local tools or online services. Windows 11 will enforce multiple security layers, including proxy-mediated communication and tool-level authorization.

Microsoft's commitment to AI agents also includes the NLWeb project, designed to transform websites into conversational interfaces. NLWeb enables users to interact directly with website content through natural language, without needing apps or plugins. Furthermore, the NLWeb project turns supported websites into MCP servers, allowing agents to discover and utilize the site’s content. GenAIScript has also been updated to enhance security of Model Context Protocol (MCP) tools, addressing vulnerabilities. Options for tools signature hashing and prompt injection detection via content scanners provide safeguards across tool definitions and outputs.

Recommended read:
References :
  • Ken Yeung: AI Agents Are Coming to Windows—Here’s How Microsoft Is Making It Happen
  • www.eweek.com: Microsoft’s Big Bet on AI Agents: Model Context Protocol in Windows 11
  • www.marktechpost.com: Critical Security Vulnerabilities in the Model Context Protocol (MCP): How Malicious Tools and Deceptive Contexts Exploit AI Agents
  • GenAIScript | Blog: MCP Tool Validation
  • Ken Yeung: Microsoft’s NLWeb Project Turns Websites into Conversational Interfaces for AI Agents
  • blogs.microsoft.com: Microsoft Build 2025: The age of AI agents and building the open agentic web
  • www.eweek.com: Microsoft’s Big Bet on AI Agents: Model Context Protocol in Windows 11

@www.bleepingcomputer.com //
Cybercriminals have been actively distributing trojanized versions of the KeePass password manager for at least eight months, leading to significant security breaches. These malicious versions are designed to install Cobalt Strike beacons, steal stored credentials, and ultimately deploy ransomware on compromised networks. The attacks often begin with users downloading fake KeePass installers promoted through malicious advertisements on search engines like Bing and DuckDuckGo, which redirect victims to lookalike websites.

Once installed, the trojanized KeePass variants, sometimes referred to as "KeeLoader," function as both a credential stealer and a loader for additional malware. These altered versions export the password database in clear text, relaying it to attackers via the Cobalt Strike beacon. This allows the cybercriminals to gain unauthorized access to sensitive networks, VPNs, and cloud services. The compromised credentials enable attackers to deploy ransomware payloads, often targeting VMware ESXi servers to encrypt datastores, disrupting operations and demanding ransom payments.

Researchers at WithSecure have uncovered that the attackers modify the open-source KeePass code, embedding malicious functionality directly into the application. This makes the altered KeePass builds difficult to detect as they retain all legitimate functionalities while secretly logging credentials and exporting them as CSV files. The use of valid, trusted code-signing certificates further helps the malicious versions evade detection. Security experts emphasize the importance of downloading software only from official websites and verifying the application's authenticity to avoid falling victim to these sophisticated attacks.

Recommended read:
References :
  • BleepingComputer: Threat actors have been distributing trojanized versions of the KeePass password manager for at least eight months to install Cobalt Strike beacons, steal credentials, and ultimately, deploy ransomware on the breached network.
  • securityonline.info: Trojanized KeePass Used to Deploy Cobalt Strike and Steal Credentials
  • The DefendOps Diaries: Revised Analysis of KeePass Exploitation and Ransomware Deployment
  • www.bleepingcomputer.com: Fake KeePass password manager leads to ESXi ransomware attack
  • cyberinsider.com: KeePass Clone Used for Deploying Malware and Stealing Credentials
  • BleepingComputer: Fake KeePass password manager leads to ESXi ransomware attack
  • www.helpnetsecurity.com: Trojanized KeePass opens doors for ransomware attackers
  • www.scworld.com: 'Textbook identity attack' dropped ransomware via fake KeePass site
  • www.techradar.com: Hackers are distributing a cracked password manager that steals data, deploys ransomware
  • bsky.app: Threat actors have been distributing trojanized versions of the KeePass password manager for at least eight months to install Cobalt Strike beacons, steal credentials, and ultimately, deploy ransomware on the breached network.
  • securityonline.info: Trojanized KeePass Used to Deploy Cobalt Strike and Steal Credentials
  • Help Net Security: Trojanized KeePass opens doors for ransomware attackers

@www.csoonline.com //
A new cybersecurity threat has emerged, putting Windows users at risk. A tool called 'Defendnot' can disable Microsoft Defender, the built-in antivirus software in Windows 10 and 11. This is achieved by registering a fake antivirus product through an exploited vulnerability in the Windows Security Center (WSC) API. This exploit tricks Windows into thinking another antivirus solution is managing real-time protection, causing it to automatically disable Microsoft Defender to avoid conflicts. Even if no real antivirus software is installed, Defendnot can still successfully deactivate the system's primary defense, leaving the computer vulnerable to malicious attacks.

The Defendnot tool, created by a security researcher known as es3n1n, takes advantage of an undocumented WSC API intended for antivirus software manufacturers. This API allows legitimate antivirus programs to inform Windows that they are installed and handling real-time protection. Defendnot abuses this functionality by simulating a valid antivirus product, passing all of Windows' verification checks. This exploitation raises concerns about the security of the WSC API and the potential for other malicious actors to utilize similar techniques to bypass Windows' built-in security measures.

This isn't the first attempt to exploit this vulnerability. An earlier tool, named "no-defender," was previously released but faced a DMCA takedown request after gaining significant attention. The developer was accused of using code from a third-party antivirus product to spoof registration with the WSC. Defendnot is a replacement for that tool, and it also features a loader enabling customized antivirus names, registration deactivation, and verbose logging, as well as allows automated execution via the Windows Task Scheduler for persistence. Microsoft is aware of the problem and has begun flagging the tool as potentially malicious software, being tracked and quarantined as 'Win32/Sabsik.FL.!ml'.

