• Cybercriminals are increasingly turning their sights from desktop to mobile, exploiting Meta’s advertising platform to distribute a sophisticated Android banking trojan disguised as a free TradingView Premium app. Bitdefender Labs warns that these threat actors have shifted tactics after months of targeting Windows users with fake trading and cryptocurrency ads, now focusing worldwide on smartphone […]

    The post Threat Actors Use Facebook Ads to Deliver Android Malware appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Google has revealed that the recent wave of attacks targeting Salesforce instances via Salesloft Drift is much broader in scope than previously thought, stating it impacts all integrations. “We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised,” Google Threat Intelligence Group (GTIG) and

  • A sophisticated new Mac malware campaign has emerged that exploits users’ trust in free online PDF conversion tools, demonstrating how cybercriminals continue to evolve their tactics to bypass modern security measures. Cybersecurity firm Mosyle has exclusively disclosed the discovery of JSCoreRunner, a previously unknown Mac malware strain that achieved zero detections on VirusTotal at the […]

    The post Mac Malware ‘JSCoreRunner’ Abuses Online PDF Tool to Spread appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • A sophisticated campaign by the Silver Fox APT group exploits a previously unknown vulnerable driver to bypass endpoint detection and response (EDR) and antivirus solutions on fully updated Windows 10 and 11 systems. Check Point Research (CPR) revealed on August 28, 2025, that the advanced persistent threat group has been leveraging the WatchDog Antimalware […]

    The post Silver Fox Hackers Use Driver Vulnerability to Evade Security on Windows Systems appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • A sophisticated phishing campaign has been identified, where threat actors impersonate IT helpdesk personnel through Teams’ external communication features, exploiting the platform’s default configuration to bypass traditional email security measures and gain unauthorized screen-sharing and remote-control capabilities.

    The attacks leverage Teams’ external collaboration features, which are enabled by default in Microsoft 365 tenants, allowing attackers to initiate contact with organizational users without prior authentication. 

    Key Takeaways
    1. Default Teams settings enable direct IT helpdesk impersonation attacks, bypassing email security.
    2. Voice calls avoid security warnings, leading to screen sharing and remote access.
    3. Monitor ChatCreated/MessageSent logs for external .onmicrosoft.com domains.

    This fundamental design choice has created an unprecedented attack surface that combines social engineering with legitimate platform functionality to devastating effect.

    Voice Call Phishing and Remote Control 

    According to Axon Team reports, cybercriminals have developed multiple sophisticated attack vectors within the Microsoft Teams ecosystem, each exploiting different aspects of the platform’s communication capabilities.

    The primary attack method involves one-on-one chat phishing, where attackers use compromised Teams accounts or create malicious Entra ID tenants with .onmicrosoft.com domains – Microsoft’s default fallback domains for business accounts without custom domain configurations.

    The technical implementation begins with threat actors conducting reconnaissance through Teams’ user search functionality, which allows external users to verify target email addresses and confirm message delivery capabilities. 

    When successful, attackers can initiate direct communication, though Microsoft has implemented security warnings, including “external communication warning” pop-ups and “potential phishing warning messages” that appear based on algorithmic threat detection.

    However, attackers have discovered methods to circumvent these security measures through voice call phishing (vishing). 

    Fake IT Helpdesk calling victim within Microsoft Teams

    Unlike text-based communications, voice calls from external Teams users generate no warning pop-ups, creating a seamless attack vector. 

    Once trust is established through voice communication, attackers request screen sharing permissions, enabling them to observe victim activities and potentially guide them through malicious actions.

    Content sharing configuration on Microsoft Teams

    The most concerning development involves remote control capabilities. While Microsoft has implemented security controls that disable the “Give Control” and “Request Control” options by default for external participants, organizations that have modified these settings face significant exposure, according to the Axon Team. 

    Attackers can potentially gain full remote access to victim workstations through Teams’ integrated remote control features, eliminating the need for traditional Remote Monitoring and Management (RMM) tools like QuickAssist or AnyDesk.

    Detection Methodologies

    Security teams can identify these attacks through specific Microsoft 365 audit log entries that serve as digital forensic artifacts. 

    The primary indicators include ChatCreated events that establish new “OneOnOne” chats between attackers and victims, containing crucial metadata including Chat Thread IDs, sender display names, email addresses, and Organization IDs for both parties.

    MessageSent logs complement ChatCreated entries by providing sender IP addresses and embedded URL information, though message content itself is not logged. 

    Additional forensic indicators include UserAccepted events when victims click “Accept” buttons in external sender pop-ups, and TeamsImpersonationDetected events triggered by Microsoft’s brand impersonation detection algorithms.

    Advanced threat hunting requires monitoring for specific M365 audit log patterns, including ChatCreated operations with participant_info:has_foreign_tenant_users = true and communication_type = "OneOnOne" parameters.
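A detection pass over the audit patterns described above, written as an added example (not the Axon Team's or Microsoft's code): it correlates ChatCreated, UserAccepted, TeamsImpersonationDetected and MessageSent records per chat thread and flags one-on-one chats with foreign-tenant participants, .onmicrosoft.com fallback domains and helpdesk-style display names. The JSON field names, the home-tenant domains and the sample records are assumptions constructed for the example; map the field names to your own export before use.

```python
"""Hunt Microsoft 365 Teams audit records for external one-on-one chats.

Added example, not from the Axon Team report. The record layout is an
assumption (one JSON object per line with Operation, ChatThreadId,
CommunicationType, ParticipantInfo.HasForeignTenantUsers, Members[], and
UserId/ClientIP/MessageURLs on MessageSent); map it to your export's schema.
"""
import json
from collections import defaultdict

# Assumption: domains belonging to your own tenant(s).
HOME_TENANT_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}
# Display-name fragments typical of IT-helpdesk impersonation.
LURE_KEYWORDS = ("help desk", "helpdesk", "it support", "service desk")

# Constructed sample records, not real audit data.
SAMPLE_AUDIT_LINES = [
    json.dumps({"Operation": "ChatCreated", "CommunicationType": "OneOnOne",
                "ChatThreadId": "19:abc@unq.gbl.spaces",
                "ParticipantInfo": {"HasForeignTenantUsers": True},
                "Members": [{"DisplayName": "IT Help Desk",
                             "UPN": "support@helpdesk-it.onmicrosoft.com"},
                            {"DisplayName": "Alice Doe", "UPN": "alice@contoso.com"}]}),
    json.dumps({"Operation": "UserAccepted", "ChatThreadId": "19:abc@unq.gbl.spaces",
                "UserId": "alice@contoso.com"}),
    json.dumps({"Operation": "MessageSent", "ChatThreadId": "19:abc@unq.gbl.spaces",
                "UserId": "support@helpdesk-it.onmicrosoft.com", "ClientIP": "203.0.113.7",
                "MessageURLs": ["https://example.invalid/remote-help"]}),
    json.dumps({"Operation": "ChatCreated", "CommunicationType": "OneOnOne",
                "ChatThreadId": "19:def@unq.gbl.spaces",
                "ParticipantInfo": {"HasForeignTenantUsers": False},
                "Members": [{"DisplayName": "Bob Roe", "UPN": "bob@contoso.com"},
                            {"DisplayName": "Alice Doe", "UPN": "alice@contoso.com"}]}),
]


def _domain(upn):
    return upn.rsplit("@", 1)[-1].lower()


def external_members(record):
    """Members whose UPN domain is not one of our own tenant domains."""
    return [m for m in record.get("Members", [])
            if _domain(m.get("UPN", "")) not in HOME_TENANT_DOMAINS]


def chat_created_reasons(record):
    """Why a ChatCreated record looks like external helpdesk impersonation."""
    reasons = []
    if record.get("Operation") != "ChatCreated":
        return reasons
    foreign = record.get("ParticipantInfo", {}).get("HasForeignTenantUsers", False)
    if record.get("CommunicationType") == "OneOnOne" and foreign:
        reasons.append("OneOnOne chat created with a foreign-tenant participant")
    for member in external_members(record):
        domain = _domain(member.get("UPN", ""))
        if domain.endswith(".onmicrosoft.com"):
            # Fallback domain of a tenant with no custom domain configured.
            reasons.append(f"external participant on fallback domain {domain}")
        name = member.get("DisplayName", "")
        if any(k in name.lower() for k in LURE_KEYWORDS):
            reasons.append(f"helpdesk-style display name '{name}'")
    return reasons


def hunt(lines):
    """Correlate records per chat thread and return the suspicious threads."""
    records = [json.loads(line) for line in lines]
    # Handle ChatCreated first so later records can be tied to the external party.
    records.sort(key=lambda r: 0 if r.get("Operation") == "ChatCreated" else 1)
    threads = defaultdict(lambda: {"reasons": [], "external_upns": set(),
                                   "accepted": False, "urls": [], "sender_ips": set()})
    for rec in records:
        thread_id = rec.get("ChatThreadId")
        if not thread_id:
            continue
        t, op = threads[thread_id], rec.get("Operation")
        if op == "ChatCreated":
            t["reasons"].extend(chat_created_reasons(rec))
            t["external_upns"].update(m.get("UPN", "").lower() for m in external_members(rec))
        elif op == "UserAccepted":
            t["accepted"] = True  # victim clicked Accept on the external-sender pop-up
        elif op == "TeamsImpersonationDetected":
            t["reasons"].append("Microsoft brand-impersonation detection fired")
        elif op == "MessageSent" and rec.get("UserId", "").lower() in t["external_upns"]:
            t["sender_ips"].add(rec.get("ClientIP", ""))
            t["urls"].extend(rec.get("MessageURLs", []))  # message text itself is not logged
    findings = []
    for thread_id, t in sorted(threads.items()):
        if not t["reasons"]:
            continue
        # Escalate once the victim engaged or the external party pushed links.
        severity = "high" if (t["accepted"] or t["urls"]) else "medium"
        findings.append({"thread": thread_id, "severity": severity, "reasons": t["reasons"],
                         "external_upns": sorted(t["external_upns"]),
                         "sender_ips": sorted(t["sender_ips"]), "urls": list(t["urls"])})
    return findings
```

Feed it the exported audit records one JSON object per line; internal one-on-one chats produce no finding, while an external .onmicrosoft.com sender whose chat the victim accepted is escalated to high.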

    As threat actors continue refining these techniques, organizations must implement comprehensive monitoring of Teams audit logs, user education programs focused on IT helpdesk impersonation tactics, and restrictive external communication policies to mitigate this evolving threat landscape.


    The post Hackers Exploit Microsoft Teams, Posing as IT Help Desk for Screen Sharing and Remote Access appeared first on Cyber Security News.

  • Cybersecurity researchers have discovered a cybercrime campaign that’s using malvertising tricks to direct victims to fraudulent sites to deliver a new information stealer called TamperedChef. “The objective is to lure victims into downloading and installing a trojanized PDF editor, which includes an information-stealing malware dubbed TamperedChef,” Truesec researchers Mattias Wåhlén, Nicklas

  • The escalation of sophisticated cyberattacks targeting Salesforce environments has emerged as one of the most concerning trends in enterprise cybersecurity.

    As organizations increasingly rely on customer relationship management (CRM) platforms to store their most sensitive business data, threat actors have recognized the immense value these systems represent.

    Recent intelligence indicates that attackers are successfully compromising high-profile organizations by exploiting vulnerabilities in Salesforce configurations, third-party integrations, and human factors.

    The attacks demonstrate a concerning evolution in tactics, techniques, and procedures (TTPs) specifically designed to bypass traditional security controls and extract valuable customer data, intellectual property, and financial information.

    Understanding these emerging attack vectors and implementing comprehensive defensive measures has become critical for organizations seeking to protect their digital assets and maintain customer trust in an increasingly hostile cyber landscape.

    Rise of Salesforce-Based Attacks

    Stay plugged into threat intel feeds from CISA, FBI, and ISACs. Known indicators of compromise, such as attacker VoIP numbers, phishing domains, or extortion email addresses, can help you spot active campaigns in your environment.

    Cloud-based CRM platforms now house customer databases containing millions of records, financial transactions, sales intelligence, and proprietary business processes, making them attractive targets for both financially motivated cybercriminals and state-sponsored actors.

    The attack surface has expanded dramatically as organizations integrate Salesforce with numerous third-party applications, creating complex webs of interconnected systems that introduce multiple potential entry points for malicious actors.

    Threat intelligence reveals that organized cybercriminal groups have developed specialized capabilities specifically targeting Salesforce environments, including custom tools for credential harvesting, API exploitation, and data exfiltration.

    These groups often conduct extensive reconnaissance to identify high-value targets, focusing on organizations in financial services, healthcare, technology, and government sectors where Salesforce implementations contain particularly sensitive information.

    The attacks typically begin with sophisticated social engineering campaigns designed to compromise administrative credentials, followed by careful lateral movement within the Salesforce environment to avoid detection while maximizing data collection.

    The economic incentives driving these attacks have intensified significantly, with stolen customer databases commanding premium prices on dark web marketplaces.

    GTIG confirmed the breach was part of the UNC6040/ShinyHunters activity, with custom tools used to accelerate Salesforce data extraction.

    A complete customer database with financial information can sell for $50-200 per record, while intellectual property and business intelligence can generate even higher returns.

    This lucrative market has attracted increasingly sophisticated threat actors who invest substantial resources in developing attack capabilities and maintaining persistent access to compromised systems.

    Salesforce Attack Flow.

    High-profile Breach: A Case Study in High-Value Target Exploitation

    Contemporary attack patterns demonstrate the sophisticated methodologies threat actors employ when targeting enterprise Salesforce implementations.

    In analyzing documented attack scenarios, security researchers have identified common characteristics that define successful breaches of high-value targets.

    These attacks typically begin with extensive reconnaissance phases where threat actors gather intelligence about target organizations through open source intelligence (OSINT), social media analysis, and technical reconnaissance of exposed systems.

    The attack progression follows a predictable pattern: initial compromise through credential theft or social engineering, followed by privilege escalation within the Salesforce environment, establishment of persistence mechanisms, and systematic data exfiltration. 

    Advanced persistent threat (APT) groups have demonstrated particular sophistication in maintaining long-term access to compromised Salesforce environments, sometimes remaining undetected for months while continuously exfiltrating sensitive data.

    One documented attack vector involves threat actors compromising third-party applications connected to Salesforce through OAuth token abuse.

    By obtaining legitimate OAuth tokens through phishing campaigns targeting application administrators, attackers can maintain persistent access that appears legitimate to security monitoring systems.

    This technique allows continuous data access without repeatedly triggering authentication alerts, making detection significantly more challenging for security teams.

    The business impact of these breaches extends far beyond immediate data loss, encompassing regulatory fines, customer notification costs, competitive disadvantage from stolen intellectual property, and long-term brand reputation damage.

    Organizations have reported total breach costs ranging from hundreds of thousands to tens of millions of dollars, depending on the scope of data compromised and regulatory requirements in their operating jurisdictions.

    Confirmed victims include Google, Allianz Life (impacting the majority of its 1.4 million customers), LVMH brands Louis Vuitton, Dior, and Tiffany & Co., Adidas, Qantas, and Chanel’s U.S. client-care database. In each case, attackers used variations of the same method to gain long-lived access and extract CRM records.

    Attack Vectors in Salesforce Environments

    The attack surface in Salesforce environments encompasses multiple vectors that threat actors systematically exploit to gain unauthorized access and extract valuable data. 

    Phishing attacks remain the most common initial compromise method, with attackers crafting highly targeted campaigns that appear to originate from legitimate Salesforce communications.

    These attacks often incorporate organization-specific branding and terminology gathered during reconnaissance phases, significantly increasing their effectiveness against even security-aware targets.

    | Attack Vector | Attack Method | Entry Point | Technical Complexity | Detection Difficulty | Potential Impact | Common Indicators |
    |---|---|---|---|---|---|---|
    | Phishing Attacks | Targeted emails mimicking Salesforce communications | Email/User Interface | Low | Medium | High | Unusual login locations/times |
    | API Exploitation | Unauthorized API calls using compromised tokens | REST/SOAP API | Medium | Medium | Very High | High API call volume |
    | OAuth Token Abuse | Stolen OAuth tokens for persistent access | OAuth Endpoints | Medium | High | Very High | Long-lived token usage |
    | SOQL Injection | Malicious SOQL queries through vulnerable inputs | Custom Applications | High | Medium | High | Abnormal database queries |
    | Third-party App Vulnerabilities | Exploiting vulnerabilities in AppExchange apps | AppExchange Apps | Medium | High | Very High | Unexpected app permissions |
    | Social Engineering | Impersonation of IT staff or executives | Phone/Email/Chat | Low | High | High | Unusual admin requests |
    | Credential Stuffing | Automated login attempts using leaked credentials | Login Interface | Low | Low | Medium | Multiple failed logins |
    | Session Hijacking | Intercepting or hijacking active user sessions | Session Tokens | High | High | High | Session anomalies |
    | Privilege Escalation | Exploiting misconfigurations in permissions | Permission Sets | High | Medium | Very High | Permission changes |
    | Custom Code Exploitation | Code injection in Apex/Visualforce components | Custom Code | High | High | Very High | Code execution errors |
    | Workflow Automation Abuse | Creating malicious workflows and processes | Process Builder | Medium | High | High | Unauthorized workflows |
    | Data Export Manipulation | Abusing legitimate export features for data theft | Reports & Dashboards | Low | Medium | Very High | Large data exports |

    Key Techniques Used in Salesforce Attacks

    Modern Salesforce attacks employ increasingly sophisticated techniques that leverage both technical vulnerabilities and human factors to achieve their objectives. 

    SOQL injection attacks represent a significant technical threat, where attackers exploit insufficient input validation in custom applications or integrations to execute unauthorized database queries.

    These attacks can bypass standard access controls and extract sensitive data that would normally be protected by Salesforce’s sharing model.

    Privilege escalation techniques focus on exploiting misconfigurations in permission sets, profiles, and sharing rules to gain access to data beyond the attacker’s intended scope.

    Threat actors systematically examine org configurations to identify opportunities for lateral movement and privilege expansion, often targeting administrative functionalities that provide system-wide access.

    Custom code exploitation targets vulnerabilities in Apex code, Visualforce pages, and Lightning components developed by organizations or third-party vendors.

    These attacks require significant technical sophistication but can provide comprehensive system access when successful. Attackers often focus on identifying code injection vulnerabilities, insecure API calls, and improper data handling practices.

    Workflow and process automation abuse involves manipulating Salesforce’s automation features to execute unauthorized actions or extract data through legitimate system processes.

    Attackers may create hidden workflows, scheduled jobs, or process builder flows that operate continuously in the background, making detection extremely difficult through standard monitoring approaches.

    Data exfiltration techniques have evolved to avoid triggering standard security alerts while maximizing the volume of stolen information.

    Attackers employ techniques such as gradual data extraction through legitimate APIs, abuse of standard reporting features, and integration with external systems to move data out of the Salesforce environment without detection.

    Potential Business and Security Implications

    | Impact Category | Average Cost Range (USD) | Recovery Timeline | Likelihood in Salesforce Breach |
    |---|---|---|---|
    | Data Breach Fines (GDPR/CCPA) | $500K – $20M | 6-24 months | High |
    | Business Disruption Costs | $100K – $2M | 1-6 months | Very High |
    | Incident Response & Forensics | $50K – $500K | 2-8 weeks | Very High |
    | Customer Notification Costs | $10K – $100K | 2-4 weeks | High |
    | Legal & Regulatory Costs | $100K – $1M | 3-12 months | Medium |
    | Brand Reputation Damage | $1M – $10M | 12-36 months | High |
    | Customer Churn & Revenue Loss | $500K – $5M | 6-24 months | High |
    | System Remediation & Updates | $50K – $300K | 4-12 weeks | Very High |
    | Enhanced Security Implementation | $200K – $1M | 3-9 months | Very High |
    | Compliance Audit Costs | $25K – $150K | 6-12 weeks | Medium |

    The business implications of successful Salesforce attacks extend far beyond immediate technical concerns, creating cascading effects that can impact organizational operations for years following a breach. 

    Regulatory compliance violations represent immediate financial and legal risks, particularly for organizations subject to GDPR, CCPA, HIPAA, or industry-specific regulations.

    Data breach notifications, regulatory investigations, and potential fines can consume significant organizational resources and create ongoing compliance obligations.

    Customer trust erosion following a Salesforce breach often results in measurable business impact through increased customer churn, reduced sales conversion rates, and damaged brand reputation.

    Organizations frequently report difficulty acquiring new customers following public disclosure of security incidents, as prospects question the organization’s ability to protect sensitive information.

    Competitive disadvantage emerges when attackers steal intellectual property, pricing strategies, customer insights, or strategic plans stored within Salesforce systems.

    This information may be sold to competitors or used to undermine the organization’s market position, creating long-term business implications that extend far beyond the immediate cost of incident response.

    Operational disruption during incident response and recovery phases can significantly impact business continuity, particularly for organizations heavily dependent on Salesforce for sales, marketing, and customer service operations.

    System lockdowns, data restoration procedures, and enhanced security implementations often require temporary operational restrictions that affect productivity and revenue generation.

    Legal liability from affected customers, partners, or stakeholders creates additional financial exposure through class-action lawsuits, regulatory enforcement actions, and contractual penalties.

    Organizations may face years of litigation and associated legal costs, even when implementing comprehensive security measures following the incident.

    The total cost of ownership for security incidents continues to escalate, with recent studies indicating average costs exceeding $4 million for significant data breaches involving cloud platforms.

    These costs encompass immediate incident response expenses, regulatory fines, legal fees, customer notification costs, credit monitoring services, system upgrades, and ongoing security enhancements required to prevent future incidents.

    Tim West, Head of Threat Intelligence at WithSecure, notes: “Scattered Spider deploy social engineering to gain access to SaaS environments. Their attacks may look technically simple, but that doesn’t make them any less dangerous. They’ve been linked to the MGM and M&S breaches.”

    Major UK retailers, including M&S and Co-op, were forced offline by a wave of ransomware and data theft attacks attributed to Scattered Spider (UNC3944).

    In a separate incident, the Gehenna group breached Coca-Cola Europacific Partners (CCEP) Salesforce dashboards and exfiltrated over 23 million records. This included:

    • 7.5 million account records.
    • 9.5 million customer service cases.
    • 6 million contact entries.
    • 400,000 product records.

    Best Practices for Strengthening Salesforce Security

    Salesforce Security Control Matrix.

    Implementing comprehensive Salesforce security requires a multi-layered approach that addresses both technical vulnerabilities and human factors while maintaining operational efficiency. 

    Multi-factor authentication (MFA) implementation across all user accounts represents the most critical foundational security control, significantly reducing the likelihood of successful credential-based attacks.

    Organizations should mandate MFA for all users, implement conditional access policies based on risk factors, and regularly review authentication logs for suspicious activity.

    Identity and access management (IAM) optimization involves implementing the principle of least privilege through carefully configured permission sets, profiles, and sharing rules.

    Organizations should conduct regular access reviews, implement role-based access controls aligned with business functions, and establish automated processes for provisioning and deprovisioning user access based on organizational changes.

    API security hardening requires implementing comprehensive controls around API access, including rate limiting, IP restrictions, token lifecycle management, and detailed logging of all API activities.

    Organizations should regularly audit API integrations, implement OAuth best practices, and monitor for unusual API usage patterns that may indicate compromise.

    Security monitoring and logging capabilities should encompass all Salesforce activities, including login events, data access patterns, configuration changes, and API usage.

    Organizations need to implement real-time alerting for suspicious activities, maintain comprehensive audit trails, and integrate Salesforce logging with broader security information and event management (SIEM) systems.

    Third-party application management involves implementing rigorous security assessment processes for all applications installed from the AppExchange or developed by external vendors.

    Organizations should maintain inventories of all connected applications, regularly review application permissions, and implement processes for ongoing security monitoring of third-party integrations.

    Data classification and protection strategies should categorize all data stored within Salesforce based on sensitivity levels and implement appropriate controls for each classification.

    This includes field-level encryption for highly sensitive data, data loss prevention policies, and regular data retention reviews to minimize the volume of sensitive information at risk.

    Incident response planning specifically for Salesforce environments should include procedures for isolating compromised accounts, preserving forensic evidence, coordinating with Salesforce support, managing customer communications, and implementing recovery procedures.

    Organizations should regularly test incident response procedures through tabletop exercises and maintain updated contact information for all relevant stakeholders.

    Security awareness training programs should include Salesforce-specific scenarios, emphasizing the unique risks associated with cloud CRM platforms and the high value of data stored within these systems.

    Training should cover phishing recognition, social engineering tactics, proper password management, and procedures for reporting suspicious activities.

    Regular security assessments and penetration testing should evaluate Salesforce configurations, custom code security, integration security, and overall security posture.

    These assessments should include both automated vulnerability scanning and manual testing by qualified security professionals familiar with Salesforce-specific attack vectors.

    The evolving threat landscape targeting Salesforce environments demands continuous vigilance and proactive security measures from organizations of all sizes.

    As threat actors continue to develop more sophisticated attack capabilities, organizations must implement comprehensive security programs that address technical vulnerabilities, human factors, and business processes.

    The combination of proper security controls, ongoing monitoring, and regular security assessments provides the foundation for protecting valuable data and maintaining customer trust in an increasingly challenging cybersecurity environment.


    The post Threat Actors Breach High Value Targets like Google in Salesforce Attacks – What Organizations Need to Know appeared first on Cyber Security News.

  • In a sophisticated campaign uncovered during a recent Advanced Continual Threat Hunt (ACTH) by Trustwave’s SpiderLabs team, threat actors weaponized a legitimate remote management tool, ScreenConnect, to deploy the Xworm Remote Access Trojan (RAT) through a deceptive, multi-stage infection chain.

    By abusing fake AI-themed content and manipulating digital signatures, the attackers bypassed Endpoint Detection and Response (EDR) alerts and relied on human-led threat hunting to reveal the hidden payloads.

    The operation began with social engineering lures masquerading as AI video files. Victims were enticed to visit a fake AI website, “gptgrok[.]ai,” which redirected to “anhemvn6[.]com.”

    There, users downloaded a file named “Creation_Made_By_GrokAI.mp4 Grok.com” that was in fact the “ScreenConnect.ClientSetup.msi” installer. Variations including “Creation_Made_By_GoogleAI.mp4 Google.com” and “Creation_Made_By_SoraAI.mp4 OpenAI.com” suggest a broad campaign leveraging AI buzzwords for credibility.

    Code-Signing Certificate Abuse

    Interestingly, collected samples showed that the threat actors manipulated Authenticode Microsoft code-signing certificates to embed malicious configurations within the digital signature of the legitimate ScreenConnect binary.

    A valid signature for a modified ScreenConnect installer.

    Once executed, the installer dropped and launched the ScreenConnect client in the user’s Temp directory. Preconfigured to run hidden, it connected silently to an attacker-controlled ScreenConnect server via a relay, using parameters embedded within the authenticode signature to evade tampering and maintain a valid digital signature.

    Visual indicators such as icons and notifications were disabled, ensuring the session remained invisible to the end user.

    During the remote access session, the attackers deployed a batch script, “X-META Firebase_crypted.bat,” triggering mshta.exe to launch another hidden batch file. This script downloaded and unpacked “5btc.zip” from “anhemvn4[.]com,” revealing a Python interpreter renamed to pw.exe and an encoded “basse64.txt” payload.

    Instead of saving malicious code to disk, the threat actors used msedge.exe and chrome.exe process hollowing—injecting Base64-encoded Python commands fetched directly from a public GitHub repository. This fileless execution technique hindered static detection and allowed Xworm RAT components to be delivered stealthily.

    basse64.txt being recognized as a known stealer on VirusTotal.

    Persistence was established by creating a Run key in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run named “Windows Security,” pointing to a “backup.bat” script in “C:\xmetavip.”

    On each login, this script re-launched pw.exe with new Base64 commands, fetching additional payloads such as “buquabua.txt” to maintain long-term access.
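One way to check exported registry data for the Run-key persistence described above, as an added example (not from the Trustwave/SpiderLabs report): it parses a .reg export of the HKCU Run key and flags script targets in unusual locations and value names that mimic security components. The REG_SAMPLE text, DECOY_NAMES and TRUSTED_PREFIXES are constructed assumptions; tune them for your estate.

```python
r"""Flag suspicious autostart entries in a Run key exported as .reg text.

Added example, not from the SpiderLabs report. REG_SAMPLE is constructed; its
"Windows Security" value mirrors the persistence described in the article.
To check a live host, export the key first (Windows command):
    reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg
"""
import re

SCRIPT_EXTENSIONS = (".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta")
# Assumption: value names that borrow the name of a security product or component.
DECOY_NAMES = ("windows security", "windows defender", "microsoft security", "security health")
# Assumption: where legitimate autostart binaries usually live (tune per estate).
TRUSTED_PREFIXES = ("c:\\program files", "c:\\windows\\", "c:\\users\\")

# Constructed .reg export (not a real host); backslashes and quotes are escaped as regedit does.
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Windows Security"="C:\\xmetavip\\backup.bat"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_STRING_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def _unescape(value):
    # .reg files escape backslashes and double quotes with a backslash.
    return re.sub(r'\\(["\\])', r"\1", value)


def parse_run_entries(reg_text):
    """Yield (key, value_name, command) for string values under *\\Run and *\\RunOnce."""
    current_key, in_run_key = None, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            in_run_key = current_key.lower().endswith(("\\run", "\\runonce"))
            continue
        value_match = _STRING_VALUE_RE.match(line) if in_run_key else None
        if value_match:
            yield current_key, value_match.group(1), _unescape(value_match.group(2))


def extract_target(command):
    """Program path of an autostart command: the quoted part, else the first token.

    Unquoted paths containing spaces are truncated at the first space (known limitation)."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command.strip() else ""


def assess(value_name, command):
    """Reasons an autostart entry deserves a look; empty list means nothing odd."""
    reasons = []
    target = extract_target(command).lower()
    if target.endswith(SCRIPT_EXTENSIONS):
        reasons.append("autostart target is a script rather than an executable")
    if target and not target.startswith(TRUSTED_PREFIXES):
        reasons.append(f"target outside usual program locations: {target}")
    if value_name.lower().strip() in DECOY_NAMES:
        reasons.append(f"value name '{value_name}' mimics a security component")
    return reasons


def scan(reg_text):
    """Return the Run-key entries in a .reg export that have at least one reason."""
    findings = []
    for key, name, command in parse_run_entries(reg_text):
        reasons = assess(name, command)
        if reasons:
            findings.append({"key": key, "name": name, "command": command, "reasons": reasons})
    return findings
```

Run `scan(open("run.reg", encoding="utf-16").read())` against an export (regedit writes UTF-16); the OneDrive entry passes while the batch-file entry under C:\xmetavip is reported with three reasons.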

    The campaign also included credential access and discovery stages. WMI queries gathered operating system and antivirus details, while the RAT attempted to harvest browser-stored login data from Chrome, Edge, and Firefox profiles.

    SpiderLabs analysts noted that the GitHub repository hosting the obfuscated Python scripts contained eleven files—split between persistence implanters and complex RAT loaders created just a week before the attack.

    One final payload script, “Exppiyt.txt,” embedded a command-and-control server IP (5[.]181[.]165[.]102:7705) that was not flagged as malicious on VirusTotal at the time of analysis.

    This incident highlights a growing trend: attackers are co-opting trusted tools and AI branding to bypass automated defenses. Modern EDR and signature-based solutions struggled to detect this threat, underscoring the vital role of proactive, human-led threat hunting.

    The SpiderLabs team’s investigation demonstrated that only through meticulous manual timeline analysis and behavioral hunting can these stealthy attacks be revealed.

    As adversaries refine their tradecraft, leveraging code-signing manipulation, fileless execution, and legitimate management platforms, organizations must invest in skilled threat hunters who can think like attackers.

    The SpiderLabs findings reinforce the strategic advantage of combining automated detection with expert analysis to uncover hidden threats before they can inflict damage.

    Appendix – Indicators of compromise:


    The post Weaponized ScreenConnect RMM Tool Tricks Users into Downloading Xworm RAT appeared first on Cyber Security News.

  • Too few defense contractors are testing their technology in real-world situations against a peer adversary, NATO’s military chief said Thursday, praising companies that are making the effort to work with the Ukrainian military.

    “Those few that have tried it have either learned a lot, or they’ve decided to go home because they can’t compete in that environment. But that is going to be the environment that we face,” said Gen. Alexus Grynkewich, who leads U.S. European Command and serves as NATO Supreme Allied Commander Europe.

    Grynkewich, who was speaking virtually to an industry group in Washington, D.C., urged any companies seeking to sell new products to NATO allies to attend September’s Defense Tech Valley conference in Ukraine.

    “They’re bringing in dozens and dozens of companies from across Europe who have co-production or co-licensing agreements and partnerships with the Ukrainians. It’s an incredible opportunity to see what the modern battlefield looks like today, what it might look like tomorrow, and what we might need in the future,” he said.

    Find partners with expertise

    NATO allies across Europe are raising defense budgets to meet a new, higher spending pledge. Much of what they buy will go to Ukraine, and much of what they spend will flow to the United States through a recent initiative dubbed the NATO Prioritised Ukraine Requirements List, or PURL. The month-old effort has already attracted more than $2 billion in pledges, with more expected. 

    Grynkewich described how European Command plays a central role in coordinating Ukraine’s requests for future capabilities with European and U.S. inventories. 

    “The Ukrainians will let us know what their requirements are. We then bring that into a combined U.S. European Command-and-NATO working group that elevates those requirements. And then I, as [Supreme Allied Commander], will elevate the requirement and send it back to them at the working group,” he said. “Some things are only going to come from the U.S. factory,” such as PAC-3 missiles.

    Grynkewich’s comments suggest that PURL’s pipeline can apply beyond missiles to anything Ukraine needs, including advanced drones. The framework is broad by design, allowing SACEUR and NATO to validate “other critical equipment” that the United States and allies may have or build, such as drones.

    At present, Ukraine’s biggest demand is for Patriot interceptors and other key air-defense systems to fend off barrages of missiles and drones. Grynkewich’s comments suggest that the testimony and feedback of Ukraine’s fighters will influence broad decision-making about the future building and stockpiling of weapons, not just for the United States but also for the future of European arms development, the world’s fastest-growing defense market.

    Grynkewich said new and established defense companies looking to benefit from future budgets would do well to “figure that out, find the right partners who have that expertise, and get up there and do some real-world testing. The lessons that you can learn from the battlefield of today and other regions of the world are going to be absolutely essential to any future fight in any region of the world, including the Indo-Pacific.”


  • Five years after the Pentagon created an office to coordinate its counter-drone efforts, it’s trying again.

    The new Joint Interagency Task Force 401 will spearhead its acquisition and integration of air defense systems to take down small unmanned aerial systems, Defense Secretary Pete Hegseth announced Thursday in a video first posted to X.

    The group will “rapidly deliver Joint C-sUAS capabilities to America's warfighters, defeat adversary threats, and promote sovereignty over national airspace,” Hegseth wrote in a memo dated Wednesday.

    The memo also shuts down the existing Joint Counter-small Unmanned Aircraft Systems Office, which has been around since February 2020. It will also integrate the department’s Replicator 2 efforts. 

    “The JCO had great intentions but struggled to compel the different services and organizations to participate,” an Army official, who was not authorized to speak on the record, told Defense One. “Whereas the JIATF will have a lot more ability to coordinate and compel.”

    Hegseth’s “priorities for transformation and acquisition reform include improving C-sUAS mobility and affordability and integrating capabilities into warfighter formations,” he wrote in the memo.

    Hegseth’s memo lays out several guidelines for standing up the new task force:

    • It will have a director with acquisition authority, who will submit unfunded requirements for the 2026 fiscal year within the next 30 days.
    • It will immediately begin recruiting a technical lead and four personnel from the military services “with operations, acquisition, electronic warfare (EW), intelligence, or other C-sUAS competencies to include one officer in the grade of O-5 or higher who will have access to his or her Military Service’s decision-making officials.”
    • The under secretary of defense for research and engineering has 30 days to make recommendations on establishing a designated C-sUAS test and training range.
    • The Army has five days to submit requirements to the Pentagon building’s management for office space required to house the JIATF. 
    • The Army has 30 days to submit its full implementation plan to the defense secretary, and will update the secretary on progress monthly.

    In addition to this new DOD-wide effort to procure and employ counter-drone capabilities, the services have been working on their own acquisitions, which will continue, according to the memo.

    The Marine Corps this summer began fielding counter-drone systems to every infantry squad, while the Army is working on its own solutions.

    The JIATF, the Army official said, can coordinate some of those efforts across the services. 

    “If we’ve got a good solution to a problem that everybody has, let’s scale that solution, vice everybody trying to solve the problem independently,” the official said.
