After announcing last week that SOCRadar Links FortiBleed Campaign to INC and Lynx Ransomware Operations, today the SOCRadar Threat Research Unit (STRU) published its complete report that reveals exactly how INC and Lynx used a measurable, tracked spend on AI credits, an entire swarm of autonomous agents pointed at one target with a deliberate model-selection strategy (cheap model for high-volume scanning, a frontier model reserved for deep code review), and active jailbreak research to defeat model safety controls.
Today’s complete report also puts an identity and a profile behind the coordinating operator and lays out the full internal hierarchy by role.
Key points:
Attribution: STRU assesses with high confidence that FortiBleed is a joint operation run by affiliates of the Lynx and INC ransomware groups.
How they know: an OPSEC failure exposed the group’s own artifacts, including a single Windows workstation used to access both ransomware panels and negotiate ransoms. A second exposed INC directory shared victims with FortiBleed target lists, and Lynx is widely believed to be an evolved variant of INC.
The operator: an actor we track as TOXMAN (also TOXFOX, and Greenprawn100 on the Exploit[.]in forum), with Russian-language tooling and activity in the UTC +3 time zone.
Organized like a business: an internal tracking file mapped 20+ affiliates in defined roles, backed by 450+ operational servers.
Scale: roughly 11,250 FortiGate portals scanned across 150+ countries, leading to 409 administrative accesses and 12 organizations encrypted for ransom.
Heavy AI investment: about $4,554 spent on AI model credits, including 14 autonomous AI agents pointed at a single target, jailbreak use to bypass model safety controls, and a likely zero-day now in responsible disclosure.
Quiet by design: default admin credentials and a VPN-to-management pivot turn one firewall login into full domain compromise, and because the logins are real they rarely trip a perimeter alarm.
Who is targeted: opportunistic, small-to-mid-market firms, with managed service providers and manufacturers prized for lateral access into their customers.
Hammerspace today announced its senior executive team will participate in RAISE Summit 2026, taking place July 8–9 at the Carrousel du Louvre in Paris. At Booth 3B, Hammerspace will demonstrate how enterprises can win the AI infrastructure race before the first token by eliminating one of AI’s largest hidden constraints: data readiness.
As enterprise inference and RAG deployments accelerate, AI economics are not defined by GPU counts or storage performance alone. AI outcomes depend on how quickly environments become productive, how rapidly workloads gain access to the right data, and how efficiently infrastructure keeps GPUs generating useful output.
The Hammerspace Data Platform addresses these challenges by unifying the data estate on existing storage and automating data orchestration to make data available where GPUs need it without large-scale data migration or new storage procurement.
At RAISE Summit, attendees will learn how Hammerspace improves three metrics that determine AI success:
Time to Very First Token: Reducing the time required to make enterprise data AI-ready so projects can begin in days instead of months.
Time to First Token: Orchestrating and pre-positioning data so AI workloads can begin generating results faster.
Time per Token: Continuously supplying GPUs with the right data to improve utilization and lower the effective cost of AI operations.
Traditional AI deployment models often treat AI readiness as an infrastructure project, requiring organizations to acquire new storage, build new environments and migrate data before productive work can begin. Hammerspace’s Data Platform instead treats AI readiness as a data availability challenge, enabling organizations to use data in place across existing storage systems and cloud environments while creating a unified global namespace for AI workloads.
By continuously discovering, orchestrating and positioning data where AI workloads need it, Hammerspace reduces idle GPU cycles, minimizes unnecessary data movement and helps organizations improve productive GPU utilization while lowering cost per token.
Hammerspace’s Data Platform enables organizations to:
Activate enterprise data in place across existing storage systems and cloud environments
Eliminate storage procurement and migration delays that traditionally postpone AI initiatives
Unify distributed data through a global namespace without creating additional silos
Pre-position data before workloads require it, reducing time to first token
Continuously orchestrate active data throughout AI pipelines to maximize GPU productivity
Organizations using traditional storage-first AI data approaches may spend between 14 and 30 weeks acquiring infrastructure and migrating data before productive AI work begins. Hammerspace can reduce that timeline to as little as a few days to one week, representing acceleration of up to 70x.
