Hashtag: #cyberattacks
An Introduction to ZTA - Negative PID Once upon a time, the network perimeter was considered a solid defence against external threats. However, the evolution of attack vectors over the last twenty

An Introduction to ZTA

negativepid.blog/an-...

#zeroTrust #ZTA #Cybersecurity #cyberattacks #cyberThreats #onlineSecurity #negativepid

How Stuxnet changed cyberwarfare - Negative PID For a long time, people have thought of the Internet as a completely separate world from reality. It was difficult to conceive that something that happened

How Stuxnet changed cyberwarfare

negativepid.blog/how...

#stuxnet #cyberwarfare #espionage #sabotage #hackers #PPT #Cybersecurity #cyberattacks #cyberThreats #onlineSecurity #negativepid

Steganography, the art of digital hiding - Negative PID Have you ever thought that the digital files you usually handle might carry more than they were intended to? It might be a picture you share on social media,

Steganography, the art of digital concealment

negativepid.blog/ste...

#steganography #cryptography #encryption #espionage #Cybersecurity #cyberattacks #cyberThreats #onlineSecurity #digitalInvestigations #OSINT #negativepid

Government Remains Primary Target as Cyberattacks Grow in 2025

Government institutions were the most heavily targeted sector in 2025, according to newly published research from HPE Threat Labs, which documented 1,186 active cyberattack campaigns throughout the year. The dataset reflects activity tracked between January 1 and December 31, 2025, and spans a wide range of industries and attack techniques, offering a broad view of how threat actors are operating at scale.

Out of all industries analyzed, government bodies accounted for the largest share, with 274 recorded campaigns. The financial services sector followed with 211, while technology companies experienced 179 campaigns. Defense-related organizations were targeted in 98 cases, and manufacturing entities saw 75. Telecommunications and healthcare sectors each registered 63 campaigns, while education and transportation sectors reported 61 incidents each. The distribution shows a clear trend: attackers are prioritizing sectors responsible for sensitive information, essential services, and large operational systems.

Researchers also observed a growing reliance on automation and artificial intelligence to accelerate cyber operations. Some threat groups have adopted highly organized workflows resembling production lines, enabling faster execution of attacks. These operations are often coordinated through platforms such as Telegram, where attackers can manage tasks and extract compromised data in real time. In addition to automation, generative artificial intelligence is being actively used to enhance social engineering techniques. Cybercriminals are now creating synthetic voice recordings and deepfake videos to carry out vishing attacks and impersonate senior executives with greater credibility. In one identified case, an extortion group conducted detailed research into vulnerabilities in virtual private networks, allowing them to refine and improve their methods of gaining unauthorized access.

When examining the types of threats, ransomware emerged as the most prevalent, making up 22 percent of all campaigns. Infostealer malware followed at 19 percent, with phishing attacks accounting for 17 percent. Remote Access Trojans represented 11 percent, while other forms of malware comprised 9 percent of the total activity.

The scale of malicious infrastructure uncovered during the analysis further underscores the intensity of the threat environment. Investigators identified 147,087 harmful domains and 65,464 malicious URLs. In addition, 57,956 malicious files and 47,760 IP addresses were linked to cybercriminal operations. Over the course of the year, attackers exploited 549 distinct software vulnerabilities. Insights from a global deception network revealed 44.5 million connection attempts originating from 372,800 unique IP addresses. Among these, 36,600 requests matched known attack signatures and were traced to 8,200 distinct source IPs targeting five specific destination systems.

A closer examination of attack patterns shows that cybercriminals frequently focus on exposed systems and known weaknesses. Remote code execution vulnerabilities in digital video recorders were triggered approximately 4,700 times. Exploitation attempts targeting Huawei routers were observed 3,490 times, while misuse of Docker application programming interfaces occurred in about 3,400 cases. Other commonly exploited weaknesses included command injection vulnerabilities in PHPUnit and TP-Link systems, each recorded around 3,100 times. Printer-related enumeration attacks using Internet Printing Protocol, along with Realtek UPnP exploitation, were each observed roughly 2,700 times. The vulnerabilities most frequently targeted during these campaigns included CVE-2017-17215, CVE-2023-1389, CVE-2014-8361, CVE-2017-9841, and CVE-2023-26801, all of which have been widely documented and continue to be exploited in systems that remain unpatched.

Beyond the raw data, the findings reflect a dynamic development in cybercrime. Attackers are combining automation, artificial intelligence, and well-known vulnerabilities to increase both the speed and scale of their operations. This shift reduces the time required to identify targets, exploit weaknesses, and generate impact, making modern cyberattacks more efficient and harder to contain. The report points to the crucial need for organizations to strengthen their defenses by continuously monitoring systems, addressing known vulnerabilities, and adapting to rapidly evolving threat techniques. As attackers continue to refine their methods, proactive security measures are becoming essential to limit exposure and reduce risk across all sectors.

Government Remains Primary Target as Cyberattacks Grow in 2025 #ArtificialIntelligence #CyberAttacks #Government

What is the Lazarus group? - Negative PID At the beginning of December 2025, some of the members of the Lazarus group were caught on camera while conducting infiltration through a fake-job scheme. But

What is the Lazarus group?

negativepid.blog/wha...

#lazarus #cyberwarfare #organizedCrime #stateSponsoredCrime #cyberUnits #LazarusGroup #hackers #onlineRecruitment #Cybersecurity #cyberattacks #cyberThreats #onlineSecurity #negativepid

Stryker Cyberattack Disrupts Operations as Pro-Iran Hackers Allegedly Wipe Employee Devices

Medical technology leader Stryker has begun restoring its systems after a cyberattack that reportedly enabled pro-Iranian hackers to remotely erase data from tens of thousands of employee devices. The incident caused significant operational disruption and is being viewed as potentially the first large-scale cyberattack in the United States linked to tensions surrounding the Donald Trump administration’s conflict with Iran.

In a weekend update, Stryker confirmed that the March 11 breach was limited to its internal Microsoft environment, emphasizing that its internet-connected medical devices are “safe to use.” Although investigations into the root cause are ongoing, the company stated it has found no evidence of ransomware or malware involvement. However, disruptions to order processing, manufacturing, and shipping operations persist.

A pro-Iran hacking group known as Handala claimed responsibility for the attack, stating it was retaliation for a U.S. airstrike on an Iranian school that reportedly killed at least 175 people, most of them children. The group also defaced Stryker’s login portals with its branding.

According to Bleeping Computer, the attackers may have gained entry through an internal administrator account, granting them extensive access to Stryker’s Windows network. Reports suggest the hackers accessed Microsoft Intune dashboards, a system used to manage employee devices remotely, including the ability to erase data if devices are lost or stolen. A successful breach of these dashboards would have allowed attackers to remotely wipe both corporate and personal devices without deploying malware. The Wall Street Journal also reported that Intune systems were a primary target in the attack. Stryker has not publicly responded to questions regarding the breach, including whether the compromised account was secured with multi-factor authentication.

The initial entry point for the attackers remains unclear. Researchers from Palo Alto Networks suggested phishing could have been used to infiltrate the network. IBM noted that Iran-linked groups like Handala are known for phishing campaigns and destructive cyber operations, particularly targeting healthcare and energy industries. Infostealer malware, which captures login credentials and sensitive data, may also have contributed to the breach. Stryker employs approximately 56,000 people globally and operates across more than 60 countries, according to Reuters.

Stryker Cyberattack Disrupts Operations as Pro-Iran Hackers Allegedly Wipe Employee Devices #CyberAttacks #Handalahackers #Healthcarecybersecurity

email security guide for small business A practical email security guide for small business. Identify your weakest link, reduce risk, and improve protection without technical complexity.

Most #cyberattacks don’t start with a with an email. Over 90% of cyber incidents begin with a phishing message. This guide is not another technical deep dive. Instead, it provides a practical audit designed to help you quickly identify where your business. shorturl.at/XFOFQ

Autism, Asperger traits, and hacking - Negative PID The hacking world has always attracted people with a strong interest in systems, logic, and digital problem solving. Several well known figures, such as Gary

Autism, Asperger traits, and hacking

negativepid.blog/aut...

#autism #asperger #hacking #hackers #neurodiversity #Cybersecurity #cyberattacks #cyberThreats #onlineSecurity #negativepid

CYBER THREAT INTELLIGENCE BRIEFING Reporting Period: February 10 – March 27, 2026 Runtime: March 27, 2026 Classification: UNCLASSIFIED // OSINT

Just updated my weekly cyber threat report on Russia, China, North Korea, and Iran. #russia #china #northkorea #iran #cybersecurity #cyberattacks #threatintel

CYBER THREAT INTELLIGENCE BRIEFING open.substack.com/pub/cyberwar...

Neurodiversity in cybersecurity work - Negative PID Cybersecurity relies on a wide range of cognitive skills. Threat hunting, OSINT investigation, incident response, red team operations, and policy design all

Neurodiversity in cybersecurity work

negativepid.blog/neu...

#neurodiversity #neurodivergent #Cybersecurity #cyberattacks #cyberThreats #onlineSecurity #negativepid #Internet #tech #IT #science #STEM #computing #AI #innovation #negativepid

Breaking into offensive security - Negative PID Offensive security roles attract people who enjoy thinking creatively, solving puzzles, and understanding systems from the inside out. Whether you want to

Breaking into offensive security

negativepid.blog/bre...

#OffSec #offensiveSecurity #ethicalHacking #redTeam #Cybersecurity #cyberattacks #cyberThreats #onlineSecurity #negativepid


Ransomware Attack Hits Ticketing System Used by Major Museums and Theme Parks The incident speaks to the ongoing importance of cybersecurity both for your own company and downstream partners. Skift...

#Experiences #Travel #Technology #cyberattacks #events […]

[Original post on skift.com]

A beginner’s guide to Blockchain - Negative PID Everybody talks about Bitcoin and Blockchain. In recent years, they have become a common topic in tech, finance, cybersecurity, and even politics. But what do

A beginner’s guide to Blockchain

negativepid.blog/a-b...

#blockchain #bitcoin #crypto #Cybersecurity #cyberattacks #cyberThreats #onlineSecurity #negativepid

Google warns quantum computers could hack encrypted systems by 2029 Banks, governments and tech providers urged to upgrade security because current systems will soon be obsolete

Banks, governments and technology providers need to be prepared for #quantumcomputer hackers capable of breaking most existing encryption systems by 2029, #Google has warned. We’ve adjusted our threat model and urge other companies to follow its lead www.theguardian.com/technology/2... #CyberAttacks

Deepfake Cyberattacks Exploit Human Trust and Bypass Traditional Defenses, Finds Info-Tech Research Group Deepfakes have evolved into a material enterprise threat as AI enables increasingly convincing impersonation attacks that bypass traditional controls. New insights from Info-Tech Research Group show that these attacks target human trust rather than technical vulnerabilities, leaving many organizations unprepared. The global research and advisory firm’s newly published blueprint, Defend Against Deepfake Cyberattacks, outlines a framework to help IT and security leaders assess exposure and strengthen defenses. ARLINGTON, Va., March 26, 2026 /PRNewswire/ – Deepfakes are rapidly emerging as a new class of cyberattack that bypasses traditional security controls by exploiting human trust, exposing organizations to fraud, data theft, regulatory […]

Deepfake Cyberattacks Exploit Human Trust and Bypass Traditional Defenses, Finds Info-Tech Research Group #Deepfake #Cybersecurity #AIThreats #InfoTech #Cyberattacks

Mazda Reports Limited Data Exposure After Warehouse System Breach

Early reports indicate Mazda Motor Corporation faced a data leak following suspicious activity uncovered in its systems during December 2025. Information belonging to staff members, along with details tied to external partners, became accessible due to the intrusion. Investigation results point to a weak spot found within software managing storage logistics. This particular setup supports component sourcing tasks based in Thailand. Findings suggest the flaw allowed outside parties to enter without permission.

Despite early concerns, investigators confirmed the breach touched only internal systems - no client details were involved. A count later showed 692 records may have been seen by unauthorized parties. Among what was accessed: login codes, complete names, work emails, firm titles, along with tags tied to collaboration networks. What escaped exposure? Anything directly linked to customers.

After finding the issue, Mazda notified Japan’s privacy regulator while launching a probe alongside outside experts focused on digital security. So far, no signs have appeared showing the leaked details were exploited. Still, people touched by the event are being urged to watch closely for suspicious messages or fraud risks tied to the breach. Despite limited findings now, caution remains key given how personal information might be used later.

Mazda moved quickly, rolling out several upgrades to protect its digital infrastructure. With tighter controls on who can enter systems, fewer services exposed online now limit entry points. Patches went live where needed most, closing known gaps before they could be used. Monitoring grew sharper, tuned to catch odd behavior faster than before. Each change connects to a clear goal - keeping past problems from repeating. Protection improves not by one fix but through layers put in place over time.

Mazda pointed out the breach showed no signs of ransomware or malicious software, yet operations remain unaffected. Though certain hacking collectives once said they attacked Mazda’s networks, the firm clarified this event holds no connection - no communication from any threat actor occurred.

Now more than ever, protection across suppliers and daily operations demands attention - the car company keeps watch, adjusts defenses continuously. Emerging risks push updates to digital safeguards forward steadily.

Mazda Reports Limited Data Exposure After Warehouse System Breach #CyberBreach #CyberSecurity #Cyberattacks

LeakNet Ransomware Uses ClickFix and Deno for Stealthy Attacks

LeakNet ransomware has changed its approach by pairing ClickFix social-engineering lures with a Deno-based loader, making its intrusion chain harder to spot. The group is using compromised websites to trick users into running malicious commands, then executing payloads in memory to reduce obvious traces on disk.

Security researchers say this is a notable shift because ClickFix replaces older access methods like stolen credentials with a user-triggered infection path. Once the victim interacts with the fake prompt, scripts such as PowerShell and VBS can launch the next stage, often with misleading file names that look routine rather than malicious.

The Deno runtime is the second major piece of the campaign. Deno is a legitimate JavaScript and TypeScript runtime, but LeakNet is abusing it in a “bring your own runtime” style so it can run Base64-encoded code directly in memory, fingerprint the host, contact command-and-control servers, and repeatedly fetch additional code.

That design helps the attackers stay stealthy because it minimizes the amount of malware written to disk and can blend in with normal software activity better than a custom loader might. Researchers also note that LeakNet is building a repeatable post-exploitation flow that can include lateral movement, payload staging, and eventually ransomware deployment.

For organizations, the primary threat is that traditional file-based detection may miss the earliest stages of the attack. A campaign that starts with a convincing browser prompt or a fake verification page can quickly turn into an internal breach if users are not trained to question unexpected instructions.

Safety recommendations

To mitigate the threat, companies should train users to avoid following browser-based “fix” prompts, especially on unfamiliar or compromised sites. They should also restrict PowerShell, VBS, and other script interpreters where possible, monitor for Deno running outside developer workflows, watch for unusual PsExec or DLL sideloading activity, and segment networks so one compromised host cannot easily spread access. Finally, maintain tested offline backups and keep a playbook for rapid isolation, because fast containment is often the difference between a blocked intrusion and a full ransomware incident.

LeakNet Ransomware Uses ClickFix and Deno for Stealthy Attacks #ClickFix #CyberAttacks #Deno

24.5 Million Dollar Hack Exposes Vulnerabilities in Resolv DeFi

The concept of stability is fundamental to the architecture of decentralized finance - it is the foundation upon which trust is built. A stablecoin brings parity with the dollar to the decentralized finance system, providing a quiet assurance that one token will reliably mirror one unit of currency.

The premise of this proposition has been severely undercut with the case of Resolv, where the USR token now trades at less than a third of its intended peg and hovers around 27 cents, clearly demonstrating a structural breakdown that cannot be rectified by simple recalibration.

During the early hours of Sunday morning, at approximately 2:21 a.m. UTC, an attacker exploited a vulnerability within the protocol's minting contract, fabricating nearly 80 million tokens without backing. A swift and systematic unwinding of value followed: those artificially created assets were funneled through decentralized exchanges, exchanged for more liquid stablecoins, and eventually consolidated into Ether.

After completing the activity, the attacker had obtained digital assets worth approximately $25 million, leaving behind not only a depegged token, but also a stark reminder of how confidence can rapidly erode when mathematical foundations of financial systems fail to hold up. It is evident from the mechanics of the breach that there was a deeper architectural weakness rather than a momentary lapse that led to the breach.

A capital injection of $100,000 to $200,000 in USDC was sufficient to engage the protocol's minting interface under normal conditions at the beginning of the sequence. However, what occurred afterward diverged significantly from what was expected. By exploiting a flaw in the authorization flow, the adversary was able to generate approximately 80 million USR tokens, a number that is significantly greater than the initial collateral provided.

Ultimately, this breakdown occurred as a result of an off-chain signing service entrusted with a privileged private key that authorised mint quantities. The contract verified the presence of a valid cryptographic signature, but failed to impose any intrinsic ceiling on issuance. Therefore, a critical control was externalized without being enforced on the blockchain.

Having created the unbacked tokens, the attacker moved with calculated precision to convert USR into its staked derivative, wstUSR, and unwind the position using decentralized liquidity pools. Upon incremental exchange of the assets for stablecoins and then consolidation into Ether, the proceeds could be absorbed into deeper market liquidity, thereby providing a greater level of market liquidity.

Parallel to the sudden injection of uncollateralized supply, USR's market equilibrium was destabilized, resulting in a rapid depreciation of almost 80 percent. As a result of establishing the sequence of events, the incident demonstrates the importance of investigating the minting architecture and implicit trust assumptions that enabled such a breach to occur. Rather than limiting themselves to Resolv's immediate ecosystem, the repercussions of the exploit have been emitted across interconnected DeFi infrastructure protocols. A detailed internal assessment has now been initiated to determine the extent of exposure for organizations that integrated USR into shared liquidity pools, accepted it as collateral, or relied on its yield mechanisms.

Decentralized finance is based on the premise that it can be layered, enhancing efficiency as well as reducing risk, and this chain reaction is indicative of this. As a result of the sudden depegging of USR, platforms upstream have encountered balance sheet inconsistencies.

As a precautionary measure, select operations were suspended, withdrawals and deposits were restricted, and governance-driven responses were initiated to mitigate potential deficits. This requires a more detailed audit of smart contract states and liquidity positions to reconcile the impact of a compromised asset than surface-level accounting. As a result of the episode, DeFi remains aware of a persistent structural reality: vulnerabilities at a foundational layer can lead to instability throughout the entire stack, thereby exposing even indirectly exposed participants to disruption. There has been an increase in attention on the post-exploit environment, where the trajectory of stolen assets may influence recovery prospects.

On-chain observations indicate that the majority of the approximately $25 million extracted remains consolidated within wallets controlled by the attacker, with no visible signs of obfuscation by mixing or crossing chains. It has historically been observed that such inactivity precedes negotiation attempts, as demonstrated in prior incidents involving attackers engaging with protocol teams under whitehat or quasi-whitehat frameworks to return funds in exchange for incentives.

It is also unclear whether Resolv's operators have initiated similar outreach or structured a formal bounty, and no confirmation regarding direct communication with the attacker has been released to date. While blockchain analytics firms are actively tracing transaction flows, no parallel involvement by law enforcement agencies has been reported.

Near-term, the focus is on transparency and remediation for affected users and counterpart protocols monitoring official disclosures, evaluating exposure statements, and waiting for comprehensive post-incident analyses along with compensation frameworks.

Decentralized finance continues to gain momentum as it moves toward broader adoption; however, the incident once again illustrates that there is still a significant gap between innovation and security assurance in systems where trust is distributed but accountability can become muddled.

A number of factors contribute to the shift in focus from attribution to prevention in the aftermath of the incident, underlining the need for more resilient design principles across decentralized systems. Consequently, security in DeFi cannot be partially delegated to off-chain mechanisms or implicit trust models; critical controls must be enforced at the protocol level by ensuring deterministic safeguards, limiting minting logic, and continuously validating changes to the state.

During this conference, protocol architects and developers are reminded of the importance of minimizing privileged dependencies, implementing rigorous audit layers, and stress testing composability risks under adversarial conditions.

Participants are reminded that it is imperative that not only yield opportunities are evaluated, but that underlying mechanisms are also examined for structural integrity. It is expected that sustained credibility will be dependent less on the speed at which innovations are implemented, and more on the discipline with which security assumptions are developed, verified, and communicated transparently.

24.5 Million Dollar Hack Exposes Vulnerabilities in Resolv DeFi #BlockchainSecurity #CryptoHack #CyberAttacks

How to become a bug bounty hunter - Negative PID Many people entering the cybersecurity field believe that the only way to demonstrate their skills to a prospective employer is to hack into their systems.

How to become a bug bounty hunter

negativepid.blog/how...

#bugBounty #securityResearch #cybersecurityCareers #Cybersecurity #cyberattacks #cyberThreats #onlineSecurity #negativepid #offSec

What is cybercrime? - Negative PID Every day, you hear about cybercrime. More and more, it is presented as a problem to society: hacking, fraud, obscene behaviour, hate speech, fake news,

What is cybercrime?

negativepid.blog/wha...

#Cybersecurity #cyberattacks #cyberThreats #onlineSecurity #scams #fraud #internetFraud #identityTheft #onlineIdentity #romanceScams #financialScams #socialMedia #accounts #negativepid

1-15 March 2026 Cyber Attacks Timeline In the first half of March 2026 I collected 95 events (6.34 events/day) with a threat landscape dominated by malware once ahead of account takeovers and ransomware.

The 1-15 March 2026 #cyberattacks timeline is out! 🔊

The #threat landscape was dominated by #malware and driven by #cybercrime.

#phishing was the main initial access vector, and targets in the #information & #communication sector were hit the most.

www.hackmageddon.com/2026/03/26/1...

Update on #Stress, #Logistics, #Cyberattacks, #TradeUncertainty, #HealthCare and other issues in the #Workplace. Survey of 1,250 executives. See #ThoughtsAndObservations on Substack at substack.com/@miketemkin/...

Original post on social.heise.de

LLMs have become an arms race.

"AI models can be misused for #cyberattacks at this scale, why continue to develop and release them?", asks
#Claude. "The answer is that the very abilities that allow Claude to be used in these attacks also make it crucial for cyber #defense."

Spoken like a […]

Original post on techcrunch.com

FCC bans import of new consumer routers made overseas, citing security risks The FCC ban will affect the import of all new, foreign-made consumer routers, the agency's head Brendan Carr said.

#Government #& #Policy #Security #FCC #Routers #cybersecurity […]

[Original post on techcrunch.com]

Cybercriminals Misuse Microsoft Azure Monitor Alerts for Phishing Operations

Using trusted enterprise monitoring systems as a tool for credentialing their deception, threat actors have begun to make a subtle but highly effective shift in phishing tradecraft. Through the use of Microsoft Azure Monitor alerting mechanisms, attackers are orchestrating callback phishing campaigns that blur the line between legitimate security communication and malicious activity.

Organizations commonly rely upon these alerts to monitor system health and security events in real time, but they are now being repurposed to convey a false sense of urgency, encouraging recipients to initiate contact with attacker-controlled telephone numbers.

By using messages originating from authentic Microsoft infrastructure, the tactic represents a significant improvement over conventional phishing, thereby evading many of the technical and psychological safeguards users have been trained to rely on.

Microsoft Azure Monitor is now one of a growing number of legitimate enterprise tools increasingly repurposed to facilitate phishing operations. The platform is widely deployed to aggregate telemetry across applications and infrastructure, which assists organizations in tracking performance metrics, uncovering anomalies, and responding to operational disruptions in real time. The adversaries are now exploiting precisely this trusted functionality.

The service is reporting that users are receiving alert emails directing them to purported "suspicious charges" or irregular "invoice activity" based upon recent activity. In order to ensure that such notifications merge seamlessly into routine administrative workflows, they align closely with the types of events that are flagged by the platform, making it extremely difficult to distinguish them from real alerts and increasing the likelihood that users will engage with them.

In the last several weeks, a noticeable increase in such activity has been observed, with multiple individuals reporting that they received alert notifications warning of suspicious charges or anomalous billing events connected to their accounts. To strengthen the authenticity of these messages, they often incorporate fabricated transaction metadata, such as merchant identifiers, transaction IDs, timestamps, and dollar amounts, to mirror legitimate security advisories. Upon receiving the message, recipients are urged to immediately act under the pretext of fraud prevention, typically by contacting a designated support number allegedly relating to the account security department.

In order to prompt quick response by users, the language employed is deliberately urgent yet procedural, implying risks of account suspension or additional financial exposure. Unlike more conventional phishing attempts, this campaign is distinguished not only by the narrative sophistication it contains, but also by the delivery mechanism it employs.

Alerts are sent directly through Microsoft Azure Monitor using legitimate Microsoft-associated email channels, including standard no-reply addresses, rather than through spoofed domains or lookalike infrastructure. These communications, as a result, successfully satisfy email authentication protocols such as SPF, DKIM, and DMARC, which enable them to pass through secure email gateways without raising typical red flags.

By combining technical legitimacy and social engineering precision, this attack is elevated significantly in credibility, complicating both automated detection and user-driven scrutiny of the attack. The campaign reveals a deliberate use of Microsoft Azure Monitor's configurability as a basis for generating alerts based on predefined conditions across applications, infrastructure, and billing workflows.

Users can create granular alert rules related to routine operational events, such as the confirmation of orders, the processing of payments, and the creation of invoices. As a result of this flexibility, threat actors are embedding malicious content directly within alert metadata, primarily in custom description fields, which are normally used as administrative context fields.

After establishing these rules, the alerts will be triggered programmatically and routed through distribution lists controlled by the attacker, allowing broad dissemination while maintaining the appearance that the system has generated the alert.

In addition to benign-looking system events such as resource utilization spikes or storage constraints, the content of these notifications is deliberately varied, incorporating a variety of financial-oriented messages referencing successful fund transfers or billing updates in a format aligned with the standard Microsoft alert template format. A deliberate pivot toward callback-based social engineering is the cornerstone of this operation, which shifts the point of compromise from an inbox to a controlled voice interaction on the telephone. By instructing recipients to contact a designated support number instead of embedding malicious links, the alerts circumvent traditional URL-based detection mechanisms. In their messaging, immediacy is consistently emphasized, citing potential account suspensions, financial penalties, or pending transaction verifications as a means to compel immediate response. Researchers who have observed similar campaigns note that the victim is often guided through a sequence of steps designed to escalate access, from revealing credentials and authorizing payments to installing remote access utilities.

Ultimately, such interactions can facilitate deeper intrusions into corporate environments, resulting in exposure to persistent unauthorized access and system compromise that extends beyond initial fraud. Additionally, the campaign's operational scope demonstrates its calculated design, as attackers mimic routine billing notifications generated within enterprise environments using a variety of alert categories, primarily those related to invoicing and payments. When alerts are aligned with familiar financial processes and share their thematic structure, they are more likely to evade suspicion during initial evaluation. Through consistent insertion of urgency-driven language in the email, recipients are compelled to call the embedded phone numbers in an effort to resolve time-sensitive account discrepancies.

This interaction presents multiple avenues for exploitation, including credential harvesting, fraudulent transaction authorization, and the deployment of remote access tools, which can further establish attacker footholds within the targeted system.

A defensive approach to billing alerts originating from platforms such as Microsoft Azure Monitor or associated Microsoft services should be to view them with heightened scrutiny, especially if the alerts deviate from standard operational patterns by containing direct support contact instructions or urgent financial remediation requests. A security practitioner emphasizes the importance of independently verifying the legitimacy of such communications before taking action. As the alerts are enterprise-centric, there is a strong probability that the activity is not limited to isolated financial fraud, but may also serve as an initial point of entry for broader intrusion chains targeting corporate networks.
Considering these findings, organizations should reevaluate the implicit trust placed in system-generated communications, specifically those that originate from widely adopted cloud platforms, such as Microsoft Azure Monitor. Teams responsible for security should focus on implementing contextual alert validation mechanisms, educating users about callback-based attacks, and implementing more restrictive rules for creating and distributing alerts within cloud environments.  The establishment of verification protocols requiring users to confirm the legitimacy of billing or security-related notifications through official channels rather than relying on embedded contact information is equally important. It is increasingly evident that adversaries will continue to exploit the convergence of trusted infrastructure and human response behaviors as well as the ability of an organization to critically assess its own operational signals in order to remain resilient.
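As an added example that is not part of the original article, the following Python sketches the "contextual alert validation" and "restrictive alert rule" checks recommended above from the defender's side. It scores an alert's free-text description for the callback lure pattern the article describes (a telephone number, a financial theme, urgency language) and audits a list of alert rule definitions for lure-like descriptions and for notification recipients outside the organisation's own domains. The rule records, the domain allow-list, the thresholds and the word lists are constructed for this example; the record shape is a simplified stand-in and is not Azure Monitor's actual export schema.

```python
import re
from dataclasses import dataclass, field

# Heuristics for triaging alert-style notifications. The regex, word lists and
# score threshold are assumptions chosen for this example, not vendor values.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URGENCY_TERMS = ("immediately", "suspended", "suspension", "within 24 hours",
                 "penalty", "unauthorized", "verify now")
FINANCE_TERMS = ("charge", "invoice", "payment", "transfer", "billing", "refund")
CALLBACK_TERMS = ("call", "contact", "support", "helpdesk", "help desk")


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= 3  # assumed threshold


def assess_alert_text(description: str) -> Verdict:
    """Score the free-text (description) portion of an alert notification.

    A genuine operational alert describes a metric or resource condition and
    has no reason to carry a telephone number or to ask the reader to call
    anyone. A phone number plus a financial theme plus urgency language in a
    system-generated alert is the callback lure pattern described above.
    """
    text = description.lower()
    verdict = Verdict(score=0)
    phones = PHONE_RE.findall(description)
    if phones:
        verdict.score += 2
        verdict.reasons.append(f"phone number in description: {phones}")
        if any(t in text for t in CALLBACK_TERMS):
            verdict.score += 1
            verdict.reasons.append("instructs reader to call a number")
    if any(t in text for t in FINANCE_TERMS):
        verdict.score += 1
        verdict.reasons.append("financial theme")
    if any(t in text for t in URGENCY_TERMS):
        verdict.score += 1
        verdict.reasons.append("urgency language")
    return verdict


def audit_alert_rules(rules, allowed_domains):
    """Review alert rule definitions (constructed record shape, see lead-in).

    Returns (rule name, issue, detail) tuples for rules whose description looks
    like a callback lure and for rules that notify addresses outside the
    organisation's own domains, i.e. attacker-controlled distribution lists.
    """
    findings = []
    for rule in rules:
        verdict = assess_alert_text(rule.get("description", ""))
        if verdict.suspicious:
            findings.append((rule["name"], "lure-like description", verdict.reasons))
        external = [addr for addr in rule.get("email_receivers", [])
                    if addr.rsplit("@", 1)[-1].lower() not in allowed_domains]
        if external:
            findings.append((rule["name"], "external recipients", external))
    return findings


# Constructed sample rules: one ordinary metric alert and one lure-style rule.
SAMPLE_RULES = [
    {"name": "cpu-high-prod-web",
     "description": "Average CPU above 90% for 10 minutes on prod-web scale set.",
     "email_receivers": ["sre-oncall@example.com"]},
    {"name": "billing-review",
     "description": ("Suspicious charge of $4,870.00 detected (TXN 8841-22). "
                     "Your subscription will be suspended. Call account security "
                     "immediately at (555) 010-2233 to cancel this invoice."),
     "email_receivers": ["all-staff@example.com", "lists@partner-mail.example.net"]},
]

if __name__ == "__main__":
    for name, issue, detail in audit_alert_rules(SAMPLE_RULES, {"example.com"}):
        print(f"[{name}] {issue}: {detail}")
```

The two checks are deliberately independent: a rule can fail on recipients alone (a legitimate-looking description routed to an outside list) or on text alone, and either finding is worth a human look before the rule is allowed to keep firing.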

Cybercriminals Misuse Microsoft Azure Monitor Alerts for Phishing Operations #CallbackPhishing #CloudSecurityThreats #CyberAttacks

Preview
Cybercriminals Access Enterprise PCs 76 Days a Year: Study

_**The Downtime Era is Now: Cyber Incidents and AI Enabled Attacks are Driving $400 Billion in Downtime Losses Annually**_

RSAC 2026 – Absolute Security, an enterprise cyber resilience leader, today published its _2026 Resilience Risk Index_, revealing that endpoint security software fails to protect devices nearly 21 percent of the time. This means that globally distributed PCs are vulnerable to AI-driven attacks and cyber incidents up to 76 days per year, a gap that is contributing to $400 billion in annual downtime losses [1].

“Cyberattacks are inevitable, downtime is optional,” said Christy Wyatt, President and CEO of Absolute Security. “The cybersecurity industry has rushed to provide innovations that detect and prevent threats; unfortunately, it’s lagging when it comes to ensuring that tools can remain operational when they are needed most. Enterprise security, risk, and business leaders that are working together to ensure their critical defenses remain resilient under any conditions will avoid falling victim to the downtime era.”

**Absolute Security Resilience Risk Index 2026 Top Highlights**

To compile the report, the company’s Cyber Resilience experts analyzed anonymized telemetry across millions of endpoint devices. The research also includes the following key findings, which reveal why downtime has become a global economic crisis:

* Critical OS patching across PCs running Windows 10 and 11 is behind by an average of 127 days, leaving devices vulnerable to downtime caused by zero-day attacks, ransomware, compromise, and configuration failures. This is a sharp increase over the 2025 report, when overall patching lagged by 56 days.
* 10% of PCs continue to run Windows 10. With Microsoft having ended support for the OS in October 2025, these devices are now highly exposed to adapting and emerging vulnerabilities and attacks.
* PCs continue to engage with high-risk GenAI sites like DeepSeek while the number of browser sessions observed has increased massively, from 150 million to 350 million year-over-year. With endpoint security tools failing 20% of the time, GenAI visits may be taking place without governance applied.
* Across all industries, 20 percent of connected devices store sensitive data, with 30 percent lacking encryption and 25 percent unaccounted for. Last year’s report found that 18 percent of connected devices stored sensitive data, with 35 percent lacking encryption and 26 percent unaccounted for.
* Endpoint devices are rapidly becoming the new AI platform, despite security software failing 20 percent of the time. The 2025 report showed that 68 percent of PCs had enough RAM to take full advantage of AI (16-32 GB). This year, enterprises are ramping up investment in AI-ready devices, with 96% now equipped with 16-32 GB.

Download your copy: _Absolute Security’s Cyber Resilience Risk Index 2026_

**RSAC 2026, MOSCONE SOUTH, #2039, Tuesday, March 24 – Thursday, March 26**

Join Absolute Security Cyber Resilience experts during exhibition hours to discover how the AI-Powered Absolute Security Cyber Resilience Platform helps customers defend their organizations against threats, protect against risk, and stop costly downtime caused by cyberattacks, ransomware, compromises, and software failures. Schedule a meeting or demo in advance.

**RSAC 2026: The Resilient CISO, Wednesday, March 25, from 6 to 9 PM PDT**

At the Marriott Marquis in San Francisco, join Absolute Security for The Resilient CISO. This limited-seating event will feature cybersecurity leaders and technology visionary Ray Kurzweil discussing the future of AI, security, and cyber resilience. The evening will also highlight recognition of the 2026 SC Award Resilient CISO honorees. Register to attend the event, and access free and discounted RSAC passes.

_All findings, statistics, data, and information presented in this press release are cited and referenced in the report; percentages are rounded up to the nearest whole number; some figures are approximations._

**Business Wire**

Business Wire is a trusted source for news organizations, journalists, investment professionals and regulatory authorities, delivering news directly into editorial systems and leading online news sources via its multi-patented NX Network. Business Wire has 18 newsrooms worldwide to meet the needs of communications professionals and news media.

Cybercriminals Access Enterprise PCs 76 Days a Year: Study The Downtime Era is Now: Cyber Incidents and AI Enabled Attacks are Driving $400 Billion in Downtime Losses Annually RSAC 2026–Absolute...

#Cyberattacks #AI #news #ai #tech #news #AI #tech #trends #AI #technology