Recommended read:
References :
  • The DefendOps Diaries: Explore how the Defendnot tool exploits Windows vulnerabilities to disable Microsoft Defender, highlighting cybersecurity challenges.
  • BleepingComputer: New 'Defendnot' tool tricks Windows into disabling Microsoft Defender
  • www.csoonline.com: Windows Defender can be tricked into disabling itself by faking the presence of another antivirus solution–a behavior that threat actors can abuse to run malicious code without detection.
  • www.scworld.com: Microsoft Defender deactivated by new tool
  • borncity.com: Windows 10/11: Defender can be deactivated with a simple tool (Defendnot)
  • www.techradar.com: Hackers can turn off Windows Defender with this sneaky new tool

@siliconangle.com //
References: Techmeme , SiliconANGLE , siliconangle.com ...
Microsoft Corp. has announced a significant expansion of its AI security and governance offerings, introducing new features aimed at securing the emerging "agentic workforce," where AI agents and humans work collaboratively. The announcement, made at the company’s annual Build developer conference, reflects Microsoft's commitment to addressing the growing challenges of securing AI systems from vulnerabilities like prompt injection, data leakage, and identity sprawl, while also ensuring regulatory compliance. This expansion involves integrating Microsoft Entra, Defender, and Purview directly into Azure AI Foundry and Copilot Studio, enabling organizations to secure AI applications and agents throughout their development lifecycle.

Leading the charge is the launch of Entra Agent ID, a new centralized solution for managing the identities of AI agents built in Copilot Studio and Azure AI Foundry. This system automatically assigns each agent a secure and trackable identity within Microsoft Entra, providing security teams with visibility and governance over these nonhuman actors within the enterprise. The integration extends to third-party platforms through partnerships with ServiceNow Inc. and Workday Inc., supporting identity provisioning across human resource and workforce systems. By unifying oversight of AI agents and human users within a single administrative interface, Entra Agent ID lays the groundwork for broader nonhuman identity governance across the enterprise.

In addition, Microsoft is integrating security insights from Microsoft Defender for Cloud directly into Azure AI Foundry, providing developers with AI-specific threat alerts and posture recommendations within their development environment. These alerts cover more than 15 detection types, including jailbreaks, misconfigurations, and sensitive data leakage. This integration aims to facilitate faster response to evolving threats by removing friction between development and security teams. Furthermore, Purview, Microsoft’s integrated data security, compliance, and governance platform, is receiving a new software development kit that allows developers to embed policy enforcement, auditing, and data loss prevention into AI systems, ensuring consistent data protection from development through production.

Recommended read:
References :
  • Techmeme: Microsoft expands Entra, Defender, and Purview, embedding them directly into Azure AI Foundry and Copilot Studio to help organizations secure AI apps and agents (Duncan Riley/SiliconANGLE)
  • SiliconANGLE: Microsoft Corp. today unveiled a major expansion of its artificial intelligence security and governance offerings with the introduction of new capabilities designed to secure the emerging “agentic workforce,†a world where AI agents and humans collaborate and work together.
  • www.zdnet.com: Trusting AI agents to deal with your data is hard, and these features seek to make it easier.
  • siliconangle.com: Microsoft expands AI platform security with new identity protection threat alerts and data governance

@blogs.microsoft.com //
Microsoft Build 2025 showcased the company's vision for the future of AI with a focus on AI agents and the agentic web. The event highlighted new advancements and tools aimed at empowering developers to build the next generation of AI-driven applications. Microsoft introduced Microsoft Entra Agent ID, designed to extend industry-leading identity management and access capabilities to AI agents, providing a secure foundation for AI agents in enterprise environments using zero-trust principles.

The announcements at Microsoft Build 2025 demonstrate Microsoft's commitment to making AI agents more practical and secure for enterprise use. A key advancement is the introduction of multi-agent systems within Copilot Studio, enabling AI agents to collaborate on complex business tasks. This system allows agents to delegate tasks to each other, streamlining processes such as sales data retrieval, proposal drafting, and follow-up scheduling. The integration of Microsoft 365, Azure AI Agents Service, and Azure Fabric further enhances these capabilities, addressing limitations that have previously hindered the broader adoption of agent technology in business settings.

Furthermore, Microsoft is emphasizing interoperability and user-friendly AI interaction. Support for the agent-to-agent protocol announced by Google could enable cross-platform agent communication. The "computer use" feature for Copilot Studio agents allows them to interact with desktop applications and websites by directly controlling user interfaces, even without API dependencies. This feature enhances the functionality of AI agents by enabling them to perform tasks that require interaction with existing software and systems, regardless of API availability.

Recommended read:
References :
  • www.microsoft.com: Microsoft extends Zero Trust to secure the agentic workforce
  • blogs.microsoft.com: Microsoft Build 2025: The age of AI agents and building the open agentic web
  • Source Asia: Microsoft Build 2025: The age of AI agents and building the open agentic web
  • techstrong.ai: Microsoft Commits to Building Open Agentic AI Ecosystem
  • www.techradar.com: Microsoft secures the modern workforce against AI agents
  • news.microsoft.com: Microsoft Build 2025: The age of AI agents and building the open agentic web
  • Source: The agentic web is reshaping the entire tech stack, and we are creating new opportunity for devs at every layer. You can watch my full Build keynote here.
  • malware.news: Microsoft extends Zero Trust to secure the agentic workforce
  • The Microsoft Cloud Blog: Microsoft Build 2025: The age of AI agents and building the open agentic web
  • Microsoft Security Blog: Microsoft extends Zero Trust to secure the agentic workforce
  • Source: Today, at Microsoft Build we showed you how we are building the open agentic web. It is reshaping every layer of the stack, and our goal is simple: help every dev build apps and agents that empower people and orgs everywhere. Here are 5 big things we announced today…
  • Ken Yeung: Microsoft Introduces Entra Agent ID to Bring Zero Trust to AI Agents
  • www.eweek.com: Microsoft’s Big Bet on AI Agents: Model Context Protocol in Windows 11
  • www.eweek.com: Microsoft’s Big Bet on AI Agents: Model Context Protocol in Windows 11

@gbhackers.com //
References: cyberpress.org , isc.sans.edu ,
Cybersecurity researchers have recently uncovered a sophisticated malware campaign targeting Windows systems through the exploitation of AutoIT scripts. AutoIT, a scripting language initially designed for Windows automation, has become a popular tool in the malware ecosystem due to its simplicity and ability to interact with various Windows components. This particular campaign stands out for its use of a double layer of AutoIT code and intricate obfuscation techniques, allowing it to evade detection and maintain persistence on infected machines.