Executive Speakers at RAISE Summit
David Flynn will present on the Main Stage on July 8, sharing how organizations can rethink AI infrastructure around the economics that matter most: speed to token generation, continuous GPU productivity and cost-efficient AI operations.
Molly Presley, Hammerspace SVP of Global Marketing, will present on July 9 on the Grace Hopper Stage in a session titled “The Data Problem: What AI Actually Runs On,” examining why data readiness, not infrastructure procurement, has become the defining challenge for enterprise AI.
Acording to a newly published Comparitech report, global ransomware attacks reached a new high in H1 of 2026 with an average of 23 attacks per day. During the first six months of 2026, researchers logged 4,217 ransomware attacks. This is an 11 percent increase on the second half of 2025 (3,809).
Additional key findings include:
484 confirmed ransomware attacks
319 were on businesses
83 were on government entities
49 were on healthcare companies
33 were on educational institutions
3,733 unconfirmed attacks*
3,356 were on businesses
102 were on government entities
198 were on healthcare companies
71 were on educational institutions
5,019,204 records compromised in the confirmed attacks
Median ransom demand: $150,000 (average: $1.36M)
Qilin was the most prolific ransomware group with 641 victims in total, followed by The Gentlemen (464) and Akira (317)
Qilin (54) and The Gentlemen (51) had the most confirmed attacks
The United States was the most targeted country with 1,832 attacks in total, followed by Canada (200), Germany (164), the United Kingdom (157), Italy (131), France (117), and Spain (100)
China saw one of the biggest upticks in attacks from H2 2025 to H1 2026 (up 540% from 5 to 30)
Commenting on these findings is Rebecca Moody, Head of Data Research at Comparitech:
“One thing that stands out in this report is how the growth of one ransomware group can start to change the threat landscape. The Gentlemen overtook Qilin in the number of attack claims last month, and, as the group operates a more “international” approach to its targets, attack figures dropped in the US (when compared to H2 of 2025), despite figures increasing in most other countries.
Around half of Qilin’s targets tend to be US-based, but less than 1 in 5 of The Gentlemen’s victims in June 2026 were based in the US. Perhaps seeing how saturated ransomware attacks are in the US, The Gentlemen has decided to focus more of its efforts further afield — and with relative success. 51 of its 2026 victims have confirmed their attacks to date, with notable names including Mackay Sugar in Australia, the Grand Hotel Taipei in Taiwan, and NATO contractor Indra (Spanish HQ but subsidiary affected).”
With organizations adopting AI-powered SOCs, much of the attention focuses on reducing false positives. False negatives where AI falsely clears an attack or its early phases is far less discussed, but far more problematic.
Yasir’s detailed analysis recognizes that AI SOCs miss real threats more often than SOC teams and their organizations expect, and lays out the costs of false negatives to the average organization.
AI detection tools lose ~between 45 and 50 percent of their tested accuracy when deployed in real environments because of differences in data, infrastructure and dynamic, evolving threats.
Up to 40 percent of alerts in a standard SOC go completely uninvestigated – and that slow detection is a strong potential driver for escalating estimates of the cost of a data breach.
An effective SOC is a well-governed one that logs what it missed, flags gaps, routes uncertain signals to human review, and escalates ambiguous as well as high-risk cases to supervising humans.
An operator tied to FortiBleed’s infrastructure was found actively working negotiation panels for both groups, tying mass FortiGate credential theft directly to ransomware deployment for the first time.
Behind the credential leaks lies a coordinated operation run by the Lynx-INC ransomware group, and the actors are exploiting a previously undisclosed Nextcloud zero-day that our team is actively investigating.
The operators were found leveraging a Nextcloud zero-day to expand access. Investigation is ongoing – full technical details, affected versions, and IOCs will follow in our upcoming report.
