Brief #116: Microsoft Exchange RCE, Google Salesforce Breach, AI SOC Market

Nikoloz Kokhreidze


RomCom exploits WinRAR zero-day for malware deployment. North Korean UNC4899 steals millions in cryptocurrency through sophisticated cloud attacks.

mandos brief newsletter for cybersecurity leaders and professionals

Happy Sunday! 

The North Korean cryptocurrency heist story this week really shows how social engineering remains one of our biggest blind spots. Even sophisticated organizations are falling for fake freelance job offers that lead to multi-million dollar losses.

In this week's brief:

  • Microsoft disclosed a high-severity Exchange vulnerability that lets attackers silently escalate privileges in hybrid cloud setups
  • The AI SOC market is exploding with predictions that AI will handle 60% of SOC tasks by 2028 - but are we ready for that shift?
  • A SOC manager is struggling to transition back to technical work, highlighting a common career dilemma many of us face

Let's dive in.

Industry News

Microsoft Discloses Exchange Server Vulnerability Enabling Silent Cloud Access in Hybrid Setups

  • Microsoft has released an advisory for high-severity vulnerability CVE-2025-53786 (CVSS 8.0) affecting on-premises Exchange Server that could allow attackers with admin access to silently escalate privileges within connected cloud environments.

  • The flaw exists because Exchange Server and Exchange Online share the same service principal in hybrid configurations, allowing attackers to request S2S actor tokens from Microsoft's Access Control Service without triggering security checks or leaving logs.

  • As mitigation, organizations must install the April 2025 Hot Fix or newer and follow the configuration instructions for dedicated hybrid app deployment. Microsoft plans to enforce mandatory separation of Exchange on-premises and Exchange Online service principals by October 2025.

Google Suffers Data Breach in Ongoing Salesforce Data Theft Attacks

  • Google confirmed its corporate Salesforce instance was breached in June, with attackers stealing customer data before access was cut off. The stolen information contained basic business contact details primarily for small and medium businesses.

  • The attack is part of a larger campaign by ShinyHunters, an extortion group targeting multiple companies through voice phishing attacks against employees to gain access to Salesforce CRM instances and steal customer data.

  • Other victims include major brands like Adidas, Qantas, Allianz Life, Cisco, and LVMH subsidiaries (Louis Vuitton, Dior, Tiffany & Co.). BleepingComputer learned one company paid approximately $400,000 to prevent their data from being leaked.

WinRAR Zero-Day Exploited By RomCom Hackers To Plant Malware

  • A directory traversal vulnerability (CVE-2025-8088) in WinRAR was exploited as a zero-day in phishing attacks to install RomCom malware, allowing attackers to extract files to any location, including Windows autorun paths.

  • The flaw was discovered by ESET researchers and has been fixed in WinRAR 7.13, but since WinRAR lacks an auto-update feature, users must manually download and install the update from win-rar.com to protect themselves.

  • RomCom, a Russia-aligned threat actor previously linked to Cuba and Industrial Spy ransomware operations, is known for using zero-day vulnerabilities and custom malware in data-theft attacks and persistence.

Leadership Insights

North Korean Hackers Target Cloud Environments to Steal Cryptocurrency

  • North Korean threat group UNC4899 uses sophisticated social engineering tactics to target cryptocurrency and blockchain organizations, including posing as freelance employers to convince victims to execute malicious Docker containers.

  • After gaining initial access, attackers steal credentials, bypass MFA by disabling then re-enabling it, or exfiltrate session cookies to maintain persistent access to cloud environments and conduct internal reconnaissance.

  • The attackers managed to steal millions in cryptocurrency from victims by directly withdrawing funds or manipulating JavaScript files in cloud storage to redirect transactions, demonstrating their advanced capabilities in both Google Cloud and AWS environments.

VulnCheck Reports 432 New Exploited Vulnerabilities in First Half of 2025

  • 32.1% of vulnerabilities were exploited on or before CVE disclosure date (up from 23.6% in 2024), indicating increased zero-day exploitation and urgency for rapid remediation.