The attack begins with a compiled AutoIT executable file named "1. Project & Profit.exe" (SHA256: b5fbae9376db12a3fcbc99e83ccad97c87fb9e23370152d1452768a3676f5aeb). Upon execution, this file downloads an AutoIT interpreter, saving it as "C:\Users\Public\Guard.exe," along with another AutoIT script, stored as "Secure.au3," and a PowerShell script named "PublicProfile.ps1." The "PublicProfile.ps1" script is immediately generated and executed, facilitating further stages of the infection. Persistence is achieved by creating a .url shortcut in the Windows Startup directory, ensuring that a JavaScript file is triggered upon each user login. This JavaScript file then re-executes the AutoIT interpreter with a second-stage script, keeping the malicious processes active.

The second layer of AutoIT code, referred to as script "G," employs heavy obfuscation to hinder analysis. All strings within this script are encoded using a custom function called "Wales," which transforms ASCII values into a readable format only after decoding. An example of this obfuscation is the encoded sequence "80]114]111]99]101]115]115]69]120]105]115]116]115]40]39]97]118]97]115]116]117]105]46]101]120]101]39]41," which, when decoded, reveals "ProcessExists('avastui.exe')." This suggests the malware checks for antivirus processes to potentially avoid detection or alter its behavior. The attack culminates in the execution of a malicious DLL named "Urshqbgpm.dll" by injecting it into a "jsc.exe" process.

Recommended read:
References :
  • cyberpress.org: Hackers Use AutoIT Scripts to Spread Malware on Windows Systems
  • isc.sans.edu: RAT Dropped By Two Layers of AutoIT Code, (Mon, May 19th)
  • gbhackers.com: Hackers Exploit AutoIT Scripts to Deploy Malware Targeting Windows Systems

@blogs.microsoft.com //
Microsoft is doubling down on its commitment to artificial intelligence, particularly through its Copilot platform. The company is showcasing Copilot as a central AI model for Windows users and is planning to roll out new features. A new memory feature is undergoing testing for Copilot Pro users, enabling the AI to retain contextual information about users, mimicking the functionality of ChatGPT. This personalization feature, accessible via the "Privacy" tab in Copilot's settings, allows the AI to remember user preferences and prior tasks, enhancing its utility for tasks like drafting documents or scheduling.

Microsoft is also making strategic moves concerning its Office 365 and Microsoft 365 suites in response to an EU antitrust investigation. To address concerns about anti-competitive bundling practices related to its Teams communication app, Microsoft plans to offer these productivity suites without Teams at a lower price point. Teams will also be available as a standalone product. This initiative aims to provide users with more choice and address complaints that the inclusion of Teams unfairly disadvantages competitors. Microsoft has also committed to improving interoperability, enabling rival software to integrate more effectively with its services.

Satya Nadella, Microsoft's CEO, is focused on making AI models accessible to customers through Azure, regardless of their origin. Microsoft's strategy involves providing various AI models to maximize profit gains, even those developed outside of Microsoft. Nadella emphasizes that Microsoft's allegiance isn't tied exclusively to OpenAI's models but encompasses a broader approach to AI accessibility. Microsoft believes ChatGPT and Copilot are similar however the company is working hard to encourage users to use Copilot by adding features such as its new memory function and not supporting the training of the ChatGPT model.

Recommended read:
References :
  • www.laptopmag.com: The big show could see some major changes for Microsoft.
  • TestingCatalog: Discover Microsoft's new memory feature in Copilot, improving personalization by retaining personal info. Users can now explore this update!
  • www.windowscentral.com: Microsoft says Copilot is ChatGPT, but better with a powerful user experience and enhanced security.
  • www.windowscentral.com: Microsoft Copilot gets OpenAI's GPT-4o image generation support to transform an image's style, generate photorealistic images, and follow complex directions.
  • blogs.microsoft.com: Microsoft Build 2025: The age of AI agents and building the open agentic web
  • AI News | VentureBeat: VentureBeat discusses Microsoft's AI agents' ability to communicate with each other.
  • The Microsoft Cloud Blog: Microsoft Build 2025: The age of AI agents and building the open agentic web
  • SiliconANGLE: Microsoft launches tools to streamline AI agent development
  • www.zdnet.com: Microsoft unveils new AI agent customization and oversight features at Build 2025
  • Techmeme: Microsoft Corp. today unveiled a major expansion of its artificial intelligence security and governance offerings with the introduction of new capabilities designed to secure the emerging “agentic workforce,” a world where AI agents and humans collaborate and work together. Announced at the company’s annual Build developer conference, Microsoft is expanding Entra, Defender and Purview, embedding these capabilities directly into Azure AI Foundry and Copilot Studio to help organizations secure AI apps and agents.
  • The Tech Portal: Microsoft Build 2025: GitHub Copilot gets AI boost with new coding agent
  • AI News | VentureBeat: GitHub Copilot evolves into autonomous agent with asynchronous code testing
  • Latest from ITPro in News: GitHub just unveiled a new AI coding agent for Copilot – and it’s available now
  • AI News | VentureBeat: Microsoft announces over 50 AI tools to build the 'agentic web' at Build 2025
  • www.zdnet.com: Copilot's Coding Agent brings automation deeper into GitHub workflows
  • WhatIs: New GitHub Copilot agent edges into DevOps
  • siliconangle.com: Microsoft launches tools to streamline AI agent development
  • Source Asia: Microsoft Build 2025: The age of AI agents and building the open agentic web
  • techvro.com: Microsoft Launches AI Coding Agent With Windows Getting Support for the ‘USB-C of AI Apps’
  • Ken Yeung: Microsoft Opens Teams to Smarter AI Agents With A2A Protocol and New Developer Tools
  • Techzine Global: Microsoft envisions a future in which AI agents from different companies can collaborate and better remember their previous interactions.
  • Ken Yeung: AI Agents Are Coming to Windows—Here’s How Microsoft Is Making It Happen
  • news.microsoft.com: Microsoft Build 2025: The age of AI agents and building the open agentic web
  • John Werner: As Microsoft and Google both make big announcements this week, Microsoft’s agentic AI platform, Azure AI Foundry, is powering key healthcare advances with Stanford.