Key findings:
FortiBleed has targeted 430,000+ FortiGate firewalls worldwide via a custom credential-sniffing tool
STRU identified 200+ additional operational servers beyond the original campaign
An operator with access to FortiBleed infrastructure was found logged into both INC Ransom and Lynx negotiation panels
Victim data from FortiBleed overlaps with victims already tracked by INC Ransom
An internal tracking document reveals an organized, ~20-person operation with a clear division of labor
What we now know
Ransomware operation: STRU assesses with high confidence that FortiBleed is operated by the Lynx-INC ransomware group. Extensive intelligence has been obtained on the group, including its members.
Nextcloud zero-day: The actors are exploiting a previously undisclosed Nextcloud zero-day. Our analysis is ongoing.
Backdoored accounts: Persistent backdoor accounts were found on compromised devices (username: adminin).
Large-scale sniffing: Traffic sniffing was identified on ~19,000 Fortinet devices. Following SOCRadar’s notifications to affected parties, this number has dropped to ~11,000.
Infrastructure seizure: 500 servers were seized – including the server Lynx-INC used for ransom negotiations.
Decryption: Efforts to recover decryption keys are ongoing.
Recent timeline
29 Jun 2026 – 9,426 newly identified FortiGate devices found in Lynx-INC’s internal tracking documents, with ransomware deployed against several targets.
27 Jun 2026 – FortiBleed formally linked to the Lynx-INC ransomware group.
26 Jun 2026 – IoC update: 42 operation servers and 13 files added.
25 Jun 2026 – Citrix target list discovered: 29,000 IP addresses and 37 domains, indicating targeting is expanding beyond FortiGate.
25 Jun 2026 – IoC update: 19 operation servers and 4 files added.
A detailed report – covering the Lynx-INC operation, the Nextcloud zero-day, and full indicators of compromise will be published later this week or early next week.
Posted in Commentary with tags Azure on July 1, 2026 by itnerd
A massive password spray campaign targeting Azure CLI is the latest reminder that identity remains the easiest way into an environment, not the hardest. What’s notable isn’t the technique, it’s how many organizations will only learn their exposure after the fact, because their compliance program checks whether an MFA policy exists once a year instead of verifying it holds up in real time.
Justin Beals, CEO & Founder of Strike Graph, an AI-native GRC and compliance automation platformhad this to say:
“A password spray campaign at this scale against Azure CLI is a reminder that identity is still the front door most attackers walk through, not the one they have to break down. Credential stuffing and spray attacks work because organizations are still measuring identity security by whether a policy exists, not by whether it’s actually holding under live pressure.
This is the attestation versus verification gap again. A company can have an MFA policy documented, reviewed, and signed off in an audit, and still get walked through the door if enforcement has gaps, exceptions, or stale service accounts sitting outside the policy’s scope. Traditional compliance checks that policy exists once a year. It doesn’t tell you whether your identity controls are holding up against an active campaign today.
Continuous monitoring of authentication events, not an annual attestation, is what actually catches this while it’s happening. If the first time you find out about a password spray campaign is when a security outlet writes about it, your compliance program is documenting risk after the fact instead of managing it in real time.”
Anthropic is putting Claude Fable 5 back online worldwide. On June 30, the U.S. Commerce Department lifted the export controls it had imposed on Fable and its more tightly controlled sibling Mythos 5 about two and a half weeks earlier.
Fable 5 returns to users on Wednesday, July 1, across Claude.ai, the Claude Platform, Claude Code, and Claude Cowork.
Export controls restrict who can receive or use a technology. The June 12 order told Anthropic to cut off both models for any foreign national, inside or outside the United States, including its own non-citizen staff.
Commenting on this is Mayur Upadhyaya, CEO at APIContex:
“The restoration of Claude Fable 5 is welcome news. However, many organizations discovered they had unintentionally created a single point of failure in their AI strategy.
Where workflows had automatically adopted the latest Anthropic model, removing Fable didn’t always result in graceful degradation. In some cases, automations failed silently because there was no fallback, no cold restart, and no operational awareness that the dependency had changed.This isn’t a criticism of Anthropic. The pace of innovation from the foundation model providers is extraordinary. But it does highlight that enterprises are beginning to treat AI models as operational infrastructure rather than productivity tools.Every infrastructure dependency eventually changes. Models are updated, withdrawn, restricted, or superseded. The question for organizations is no longer whether they’ll use frontier AI. It’s whether their workflows continue to operate when those underlying dependencies inevitably change.As AI becomes part of critical business processes, resilience needs to evolve beyond model performance. We need to verify that the transactions built on top of these models continue to perform and conform, even when the infrastructure beneath them changes.”