  • Content Management Systems (especially WordPress plugins), Network Edge devices, and Server Software remain the top three categories for exploited vulnerabilities, with Microsoft leading in vendor vulnerability count.

  • Attribution patterns shifted, with reported exploitation by Russian and Iranian threat actors increasing, while China- and North Korea-attributed exploits decreased compared to previous periods.

CISOs Can Effectively Scale Down Security Without Increasing Risk

  • When facing budget constraints, CISOs should prioritize based on strategic risk assessment, business alignment, and eliminating redundant tools or "security theatre" that provides little actual protection.

  • People and processes should take priority over tools during cutbacks, as strong processes supported by capable team members can often compensate for specific tool limitations using open-source or internal alternatives.

  • Common mistakes include cutting detection and response capabilities, eliminating cross-functional security roles that serve as "connective tissue," and reducing transparency around trade-offs and risk acceptance decisions.

A Quick Note

If the challenges in this week's brief hit close to home - whether it's security questionnaires stalling deals or navigating AI adoption securely - these are exactly the situations I help a few select companies navigate as their fractional CISO. 

If you'd like to chat about your specific situation, here's my calendar.


Career Development

SOC Manager Seeks Return to Technical Role Due to Career Dissatisfaction

  • A cybersecurity professional who transitioned to a SOC Manager role about a year ago now regrets the career move, missing hands-on technical work like incident investigation, detection development, and threat hunting.

  • The individual faces challenges during interviews when explaining their desire to step back from management, sensing hesitation from potential employers who question if they would be satisfied in a technical position.

  • Similar experiences shared in comments suggest this is common among technical professionals, with some successfully making the transition back to technical roles without pay cuts, while others avoid management altogether due to its challenging position "taking crap from every direction."

Day-to-Day Reality of Cybersecurity Engineers: Insights From the Trenches

  • Cybersecurity engineers typically spend only 25-50% of their time on actual hands-on technical work, with SIEM tools like Splunk and XDR platforms like CrowdStrike dominating screen time. The remaining time is consumed by meetings, documentation, and convincing stakeholders of security importance.

  • The role involves significant political challenges not mentioned in job descriptions, including resistance from development teams, budget fights, and being the "Department of No." Many professionals report spending more time fighting internal company resistance than actual attackers.

  • Alert fatigue is a major challenge (one engineer reported 10,000 daily alerts with only 5 being significant), but professionals find satisfaction in moments of success – like stopping a ransomware attack or improving security processes that demonstrate their value to the organization.

Cybersecurity Professionals Share Mixed Experiences With AI Integration

  • AI is transforming cybersecurity workflows with professionals reporting it significantly reduces time spent on documentation, parsing logs, and incident analysis - turning hours of manual work into seconds.

  • Some professionals highlight AI's benefits in GRC operations, particularly for compliance document comparison, policy creation, and security issue identification, while others express concerns about overdependence leading to diminished critical thinking.

  • The technology has created workplace disruption with reports of layoffs to fund AI investments, though most view it as complementary to human expertise rather than a replacement, particularly for complex technical tasks requiring manual verification.

AI & Security

AI SOC Market Landscape 2025 Shows Strong Vendor Growth and Diverse Approaches

  • The market for AI-powered Security Operations Centers is rapidly evolving with 13+ vendors now offering solutions that aim to solve the critical challenge of alert fatigue. SOC teams currently face approximately 960 security alerts daily, with large enterprises receiving over 3,000 alerts from an average of 28 different security tools.

  • AI SOC platforms employ different architectural approaches: overlay models that work with existing SIEM systems, integrated platforms that ingest and store security data directly, and workflow emulation platforms that capture and replicate human analyst behaviors. Each approach offers distinct advantages in implementation speed, data visibility, and knowledge preservation.