@borncity.com //
Microsoft has confirmed that the May 2025 security updates for Windows 10 and Windows 11 are triggering BitLocker recovery issues on some systems. Specifically, cumulative update KB5058379, released on May 13, 2025, for Windows 10 22H2, is causing the operating system to request the BitLocker recovery key upon boot. In some instances, affected systems are hanging, effectively locking users out of their devices. The problem appears to extend to Windows 11 as well, with reports indicating similar BitLocker recovery prompts after installing the update.

Microsoft has acknowledged the issue and posted a support article in the Windows Release Health dashboard of Windows Server 10 22H2. The company stated that after installing KB5058379, Windows 10 22H2 might repeatedly display the BitLocker recovery screen at startup. The issue is particularly prevalent on devices with Intel Trusted Execution Technology (TXT) enabled on Intel vPro processors of the 10th generation or later. Microsoft has identified that the update can cause lsass.exe to terminate unexpectedly, triggering an automatic repair and subsequently prompting for the BitLocker recovery key.

The BitLocker recovery issue is causing widespread disruption, especially for businesses, with IT departments reporting numerous devices simultaneously stuck at the recovery prompt. While BitLocker typically only requests the recovery key after significant hardware or firmware changes, KB5058379 is triggering the prompt unexpectedly, even when no such changes have occurred. In addition to the BitLocker prompts, some users are reporting Blue Screens of Death (BSOD) during or immediately after the update process. While Microsoft works on a fix, IT professionals have found that disabling Intel Trusted Execution Technology (TXT) in the BIOS allows the update to complete without triggering the BitLocker prompt.

Recommended read:
References :
  • borncity.com: Microsoft confirms Bitlocker boot problems after Windows 10/11 May 2025 update
  • BleepingComputer: Microsoft confirms May Windows 10 updates trigger BitLocker recovery
  • Cyber Security News: KB5058379 Windows 10 Patch Causes Boot Failures, Demands BitLocker Unlock
  • borncity.com: Microsoft confirms Bitlocker boot problems after Windows 10/11 May 2025 update
  • bsky.app: ​Microsoft has confirmed that some Windows 10 and Windows 10 Enterprise LTSC 2021 systems will boot into BitLocker recovery after installing the May 2025 security updates.
  • Davey Winder: New Windows 10 Update Warning — Startup Loop Confirmed By Microsoft
  • cyberpress.org: KB5058379 Windows 10 Patch Causes Boot Failures, Demands BitLocker Unlock
  • borncity.com: Update KB5058379 for Windows 10 22H2 (and also the Windows 11 pendants) from May 13, 2025 has caused issues for some users and administrators.
  • borncity.com: Windows: Bitlocker encryption via Bitpixie (CVE-2023-21563) leveraged

@msrc.microsoft.com //
Microsoft has released its May 2025 Patch Tuesday updates, addressing a total of 71 or 72 vulnerabilities, depending on the source, across its software. This includes fixes for five actively exploited zero-day vulnerabilities and two publicly known vulnerabilities. The updates target flaws in various Windows components, including the Windows Common Log File System (CLFS), DWM Core Library, Scripting Engine, and Winsock.

Among the critical issues addressed are elevation of privilege (EoP) and remote code execution (RCE) vulnerabilities. Specifically, two zero-days in the CLFS (CVE-2025-32701 and CVE-2025-32706) allow attackers to gain SYSTEM privileges. Another zero-day (CVE-2025-30400) is a use-after-free vulnerability in the Windows Desktop Window Manager (DWM) Core Library, which can also lead to privilege escalation. A scripting engine memory corruption vulnerability (CVE-2025-30397) could allow for remote code execution if a user visits a malicious web page while using Internet Explorer mode in Edge.

The Cybersecurity and Infrastructure Security Agency (CISA) has added all five exploited vulnerabilities to its Known Exploited Vulnerabilities Catalog, urging administrators to patch these flaws by June 3, 2025. Security experts emphasize the importance of prioritizing these updates to prevent potential privilege escalation, code execution, and other malicious activities. The identified vulnerabilities highlight the ongoing risk posed by CLFS exploitation and the need for continuous monitoring and patching efforts.