I’m going to go out on a limb and suggest that the US didn’t really have much of a choice but to release Claude Fable 5. But that doesn’t me that anything that AI generates doesn’t need to be validated. In fact, I would argue that it doubles the need for validation.
Harness, the AI Software Delivery Platform company, today launched Autonomous Worker Agents for software delivery: the platform for enterprises to build and safely run AI agents that handle the work between writing code and shipping it to production.
Software delivery has moved through phases. First, people did the work by hand. Then they wrote scripts for individual jobs like deployment. Most recently, they connected those jobs into automated pipelines that follow fixed instructions, which is what Harness has run for large enterprises for years. Worker Agents are the next phase. Every step in the pipeline can now run as a reasoning agent rather than a fixed script, with the context, governance, sandboxing, and audit trails that enterprises need to trust agents in production.
Dozens of Harness Managed Agents are available today, and any team can customize them or build their own. A new Harness Agent Marketplace makes it easy to find, use, and share them.
The controls that keep agents safe in production
Autonomous Worker Agents run on infrastructure that the customer controls. Code and data never leave the customer’s network, and agents are governed by the same controls enterprises already use for human deployments.
These controls make Autonomous Worker Agents safe to run in production:
Sandboxing: Agents run in isolated containers with restricted file and network access. An agent that produces a malicious command has nowhere to send data.
Scoped credentials: Each agent has its own identity and the specific set of permissions assigned to it, the same way an employee does. An agent can only take the actions those permissions allow, no matter who triggers it or what its prompt says.
Policy enforcement: The same policies that gate human deployments gate agents. A policy can keep agents off non-approved models or out of production pipelines.
Audit trails: Every agent action is recorded under a distinct AI identity, with full provenance: what triggered the agent, what it did, and the outcome.
Cost tracking: Token spend is surfaced per agent, per pipeline, with budget caps that stop an agent when it hits its limit.
Chaining: Agents compose into multi-step workflows, passing output from one to the next.
Easy to build, governed by your policies
Building an Autonomous Worker Agent uses the same agent-file format that has become standard across the industry. Save it to a single file, commit it to your repository, and the agent is live, governed, and available across your organization. Teams that would rather not write the file can use Harness AI to generate the agent for them. Either way, the agent runs as a governed pipeline step with the same controls, audit trail, and policy enforcement as everything else.
Once it runs, the agent has your organization’s full context. It reasons using the Harness Software Delivery Knowledge Graph, a connected map of your services, pipelines, deployments, infrastructure, incidents, and security findings. An agent assessing a vulnerability knows which services are affected and who owns them. A deployment agent knows which services depend on the one being deployed. The result is a response built for your specific environment, not a generic fix that only looks right.
Agents also meet you where you work. Through the Harness MCP Server, a developer in Cursor, Claude Code, or another tool can assign a task to a Worker Agent and have it run in Harness, with the result returned to wherever it was triggered. Wherever an agent runs, it runs under your organization’s policies, governed the same way as every other step in your pipeline.
Harness-built agents, ready to use today
Harness has pre-built Autonomous Worker Agents that handle the repetitive, time-consuming work that slows teams down across the delivery lifecycle.Here are a few of the agents available today, with more added regularly:
Autofix reads build logs, identifies the root cause of a build failure, commits a fix to the PR branch, and re-triggers builds until it passes.
Code Review reviews PR diffs for code quality, security issues, and test coverage.
Code Coverage identifies untested lines and generates tests to close coverage gaps.
Feature Flag Cleanup detects stale flags and validates safe removal.
Manifest Remediator analyzes failed Kubernetes deployments and fixes manifest issues.
IaCM Remediation fixes configuration drift, security findings, and cloud cost issues by editing infrastructure configurations.