  • Security leaders project that AI platforms will handle approximately 60% of all SOC tasks by 2028, focusing primarily on alert triage, investigation automation, and threat detection. Organizations should follow a structured adoption process including a defined AI strategy, feature evaluation, vendor selection, and an initial trust period before moving to full automation.

Microsoft's Project Ire Autonomously Analyzes Software to Detect Malware

  • Project Ire, a prototype autonomous AI agent developed by Microsoft Research, Defender Research, and Discovery & Quantum teams, can reverse engineer software files without prior context to determine if they're malicious.

  • In tests with Windows drivers, Project Ire achieved 90% accuracy in identifying malicious files with only 2% false positives, though in more challenging conditions it detected only about 25% of actual malware.

  • Microsoft plans to leverage Project Ire inside its Defender organization as Binary Analyzer for threat detection and software classification, with the ultimate goal of detecting novel malware directly in memory at scale.

GPT-5 Jailbreak Achieved Using Echo Chamber And Storytelling Techniques

  • Researchers successfully jailbroke GPT-5 by combining the Echo Chamber algorithm with narrative-driven steering, gradually building a poisoned conversational context that avoids triggering refusal mechanisms.

  • The technique uses a multi-turn approach where a seemingly benign story incorporating specific keywords evolves through elaboration requests, eventually leading the model to produce harmful content while maintaining narrative continuity.

  • This vulnerability demonstrates that keyword or intent-based filters are insufficient defenses, with researchers recommending organizations implement conversation-level monitoring and detection of context drift rather than just scanning for single-turn intent.

Market Updates

Wallarm Raises $55M to Protect API-Driven Business Logic

  • San Francisco-based Wallarm secured $55 million in Series C funding to evolve from simply securing APIs to protecting the revenue streams and business logic driven by those APIs.

  • The company plans to enhance visibility through AI and double down on brand marketing, with significant plans to grow its presence outside the U.S. and shift from its current 60/40 U.S.-international revenue to a 50/50 balance.

  • Wallarm CEO Ivan Novikov noted that the API security market is shifting from protecting isolated endpoints to safeguarding entire business logic flows, with a focus on quantifying risks based on revenue exposure.

SentinelOne to Acquire Prompt Security to Advance GenAI Security

  • Prompt Security has entered a definitive agreement to be acquired by SentinelOne, aiming to create a comprehensive, enterprise-ready AI Security platform that integrates with broader cybersecurity infrastructure.

  • Founded less than two years ago, Prompt Security has quickly scaled to secure dozens of enterprises including multiple Fortune 500 companies, protecting millions of AI interactions monthly against prompt injections, data leakage, and misuse.

  • The acquisition will maintain Prompt Security as an independent platform while providing greater resources, stronger distribution channels, and accelerated innovation for both existing and future customers.

Ostra Security Extends Series A to $9.5 Million for Managed Security Platform

  • Minnesota-based cybersecurity provider Ostra Security has secured an extension to their Series A funding round, reaching a total of $9.5 million co-led by General Catalyst and Rally Ventures.

  • The funding will accelerate hiring, enhance technical capabilities, and integrate Blackwell Security's MDR platform into Ostra's service offerings.

  • Ostra provides managed security solutions combining advanced XDR capabilities with 24/7 monitoring and human-led remediation through its Ostra Encompass and Ostra Extend product lines.

Tools

Dropzone AI

Dropzone AI is an autonomous AI agent for SOCs that performs end-to-end investigations of security alerts, integrating with existing cybersecurity tools and data sources.

Dependency Combobulator

Open-source framework for detecting and preventing dependency confusion leakage with a holistic approach and wide technology support.

Amazon Detective

A service that analyzes and visualizes security data to investigate potential security issues.


If you found this newsletter useful, I'd really appreciate it if you could forward it to your community and share your feedback!

P.S. I am working with select B2B companies on the exact challenges covered above. Calendar link here if you'd like to chat.

Talk to you in the next one.

Best,

Nikoloz
