Archive for Fortra

September Patch Tuesday Commentary From Fortra

Posted in Commentary with tags on September 9, 2025 by itnerd

Tyler Reguly, Associate Director, Security R&D, Fortra

Today, we have to start with the CVE that made me do a double take. A CVE that I feel should be rejected by MITRE – CVE-2025-55234. We know that relay attacks are possible against SMB and we know that there are hardening mechanisms available to assist with this. So, why is Microsoft releasing a CVE where they state, “Microsoft is releasing this CVE to provide customers with audit capabilities to help them to assess their environment and to identify any potential device or software incompatibility issues before deploying SMB Server hardening measures that protect against relay attacks.” (https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-55234)?

As far as I’m concerned, Microsoft told us they have assigned a CVE not because of a vulnerability but to raise awareness to new auditing capabilities that they’ve added to assist with protective measures. If that is the case, that is a misuse of the CVE system. If that is not the case, then Microsoft needs to provide clarification very quickly.

This month there is a single CVE with a CVSS score in the critical range, CVE-2025-55232 (https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-55232), a vulnerability in the Microsoft High Performance Compute (HPC) Pack that could allow unauthorized attackers to execute code over the network. That makes this a CVSS 9.8 vulnerability and one that people need to pay attention to. Microsoft has provided mitigation steps for those who cannot update immediately. This matters because there is no fix for HPC Pack 2016; the only remedy there is to migrate to HPC Pack 2019. Thankfully, Microsoft has labeled this as exploitation less likely with a severity of important, but it is still something that you’ll want to pay attention to if you have the High Performance Compute Pack deployed in your environment.

While Microsoft has identified 11 vulnerabilities as critical this month, only one of those is identified as exploitation more likely: a vulnerability in NTLM that could allow an authorized attacker to gain SYSTEM-level privileges via a network-based attack. This is the one you’ll want to pay attention to until you have patches deployed. Since this is a privilege escalation for an authenticated user, it is one of those “the call is coming from inside the house” situations and a great way for attackers to potentially move laterally in your network.

For CSOs paying attention this month, I would have a couple of questions that I’d ask my team to take back to my Microsoft reps.

First, are they confident that there was no exploitation or disclosure related to CVE-2025-55241 (https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-55241), a vulnerability in Azure Entra that allowed for privilege elevation without the need for privileges… something I would typically think of as code execution rather than privilege escalation. This is a no-customer-action-required vulnerability and has already been resolved by Microsoft, but knowing more about the scenario and having a guarantee that there was no past exploitation would be important to me.

Second, I would want to know more about CVE-2025-55234 and whether there truly is a vulnerability associated with it. If this is a vendor using a CVE simply to add a feature, that is something that CSOs everywhere need to push back against. There are enough legitimate CVEs being issued that we shouldn’t have to worry about CVEs without new vulnerabilities. This just adds complexity to an already complex situation.

The State of Email Trust: Global DMARC Adoption Trends in Q2 2025

Posted in Commentary with tags on August 29, 2025 by itnerd

By John Wilson, Senior Fellow, Threat Research, Fortra

In the sprawling digital ecosystem of the modern web, trust hinges on invisible scaffolding: DNS configurations, registrar records, and cryptographic signaling that determines whether your inbox will deliver truth or treachery. With phishing, spoofing, and business email compromise continuing to exploit lapses in email authentication, one question looms large: Just how secure are the world’s most-visited domains? 

Armed with DNS records (MX, SPF, DMARC) and whois metadata from the top 10 million domains on the internet, this analysis offers one of the most expansive snapshots of global email hygiene to date. From configuration trends to systemic weak points, we peel back the layers of digital trust to reveal what’s been hiding in plain sight. 

The findings? At once expected and alarming. While many domains have embraced modern security standards, millions remain vulnerable — inviting attackers to impersonate, manipulate, and deceive. By analyzing registrar behavior, domain age, and adoption patterns, we uncover which corners of the internet are actively fortifying their defenses and which have left the door ajar. 

Sender Policy Framework (SPF): Adoption and Pitfalls in the Wild

SPF serves as the internet’s first line of defense against email spoofing, specifying which IP addresses are authorized to send mail on behalf of a domain. But while it’s foundational to email authentication, its real-world implementation varies wildly across the web’s most popular domains.

SPF Adoption at a Glance

Out of the 10 million domains analyzed: 

  • 3,666,641 (36.7%) published a syntactically valid SPF record
  • 140,843 (1.4%) published an SPF record with syntax errors or excessive DNS lookups
  • 6,192,516 (61.9%) had no SPF record at all 

This means that 63.3% of the 10 million most popular domains on the internet remain vulnerable to unauthorized sending and/or delivery issues. 

Common Misconfigurations

Among the domains with SPF records:

  • 110,732 (1.1%) exceeded the 10-DNS-lookup limit, rendering SPF evaluations unreliable. 
  • 4,479 (0.045%) used the `+all` mechanism (i.e., allow all), effectively nullifying the purpose of SPF. Worse, these domains open the door for cybercriminals to hijack the trust inherent in these domains to send phishing links, malware-laden messages, and launch social engineering attacks. Two particularly notable examples were ubuntu.com and civilservice.gov.uk. Imagine how easy it would be to lure UK citizens interested in civil service jobs with an authenticated message from careers@civilservice.gov.uk. Or consider the message below, which I sent to myself using nothing more than telnet: [image not available]
  • 2,632 misspelled the ip4: mechanism either by omitting the “4” or by inserting a “v”. 

DMARC: Visibility, Policy, and Gaps

DMARC builds upon SPF and DKIM to offer domain owners the ability to define how unauthenticated messages should be handled — and to receive reporting data on abuse attempts. It’s a vital control against phishing and brand impersonation, yet widespread adoption remains elusive. 

DMARC Adoption Snapshot

From the dataset of 10 million domains:

  • 1,816,866 (18.2%) had a valid DMARC record
  • 1,061,585 (10.6%) had a record with a `p=none` policy, offering visibility but no enforcement
  • 755,281 (7.6%) implemented enforcement policies (`p=quarantine` or `p=reject`)
  • 20,384 (0.2%) had malformed or incomplete DMARC entries
  • 8,162,614 (81.6%) lacked a DMARC record entirely 

Despite growing awareness, only 388,096 (3.9%) of the internet’s 10 million most popular domains enforce a reject policy that also covers subdomains, exposing the remaining domains to spoofing risks even when SPF and DKIM are configured.

Common DMARC Configuration Issues

For domains that published a DMARC record, the most common error was the omission of the mailto: before the rua and/or ruf reporting addresses. The second most common error was misplacement of the policy p= tag, which must occur immediately after the v=DMARC1; tag. 

While not an error, 47.7% of domains with a valid DMARC record did not include a rua tag, meaning those domain owners are not receiving aggregate feedback to enable them to correct any SPF or DKIM configuration issues. 

73% of domains with a valid DMARC record did not include a ruf tag, depriving the domain owner of forensic feedback reports. Forensic reports are helpful to diagnose SPF and DKIM misconfigurations and can also help the domain owner see attempts to hijack their domain in near real time. 
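The SPF pitfalls listed above (excess DNS lookups, `+all`, misspelt `ip4:`) and the DMARC configuration issues in this section (missing `mailto:`, misplaced `p=`, absent `rua`/`ruf`, subdomain enforcement) can all be caught offline by parsing the records. The checker below is an added example written for this page, not tooling from the survey; the record strings are constructed samples, and since it never queries DNS the SPF lookup count covers only terms in the record itself rather than following `include:` recursively.

```python
"""Offline checks for the SPF and DMARC pitfalls the survey calls out.

Record strings are constructed samples. Nothing here queries DNS, so the SPF
lookup count covers only terms in the record itself; a real evaluator also
follows include:/redirect= recursively before applying the limit of 10.
"""

# Mechanisms and modifiers that each cost one DNS lookup under RFC 7208.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
SPF_LOOKUP_LIMIT = 10
DMARC_POLICIES = ("none", "quarantine", "reject")


def check_spf(record: str) -> list[str]:
    """Return the problems found in an SPF TXT record (an empty list means clean)."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    problems, lookups = [], 0
    for term in terms[1:]:
        t = term.lower()
        if "=" in t and t[0] not in "+-~?":
            # Modifier (redirect=, exp=): name=value, no qualifier.
            name = t.split("=", 1)[0]
        else:
            # Mechanism: optional qualifier, then name[:value][/cidr]; no qualifier means "+".
            qualifier = t[0] if t[0] in "+-~?" else "+"
            body = t[1:] if t[0] in "+-~?" else t
            name = body.split(":", 1)[0].split("/", 1)[0]
            if name == "all" and qualifier == "+":
                problems.append("+all authorises every sender (SPF is nullified)")
            if name in ("ip", "ipv4", "ipv6"):
                # The survey's misspelling: 'ip:' or 'ipv4:' instead of 'ip4:'.
                problems.append(f"misspelt mechanism '{term}' (use ip4: or ip6:)")
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
    if lookups > SPF_LOOKUP_LIMIT:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of {SPF_LOOKUP_LIMIT}")
    return problems


def parse_dmarc(record: str) -> list[tuple[str, str]]:
    """Split 'tag=value; tag=value' into ordered (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        part = part.strip()
        if part:
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def check_dmarc(record: str) -> dict:
    """Validate a DMARC record and work out the policies a receiver would apply."""
    pairs = parse_dmarc(record)
    tags = dict(pairs)
    problems, warnings = [], []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("record must begin with v=DMARC1")
    # p must come straight after v (the survey's second most common error).
    if len(pairs) < 2 or pairs[1][0] != "p":
        problems.append("p= tag must immediately follow v=DMARC1")
    policy = tags.get("p")
    if policy not in DMARC_POLICIES:
        problems.append(f"invalid or missing policy p={policy!r}")
    for tag, kind in (("rua", "aggregate"), ("ruf", "forensic")):
        if tag not in tags:
            warnings.append(f"no {tag} tag: no {kind} reports will be received")
            continue
        for uri in tags[tag].split(","):
            # The survey's most common error: reporting addresses without mailto:.
            if not uri.strip().lower().startswith("mailto:"):
                problems.append(f"{tag} URI '{uri.strip()}' lacks the mailto: scheme")
    # sp (subdomain policy) defaults to p when absent.
    sub_policy = tags.get("sp", policy)
    return {
        "problems": problems,
        "warnings": warnings,
        "policy": policy,
        "subdomain_policy": sub_policy,
        # "Reject including on subdomains", the survey's strongest category.
        "reject_everywhere": not problems and policy == "reject" and sub_policy == "reject",
    }


if __name__ == "__main__":
    print(check_spf("v=spf1 ip:192.0.2.10 +all"))
    print(check_dmarc("v=DMARC1; rua=dmarc@example.com; p=none"))
```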

DMARC Provider Correlation to Policy

DMARC records specify the domain owner’s policy for how they would like receivers to treat unauthenticated mail that uses their domain in the “From:” header. There are three DMARC policies:  

  • “None,” which indicates the domain owner would like no special treatment applied to messages which fail authentication.
  • “Quarantine,” which indicates the domain owner would like unauthenticated mail from their domain placed in a quarantine such as a spam folder.
  • “Reject,” which indicates the domain owner would like the receiving organization to block the message outright, typically by issuing a 550 error at the end of the DATA portion of the SMTP transaction. 

Receivers may honor the domain owner’s wishes or may override the sender’s DMARC policy for a variety of reasons specific to the receiving organization. 

For maximum security, domain owners should publish a DMARC reject policy. This is often a difficult task, as it requires the domain owner to ensure that all legitimate email from their domain is properly authenticated with SPF and/or DKIM. The complexities of identifying all third-party senders and then working with those senders to ensure they follow DMARC-compatible authentication practices have led many companies to work with third parties who specialize in DMARC implementation. 

Our analysis of the top 10 million internet domains found that only 22.9% of domains that send their DMARC reporting data to themselves have a DMARC reject policy, while 72.8% of domains whose DMARC records point to Fortra publish DMARC reject policies. The chart below shows the policy breakdown for the major DMARC solution providers. The data suggests that working with a third-party vendor who specializes in DMARC implementations can increase the likelihood of achieving DMARC reject status. 

[chart not available: DMARC policy breakdown by DMARC solution provider]

Conclusions

This analysis of the DNS and email authentication configurations of the top 10 million internet domains reveals both encouraging trends and significant shortcomings in the global state of email security. While the adoption of foundational protocols like SPF and DMARC has increased in recent years, the data shows a concerning level of misconfiguration, underutilization, and overall neglect — leaving the majority of domains vulnerable to spoofing, phishing, and business email compromise. 

While tools and standards exist to dramatically reduce spoofing and phishing risk, their protection is only as good as their implementation. The internet’s most visited domains include both shining examples of secure configuration and gaping vulnerabilities waiting to be exploited. Strengthening global email hygiene requires not only broader adoption of standards like SPF and DMARC, but also a concerted effort to ensure they are implemented correctly — and supported by the right infrastructure, partnerships, and oversight. 

Guest Post – Insider Risk in the Era of AI and Cloud Work: 5 Tips to Avoid Being Outsmarted 

Posted in Commentary with tags on August 20, 2025 by itnerd

By John Wilson, Senior Fellow, Threat Research, Fortra

Times are changing and no one changes faster than enterprising threat actors. Anxious to be the early bird that gets the worm, malicious insiders are already leveraging AI and cloud-level inroads to cause serious – and subtle – damage. 

Here’s how companies can stay safe.  

1. AI-Augmented Insider Threats 

Insiders now have powerful tools at their fingertips. Generative AI can be used to repackage stolen data, evade detection, or even help craft malicious code. As LLMs become embedded in everyday business applications, they introduce new avenues for abuse. 

To allay these threats, organizations should:  

  • Implement User Behavior Analytics (UBA). Invest in technology that will look for malicious indicators and catch them in real time. AI-crafted threats are expert at evading detection, and UBA catches what clues there are to find.  
  • Fight Fire with Fire: The only thing powerful enough to catch AI is often AI. Invest in security solutions that lean on AI, like XDR, that are powerful enough to stop these threats at scale. 
  • Use AI in Red Team Exercises. The best way to train against AI-augmented insider threats is to practice. Have your red team regularly utilize AI-driven techniques and have blue teams cut their teeth on these simulations with advanced technologies (like the ones mentioned above) that are specially designed to catch them. 

2. Third-Party Insiders 

The modern workplace is more distributed than ever. Contractors, MSPs, and vendors have become an insider threat risk as XaaS models and offshored support expand internal access. 

In a world inundated with cloud services and AI, lowering third-party risk comes down to: 

  • Setting Minimum Threshold Requirements: Look for minimum certification standards like SOC 2 or ISO 27001. If your third party can’t meet even one requirement, it says something about their security culture – or lack thereof. 
  • Conduct Independent Audits: Start with the typical vendor questionnaire and follow up with an independent security audit to regularly ensure external parties are toeing the line. Most security laws today place sole third-party breach responsibility on the host organization anyway, so doing this is only covering your bases. Regular reassessments will ensure that security doesn’t drift over time.  

3. Burnout as a Risk Factor 

Behavioral indicators matter. Burnout, dissatisfaction, or disengagement are proven precursors to malicious or negligent insider behavior, and in a volatile talent market, those signs are harder to ignore. 

Outsourcing large projects (like pen testing and red teaming) to MSSPs is one way to give your team some breathing room. When it comes time to renew (or replace) solutions, invest in automation and AI. Anything that force-multiplies the capabilities of your SOC and makes them feel more successful puts coins back in emotional bank accounts.  

And do all this under a “culture of cybersecurity,” because when the company shows its commitment to secure practices – and that it’s open to discussing them – team members are more likely to speak out rather than act out. 

4. Cloud-Native Access as a Weak Point 

Remote and hybrid work models have fueled a surge in BYOD and shadow IT. Employees often use personal cloud apps or unmanaged devices, which can unintentionally turn them into insider threats. 

This cloud-based drift can be avoided as work-from-home models continue to expand.  

  • Scan for Cloud Assets | Use a data discovery tool to find all unknown digital assets in the cloud, then make sure they all have strong access policies around them. Implement data classification in the cloud to ensure that you have ongoing visibility and automated protection, as cloud-based assets are sure to scale quickly.  
  • Explicitly Communicate a Digital Services Policy | Assume no security initiative is automatically understood if you haven’t explicitly stated it. Many people are still reusing personal passwords for work logins. Gather department heads, talk to HR, get CISO buy-in – any or all of it – and explicitly state the policy on downloading SaaS and other digital services. Make IT permission mandatory and configure security controls and permissions to reflect that if necessary.  
  • Decide If BYOD is Right for You | While allowing employees to bring their own devices has obvious monetary benefits, consider the wide-swinging door of risk and whether it is worth it to your enterprise. Even if you can police behavior at work, users will always do what they like out of hours. An investment in company machines could be an investment in cybersecurity.  

5. Avoiding Overseas Remote Work Scams 

Another risk of remote work today – and perhaps the most obvious – is that when hiring, many organizations do not require an in-person meet-up. This problem goes both ways, as qualified candidates get “hired” and fill out sensitive HR paperwork, only to realize the whole company was a sham. But companies themselves can also get hit by scheming “employees.”  

These schemes could introduce not only corporate compromise, but international espionage. In one recent example, “North Korean workers use[d] stolen or fake identities created with the help of AI tools to get hired by more than 100 companies in the U.S.,” as stated in Bleeping Computer. While the two masterminds behind this particular operation were caught, this type of thing can pop up anywhere, at any time. Obviously, the use of AI makes it that much harder to catch. 

How can organizations stay on the safe side of the line? Make sure you properly vet your remote workforce. One suggestion: Tell any prospective candidate up front that the final step in the interview process will be to visit corporate headquarters to meet the decision makers, even if no such visit will actually happen. This will quickly deter fake – or deepfake – candidates. 

Staying One Step Ahead 

Most insiders don’t have malicious intent, but with “the human factor” still present in 60% of data breaches, it can’t hurt to be sure. There is still a lot unknown about AI, at least to the average employee, and those same ambiguities in the cloud can lead to a perfect storm of unintentional mistakes.  

Understanding human behavior and the risks it presents empowers organizations to take deliberate action against insider threats. By investing in AI-driven security, increasing visibility, automating key processes, and leveraging trusted partners, security teams can stay ahead of malicious insiders.  

August 2025 Patch Tuesday Commentary From Fortra

Posted in Commentary with tags on August 12, 2025 by itnerd

By Tyler Reguly, Associate Director, Security R&D

The hot topic that everyone will be discussing this month is the appearance of AI in the Patch Tuesday drop – specifically CVE-2025-53767 and CVE-2025-53773. Up first, we have an elevation of privilege in Azure OpenAI. This vulnerability was already resolved by Microsoft and there’s no action for users to take, but this type of issue may make you think twice about the usage of AI in your organization. The other is more interesting, a vulnerability in GitHub Copilot and Visual Studio that involves a patch only for Visual Studio 2022. It’ll be interesting to see what details are released on this, but it is command injection which should be taken seriously.

Typically, there’s a lot of talk around any vulnerabilities seeing active exploitation, but we don’t have any of those this month. We do have one publicly disclosed Kerberos vulnerability (CVE-2025-53779) that Microsoft lists as exploitation less likely. The interesting thing here is that only Server 2025 is impacted, as the vulnerability exists in a new feature that didn’t exist in previous versions of Windows Server. Sometimes there is value in not being on the latest and greatest but instead staying on a fully supported previous release that has been (somewhat) battle tested. New features are always going to be of interest to researchers and attackers.  

This month, we need to talk about the pair of CVSS 9.8 vulnerabilities that are, thankfully, according to Microsoft, less likely to see exploitation. CVE-2025-50165 is a vulnerability in the Windows Graphics Component that requires no user interaction; all that is needed is for Windows to decode a JPEG image. Interestingly, only the latest version of Windows 11 as well as Windows Server 2025 are impacted by this vulnerability, again showing us that the latest and greatest isn’t always the greatest option.

The other vulnerability is in GDI+ and impacts all versions of Windows. Once again, however, CVE-2025-53766, like CVE-2025-50165, can be exploited without user interaction. Specifically, Microsoft points to web services that allow user uploads and parse the documents.

Both of these should be considered high-priority items this month. While they are rated as exploitation less likely, they are critical issues should working exploits be developed. These are the types of items where you want to stay ahead of the curve and be prepared in case attackers are successful in crafting an exploit.

There are two things that I think should be on every CSO’s mind this month when they look at the Patch Tuesday drop. The first is AI. With multiple AI-related vulnerabilities – GitHub Copilot and Azure OpenAI – this month is a great reminder that AI technologies are still new and we’re still figuring them out. It is important that organizations understand where and how they are utilizing AI. Beyond that, they need to know what services they are using and how those services react to vulnerabilities and security issues. A lot of the time, when looking at AI-based services, we’re interested in data residency, retention, and ownership… do we stop to ask what they are doing to secure their systems and what their security policy is? This is a good reminder that if you aren’t doing that, it is time to start.

The other thing for CSOs to think about is how they are measuring their risk and responding to it. There are vulnerabilities that, based on severity, are called Critical based on CVSS scores but Important by Microsoft. There are vulnerabilities that are not seeing active exploitation but, if they did, would be severely detrimental to organizations at a large scale. Are you considering future risk or current risk? Whose severity do you trust? If you don’t have an internal methodology for determining and measuring risk, today is a great day to start developing one.

Guest Post: Threat Group Tycoon2fa Targeting C-Suite in New Wave of QR Attacks

Posted in Commentary with tags on July 31, 2025 by itnerd

By Daud Jawad, Security Engineer, Threat & Intelligence Management, Fortra 

A wave of phishing attacks is targeting executives and privileged users with well-crafted PDFs containing malformed QR codes – designed both to bypass traditional email defenses and to exploit weaknesses in mobile devices. These campaigns are believed to be tied to Tycoon2fa, a highly active and popular Phishing-as-a-Service (PhaaS) group. What sets this campaign apart is its high degree of targeting and customization, with attachments disguised as internal handbooks, complete with corporate branding, table of contents, and personalized names. This professional packaging, coupled with the sophistication of the QR phish, allows low-skilled actors to launch advanced attacks on high-value individuals like C-level executives, managers, and directors.

Key Points and Modus Operandi

1. Targeted Delivery 

The email appears to originate from an internal system and includes a PDF attachment mimicking a new employee handbook.

2. Personalized Context 

The PDF is tailored to the target, incorporating the official logo, corporate color scheme, recipient’s name, and company branding. It also includes a table of contents, step-by-step directions, and a QR code. 

3. The Malformed QR Code 

The embedded QR code is intentionally malformed, functioning when scanned by a phone but appearing as an image and evading detection by Microsoft’s security filters. This allows it to bypass tenant-level scanning and link extraction. 

4. Credential Harvesting 

Users are instructed to scan the QR code with a mobile device; when scanned, it directs them to a spoofed Microsoft login page with the username pre-populated. Behind the scenes, the page acts as a reverse proxy: it forwards authentication requests to Microsoft to verify credentials. The traffic is then routed through a [.]ru domain where stolen credentials are harvested. If the correct password is entered, the user is redirected to the real Microsoft portal, unaware of the breach.

5. Phone Vulnerability 

The intent of the campaign is for the user to scan with a personal device or a poorly hardened corporate phone, since scanning from a personal device bypasses corporate web-filtering controls and secure web gateways. An added benefit of the phone usage is that URLs are shortened in the phone browser by default, making them less noticeable and further reducing user suspicion.

Indicators and Attribution 

Threat Actor Group and Phishing-as-a-Service 

Phishing-as-a-Service (PhaaS) is a cybercrime model in which experienced hackers offer phishing tools, templates, and services to less-technical individuals for a fee, typically via subscription. This approach lowers the barrier to entry, enabling attackers with minimal technical expertise to deploy advanced phishing campaigns. Like legitimate software-as-a-service (SaaS) offerings, PhaaS providers supply:

  • Pre-built phishing kits 
  • Hosting and support 
  • Credential storage 
  • Malicious email and landing-page templates 
  • Step-by-step attack tutorials 
  • Credential-theft management tools

Our infrastructure analysis suggests this campaign leverages a PhaaS provider, “Tycoon2fa,” active since 2013. Subscription access for services ranges from $120 to $320 and includes: 

  • Prebuilt phishing kits and templates 
  • Credential storage and management tools 
  • Step-by-step attack automation guides

Safe-Attachment Vulnerability 

During our investigation, a safe-attachment policy misfire was detected. A crafted string in the attachment triggered the policy, allowing the malicious PDF to pass through. Although this issue has been patched, we recommend auditing safe-attachment rules, scoping whitelists appropriately, and verifying that each policy remains necessary.

Dynamic Domain Generation 

Within the attacker’s infrastructure, we discovered a PHP-based subdirectory that generates custom domain and subdomain iterations. Users can specify prefixes, suffixes, and root domain segments, enabling the rapid creation of hundreds of unique URLs. This makes detections, tracking, and blocking far more challenging for security teams.

Mitigation 

Early threat detection is key to preventing data breaches, financial loss, and operational disruption: 

  • Proactive defense: Deploy real-time alerts for suspicious URLs, leveraging multiple threat-intelligence vendors and static IOCs on email gateways and web traffic monitoring systems. 
  • Pattern detection: Identify recurring artifacts such as random IDs in subjects, uniform attachment byte sequences, or sender-domain patterns by using regex or lexical rules on your secure email gateway. 
    • Fortra Secure Email Gateway (SEG) provides lexical expression capability which can be set to look for the IOCs found in text format or regex for a dynamic pattern-based detection.
  • QR code analysis: Use OCR-enabled email security solutions to extract and validate links embedded in QR codes before delivery. 
  • Blocking strategies: 
    1. Low level: Manually block known malicious domains/subdomains.
    2. Medium level: Temporarily block sending IPs until more robust pattern detection is in place.
  • Behavioral detection: Integrate heuristic analysis and dynamic vendor feeds to block evolving phishing patterns rather than relying on static indicators alone.
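The pattern-detection bullet above (random IDs in subjects, uniform attachment byte sequences, sender-domain patterns) can be expressed as a handful of lexical and regex rules. The triage routine below is an added example written for this page, not Fortra SEG configuration: the rule thresholds, the `.ru` sender pattern, the handbook lure vocabulary, the sample messages and the "known" attachment prefix are all constructed for illustration.

```python
"""Lexical/regex triage for the campaign artifacts named in the Mitigation list:
random IDs in subjects, uniform attachment byte sequences, sender-domain patterns.

Illustrative rules only, not Fortra SEG configuration. Messages and the "known"
attachment prefix are constructed samples.
"""
import hashlib
import math
import re
from dataclasses import dataclass


@dataclass
class Message:
    sender: str
    subject: str
    attachment: bytes = b""


# 8+ alphanumerics containing both a letter and a digit, e.g. a generated reference ID.
RANDOM_ID = re.compile(r"\b(?=[A-Za-z0-9]*\d)(?=[A-Za-z0-9]*[A-Za-z])[A-Za-z0-9]{8,}\b")
# Sender-domain pattern (constructed): the campaign's credential traffic used a .ru domain.
SUSPICIOUS_SENDER = re.compile(r"@[\w.-]+\.ru$", re.IGNORECASE)
# Lure vocabulary matching the "employee handbook" theme.
LURE_WORDS = re.compile(r"\b(handbook|employee|onboarding)\b", re.IGNORECASE)
PREFIX_LEN = 64        # bytes of the attachment compared against known campaign files
ID_ENTROPY_MIN = 2.5   # bits per character; ordinary words score below generated IDs


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty string."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def attachment_prefix_hash(data: bytes) -> str:
    """Fingerprint of the first PREFIX_LEN bytes: the 'uniform byte sequence' artifact."""
    return hashlib.sha256(data[:PREFIX_LEN]).hexdigest()


def triage(msg: Message, known_prefixes: set[str]) -> list[str]:
    """Return the names of the rules that fire for one message (empty list = no match)."""
    hits = []
    ids = [t for t in RANDOM_ID.findall(msg.subject) if shannon_entropy(t) >= ID_ENTROPY_MIN]
    if ids:
        hits.append(f"random-id-in-subject:{ids[0]}")
    if SUSPICIOUS_SENDER.search(msg.sender):
        hits.append("suspicious-sender-domain")
    is_pdf = msg.attachment.startswith(b"%PDF")
    if is_pdf and attachment_prefix_hash(msg.attachment) in known_prefixes:
        hits.append("known-attachment-prefix")
    if is_pdf and LURE_WORDS.search(msg.subject):
        hits.append("pdf-with-handbook-lure")
    return hits


# Constructed sample attachment: a minimal PDF header, not a real campaign file.
SAMPLE_PDF = (b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\n"
              b"endobj\n2 0 obj\n<< /Type /Pages /Count 1 >>\nendobj\n")
KNOWN_PREFIXES = {attachment_prefix_hash(SAMPLE_PDF)}

# Constructed sample messages: one campaign-style lure and one benign internal mail.
SAMPLE_MESSAGES = [
    Message("notify@portal-internal.example.ru", "Employee Handbook 2025 - ref X7Q2M9KL4P", SAMPLE_PDF),
    Message("hr@example.com", "Quarterly all-hands agenda"),
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m.subject, "->", triage(m, KNOWN_PREFIXES))
```

Static rules like these are the "low" and "medium" blocking levels in the list above; they need to be paired with the behavioral and multi-vendor feeds the last bullet describes, since the attacker's domain generator can outpace any fixed sender pattern.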

Summary 

QR code–based phishing is on the rise, delivered via email body, attachments, or seemingly benign URLs. Attackers exploit email-whitelisting gaps, malformed QR codes that evade tenant scanning, and mobile-only click prompts to bypass network defenses. A layered mitigation approach, including QR code extraction, multi-vendor URL scanning, advanced pattern detection, and stringent mobile-device management, provides the best defense.

Fortra Releases New AI Models, Threat Hunting, and Intelligence Features for Cloud Email Protection

Posted in Commentary with tags on July 23, 2025 by itnerd

Fortra today announced the release of new AI-driven features, enhanced threat hunting capabilities, and deeper intelligence integrations within its Cloud Email Protection (CEP) service—part of the company’s Integrated Cloud Email Security (ICES) solution. These new features improve the detection of sophisticated social engineering attacks that frequently evade traditional defenses. In May alone, these updates disrupted more than 87,000 additional email threats.

Fortra CEP combines artificial intelligence, global threat intelligence, and automated remediation to protect against advanced email threats. The latest release introduces several key AI enhancements:

  • AI Body Content Analysis: Uses a large language model (LLM) optimized for high-throughput message analysis to classify the intent of email body content.
  • AI Campaign Detection: Identifies low-content threats—such as invoice or payment scams—by recognizing shared characteristics across messages sent to multiple recipients.
  • AI Suspicious URL Detection: Analyzes the structural features of URLs in email messages, including embedded redirect links that lead to malicious sites.
  • AI Overall Risk Scoring: Analyzes outputs from all AI models in aggregate to detect targeted attacks that may not be convicted by any single detection method.

This release also strengthens integration between CEP and Fortra Suspicious Email Analysis (SEA), which evaluates user-reported email threats. Previously, CEP integrated indicators sourced by SEA to automatically purge and block email threats. Now, CEP can perform this automated mitigation using email subject and sender combinations, which addresses response-based threats that lack high-fidelity indicators.

In addition, this update introduces several enhancements to the CEP interface, improving search, investigation, and policy workflow tools. These upgrades empower security teams to conduct faster, more effective threat hunting and response.

Guest Post: July Patch Tuesday Commentary From Fortra – Critical CVEs Highlight Gaps in Visibility and Patch Readiness 

Posted in Commentary with tags on July 8, 2025 by itnerd

Tyler Reguly, Associate Director, Security R&D, Fortra

Welcome to the Everything but the Kitchen Sink of Patch Tuesdays… it feels like Microsoft decided to take all their odds and ends and fix them this month. Thankfully cumulative updates make the job of dealing with these types of patch drops a little easier, but whenever I see this, my immediate thought is, “What will get missed?”

I think there are two CVEs that everyone will be talking about today.

The first is CVE-2025-47981, which will be at the top of everyone’s list. This heap-based buffer overflow in Windows SPNEGO Extended Negotiation can allow for remote, unauthenticated code execution. This is a worst-case scenario and, to top it all off, Microsoft says that exploitation is more likely with this vulnerability.

Interestingly, Microsoft indicates that this affects Windows 10 1607 and above due to a GPO being enabled by default. Specifically, “Network security: Allow PKU2U authentication requests to this computer to use online identities.” More details on this setting are available from learn.microsoft.com. Based on Microsoft’s presentation of the information, disabling this GPO will mitigate this vulnerability.

It’s no secret that a lot of organizations run outdated software in places like ATMs, kiosks, and end-user terminals. According to StatCounter, Windows 7 still has more than a 2% market share. Could these unpatched devices be vulnerable to this network-based attack if someone enabled the GPO?

The other CVE that I suspect will be discussed is CVE-2025-49719, an information disclosure in Microsoft SQL Server. Microsoft notes that this vulnerability has been publicly disclosed and can leak uninitialized memory. One interesting aspect of this vulnerability is that Microsoft mentions in the FAQ that organizations with applications that use the OLE DB driver should, “Update the drivers to the versions listed on this page, which provide protection against this vulnerability.” However, there are no OLE DB driver versions listed on the page and no updates provided in the update section. This prompts the question, “Is the OLE DB Driver impacted or is this an FAQ copy and paste error?” If the driver is impacted, where are the updates?

While I’m not a CSO, I do like to think about a CSO’s job on Patch Tuesday or in relation to any patching and security risks. There are two things that stood out to me today.

Given the mismatched information in guidance for CVE-2025-49719, there’s a chance that Microsoft might update the FAQ and/or add additional updates. This could be done out of band and, if it is, will your team know about the change? The first thing I would want to know after seeing this would be whether or not my team is monitoring for updates or subscribed to update notifications. Sometimes, we fall into a habit of only checking for new data when it is expected (i.e. the second Tuesday of the month), but are we catching data that drops outside that window?

The other thing that stood out to me today was the breadth of software impacted this month. Do you know everywhere that the software is in use? A lot of organizations use the fire hose method, where they push out the patches as wide as they can, but they don’t always know that they are patching everything. This is where vulnerability management can help, but it is also limited. You can’t patch systems and software that you don’t know about, and you also can’t manage their vulnerabilities. This is where a CMDB or Configuration Management Database is critical to the survival of an organization. As a CSO, ask yourself if you have a CMDB deployed and then ask your team if it is being maintained on a regular basis. A CMDB is only as good as the last entry and if that last entry was a year ago, you are likely missing key information that could inform your patching decisions.

Cybercriminals Using AI to Bypass Security Controls in New Attack Methodology Says Fortra

Posted in Commentary with tags on June 17, 2025 by itnerd

Fortra researchers have uncovered an evolution in social engineering that creates entirely fabricated email conversations mimicking internal communications and workflows – believed to be the work of AI. These attacks are targeting employees with fraudulent invoices and are capable of bypassing signature detection, URL filtering, and sandboxing completely.

Key highlights:

  • Unlike email thread hijacking, attackers are presumed to be using AI to generate 100% fabricated threads built from information gathered on the open web.
  • These attacks exploit the gap between technical filters and human judgment, circumventing controls and leaving no technical footprint for security tools to analyze.

The report can be accessed here: When Yesterday’s Emails Never Happened: The Conversation Hijacking Attack | Fortra 

Guest Post: Office Vulnerabilities Raise Quiet Alarm

Posted in Commentary with tags on June 10, 2025 by itnerd

By: Tyler Reguly, Associate Director, Security R&D, Fortra

Boring. That’s the first word that came to mind when I saw the June patch drop. It’s a relatively small one with just 66 CVEs and nothing jumps out when you look at the release notes. With only one vulnerability listed as Exploit Detected and only one CVSS Base Score above 9.0, it feels like a quiet month… but sometimes quiet months can be quite scary.

When you dig in deeper, you find that Microsoft has labelled 10 of these vulnerabilities as Critical using their severity system. A couple of those are remote but require large numbers of messages or winning a race condition, and Microsoft has indicated we’re less likely to see an exploit for these.

The scary part of our quiet Patch Tuesday is a set of 4 vulnerabilities impacting Office. This set of vulnerabilities (CVE-2025-47167, CVE-2025-47164, CVE-2025-47162, and CVE-2025-47953) is one of the most concerning aspects of this month’s patch drop. The patches for Microsoft 365 for Office are not currently available and the preview pane is an attack vector. It is always important to take note of Microsoft’s Preview Pane FAQ entry, as that is likely to indicate that the vulnerability can be exploited without user interaction, simply by receiving an email. Additionally, 3 of the 4 were listed as Exploitation More Likely in Microsoft’s exploitability assessment.

The other items worth discussing this month are the single vulnerability that has been seen in active exploitation, CVE-2025-33053, and the single CVSS Critical, CVE-2025-47966.

With our actively exploited vulnerability, users need to click on a link or visit a malicious website in order to reach the malicious WebDAV server. Given the active exploitation of this vulnerability, this is the update that should be prioritized this month. It is important to note that there may be multiple updates to install on older versions of Windows.

As for that Critical CVSS vulnerability, the CVE was released as part of Microsoft’s efforts towards transparency with cloud vulnerabilities. In this case, there’s nothing for Microsoft users to do except be aware that it exists.

With any luck, the lower CVE counts the past few months have relieved security teams of a bit of the patch fatigue they are likely accustomed to feeling. This could be a good month for a CSO to ride along with their IT team to see what they deal with when Microsoft patches are released. Sometimes, it is easy to forget what individual contributors are dealing with month over month, and seeing it first-hand, especially at a time when the pressure is reduced a little, can be a great way to identify process or tooling improvements that could really benefit your security team.

Fortra Divests JAMS to Focus on Core Cybersecurity Mission

Posted in Commentary with tags on June 3, 2025 by itnerd

Fortra today announced the divestiture of JAMS, a centralized job automation and scheduling solution, to PSG, a leading growth equity firm specializing in technology-enabled service partnerships, in combination with 2ndWave Software. 

The divestiture comes as the next strategic move in Fortra’s cybersecurity evolution, following the reveal of the new Fortra brand in late 2022, and most recently, the acquisition of Lookout Cloud Security in May 2025. 

Fortra’s current offerings include advanced offensive and defensive cybersecurity solutions including data security and cloud data protection, brand and phishing protection, red teaming, penetration testing, vulnerability management, managed services, and more.  

After several years of strategic cybersecurity acquisitions, Fortra is driving forward with a mission to break the attack chain, leveraging an advanced arsenal of strategically-placed security solutions designed to disrupt attacks at every stage. The cyber attack chain is the process adversaries employ to compromise sensitive systems. 

For the past seven years JAMS has helped Fortra scale its growth, adding significant value to the company and positioning itself as a candidate for independent ownership. This advanced automation software will now be housed in an independent company owned by PSG, 2ndWave Software, and employees. The acquisition also includes Skybot, a complementary workload automation platform under the Fortra umbrella.  

Fortra continues to hone its single-minded focus, delivering best-in-class cybersecurity solutions purpose-built to tackle the challenges of an increasingly dynamic threat environment. By divesting JAMS, the company not only capitalizes on the growth of a valued investment, but enhances its own competitiveness as a driven, security-first market leader.