The Harness Agent Marketplace
The Harness Agent Marketplace is a shared catalog where Worker Agents are published and reused across an organization and the broader Harness community. Teams can adopt an existing agent rather than build their own, and contribute the agents they build back to the catalog.
It has three tiers:
Harness Managed: Built, maintained, and SLA-backed by Harness.
Harness Certified: Built by partners, reviewed and certified by the Harness engineering and security teams.
Community: Published by the broader Harness community. Organizations can use out-of-the-box policies to control which community agents run in production.
Every agent in the Marketplace can be forked. A team can clone an existing agent and adjust the prompt, tools, or triggers to fit their environment. The agent one team builds to solve a problem becomes the starting point for the next team that hits the same roadblock.
Bring your own model
Autonomous Worker Agents work with any LLM provider. Connect Anthropic, AWS Bedrock, or Google Vertex AI through existing Harness connectors, and switch models per agent, per environment, or per pipeline without rewriting the agent.
Availability
Autonomous Worker Agents and the Harness Agent Marketplace are now generally available to all Harness customers. For more information, visit https://harness.io/platform/worker-agents.
Think your small business is too small to be targeted by ransomware?
That’s precisely the assumption cybercriminals hope you’ll make.
Bitdefender Antispam researchers have uncovered a phishing campaign targeting small businesses across Europe, Asia, the Middle East, and the United States with fake investigation emails impersonating law enforcement officials.
The messages claim to contain evidence of suspicious company activity, but there’s a catch: The attached ‘evidence’ is actually ransomware.
Key takeaways
Researchers at Bitdefender Antispam Lab have identified a malicious campaign impersonating Interpol
The emails claim to contain evidence of suspicious company activity and pressure recipients into opening a password-protected archive.
Recipients are directed to a Proton Drive-hosted file that ultimately delivers ransomware.
The ransomware appears to be a custom-built payload rather than a known ransomware family.
The operation targeted organizations across Europe, Asia, the Middle East, and the United States.
Small businesses are particularly at risk because many lack dedicated IT and cybersecurity resources.
How the attack works
The emails arrive with an urgent tone, claiming to be from Interpol’s cybercrime investigation unit, which is conducting a compliance or security review.
Recipients are told that investigators have obtained information and video material related to their organization and are encouraged to review the evidence as soon as possible.
The message is carefully crafted to create anxiety. Nobody wants to receive an email suggesting their company may be involved in suspicious or fraudulent activity or under investigation.
To review the alleged evidence, recipients are directed to a Proton Drive link containing a password-protected archive. The password is conveniently included in the email itself.
Once opened, the archive appears to contain a video file documenting the supposed activities under investigation.
Instead, the victim is greeted with malware.
The attackers use a familiar trick: disguising an executable as a video file in the hope that recipients won’t notice the difference before opening it.
The malware isn’t sophisticated. The social engineering is.
According to researchers Viorel Vrabie and Andrei Mogage, the fake video contains a ransomware payload hidden within multiple archive layers.
Once executed, the malware seeks to encrypt files across available drives and presents victims with a ransom message:
“Your computer has been compromised, and you will not be able to recover your encrypted files without the decryption key.
Do not delete any files or change their locations. Do not scan your computer, as this may complicate the recovery process.
We are available only through Tox.”
One interesting detail is what the ransom note doesn’t say:
Unlike older ransomware attacks that immediately demanded a fixed payment amount, this note doesn’t specify a ransom at all. Instead, victims are instructed to contact the attackers through a Tox chat channel.
This approach has become increasingly common among ransomware operators. Rather than demanding the same amount from every victim, attackers often prefer to negotiate after establishing contact. The final ransom may depend on the size of the organization, the perceived value of its data, and its ability to pay.
The researchers also found that the malware itself is relatively simple. The code contains hardcoded values, including the password used during encryption and decryption, and lacks many of the features typically associated with large ransomware operations.
Bitdefender researchers observed the campaign targeting organizations across multiple industries, including food and agriculture, legal services, pharmaceuticals, media, technology, and finance.
