Microsoft | Breaking Cybersecurity News | The Hacker News

Most cyberattacks today don't start with loud alarms or broken firewalls. They start quietly—inside tools and websites your business already trusts. It's called " Living Off Trusted Sites " (LOTS)—and it's the new favorite strategy of modern attackers. Instead of breaking in, they blend in. Hackers are using well-known platforms like Google, Microsoft, Dropbox, and Slack as launchpads. They hide malicious code inside routine traffic, making it incredibly difficult for traditional defenses to detect them. And here's the scary part: many security teams don't even realize it's happening—until it's too late. Why You're Not Seeing These Attacks LOTS tactics don't look suspicious at first glance. There's no malware signature to flag, and no unusual IP address to trace. It's legitimate traffic—until it's not. Attackers are exploiting: Common business tools like Teams, Zoom, and GitHub Shortened or vanity URLs to redirect users Trusted cloud services to host malicious payloads ...

Threat actors with suspected ties to Russia have been observed taking advantage of a Google account feature called application specific passwords (or app passwords) as part of a novel social engineering tactic designed to gain access to victims' emails. Details of the highly targeted campaign were disclosed by Google Threat Intelligence Group (GTIG) and the Citizen Lab, stating the activity seeks to impersonate the U.S. Department of State.  "From at least April through early June 2025, this actor targeted prominent academics and critics of Russia, often using extensive rapport building and tailored lures to convince the target to set up application specific passwords (ASPs), GTIG researchers Gabby Roncone and Wesley Shields said . "Once the target shares the ASP passcode, the attackers establish persistent access to the victim's mailbox." The activity has been attributed by Google to a threat cluster it tracks as UNC6293, which it says is likely affiliate...

Meta Platforms on Wednesday announced that it's adding support for passkeys, the next-generation password standard, on Facebook. "Passkeys are a new way to verify your identity and login to your account that's easier and more secure than traditional passwords," the tech giant said in a post. Support for passkeys is expected to be available "soon" on Android and iOS mobile devices. The feature is also coming to its Messenger platform in the coming months. The company said passkeys can also be used to auto-fill payment information when making purchases using Meta Pay. Meta previously rolled out passkeys support for WhatsApp on Android in October 2023, and on iOS a few months later in April 2024. There is no word yet on when it plans to bring passkeys to Instagram. Passkeys, backed by the FIDO Alliance, is a passwordless authentication solution that allows users to securely sign in to online services by using biometrics or the device lock PIN code. ...

Microsoft has released patches to fix 67 security flaws , including one zero-day bug in Web Distributed Authoring and Versioning (WebDAV) that it said has come under active exploitation in the wild. Of the 67 vulnerabilities, 11 are rated Critical and 56 are rated Important in severity. This includes 26 remote code execution flaws, 17 information disclosure flaws, and 14 privilege escalation flaws. The patches are in addition to 13 shortcomings addressed by the company in its Chromium-based Edge browser since the release of last month's Patch Tuesday update . The vulnerability that has been weaponized in real-world attacks concerns a remote code execution in WebDAV ( CVE-2025-33053 , CVSS score: 8.8) that can be triggered by deceiving users into clicking on a specially crafted URL. The tech giant credited Check Point researchers Alexandra Gofman and David Driker for discovering and reporting the bug. It's worth mentioning that CVE-2025-33053 is the first zero-day vulnerab...

India's Central Bureau of Investigation (CBI) has revealed that it has arrested six individuals and dismantled two illegal call centers that were found to be engaging in a sophisticated transnational tech support scam targeting Japanese citizens. The law enforcement agency said it conducted coordinated searches at 19 locations across Delhi, Haryana, and Uttar Pradesh on May 28, 2025, as part of an initiative called Operation Chakra V, which aims to combat cyber-enabled financial crimes. The cybercrime syndicates, per the CBI, defrauded foreign nationals, mainly Japanese citizens, by masquerading as technical support personnel from various multinational corporations, including Microsoft.  "The syndicate operated call centers designed to appear as legitimate customer service centers, through which victims were deceived into believing that their electronic devices were compromised," the agency said . "Under this pretext, victims were coerced into transferring funds ...

Microsoft and CrowdStrike have announced that they are teaming up to align their individual threat actor taxonomies by publishing a new joint threat actor mapping. "By mapping where our knowledge of these actors align, we will provide security professionals with the ability to connect insights faster and make decisions with greater confidence," Vasu Jakkal, corporate vice president at Microsoft Security, said . The initiative is seen as a way to untangle the menagerie of nicknames that private cybersecurity vendors assign to various hacking groups that are broadly categorized as a nation-state, financially motivated, influence operations, private sector offensive actors, and emerging clusters. For example, the Russian state-sponsored threat actor tracked by Microsoft as Midnight Blizzard (formerly Nobelium) is also known as APT29, BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock, and The Dukes. Likewise, Forest Blizzard (previously Strontium) goes by other monikers such...

