Archive for Microsoft

Microsoft bounty program now includes any flaw impacting its services

Posted in Commentary with tags on December 11, 2025 by itnerd

Microsoft today announced that it is expanding its bug bounty program to include any flaw impacting its services, regardless of whether the code was written by Microsoft or not:

In an AI and cloud-first world, threat actors don’t limit themselves to specific products or services. They don’t care who owns the code they try to exploit. The same approach should apply to the security community who continue to partner with us to provide critical insights that help protect our customers.

Security vulnerabilities often emerge at the seams where components interact or where dependencies are involved. We value research that takes this broader perspective, encompassing not only Microsoft infrastructure but also third-party dependencies, including commercial software and open-source components.

Starting today, if a critical vulnerability has a direct and demonstrable impact to our online services, it’s eligible for a bounty award. Regardless of whether the code is owned and managed by Microsoft, a third-party, or is open source, we will do whatever it takes to remediate the issue. Our goal is to incentivize research on the highest risk areas, especially the areas that threat actors are most likely to exploit. Where no bounty program exists, we will recognize and award the diverse insights of the security research community wherever their expertise takes them. This includes domains and corporate infrastructure that are owned and managed by Microsoft.

We call this approach In Scope by Default. It gives clarity to researchers and ensures that we incentivize responsible research wherever our customers may be impacted. Historically, our bounty program has had a defined scope for each eligible product or service. Our new approach expands the program to include all online services by default. It also means new services will be in scope as soon as they are released.

Martin Jartelius, AI Product Director at Outpost24, had this to say:

“For organizations that rely on bug bounty programs to keep themselves and their customers secure, this is an important step, as it focuses on the full attack surface of an organization. A very common mistake in security is the careless use of scope, or rather de-scoping, of what is included. As Mr. Gallagher notes, attackers do not care whether they gain access through ReactToShell or a novel vulnerability in Microsoft components. Microsoft will likely find itself paying out more bounties for a while, but the resulting security improvements will ultimately be a cost-efficient way to strengthen the organization’s overall security posture.”

This is a very good move by Microsoft as supply chain attacks are far more pervasive than they should be. Hopefully other vendors do something similar as this will make us all safer.

Microsoft Entra Invitations Hijacked in Surge of TOAD Phishing Attacks

Posted in Commentary with tags on November 17, 2025 by itnerd

A newly identified phishing campaign is exploiting Microsoft Entra tenant invitation functionality to orchestrate TOAD (Telephone-Oriented Attack Delivery) attacks against unsuspecting users. Commenting on this is Ensar Seker, CISO at SOCRadar:

“This campaign is a prime example of how attackers increasingly repurpose legitimate cloud-native features for malicious purposes. By abusing Microsoft Entra’s guest invitation system, the threat actors bypass traditional email filters and exploit trust users place in official Microsoft-branded messages. Because the Entra invitations are often whitelisted and routed through Microsoft’s infrastructure, they have higher deliverability and lower suspicion thresholds.

TOAD phishing attacks differ from traditional credential harvesting because they rely on inducing the user to take offline action, usually by calling a phone number. In this case, embedding the phone number within a trusted Microsoft invitation gives the scam an air of legitimacy. Once the victim initiates the call, attackers may request remote access, payment details, or PII under the guise of “fixing” an account issue or refunding a charge.

What makes this campaign particularly dangerous is the convergence of:

  • Trusted delivery mechanisms (Microsoft Entra infrastructure)
  • Minimal technical indicators (no malicious attachment or link to analyze)
  • Social pressure (urgent account issues prompting a phone call)

Traditional email filtering, sandboxing, and EDR tools are less effective here because the initial “payload” is human interaction, not code execution.

Organizations should monitor and audit their Microsoft Entra guest invitation logs for anomalous behaviors such as spikes in external invitations, use of unusual messaging language, or repeated invitations to consumer domains. Security awareness training should explicitly cover TOAD threats and the misuse of trusted platforms to initiate phone-based social engineering.

This is part of a broader trend in adversary-in-the-middle techniques that blend cloud abuse, social engineering, and trust manipulation. It underlines the need for zero trust policies even within SaaS environments, continuous behavioral monitoring, and adaptive email filtering models that account for intent, not just indicators.”

This is an interesting attack, and not in a good way, because it is difficult to defend against. Defences will have to be devised quickly or this could easily spiral out of control.
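The monitoring advice in the comment above (spikes in external invitations, unusual message language, repeated invitations to consumer domains) can be turned into a simple detection pass over exported Entra audit records. This is an added example, not code from the original post or from SOCRadar; the record fields are an assumed, simplified subset of the Entra audit log export, and the sample records are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Consumer mail domains (assumed list for the example); repeated invitations
# to these are one of the anomalies the commentary lists.
CONSUMER_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com"}
# Lure vocabulary typical of TOAD invitations: urgency plus a phone number to call.
URGENCY_WORDS = ("urgent", "suspended", "immediately", "refund", "call")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")

def has_phone_number(text: str) -> bool:
    """True if the text contains something shaped like a phone number."""
    return PHONE_RE.search(text) is not None

def domain_of(upn: str) -> str:
    return upn.rsplit("@", 1)[-1].lower()

def analyze_invitations(records, window_minutes=60, spike_threshold=5, consumer_threshold=3):
    """Return a list of findings over 'Invite external user' audit records.

    Each finding carries a 'kind' so a SIEM rule can route it:
      invite_spike            - more than spike_threshold invites from one inviter
                                inside any window_minutes window
      consumer_domain_invites - consumer_threshold or more invites to consumer domains
      toad_lure_text          - invitation message combining urgency words and a phone number
    """
    findings = []
    by_inviter = defaultdict(list)
    for r in records:
        if r.get("activityDisplayName") == "Invite external user":
            by_inviter[r["initiatedBy"]].append(r)

    for inviter, invites in by_inviter.items():
        times = sorted(datetime.fromisoformat(r["activityDateTime"]) for r in invites)
        window = timedelta(minutes=window_minutes)
        for i, t0 in enumerate(times):
            in_window = [t for t in times[i:] if t - t0 <= window]
            if len(in_window) > spike_threshold:
                findings.append({"kind": "invite_spike", "inviter": inviter, "count": len(in_window)})
                break

        consumer = [r for r in invites if domain_of(r["target"]) in CONSUMER_DOMAINS]
        if len(consumer) >= consumer_threshold:
            findings.append({"kind": "consumer_domain_invites", "inviter": inviter, "count": len(consumer)})

        lures = [r for r in invites
                 if any(w in (r.get("message") or "").lower() for w in URGENCY_WORDS)
                 and has_phone_number(r.get("message") or "")]
        if lures:
            findings.append({"kind": "toad_lure_text", "inviter": inviter, "count": len(lures)})
    return findings

# Constructed sample records (not real log data). Field names are a simplified
# subset of the Entra audit log export, assumed for this example.
LURE = "URGENT: your account is suspended. Call 1-800-555-0100 immediately to restore access."
SAMPLE_RECORDS = [
    {"activityDisplayName": "Invite external user", "activityDateTime": f"2025-11-17T09:0{i}:00",
     "initiatedBy": "ops@contoso.example", "target": f"victim{i}@gmail.com", "message": LURE}
    for i in range(7)
] + [
    {"activityDisplayName": "Invite external user", "activityDateTime": "2025-11-17T10:00:00",
     "initiatedBy": "alice@contoso.example", "target": "bob@partner.example",
     "message": "Welcome to the project workspace."},
    {"activityDisplayName": "Update user", "activityDateTime": "2025-11-17T10:05:00",
     "initiatedBy": "alice@contoso.example", "target": "carol@contoso.example"},
]

if __name__ == "__main__":
    for finding in analyze_invitations(SAMPLE_RECORDS):
        print(finding)
```

Thresholds are deliberately conservative starting points; tune them against your tenant's normal invitation volume before alerting on them.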

Microsoft Logo Used in Fake Browser Lock Tech Support Scam – SOCRadar’s CISO Comments

Posted in Commentary with tags on October 16, 2025 by itnerd

Researchers have uncovered a new campaign that weaponizes Microsoft’s name and branding to lure users into fraudulent tech support scams. What sets this campaign apart is its combination of social engineering, fake system alerts and deceptive UI overlays.

More details can be found here: https://cofense.com/blog/weaponized-trust-microsoft-s-logo-as-a-gateway-to-tech-support-scams

Ensar Seker, CISO at SOCRadar, provided the following comments:

“This scam is an advanced form of client-side browser manipulation that exploits both psychological and technical blind spots. By weaponizing the browser through JavaScript-based UI freezing, attackers simulate a system-level lock, often hijacking the mouse cursor, displaying modal pop-ups, and suppressing keyboard interactions. This creates a false sense of urgency and loss of control, coercing victims into calling a fraudulent support number.

“Technically, this scam evades email security layers by using CAPTCHA challenges and redirect chains to delay payload execution until after user interaction, which frustrates sandbox-based detection. It also mirrors tactics used in scareware and fake AV campaigns from a decade ago, now modernized with brand impersonation and responsive browser exploits.

“For defenders, it reinforces the importance of browser hardening, zero-trust browsing environments, and robust user awareness, especially training users to recognize fake urgency cues and never call unknown support numbers prompted by web pop-ups.”

Threat actors seem to be evolving faster than defenders can keep up, and this campaign illustrates that. It should make clear that defenders need to evolve just as fast, or bad things will happen to those they are protecting.

Windows 10 Support Ends TODAY

Posted in Commentary with tags on October 14, 2025 by itnerd

As of today, Microsoft has ended Windows 10 support. And according to Roger Grimes, CISO Advisor at cybersecurity company KnowBe4, that could leave users vulnerable to cyberattacks.

“Windows 10 was released over 10 years ago, so it doesn’t surprise me that Microsoft is finally sunsetting it. Competitors like Apple and Linux often only support the latest versions for a few years, so ten years of support is extraordinary. With that said, there are tens of millions of Windows 10 users (there are also hundreds of thousands to millions of even earlier Windows users out there), and Microsoft can’t simply abandon them.

But what does support look like when Microsoft no longer provides support? If history is any indicator, in the past Microsoft was forced to release a few critical patches that were being widely exploited in the world, but the practical reality is that any Windows 10 user needs to move to a newer version or use something else. If they can’t, and there are very valid reasons why a customer MUST continue to use Windows 10, then they must accept the risk. That’s life. But those Windows 10 users should isolate Windows 10 computers off the network and Internet if they can, or significantly isolate them using other domain isolation techniques (e.g., firewalls, IPSEC, etc.) and enable aggressive security monitoring. A Windows 10 computer is a high-risk computer and needs to be treated like it.”

Now, updating to Windows 11 is the clear answer to dealing with Windows 10’s demise. But that’s not always easy, as it is entirely possible that you have to replace hardware, or that some piece of software you rely upon might break and not have an easy path to update, assuming that an update path exists at all.

But there’s another option if you must run Windows 10. You can extend its lifespan with the Extended Security Updates (ESU) program by paying Microsoft. More details can be found here. Interestingly, EU customers don’t have to pay for this, at least for the first year. That’s the benefit of living in a jurisdiction that takes cybersecurity more seriously than we do. Having said that, this is a viable option if you must run Windows 10 beyond today.

New Phishing Campaign Uses LLMs To Craft SVG Payloads To Pwn You

Posted in Commentary with tags on September 29, 2025 by itnerd

Microsoft has flagged a new phishing campaign that appears to leverage large language models (LLMs) to craft obfuscated SVG payloads, making them appear like legitimate business analytics dashboards. The attack chain uses compromised business email accounts, self-addressed emails, and SVG files containing business-related terminology and modular, over-engineered code that mimics legitimate content. This enables phishing lures to evade static analysis and detection tools. While the campaign was limited in scope and blocked, Microsoft warns that AI-assisted obfuscation and synthetic phishing techniques are growing trends, with attackers increasingly adopting LLMs to automate and enhance their tactics.

You can read more via this Microsoft blog post: https://www.microsoft.com/en-us/security/blog/2025/09/24/ai-vs-ai-detecting-an-ai-obfuscated-phishing-campaign/

Anders Askasen, VP of Product Marketing, Radiant Logic had this comment:

“AI-driven phishing shows us that the frontline isn’t the payload, it’s the person behind the login. Attackers aren’t just tricking defensive filters anymore, they are using LLMs to mimic the texture of legitimate business data. That’s why identity observability is critical. If you can unify identity data into one source of truth, you can see when an account behaves out of character, when credentials are being replayed, or when entitlements don’t match expected patterns. The only way to counter AI-scaled deception is with unified identity intelligence that lets defenders observe, correlate, and act in real time.”

Andrew Obadiaru, CISO, Cobalt follows with this comment:

“Phishing has always been about social engineering, but AI is fundamentally changing the game by making attacks harder to detect both technically and psychologically. The use of LLMs to generate verbose, business-like code isn’t just obfuscation—it’s camouflage that blends seamlessly into enterprise workflows. Security teams can’t rely on static filters or signature-based defenses to catch this. The focus must shift to behavioral detection, red-teaming against AI-assisted tactics, and shortening remediation cycles before attackers can exploit the gap.”

This highlights the fact that we all need to work harder than ever to stay ahead of the bad guys, because they continue to evolve their tactics to succeed in making your life as miserable as possible.

Azure Entra flaw could enable user impersonation

Posted in Commentary with tags on September 23, 2025 by itnerd

Microsoft patched an Azure Entra elevation of privilege flaw (CVE-2025-55241) that appeared minor and required no customer action. But security researcher Dirk-jan Mollema revealed a deeper issue: undocumented “Actor tokens” combined with an Azure AD Graph API flaw could have enabled attackers to impersonate any user, including Global Admins, across any Entra ID tenant, with no logs or traces. While Microsoft moved quickly after responsible disclosure, the episode highlights the fragility of cloud identity security, the hidden risks in undocumented systems, and the need for proactive monitoring beyond vendor assurances. Details below:

One Token to rule them all – obtaining Global Admin in every Entra ID tenant via Actor tokens: https://dirkjanm.io/obtaining-global-admin-in-every-entra-id-tenant-with-actor-tokens/

Anders Askasan, Director of Product, Radiant Logic had this to say:

“This incident shows how undocumented identity features can quietly bypass Zero Trust. Actor tokens created a shadow backdoor with no policies, no logs, no visibility, undermining the very foundation of trust in the cloud. The takeaway is clear: vendor patching after the fact simply isn’t enough. To reduce systemic risk, enterprises need independent observability across their entire identity fabric, continuously correlating accounts, entitlements, and policies. Organizations need a trusted, vendor-agnostic view of their identity data and controls, so they can validate in real time and act before an adversarial incursion escalates into a breach that’s almost impossible to unwind.”

Christopher Elisan, Head of Offensive Security Research, Cobalt adds this:

“This case underscores why blind trust in vendor assurances can be dangerous. While responsible disclosure and rapid patching worked here, the sheer scale of what could have gone wrong reminds us that security isn’t static. Organizations should invest in adversarial testing to uncover blind spots before attackers do. Blind spots often live in undocumented functionalities, which can only be found by continuous, independent testing and validation. Continuous, independent validation is the only way to cut through a false sense of safety.”

This shows the importance of having a strong, diversified defence strategy which reduces your exposure to something like this. That’s on top of patching all the things ASAP.

Microsoft Seizes 338 Sites to Disrupt RaccoonO365 Phishing Service

Posted in Commentary with tags on September 16, 2025 by itnerd

Today, Microsoft’s Digital Crimes Unit said it disrupted RaccoonO365, the fastest-growing tool used by cybercriminals to steal Microsoft 365 credentials, by seizing 338 websites associated with the popular service and cutting off criminals’ access to victims.

Microsoft posted a blog post on the seizure here: https://blogs.microsoft.com/on-the-issues/2025/09/16/microsoft-seizes-338-websites-to-disrupt-rapidly-growing-raccoono365-phishing-service/

Erich Kron, security awareness advocate at KnowBe4, commented:

“Clearly, email phishing continues to be a major threat that organizations face on a daily basis. Phishing services make it far easier for unskilled attackers to be able to play in the cybercrime game, while not necessarily being cyber savvy themselves.

“Credential theft through phishing can be especially dangerous because people tend to reuse passwords across different accounts and services, meaning, if a bad actor can trick someone out of their password, they may not only have access to that account, but others as well.

“The social engineering threats drive home the reason that organizations need to have a well-established human risk management (HRM) program in place that will educate users on ways to spot fake login pages and help them understand why credential reuse is so dangerous. In addition, MFA should be deployed wherever possible to make things even tougher for attackers in the event they do steal someone’s credentials.”

This blog post is very much worth your time to read as it shows how threat actors are evolving to be increasingly more effective and dangerous.

US Senator Calls for FTC Investigation of Microsoft for Ascension Hospital Ransomware Hack 

Posted in Commentary with tags on September 11, 2025 by itnerd

In a letter to FTC Chairman Andrew Ferguson, U.S. Senator Ron Wyden urged the FTC to launch an investigation of Microsoft and “hold the company responsible for the serious harm it has caused by delivering dangerous, insecure software to the U.S. government and to critical infrastructure entities, such as those in the U.S. health care sector.” This includes the hack of millions of patient records from Ascension, the major hospital system, in 2024.

You can read the letter here: https://www.wyden.senate.gov/news/press-releases/wyden-calls-for-ftc-investigation-of-microsoft-for-enabling-ascension-hospital-ransomware-hack-with-insecure-software

Ensar Seker, CISO at cybersecurity threat intelligence company SOCRadar, commented:

“The letter underscores a long-standing tension in enterprise cybersecurity, the balance between legacy system support and secure-by-default design. What happened at Ascension isn’t just about one bad click or an old cipher. It’s about systemic risk inherited from default configurations and the architectural complexity of widely adopted software ecosystems like Microsoft’s. When a single vendor becomes foundational to national infrastructure, their security design decisions, or lack thereof, can have cascading consequences.

“From a technical standpoint, allowing deprecated encryption like RC4 to remain enabled by default, even at 0.1% usage, introduces avoidable exposure. The challenge is that many organizations still rely on legacy applications that can break when more secure defaults are enforced. Vendors are often reluctant to force those changes out of fear of business disruption, but in security, inertia can be dangerous.

“This incident also reinforces the importance of zero trust segmentation and endpoint detection. A single compromised contractor laptop should never have been able to reach Active Directory in the first place. That speaks to deeper gaps in lateral movement defenses, privilege boundaries, and user behavior monitoring, not just a software flaw.

“Ultimately, this isn’t about blaming one company. It’s about recognizing that national security is now tightly coupled with the configuration defaults of dominant IT platforms. Enterprises and public sector agencies alike need to demand more secure-by-design defaults and be ready to adapt when they’re offered.”

The EU has proven via strict enforcement and high fines that if you give organizations a reason to care about cybersecurity, they will care because it will get expensive if they don’t. It’s time that this sort of thing comes to North America.
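The comment above argues that RC4 stays enabled because a small share of legacy Kerberos traffic still depends on it. Before disabling it, an administrator needs to know which services and accounts that share belongs to; the script below derives that from exported Security event 4769 (service ticket requested) text. This is an added example, not code from the original post, the letter, or Microsoft; the events are constructed and simplified to the fields used here.

```python
import re
from collections import Counter

# Ticket Encryption Type values as logged in Security events 4768/4769.
ETYPE_NAMES = {0x01: "DES-CBC-CRC", 0x03: "DES-CBC-MD5", 0x11: "AES128-CTS-HMAC-SHA1-96",
               0x12: "AES256-CTS-HMAC-SHA1-96", 0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP"}
LEGACY_ETYPES = {0x01, 0x03, 0x17, 0x18}   # DES and RC4 families

FIELD_RE = re.compile(
    r"^\s*(Account Name|Service Name|Client Address|Ticket Encryption Type):\s*(\S+)", re.M)

def parse_4769(text: str) -> dict:
    """Parse the body of one exported 4769 event into the fields we need."""
    fields = dict(FIELD_RE.findall(text))
    return {"account": fields["Account Name"], "service": fields["Service Name"],
            "client": fields.get("Client Address", "-"),
            "etype": int(fields["Ticket Encryption Type"], 16)}

def rc4_usage_report(events) -> dict:
    """Share of legacy (RC4/DES) tickets and which principals still request them."""
    parsed = [parse_4769(e) for e in events]
    legacy = [p for p in parsed if p["etype"] in LEGACY_ETYPES]
    total = len(parsed)
    return {
        "total": total,
        "legacy": len(legacy),
        "legacy_pct": round(100.0 * len(legacy) / total, 2) if total else 0.0,
        "by_etype": dict(Counter(ETYPE_NAMES.get(p["etype"], hex(p["etype"])) for p in parsed)),
        # These are the services and accounts to fix or explicitly exempt before
        # RC4 is disabled, so nothing breaks when the secure default is enforced.
        "legacy_services": dict(Counter(p["service"] for p in legacy)),
        "legacy_accounts": dict(Counter(p["account"] for p in legacy)),
    }

def make_event(account, service, client, etype):
    """Constructed 4769 event body in Event Viewer's text layout (sample data only)."""
    return f"""A Kerberos service ticket was requested.

Account Information:
\tAccount Name:\t\t{account}
\tAccount Domain:\t\tCONTOSO.EXAMPLE

Service Information:
\tService Name:\t\t{service}

Network Information:
\tClient Address:\t\t{client}
\tClient Port:\t\t50123

Additional Information:
\tTicket Options:\t\t0x40810000
\tTicket Encryption Type:\t{etype:#x}
\tFailure Code:\t\t0x0
"""

# Constructed sample: six AES256 tickets, one AES128, and one RC4 ticket from a
# service account talking to an old application server.
SAMPLE_EVENTS = (
    [make_event(f"user{i}@CONTOSO.EXAMPLE", "FILESERVER01$", f"::ffff:10.0.0.{i}", 0x12)
     for i in range(6)]
    + [make_event("user6@CONTOSO.EXAMPLE", "FILESERVER01$", "::ffff:10.0.0.6", 0x11),
       make_event("svc_legacyapp@CONTOSO.EXAMPLE", "LEGACY-APP01$", "::ffff:10.0.5.20", 0x17)]
)

if __name__ == "__main__":
    print(rc4_usage_report(SAMPLE_EVENTS))
```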

Over 29,000 Unpatched Exchange Servers Could Be The Targets Of Threat Actors

Posted in Commentary with tags on August 11, 2025 by itnerd

Over 29,000 Exchange servers exposed online remain unpatched against a high-severity vulnerability that can let attackers move laterally in Microsoft cloud environments, potentially leading to complete domain compromise.

We added Microsoft Exchange CVE-2025-53786 detection to our daily scans (version based). See US CISA Emergency Directive 25-02: http://www.cisa.gov/news-events/…
Over 28K IPs unpatched (2025-08-07). Top affected: US, Germany, Russia
Dashboard world map: dashboard.shadowserver.org/statistics/c…

The Shadowserver Foundation (@shadowserver.bsky.social) 2025-08-08T14:21:30.322Z

Commenting on this is Martin Jartelius, CTO at Outpost24:

“The scale of unpatched Exchange servers is concerning, but not surprising. Initial guidance on this flaw included isolating end-of-life and end-of-support systems, and many organizations were already running far older, unmaintainable infrastructure before April’s patch was released.

This vulnerability affects hybrid environments. Many cloud-first businesses have already moved to Microsoft 365, and without deeper analysis it’s unclear how many of these identified servers are truly at risk. Some may determine the conditions for exploitation don’t exist in their setup and choose not to prioritize mitigation.

However, even if the exploitation risk is low, leaving a known vulnerability unpatched is an open invitation to attackers. We advise organizations to continuously assess and remediate such issues to reduce their attack surface and strengthen resilience.”

CISA has a directive about this issue that you can find here. There’s also an interactive map here. And if you run a Microsoft Exchange hybrid-joined environment, you should follow the guidance in the CISA directive ASAP.

Storm-2603 Exploits SharePoint Flaws to Deploy Warlock Ransomware on Unpatched Systems

Posted in Commentary with tags on July 24, 2025 by itnerd

Microsoft has revealed that one of the threat actors behind the active exploitation of SharePoint flaws, Storm-2603, is deploying Warlock ransomware on targeted systems.

As of this writing, Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon exploiting these vulnerabilities targeting internet-facing SharePoint servers. In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities to deploy ransomware. Investigations into other actors also using these exploits are still ongoing. With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems. This blog shares details of observed exploitation of CVE-2025-49706 and CVE-2025-49704 and the follow-on tactics, techniques, and procedures (TTPs) by threat actors. We will update this blog with more information as our investigation continues.

Ensar Seker, CISO at SOCRadar had this comment:

“The exploitation of unpatched SharePoint servers by Storm-2603 represents a serious escalation in threat actor behavior. What began as an espionage campaign has now evolved into a destructive ransomware operation using Warlock malware. This is significant not only because of the rapid weaponization of recent vulnerabilities, but because the group has adopted enterprise-level tactics: stealing credentials, disabling defenses, and deploying ransomware across entire networks using Active Directory tools.”

“Warlock ransomware in this context is particularly dangerous. Once Storm-2603 gains access to a vulnerable SharePoint server, they quickly move laterally, extract domain credentials, and push ransomware across systems often encrypting data en masse before defenders can respond. This is not a hit-and-run campaign. It reflects a strategic shift where attackers burrow deep, create persistence mechanisms, and time their ransomware deployment for maximum disruption.”

“The takeaway for enterprises is clear: if you run on-premises SharePoint, you must patch immediately. Beyond that, organizations should rotate keys and credentials, hunt for web shells or suspicious DLLs, and harden against lateral movement. Defenses like EDR in block mode, AMSI integration, and proper backup strategies are critical now, not optional. This campaign isn’t just a wake-up call for patch management, but for a broader rethink of how we defend internal collaboration platforms.”

James McQuiggan, Security Awareness Advocate at KnowBe4 adds this:

“Cybercriminals don’t need to be sophisticated, they just need organizations to be slow. Attackers don’t target the most vulnerable point, they go for what’s exposed, unpatched, and easiest to monetize. Essentially, a front door left wide open.”

“Enterprise environments are especially vulnerable because change takes time. There are processes, reviews, testing, and approvals that are needed to roll out mitigations and patches. However, if an organization’s SharePoint server is exposed on the internet with a known zero-day vulnerability and no compensating controls, it’s making their job easier.”

“If it’s internet-facing, treat it like a crown jewel. Anything exposed should be hardened, monitored, and patched rapidly, or segmented entirely. Limit attack surfaces by design. Many of these exposures exist simply because someone left default configurations or expanded access for convenience.”

“Cybersecurity isn’t about being perfect, it’s about not being predictable. The more visible and unpatched your environment, the easier it is for an organization to find and exploit. Organizations don’t need to outsmart every attacker, they just need to stop making it easy for them.”

If you have an on-premises SharePoint server, now would be a really good time to update it. As in drop everything you are doing and apply updates right now. Because if it wasn’t clear that this was a today problem, it should be now.