Brief #101: OAuth Exploits Target Microsoft 365, Verizon DBIR Third-Party Risk, LLMs Fail at CTI

Nikoloz Kokhreidze
Executives targeted through fake Bloomberg invites exploiting Zoom's remote control feature. SMBs hit hard with 88% of breaches involving ransomware. Terra secures funding for AI penetration testing.

Happy Sunday!
Been a week of putting out fires over here. Speaking of which, Verizon's latest DBIR caught my attention with third-party involvement in breaches doubling to 30%. Makes you wonder how many of our trusted partners might be our biggest blind spots.
In this week's brief:
- Chinese mobile operators gaining man-in-the-middle access across 35 countries through unencrypted protocols
- A security engineer struggling with breach guilt despite leadership ignoring security initiatives (something many of us can relate to)
- New research showing LLMs consistently failing at threat intelligence tasks, missing up to 20% of campaign entities
Starting today, I am introducing a Question of the Week section at the end of this brief, to get to know each other better. Feel free to share your experience, tips and lessons learned.
Grab your coffee and dive in – there's plenty more to unpack this week.

Industry News
China's State-Owned Mobile Interconnect Providers Facilitate Global Surveillance
- At least 60 mobile operators across 35 countries route traffic through Chinese-owned networks, giving China man-in-the-middle access to authentication data, SMS messages, and location information due to unencrypted mobile signaling protocols like SS7 and Diameter.
- The China-based LIMINAL PANDA threat group has previously exploited mobile roaming interconnects to gain access to operator core networks, allowing them to track devices and intercept communications for espionage purposes.
- These vulnerabilities enable state actors to conduct real-time device tracking, intercept communications, silently deploy spyware, and manipulate network traffic affecting millions of users globally, including those in allied nations like Japan and South Korea.
ELUSIVE COMET Group Targets Executives Through Zoom Remote Control Feature
- Trail of Bits identified the threat actor ELUSIVE COMET attempting to conduct a social engineering attack by impersonating Bloomberg media and exploiting Zoom's remote control feature to gain unauthorized system access.
- The attackers use social engineering techniques that include fake media invitations, refusing email communication, and utilizing the Zoom remote control feature with modified display names to trick users into granting system access.
- Trail of Bits recommends a layered defense approach including: disabling Zoom's accessibility permissions through PPPC profiles, implementing active TCC database monitoring, and considering complete removal of Zoom for high-security environments handling cryptocurrency.
Russian Threat Actors Exploit OAuth 2.0 Workflows to Compromise Microsoft 365 Accounts
- Russian threat actors impersonate European officials or Ukrainian diplomats on WhatsApp and Signal to trick targets into sharing Microsoft authorization codes or clicking phishing links that steal account credentials.
- After initial contact, attackers send malicious URLs that redirect authenticated users to Visual Studio Code in-browser, displaying an OAuth authorization code valid for 60 days that grants complete access to all Microsoft 365 resources.
- Volexity researchers identified two distinct Russian-linked groups (UTA0352 and UTA0355) targeting organizations related to Ukraine and human rights, with one campaign leveraging stolen OAuth codes to register new devices to victims' Microsoft Entra ID.

Leadership Insights
Verizon's 2025 DBIR Shows Third-Party Involvement Doubling in Breaches
- Third-party involvement in breaches doubled from 15% to 30% this year, highlighting supply chain vulnerabilities across platforms like Snowflake, where approximately 80% of compromised accounts had prior credential exposure.
- Ransomware increased by 37% and was present in 44% of all breaches analyzed, with small businesses disproportionately affected (88% of SMB breaches involved ransomware vs. 39% for larger organizations), though median ransom payments decreased to $115,000.
- Exploitation of vulnerabilities continues growing as an initial access vector, reaching 20% (up 34% from last year), with edge devices and VPNs becoming primary targets—their presence in exploitation actions grew nearly eight-fold from 3% to 22%.
Wiz Releases Comprehensive DevOps Security Best Practices Guide
- The guide focuses on three key areas: secure coding practices (including input validation and avoiding hardcoded secrets), infrastructure security (implementing immutable infrastructure and network segmentation), and monitoring and response protocols.
- Zero-trust architecture is emphasized as a critical security model requiring strict identity verification for all users and devices, with recommendations to implement IAM solutions, multi-factor authentication, and regular policy updates.
- The document outlines comprehensive incident response strategies, advocating for real-time monitoring tools, established response plans, regular drills, and implementing feedback loops for continuous security improvement.
KnowBe4 Reports Surge in AI-Powered Polymorphic Phishing Campaigns
- KnowBe4's March 2025 threat report reveals a 17.3% increase in phishing emails over the past six months, with 82.6% utilizing AI to create sophisticated polymorphic attacks that bypass traditional security measures.
- Researchers observed a 22.6% increase in ransomware delivered via phishing since September 2024, with 57.9% of business email compromise attacks originating from compromised accounts.
- The report highlights growing threats including cybercriminals targeting engineering job applications to gain system access, and 47% of phishing emails evading Microsoft's native security and secure email gateways.