Cybersecurity researchers have warned of a new spear-phishing campaign that uses a legitimate remote access tool called Netbird to target Chief Financial Officers (CFOs) and financial executives at banks, energy companies, insurers, and investment firms across Europe, Africa, Canada, the Middle East, and South Asia.  "In what appears to be a multi-stage phishing operation, the attackers aimed to deploy NetBird, a legitimate wireguard-based remote access tool on the victim's computer," Trellix researcher Srini Seethapathy said in an analysis. The activity, first detected by the cybersecurity company in mid-May 2025, has not been attributed to a known threat actor or group. The starting point of the attack is a phishing email that impersonates a recruiter from Rothschild & Co. and claims to offer a "strategic opportunity" with the company. The email is designed to entice the recipients into opening a purported PDF attachment that, in reality, is a phishin...

The China-linked threat actor behind the recent in-the-wild exploitation of a critical security flaw in SAP NetWeaver has been attributed to a broader set of attacks targeting organizations in Brazil, India, and Southeast Asia since 2023. "The threat actor mainly targets the SQL injection vulnerabilities discovered on web applications to access the SQL servers of targeted organizations," Trend Micro security researcher Joseph C Chen said in an analysis published this week. "The actor also takes advantage of various known vulnerabilities to exploit public-facing servers." Some of the other prominent targets of the adversarial collective include Indonesia, Malaysia, the Philippines, Thailand, and Vietnam. The cybersecurity company is tracking the intrusion set under the moniker Earth Lamia , stating the activity shares some degree of overlap with threat clusters documented by Elastic Security Labs as REF0657 , Sophos as STAC6451 , and Palo Alto Networks Unit 42 a...

ConnectWise, the developer of remote access and support software ScreenConnect, has disclosed that it was the victim of a cyber attack that it said was likely perpetrated by a nation-state threat actor. "ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation-state actor, which affected a very small number of ScreenConnect customers," the company said in a brief advisory on May 28, 2025. The company said it has engaged the services of Google Mandiant to conduct a forensic probe into the incident and that it has notified all affected customers. The incident was first reported by CRN. However, it did not reveal the exact number of customers who were impacted by the hack, when it happened, or the identity of the threat actor behind it. It's worth noting that the company, in late April 2025, patched CVE-2025-3935 (CVSS score: 8.1), a high-severity vulnerability in ScreenConnect versions 25.2.3 and ea...

Cybersecurity researchers have discovered a security flaw in Microsoft's OneDrive File Picker that, if successfully exploited, could allow websites to access a user's entire cloud storage content, as opposed to just the files selected for upload via the tool. "This stems from overly broad OAuth scopes and misleading consent screens that fail to clearly explain the extent of access being granted," the Oasis Research Team said in a report shared with The Hacker News. "This flaw could have severe consequences, including customer data leakage and violation of compliance regulations." It's assessed that several apps are affected, such as ChatGPT, Slack, Trello, and ClickUp, given their integration with Microsoft's cloud service. The problem, Oasis said, is the result of excessive permissions requested by the OneDrive File Picker, which seeks read access to the entire drive, even in cases only a single file is uploaded due to the absence of fine-grai...

A privilege escalation flaw has been demonstrated in Windows Server 2025 that makes it possible for attackers to compromise any user in Active Directory (AD). "The attack exploits the delegated Managed Service Account (dMSA) feature that was introduced in Windows Server 2025, works with the default configuration, and is trivial to implement," Akamai security researcher Yuval Gordon said in a report shared with The Hacker News. "This issue likely affects most organizations that rely on AD. In 91% of the environments we examined, we found users outside the domain admins group that had the required permissions to perform this attack." What makes the attack pathway notable is that it leverages a new feature called Delegated Managed Service Accounts ( dMSA ) that allows migration from an existing legacy service account. It was introduced in Windows Server 2025 as a mitigation to Kerberoasting attacks. The attack technique has been codenamed BadSuccessor by the w...

A sprawling operation undertaken by global law enforcement agencies and a consortium of private sector firms has disrupted the online infrastructure associated with a commodity information stealer known as Lumma (aka LummaC or LummaC2), seizing 2,300 domains that acted as the command-and-control (C2) backbone to commandeer infected Windows systems. "Malware like LummaC2 is deployed to steal sensitive information such as user login credentials from millions of victims in order to facilitate a host of crimes, including fraudulent bank transfers and cryptocurrency theft," the U.S. Department of Justice (DoJ) said in a statement. The confiscated infrastructure has been used to target millions across the world through affiliates and other cyber criminals. Lumma Stealer, active since late 2022, is estimated to have been used in at least 1.7 million instances to steal information, such as browser data, autofill information, login credentials, and cryptocurrency seed phrases. Th...