Recommended read:
References :
  • borncity.com: Microsoft Security Update Summary (May 13, 2025)
  • Threats | CyberScoop: Microsoft’s Patch Tuesday closes 72 vulnerabilities, including 5 zero-days
  • isc.sans.edu: Microsoft Patch Tuesday: May 2025, (Tue, May 13th)
  • Tenable Blog: Microsoft’s May 2025 Patch Tuesday Addresses 71 CVEs (CVE-2025-32701, CVE-2025-32706, CVE-2025-30400)
  • CyberInsider: Microsoft Patches Five Actively Exploited Flaws in May 2025 Windows 11 Update
  • securityaffairs.com: Microsoft Patch Tuesday security updates for May 2025 fixed 5 actively exploited zero-days
  • www.bleepingcomputer.com: Microsoft May 2025 Patch Tuesday fixes 5 exploited zero-days, 72 flaws
  • The Hacker News: Microsoft Fixes 78 Flaws, 5 Zero-Days Exploited; CVSS 10 Bug Impacts Azure DevOps Server
  • krebsonsecurity.com: Patch Tuesday, May 2025 Edition
  • socradar.io: May 2025 Patch Tuesday: 78 Flaws, 5 Exploited, & Critical SAP Fixes
  • thecyberexpress.com: Microsoft Patch Tuesday May 2025: 5 Zero Days, 8 High-Risk Vulnerabilities
  • www.action1.com: May 2025 Vulnerability Digest Recording
  • Blog RSS Feed: May 2025 Patch Tuesday Analysis
  • Action1: Watch this webinar to explore the latest Microsoft patches from May 2025 Patch Tuesday and updates on third-party application vulnerabilities addressed in the past month.
  • www.computerworld.com: May’s Patch Tuesday serves up 78 updates, including 5 zero-day fixes
  • borncity.com: Microsoft confirms Bitlocker boot problems after Windows 10/11 May 2025 update
  • cyberpress.org: KB5058379 Windows 10 Patch Causes Boot Failures, Demands BitLocker Unlock

info@thehackernews.com (The@The Hacker News //
A Türkiye-linked hacking group, tracked by Microsoft as Marbled Dust, has been exploiting a zero-day vulnerability, CVE-2025-27920, in the Output Messenger application since April 2024. This espionage campaign has targeted Kurdish military personnel operating in Iraq, resulting in the collection of related user data. The vulnerability impacts Output Messenger version 2.0.62 and involves a directory traversal flaw that allows remote attackers to access and execute arbitrary files. A fix was released by the developer, Srimax, in late December 2024 with version 2.0.63.

The attack chain commences with the threat actor gaining authenticated access to Output Messenger's Server Manager. It is suspected that Marbled Dust uses techniques like DNS hijacking or typosquatted domains to intercept the credentials required for authentication. This access is then abused to collect user credentials and exploit CVE-2025-27920 to drop malicious payloads. These payloads include scripts like "OM.vbs" and "OMServerService.vbs" into the server's startup folder, and an executable "OMServerService.exe" into the server's "Users/public/videos" directory.

The final stage involves the execution of a multi-stage backdoor deployment. The "OMServerService.vbs" script is used to invoke "OM.vbs" and "OMServerService.exe." The latter is a Golang backdoor that connects to a hard-coded domain, "api.wordinfos[.]com," for data exfiltration. On the client side, the installer extracts and executes both the legitimate OutputMessenger.exe file and OMClientService.exe, another Golang backdoor. This client-side backdoor also connects to a Marbled Dust command-and-control (C2) domain, enabling further malicious activities.

Recommended read:
References :
  • BleepingComputer: Fortinet released security updates to patch a critical remote code execution vulnerability exploited as a zero-day in attacks targeting FortiVoice enterprise phone systems.
  • The DefendOps Diaries: Fortinet's Swift Response to Zero-Day Exploits in FortiVoice Systems
  • BleepingComputer: Fortinet fixes critical zero-day exploited in FortiVoice attacks
  • Help Net Security: Zero-day exploited to compromise Fortinet FortiVoice systems (CVE-2025-32756)
  • gbhackers.com: Gbhackers post on fortinet zero-day
  • Arctic Wolf: CVE-2025-32756: Exploitation of Critical Severity Zero-Day Vulnerability in Fortinet FortiVoice
  • malware.news: CVE-2025-32756: Exploitation of Critical Severity Zero-Day Vulnerability in Fortinet FortiVoice
  • arcticwolf.com: Arctic Wolf blog post on CVE-2025-32756
  • cert.europa.eu: 2025-019: Critical Vulnerabilities in Fortinet Products
  • RedPacket Security: Fortinet Products Multiple Vulnerabilities
  • securityaffairs.com: Fortinet fixed actively exploited FortiVoice zero-day
  • The Hacker News: Fortinet Patches CVE-2025-32756 Zero-Day RCE Flaw Exploited in FortiVoice Systems
  • www.redhotcyber.com: Fortinet: RCE critica su FortiVoice già sfruttata attivamente in campo. Aggiornate subito!
  • www.redhotcyber.com: Fortinet: RCE critica su FortiVoice già sfruttata attivamente in campo. Aggiornate subito!
  • socradar.io: Critical Vulnerabilities in Fortinet and Ivanti Products: Multiple Zero-Day Threats Addressed
  • Tenable Blog: CVE-2025-32756: Zero-Day Vulnerability in Multiple Fortinet Products Exploited in the Wild
  • Arctic Wolf: CVE-2025-32756: Exploitation of Critical Severity Zero-Day Vulnerability in Fortinet FortiVoice
  • arcticwolf.com: CVE-2025-32756: Exploitation of Critical Severity Zero-Day Vulnerability in Fortinet FortiVoice
  • Virus Bulletin: Microsoft researchers look into a recent campaign of a Türkiye-affiliated espionage threat actor. Marbled Dust has been observed exploiting user accounts that have not applied fixes to a zero-day vulnerability (CVE-2025-27920) in the messaging app Output Messenger.
  • securityaffairs.com: APT group exploited Output Messenger Zero-Day to target Kurdish military operating in Iraq
  • The Hacker News: Türkiye Hackers Exploited Output Messenger Zero-Day to Drop Golang Backdoors on Kurdish Servers
  • www.microsoft.com: Microsoft researchers look into a recent campaign of a Türkiye-affiliated espionage threat actor. Marbled Dust has been observed exploiting user accounts that have not applied fixes to a zero-day vulnerability (CVE-2025-27920) in the messaging app Output Messenger.
  • securityaffairs.com: U.S. CISA adds a Fortinet flaw to its Known Exploited Vulnerabilities catalog
  • Rapid7 Cybersecurity Blog: CVE-2025-32756 Exploited in the Wild, Affecting Multiple Fortinet Products

@cyberscoop.com //
CISA has added five actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. This action follows Microsoft's May 2025 Patch Tuesday, which addressed a total of 72 vulnerabilities, including these five zero-day exploits. The vulnerabilities affect various Windows components, posing a significant risk to systems if left unpatched. The addition to the KEV catalog underscores the urgency for organizations to apply the relevant Microsoft patches.