Career Development
Security Engineer Struggles With Breach Guilt Despite Leadership Obstacles
- A cybersecurity engineer is experiencing significant mental health impacts after their company suffered a severe breach, despite leadership reportedly "shutting down" security initiatives and the team facing resource constraints.
- Security professionals responding emphasize that the guilt is misplaced, as proper security requires defense-in-depth strategies and leadership support, with one responder comparing it to "having a captain who is going to full steam the ship through iceberg infested waters."
- Experienced practitioners recommend focusing on the lessons learned phase and maintaining documentation of security recommendations as evidence when facing potential blame from organizational leadership.
CISO Discusses Career Burnout and Alternative Paths After 35 Years In IT
- A veteran cybersecurity leader with 35 years in IT (15 as director/VP/CISO) reports severe burnout from constant battles to justify investments and staffing limitations, with just 3 years until planned retirement.
- Former colleagues note the workload is overwhelming – one replacement claimed the CISO was doing the work of three people and resigned after only six weeks in the position.
- Several professionals in similar positions shared alternative career paths, including transitioning to consulting, import/export trading businesses, or stepping down to lower-stress individual contributor roles while maintaining work-life boundaries.
Cybersecurity Talent Gap Reveals Disconnect Between Employers and Job Seekers
- Companies claim they can't find qualified cybersecurity professionals, while many skilled candidates struggle to find work – revealing a paradox in hiring practices where employers seek unicorn candidates with expertise in everything but aren't willing to pay competitive wages.
- Many organizations lack structured talent development plans, failing to invest in growing entry-level employees into specialized roles, which forces professionals to job hop for career advancement rather than building institutional knowledge.
- Reddit community insights suggest the most effective approach may be upskilling existing technical staff into cybersecurity roles rather than hiring externally, as they already understand company systems and have proven their trustworthiness in high-security environments.

AI & Security
The Alan Turing Institute releases comprehensive AI Explainability workbook for public sector practitioners
- The AI Explainability in Practice workbook is part of the larger AI Ethics and Governance in Practice Programme, designed to equip public sector bodies with tools and frameworks for responsible AI development and implementation.
- The resource introduces four key maxims of AI explainability: be transparent, be accountable, consider context, and reflect on impacts—while emphasizing both process-based and outcome-based explanation approaches.
- It provides practical guidance for organizations to implement six types of AI explanations (rationale, responsibility, data, fairness, safety, and impact) with special considerations for vulnerable populations including children.
Large Language Models Prove Unreliable for Cyber Threat Intelligence Tasks
- New research evaluates state-of-the-art LLMs (including GPT-4, Gemini, and Mistral) on real-world CTI reports, finding they consistently fail to extract critical information with sufficient reliability, overlooking up to 20% of campaign entities and 10% of vulnerabilities.
- Despite industry enthusiasm, LLMs demonstrated inconsistent results when prompted multiple times with identical inputs, with performance confidence intervals showing variance that would create uncertainty in critical security decisions about patching priorities.
- LLMs exhibit poor calibration (measured by ECE and Brier scores), meaning their confidence levels don't reflect actual correctness, and surprisingly, few-shot learning and fine-tuning often worsened performance rather than improving it.
Stanford's 2025 AI Index Report reveals substantial improvements in AI performance, accessibility, and adoption
- AI incidents are increasing sharply with 233 reported in 2024 (56.4% increase over 2023), while standardized responsible AI evaluations remain rare among major model developers despite new benchmarks like HELM Safety and AIR-Bench emerging.
- The inference cost for AI systems performing at GPT-3.5 level dropped more than 280-fold between November 2022 and October 2024, while hardware costs declined 30% annually and energy efficiency improved 40% each year.
- Organizations increasingly acknowledge responsible AI risks (including inaccuracy, regulatory compliance, and cybersecurity), but a gap persists between risk recognition and taking meaningful mitigation actions.

Market Updates
Terra Security Raises $8M for Agentic AI Penetration Testing Platform
- Terra Security secured $8M in seed funding led by SYN Ventures and FXP Ventures to develop their agentic AI penetration testing platform that combines human expertise with AI efficiency.
- The platform uses dozens of fine-tuned AI agents tailored to each client's environment, conducting continuous web application testing while adapting in real-time to unique business contexts and emerging vulnerabilities.
- Already serving Fortune 500 clients, Terra plans to expand capabilities to include red teaming solutions and comprehensive network security, addressing limitations of traditional pen testing that is typically slow, expensive, and unscalable.
Hopper Emerges From Stealth With $7.6 Million to Reinvent Open-Source Security
- Cybersecurity startup Hopper has launched with $7.6M in seed funding to replace traditional Software Composition Analysis (SCA) tools with a precision-focused platform that automatically discovers assets and detects hidden vulnerabilities.
- The platform pinpoints which functions are truly at risk without requiring agents or CI/CD changes, helping Fortune 500 companies and tech firms reduce alert noise and improve remediation times.
- Founded by Unit 81 veterans and Israel Defense Prize recipients, Hopper will use the funding to expand language support, enhance analysis capabilities, and scale its operations in the United States.
Push Security Secures $30 Million Series B Funding to Combat Identity Attacks
- Push Security has secured $30 million in Series B funding led by Redpoint Ventures, with participation from Datadog Ventures and B3 Capital to scale their browser-based identity security platform.
- The company's platform detects and intercepts identity attacks such as zero-day phishing, credential stuffing, and session hijacking before they escalate by turning employees' existing browsers into monitoring and defense tools.
- Push Security has experienced rapid growth with customer base increasing 380% year-over-year, now deployed on 1.5 million endpoints globally, and has doubled its headcount while adding key executives from CrowdStrike and Proofpoint.

Tools
TeejLab API Security Manager
An API security and governance platform that provides discovery, security testing, compliance monitoring and lifecycle management capabilities for enterprise API implementations.
Falcon ASPM
A cloud security solution that provides agentless application mapping and vulnerability prioritization based on business impact across cloud environments.
JFrog Software Supply Chain Platform
An integrated software supply chain platform that combines repository management, security scanning, and DevSecOps capabilities for managing and securing the entire software supply chain.

Question of the Week
How are you managing third-party risk in your organization, and has your approach changed in the past year?
Reply directly to this email or share your thoughts in comments and LinkedIn.
For more frequent cybersecurity, leadership and AI updates, follow me on LinkedIn, BlueSky and Mastodon.
Best,
Nikoloz