The campaign was also geographically diverse, with targets identified across Europe, Asia, the Middle East, and the United States.
Is this attack linked to a major ransomware gang?
In fact, the malware seems much simpler than the tools typically used in major ransomware operations. Beyond the relatively basic code observed by our researchers, another notable difference is how victims are instructed to make contact.
Most modern ransomware-as-a-service (RaaS) groups direct victims to a dedicated negotiation portal hosted on the dark web, where they can exchange messages, receive payment instructions, and negotiate the ransom.
In this campaign, however, the attackers simply provide a Tox chat ID. There is no dedicated negotiation portal or victim site, which is another indication that this is likely a custom-built operation rather than the work of an established ransomware group.
This suggests the malware may have been custom-built or assembled using publicly available code and tools.
The campaign highlights an important trend: cybercriminals no longer need the resources or expertise of a large ransomware gang to launch disruptive attacks. Even relatively simple malware can become a serious threat when paired with convincing social engineering.
In this case, the fake investigation email does much of the heavy lifting. The attackers rely on fear, urgency, and authority to persuade victims to launch the malware themselves.
Why small businesses remain attractive targets
Small businesses are often viewed as easier targets than large enterprises.
Many operate without dedicated IT teams or cybersecurity staff. Security responsibilities are often shared among employees who already wear multiple hats, and limited budgets can make it difficult to invest in advanced security measures or ongoing training.
When an alarming email arrives claiming to involve investigators, compliance issues, or evidence of misconduct, there may be no formal process for verifying the claims before someone clicks.
Attackers understand this reality and design campaigns specifically to exploit it.
What should you do if you opened the file?
If you downloaded and opened a file like the one used in this campaign, don’t panic, but don’t ignore it either. Acting quickly can make a big difference.
Disconnect the affected device from the network. If ransomware or other malware is running, taking the computer offline may help prevent it from communicating with attacker-controlled servers or spreading to shared drives and other devices.
Run a full security scan. Use a trusted security solution, such as Bitdefender Ultimate Small Business Security, to perform a complete scan of the affected device. Even if nothing appears unusual, remember that some threats are designed to remain hidden until they’ve completed their job.
Notify your IT administrator or managed service provider, where possible. If you’re part of a business, don’t try to deal with the incident alone. The sooner your IT team is aware, the faster they can isolate affected systems and prevent additional damage.
Inform your team about the attack. Awareness can also make a huge difference in protecting your business, devices, data, and reputation.
Change important passwords from a clean device. If there’s any chance the malware also harvested credentials, update passwords for your business email, cloud storage, financial accounts, and collaboration platforms. Use strong, unique passwords and enable multi-factor authentication wherever it’s available.
Look for signs of suspicious activity. Watch for unexpected login alerts, password reset emails, unfamiliar transactions, or files that suddenly become inaccessible. Continue monitoring your accounts over the following days, as some attacks don’t reveal their full impact immediately.
Report the incident. Report the phishing email through your email provider’s “Report phishing” feature and notify the organization being impersonated when appropriate. If your business has been infected or you suspect ransomware was executed, consider reporting the incident to your national cybersecurity agency. Sharing information about active campaigns helps authorities warn other organizations and better understand emerging threats.
Campaigns like this prove that ransomware attacks don’t always begin with sophisticated hacking techniques. Often, they start with a message designed to create panic.
To reduce the risk of your small business falling victim to a similar ransomware attack:
Verify all unsolicited correspondence before acting: If you receive a message claiming to come from law enforcement, regulators, or another authority, don’t rely on the contact details provided in the email. Reach out through official channels to confirm whether the communication is legitimate.
Note: One of the biggest red flags in this campaign is the delivery method itself. While the attackers impersonate Interpol, legitimate law enforcement agencies don’t send unsolicited emails containing Proton Drive links to password-protected files and ask organizations to review alleged evidence of wrongdoing. If you receive a message like this, resist the urge to investigate on your own. Instead, verify the communication through official channels before opening any attachments or downloading files.
Treat password-protected archives with caution, especially when the password is included in the email.