The zero-day vulnerabilities include CVE-2025-30397, CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, and CVE-2025-32709. CVE-2025-30397 is a memory corruption vulnerability in the Windows scripting engine, while CVE-2025-30400 affects the Microsoft DWM Core Library. CVE-2025-32701 and CVE-2025-32706 are defects in the Windows Common Log File System (CLFS) Driver, which are particularly concerning as they can lead to elevation of privilege to SYSTEM. CVE-2025-32709 resides in the Windows Ancillary Function Driver for WinSock.

Security experts recommend immediate patching, especially for the CLFS driver vulnerabilities. Mike Walters of Action1 warned that attackers could exploit the CLFS zero-days to gain full control of systems, allowing them to run arbitrary code, install malware, modify data, or disable security protections. The Cybersecurity and Infrastructure Security Agency (CISA) encourages all organizations to review and apply the necessary updates to mitigate the risk of exploitation.

Recommended read:
References :
  • isc.sans.edu: Microsoft Patch Tuesday: May 2025, (Tue, May 13th)
  • Threats | CyberScoop: Microsoft’s Patch Tuesday closes 72 vulnerabilities, including 5 zero-days
  • Help Net Security: Patch Tuesday: Microsoft fixes 5 actively exploited zero-days
  • cyberinsider.com: Microsoft Patches Five Actively Exploited Flaws in May 2025 Windows 11 Update
  • ComputerWeekly.com: May Patch Tuesday brings five exploited zero-days to fix
  • cyberscoop.com: Microsoft’s Patch Tuesday closes 72 vulnerabilities, including 5 zero-days
  • securityaffairs.com: Microsoft Patch Tuesday security updates for May 2025 fixed 5 actively exploited zero-days
  • socradar.io: May 2025 Patch Tuesday: 78 Flaws, 5 Exploited, & Critical SAP Fixes
  • The Hacker News: Microsoft Fixes 78 Flaws, 5 Zero-Days Exploited; CVSS 10 Bug Impacts Azure DevOps Server
  • securityaffairs.com: U.S. CISA adds Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog
  • Cisco Talos Blog: Microsoft has released its monthly security update for May of 2025 which includes 78 vulnerabilities affecting a range of products, including 11 that Microsoft marked as “criticalâ€.
  • www.helpnetsecurity.com: Microsoft patches 5 actively exploited 0-days, recently fixed Chrome vulnerability exploited

@cyberpress.org //
References: cyberpress.org , gbhackers.com , MeatMutts ...
A new method has emerged for stealing Microsoft Entra refresh tokens using Beacon Command & Control (C2) frameworks. This novel technique leverages browser-based authorization flows and Windows API functions to bypass traditional detection mechanisms, allowing attackers to maintain persistent access to cloud resources, even on devices not joined to a domain. The exploit utilizes Beacon Object Files (BOFs) to extract Entra tokens from compromised endpoints, posing a significant risk to enterprise cloud environments. By exploiting the OAuth 2.0 authorization code flow with modifications for offensive operations, attackers can initiate a hidden browser session and scrape the authorization code from the browser window title using the GetWindowTextA Win32 API.

The attack method capitalizes on First-Party Client IDs (FOCI) such as Microsoft Teams, allowing access to multiple Microsoft services through "family refresh tokens." This provides operational advantages by blending token requests with legitimate user activity as they originate from the compromised host's IP address. Furthermore, it is compatible with Bring Your Own Device (BYOD) scenarios, where traditional Primary Refresh Token (PRT) extraction methods fail. After acquiring refresh tokens, attackers can conduct AzureAD reconnaissance via tools like ROADrecon.

A separate but related flaw in Microsoft Entra ID's legacy login process has also been exploited to bypass MFA and Conditional Access, targeting admin accounts across various sectors including finance, healthcare, manufacturing, and technology. This vulnerability resides in the Basic Authentication Version 2 – Resource Owner Password Credential (BAV2ROPC), a legacy login method that allows authentication using simple usernames and passwords. The attacks, which occurred between March 18 and April 7, 2025, demonstrate the dangers of outdated authentication protocols in cloud environments, highlighting how attackers can circumvent modern protections by exploiting compatibility features within Entra ID.

Recommended read:
References :
  • cyberpress.org: A novel technique for extracting Microsoft Entra refresh tokens via Beacon Command & Control (C2) frameworks has emerged, leveraging browser-based authorization flows and Windows API functions to bypass traditional detection mechanisms.
  • gbhackers.com: A novel exploit method leveraging Beacon Object Files (BOFs) has emerged, enabling attackers to extract Microsoft Entra (formerly Azure AD) tokens from compromised endpoints
  • cyberpress.org: Legacy Protocol Flaws in Microsoft Entra ID Let Hackers Bypass MFA and Conditional Access
  • MeatMutts: Legacy Authentication Exploited: Microsoft Entra ID Breach Exposes Cloud Security Risks
  • www.techradar.com: This Microsoft 365 phishing campaign can bypass MFA - here's what we know

@cyberalerts.io //
A new malware campaign is exploiting the hype surrounding artificial intelligence to distribute the Noodlophile Stealer, an information-stealing malware. Morphisec researcher Shmuel Uzan discovered that attackers are enticing victims with fake AI video generation tools advertised on social media platforms, particularly Facebook. These platforms masquerade as legitimate AI services for creating videos, logos, images, and even websites, attracting users eager to leverage AI for content creation.

Posts promoting these fake AI tools have garnered significant attention, with some reaching over 62,000 views. Users who click on the advertised links are directed to bogus websites, such as one impersonating CapCut AI, where they are prompted to upload images or videos. Instead of receiving the promised AI-generated content, users are tricked into downloading a malicious ZIP archive named "VideoDreamAI.zip," which contains an executable file designed to initiate the infection chain.

The "Video Dream MachineAI.mp4.exe" file within the archive launches a legitimate binary associated with ByteDance's CapCut video editor, which is then used to execute a .NET-based loader. This loader, in turn, retrieves a Python payload from a remote server, ultimately leading to the deployment of the Noodlophile Stealer. This malware is capable of harvesting browser credentials, cryptocurrency wallet information, and other sensitive data. In some instances, the stealer is bundled with a remote access trojan like XWorm, enabling attackers to gain entrenched access to infected systems.

Recommended read:
References :

@securityonline.info //
Microsoft has recently addressed several critical security vulnerabilities affecting its Azure cloud services and Microsoft Power Apps. The flaws, identified in Azure Automation, Azure Storage, Azure DevOps, and Microsoft Power Apps, highlighted the importance of proactive security measures within cloud-native development environments. One vulnerability, CVE-2025-29813, received the maximum Common Vulnerability Scoring System (CVSS) score of 10, indicating its severity.

The most critical vulnerability, found in Azure DevOps, allowed attackers with project-level access to escalate their privileges by exchanging short-term pipeline job tokens for long-term ones, potentially gaining extensive access within a project environment. Additional vulnerabilities included CVE-2025-29827 in Azure Automation, where improper authorization could enable a user to elevate privileges, CVE-2025-29972, an SSRF vulnerability in Azure Storage Resource Provider, and CVE-2025-47733 in Microsoft Power Apps, which allowed unauthorized information disclosure over a network through a Server-Side Request Forgery (SSRF).

Despite the severity of these vulnerabilities, Microsoft has assured users that no action is required on their part. The company has already mitigated the flaws at the platform level, preventing potential exploitation. These patches underscore Microsoft's commitment to maintaining a secure cloud environment and highlight the ongoing need for robust security practices within cloud-native development.

Recommended read:
References :
  • securityonline.info: Microsoft Patches Four Critical Azure and Power Apps Vulnerabilities, Including CVSS 10 Privilege Escalation
  • Talkback Resources: Microsoft addressed critical vulnerabilities in various Azure services, including Azure Automation, Azure Storage, Azure DevOps, and Microsoft Power Apps, emphasizing the need for proactive security measures in cloud-native development environments.
  • Davey Winder: Microsoft has confirmed several cloud security vulnerabilities, including one with a maximum critical rating of 10.
  • Davey Winder: Critical 10/10 Microsoft Cloud Security Vulnerability Confirmed

@industrialcyber.co //
The UK's National Cyber Security Centre (NCSC) has issued a warning that critical systems in the United Kingdom face increasing risks due to AI-driven vulnerabilities. The agency highlighted a growing 'digital divide' between organizations capable of defending against AI-enabled threats and those that are not, exposing the latter to greater cyber risk. According to a new report, developments in AI are expected to accelerate the exploitation of software vulnerabilities by malicious actors, intensifying cyber threats by 2027.

The report, presented at the NCSC's CYBERUK conference, predicts that AI will significantly enhance the efficiency and effectiveness of cyber intrusions. Paul Chichester, NCSC director of operations, stated that AI is transforming the cyber threat landscape by expanding attack surfaces, increasing the volume of threats, and accelerating malicious capabilities. He emphasized the need for organizations to implement robust cybersecurity practices across their AI systems and dependencies, ensuring up-to-date defenses.

The NCSC assessment emphasizes that by 2027, AI-enabled tools will almost certainly improve threat actors' ability to exploit known vulnerabilities, leading to a surge in attacks against systems lacking security updates. With the time between vulnerability disclosure and exploitation already shrinking, AI is expected to further reduce this timeframe. The agency urges organizations to adopt its guidance on securely implementing AI tools while maintaining strong cybersecurity measures across all systems.

Recommended read:
References :
  • Industrial Cyber: GCHQ’s National Cyber Security Centre (NCSC) has warned that U.K. critical systems are facing growing risks due to...
  • NCSC News Feed: NCSC warns that organisations unable to defend AI-enabled threats are exposed to greater cyber risk and AI-driven vulnerabilities and threats
  • Tech Monitor: Report predicts that AI will enhance cyber intrusion efficiency and effectiveness by 2027

@securityonline.info //
The Play ransomware gang has been actively exploiting a zero-day vulnerability in the Windows Common Log File System (CLFS), identified as CVE-2025-29824. This high-severity flaw allows attackers to gain SYSTEM privileges on compromised systems, enabling them to deploy malware and carry out other malicious activities. The vulnerability was patched by Microsoft in April 2025; however, it was actively exploited in targeted attacks across various sectors before the patch was released.

The Play ransomware gang's attack methodology is sophisticated, employing custom tools and techniques such as dual extortion. A key tool used is the Grixba infostealer, which scans networks and steals information. In addition to the Grixba infostealer, the group uses a payload injection technique where a malicious payload is injected into the winlogon.exe process. This allows them to inject the Sysinternals procdump.exe tool into various processes for malicious purposes.

The Symantec Threat Hunter Team identified this zero-day vulnerability being actively exploited, including an attack targeting an unnamed organization in the United States. The attackers likely used a public-facing Cisco Adaptive Security Appliance (ASA) as an entry point. During the execution of the exploit, batch files are created to escalate privileges, dump the SAM, SYSTEM, and SECURITY Registry hives, create a new user, and clean up traces of exploitation. The exploitation of CVE-2025-29824 highlights the trend of ransomware actors using zero-days to infiltrate targets, underscoring the importance of prompt patching and robust security measures.