Show file extensions on Windows devices: This makes it easier to spot executables masquerading as videos or documents.
Enable multi-factor authentication wherever possible. MFA won’t stop ransomware that’s already running, but it can prevent attackers from accessing your business accounts if they also try to steal passwords.
Keep systems and software up to date. Regular security updates help close vulnerabilities that attackers may exploit before or after a phishing attack.
Train employees to recognize scams: Criminals increasingly rely on fear and urgency rather than technical exploits.
Maintain secure backups: Reliable backups remain one of the best defenses against ransomware.
Use layered security designed for small businesses: Even well-trained employees can have an off day, and attackers count on those moments. Solutions such as Bitdefender Ultimate Small Business Security add another layer of defense by helping block phishing emails, detecting malicious downloads, identifying suspicious behavior, and stopping ransomware in its tracks.
This article is published for informational and educational purposes only. The information presented is based on technical research conducted by Bitdefender Labs and publicly available sources. Bitdefender does not make any legal determination regarding the activities described herein. The mention of any company, brand, domain, or individual does not constitute an accusation of illegal activity. Readers should exercise their own judgment and consult appropriate authorities or legal counsel if they believe they have been affected by any of the activities described. Domain names and URLs listed in this article are provided solely to help consumers and security professionals identify potentially harmful infrastructure. Bitdefender disclaims any liability for actions taken based on the information in this article.
Every day, cybercriminals send around 3.4 billion phishing emails. 90 percent of successful cyber attacks originate from one of these emails. 96 percent of IT security and decision makers expect to see email security challenges throughout 2026, so you’d be forgiven for thinking that most organizations would be meeting the basics. However, Comparitech’s findings found that more than eight percent of organizations’ domains are fully unprotected.
This Wednesday, Comparitech researchers will be publishing a new study looking into this very subject by analyszing the live DNS records for 5,849 domains across 13 sectors, scoring each based on a series of frameworks.
Key findings include:
487 of the total domains scanned (5,849) had zero protection (8.3%)
Government domains had the lowest average score – 2.73
Tech company domains had the highest average score – 4.83
China had the lowest average score – 2.3
Additionally, Rebecca Moody, Head of Data Research at Comparitech, provided the following comment on the subject:
“If you asked people which industries they’d like to assume are meeting basic cybersecurity standards, government agencies and healthcare providers would likely be among some of the most popular answers. Our study highlights that, when it comes to standard email security, this couldn’t be further from the truth.
The fact that over 1 in 4 government agencies and 1 in 5 healthcare providers have zero email protection is incredibly concerning, particularly when the factors we’ve assessed (SPF, DMARC, DKIM, or MTA-STS) are what many would call “standard” protocols. Equally, these sectors are often subject to more regulation, demonstrating that even when they should be meeting these requirements by law, they often aren’t.
One of the biggest risks of having gaps in email security is spoofing. Without the necessary protocols in place, hackers can spoof an organization’s domain, which adds to the legitimacy of their campaign. They could use this to send phishing emails, malware, or carry out a wire fraud scam, for example. Ultimately, the email security protocols we’ve assessed shouldn’t be seen as a recommendation or “good to have,” they should be viewed as being essential for all organizations.”
FortiBleed Unmasked: A Joint Operation by Lynx and INC Ransomware Groups
Posted in Commentary with tags SOCRadar on July 6, 2026 by itnerdAfter announcing last week that SOCRadar Links FortiBleed Campaign to INC and Lynx Ransomware Operations, today the SOCRadar Threat Research Unit (STRU) published its complete report that reveals exactly how INC and Lynx used a measurable, tracked spend on AI credits, an entire swarm of autonomous agents pointed at one target with a deliberate model-selection strategy (cheap model for high-volume scanning, a frontier model reserved for deep code review), and active jailbreak research to defeat model safety controls.
Today’s complete report also puts an identity and a profile behind the coordinating operator and lays out the full internal hierarchy by role.
Key points:
For full details, please see the new report: FortiBleed Unmasked: A Joint Operation by Lynx and INC Ransomware Group. A pdf of the report can be found here.
Leave a comment »