Recommended read:
References :
  • securityaffairs.com: Security Affairs reports Play ransomware affiliate leveraged zero-day to deploy malware
  • The DefendOps Diaries: The Defend Ops Diaries discusses Understanding the Play Ransomware Threat: Exploiting Zero-Day Vulnerabilities.
  • The Hacker News: The Hacker News reports Play Ransomware Exploited Windows CVE-2025-29824 as Zero-Day to Breach U.S. Organization
  • BleepingComputer: BleepingComputer reports Play ransomware exploited Windows logging flaw in zero-day attacks.
  • www.csoonline.com: Windows flaw exploited as zero-day by more groups than previously thought
  • securityonline.info: Zero-Day CLFS Vulnerability (CVE-2025-29824) Exploited in Ransomware Attacks
  • bsky.app: The Play ransomware group has exploited a Windows Common Log File System flaw in zero-day attacks to gain SYSTEM privileges and deploy malware on compromised systems.
  • Davey Winder: Play Ransomware Zero-Day Attacks — US, Saudi Arabia Have Been Targeted
  • www.techradar.com: Ransomware hackers target a new Windows security flaw to hit businesses
  • www.scworld.com: Windows CLFS zero-day leveraged in Play ransomware attacks

@zdnet.com //
Microsoft is rolling out a wave of new AI-powered features for Windows 11 and Copilot+ PCs, aiming to enhance user experience and streamline various tasks. A key addition is an AI agent designed to assist users in navigating and adjusting Windows 11 settings. This agent will understand user intent through natural language, allowing them to simply describe the setting they wish to change, such as adjusting mouse pointer size or enabling voice control. With user permission, the AI agent can then automate and execute the necessary adjustments. This feature, initially available to Windows Insiders on Snapdragon X Copilot+ PCs, seeks to eliminate the frustration of searching for and changing settings manually.

Microsoft is also enhancing Copilot with new AI skills, including the ability to act on screen content. One such action, "Ask Copilot," will enable users to draft content in Microsoft Word based on on-screen information, or create bulleted lists from selected text. These capabilities aim to boost productivity by leveraging generative AI to quickly process and manipulate information. Furthermore, the Windows 11 Start menu is undergoing a revamp, offering easier access to apps and a phone companion panel for quick access to information from synced iPhones or Android devices. The updated Start menu, along with the new AI features, will first be available to Windows Insiders running Snapdragon X Copilot Plus PCs.

In a shift toward passwordless security, Microsoft is removing the password autofill feature from its Authenticator app, encouraging users to transition to Microsoft Edge for password management. Starting in June 2025, users will no longer be able to save new passwords in the Authenticator app, with autofill functionality being removed in July 2025. By August 2025, saved passwords will no longer be accessible in the app. Microsoft argues that this change streamlines the process, as passwords will be synced with the Microsoft account and accessible through Edge. However, users who do not use Edge may find this transition less seamless, as they will need to install Edge and make it the default autofill provider to maintain access to their saved passwords.

Recommended read:
References :
  • cyberinsider.com: Microsoft to Retire Password Autofill in Authenticator by August 2025
  • www.bleepingcomputer.com: Microsoft ends Authenticator password autofill, moves users to Edge
  • Davey Winder: You Have Until June 1 To Save Your Passwords, Microsoft Warns App Users
  • The DefendOps Diaries: Microsoft's Strategic Shift: Transitioning Password Management to Edge
  • www.ghacks.net: Microsoft removes Authenticator App feature to promote Microsoft Edge
  • www.ghacks.net: Microsoft Removes Authenticator App feature to promote Microsoft Edge
  • Tech Monitor: Microsoft to phase out Authenticator autofill by August 2025
  • Davey Winder: You won't be able to save new passwords after June 1, Microsoft warns all authenticator app users. Here's what you need to do.
  • www.microsoft.com: The post appeared first on .
  • PCWorld: If you use Microsoft’s Authenticator app on your mobile phone as a password manager, here’s some bad news: Microsoft is discontinuing the “autofill†password management functionality in Authenticator.
  • securityaffairs.com: Microsoft announced that all new accounts will be “passwordless by default” to increase their level of security.
  • heise Security: Microsoft Authenticator: Zurück vom Passwort-Manager zum Authenticator Microsofts Authenticator-App kann neben erweiterter Authentifizierung als zweiter Faktor auch Passwörter verwalten. Das endet jetzt.
  • PCMag Middle East ai: Microsoft Tests Using Copilot AI to Adjust Windows 11 Settings for You
  • PCMag UK security: Microsoft Is Dropping A Useful Feature From Its Authenticator App
  • www.zdnet.com: Microsoft's new AI skills are coming to Copilot+ PCs - including some for all Windows 11 users
  • Dataconomy: Microsoft is revamping the Windows 11 Start menu and introducing several new AI features this month, initially available to Windows Insiders running Snapdragon X Copilot Plus PCs, including the newly announced Surface devices.
  • www.windowscentral.com: Microsoft just announced major Windows 11 and Copilot+ PC updates, adding a bunch of exclusive features and AI capabilities.
  • Microsoft Copilot Blog: Welcome to Microsoft’s Copilot Release Notes. Here we’ll provide regular updates on what’s happening with Copilot, from new features to firmware updates and more.
  • shellypalmer.com: Microsoft is officially going passwordless by default. On the surface, it’s a welcome step toward a safer, simpler future.
  • www.techradar.com: Microsoft has a big new AI settings upgrade for Windows 11 on Copilot+ PCs – plus 3 other nifty tricks
  • www.engadget.com: Microsoft introduces agent for AI-powered settings controls in Copilot+ PCs
  • www.ghacks.net: Finally! Microsoft is making AI useful in Windows by introducing AI agents
  • www.cybersecurity-insiders.com: Cybersecurity Insiders reports Microsoft is saying NO to passwords and to shut down Authenticator App
  • FIDO Alliance: PC Mag: RIP Passwords: Microsoft Moves to Passkeys as the Default on New Accounts
  • www.cybersecurity-insiders.com: Microsoft to say NO to passwords and to shut down Authenticator App