In today’s cybersecurity news…
Microsoft patches Office zero-day vulnerability
Microsoft pushed an emergency out-of-band patch for a high-severity Office zero-day that attackers are actively exploiting. The flaw lets a local, unauthenticated attacker bypass security features in a low-complexity attack that requires user interaction: getting someone to open a malicious Office file. Office 2021 and Microsoft 365 received fixes immediately, but patches for Office 2016 and 2019 aren’t ready, with Microsoft offering temporary registry mitigations in the meantime. (BleepingComputer)
Indian users targeted by Blackmoon
Researchers at eSentire’s Threat Response Unit say a phishing campaign impersonating India’s Income Tax Department is delivering a multi-stage backdoor to local users. The attackers use fake tax notices to drop a modified Blackmoon banking trojan along with a Chinese-made remote monitoring tool called SyncFuture TSM, turning it into an espionage platform for persistence, surveillance, and data theft. The malware chain includes DLL sideloading, UAC bypass, antivirus evasion, and privilege escalation. (The Hacker News)
Konni targets blockchain developers
Check Point Research says the Democratic People’s Republic of Korea-linked Konni is targeting blockchain developers in Japan, Australia, and India with phishing lures disguised as project docs to compromise development environments and access wallet credentials and crypto. The campaign uses an AI-generated PowerShell backdoor with unusually clean structure, pointing to a shift toward longer-term persistence beyond Konni’s traditional South Korea-focused operations. (Dark Reading)
CISA releases new cryptography categories
CISA published an initial list of hardware and software product categories that already support or are transitioning to post-quantum cryptography, developed with NSA under a 2025 executive order. The list is meant to guide procurement as quantum computing threatens current public-key crypto. Categories include cloud services, browsers, messaging, endpoint security, and networking, with PQC used for key establishment and digital signatures. CISA says future purchases in these categories should be PQC-capable to prepare for quantum-era encryption risks. (Infosecurity Magazine)
Huge thanks to our sponsor, Conveyor

Spoiler: it didn’t reduce follow-up questions and created even more work for everyone involved.
With Conveyor’s new Trust Center AI Agent, customers get answers instantly and can even upload questionnaires for the Agent to complete.
This way, customers find what they need and keep moving, without your team needing to intervene. Learn more at conveyor.com
Cloudflare misconfiguration behind BGP route leak
Cloudflare says a recent 25-minute IPv6 BGP route leak that caused congestion, packet loss, and roughly 12 Gbps of dropped traffic was triggered by a router policy misconfiguration in Miami, FL. The misconfiguration appears to have accidentally redistributed internal IPv6 prefixes to external peers, violating valley-free routing rules. Engineers detected the issue, then reverted the config, paused automation, and restored normal routing. (BleepingComputer)
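The two checks an operator would want in front of a leak like this, written here as an added illustration rather than anything from Cloudflare or the BleepingComputer report: an export-policy check that refuses to advertise internal-only prefixes to external peers, and a valley-free check over an AS path (uphill customer-to-provider hops, at most one peer hop, then only downhill provider-to-customer hops). The relationship table, ASNs (from the documented private range 64496-64511), prefixes and announcements below are all constructed for the example.

```python
from ipaddress import ip_network

# Constructed AS relationship table, not real topology.
# ("p2c" at key (X, Y)) means X is the provider of Y; "p2p" means X and Y peer.
RELATIONSHIPS = {
    (64497, 64496): "p2c",   # AS64497 is the provider of AS64496
    (64497, 64498): "p2p",   # AS64497 and AS64498 are settlement-free peers
    (64498, 64499): "p2c",   # AS64498 is the provider of AS64499
    (64500, 64498): "p2c",   # AS64500 is the provider of AS64498
}

# Constructed "internal-only" address space that must never reach an external peer.
INTERNAL_PREFIXES = [ip_network("2001:db8:1::/48")]


def relationship(a, b):
    """Return a's role toward b: 'c2p' (a is b's customer), 'p2c' (a is b's provider) or 'p2p'."""
    if (a, b) in RELATIONSHIPS:
        return RELATIONSHIPS[(a, b)]
    if (b, a) in RELATIONSHIPS:
        return {"p2c": "c2p", "c2p": "p2c", "p2p": "p2p"}[RELATIONSHIPS[(b, a)]]
    # An unknown relationship is itself a finding: fail closed rather than guess.
    raise KeyError(f"no known relationship between AS{a} and AS{b}")


def is_valley_free(path):
    """path is in propagation order (origin first, observer last), i.e. the reverse of the BGP AS_PATH.

    Valley-free: zero or more uphill hops (announce to a provider), at most one
    peer hop, then only downhill hops (announce to a customer). Once a route has
    gone sideways or down it may never go up again, which is exactly the shape
    of a leak: a route learned from a peer or provider re-exported to a provider/peer.
    """
    downhill_only = False
    for a, b in zip(path, path[1:]):
        r = relationship(a, b)
        if r == "c2p":                 # uphill hop
            if downhill_only:
                return False
        elif r == "p2p":               # one peer hop allowed, then only downhill
            if downhill_only:
                return False
            downhill_only = True
        else:                          # "p2c": downhill hop
            downhill_only = True
    return True


def export_allowed(prefix, peer_kind, internal=INTERNAL_PREFIXES):
    """Export policy: internal prefixes may go to internal sessions only."""
    net = ip_network(prefix)
    if peer_kind == "external" and any(net.subnet_of(i) for i in internal):
        return False
    return True


def audit(announcements):
    """Return (prefix, reason) for every announcement a router should have refused to export.

    Each announcement is a dict with 'prefix', 'peer_kind' ('internal'/'external')
    and 'as_path' in propagation order.
    """
    flagged = []
    for ann in announcements:
        if not export_allowed(ann["prefix"], ann["peer_kind"]):
            flagged.append((ann["prefix"], "internal prefix exported to external peer"))
        elif not is_valley_free(ann["as_path"]):
            flagged.append((ann["prefix"], "AS path violates valley-free routing"))
    return flagged


# Constructed sample announcements.
SAMPLE = [
    # Legitimate: customer -> provider -> peer -> that peer's customer.
    {"prefix": "2001:db8:ff::/48", "peer_kind": "external",
     "as_path": [64496, 64497, 64498, 64499]},
    # Leak: a route learned from a peer (64497) re-exported by 64498 to its provider 64500.
    {"prefix": "2001:db8:fe::/48", "peer_kind": "external",
     "as_path": [64496, 64497, 64498, 64500]},
    # Leak of the Cloudflare-style kind: internal prefix handed to an external peer.
    {"prefix": "2001:db8:1:10::/64", "peer_kind": "external",
     "as_path": [64496, 64497]},
    # Same internal prefix on an internal session is fine.
    {"prefix": "2001:db8:1:10::/64", "peer_kind": "internal",
     "as_path": [64496, 64497]},
]

if __name__ == "__main__":
    for prefix, reason in audit(SAMPLE):
        print(f"REJECT {prefix}: {reason}")
```

The export check runs first because it is cheaper and catches the case the report describes outright; the valley-free check covers leaks that are only visible once the path is considered as a whole. Treating an unknown relationship as an error rather than as "probably fine" is deliberate: a prefix-filter that silently permits what it cannot classify is how leaks reach the wider internet.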
Access system flaws unlock doors at Euro firms
SEC Consult found more than 20 vulnerabilities in Dormakaba’s Exos-based physical access control systems used by major European enterprises. Flaws included hardcoded credentials, weak crypto, command injection, and path traversal, potentially letting attackers remotely unlock doors, harvest PINs, or pivot inside networks. Dormakaba patched the issues over the past 18 months and says exploitation would typically require internal network access, though researchers identified internet-exposed systems that could be opened directly. (SecurityWeek)
Malware service guarantees phishing extensions on Chrome Web Store
Varonis researchers uncovered a new malware-as-a-service dubbed Stanley that sells malicious Chrome extensions designed to pass Google’s Web Store review. The extensions overlay full-screen phishing iframes while preserving the real URL bar and support silent installs on Chrome, Edge, and Brave. Stanley offers subscription tiers up to a “Luxe” plan that includes publishing support, plus C2 polling, geo-targeting, and notification lures. While technically basic, the service’s selling point is reliable distribution through trusted browser marketplaces, according to Varonis. (BleepingComputer)
New ‘vishing’ attacks break into SSO accounts
Cybercrime groups appear to be running a new wave of real-time voice-phishing attacks against single sign-on accounts, using spoofed SSO domains and live phone calls to sync MFA prompts and steal credentials. Mandiant and Okta report that actors identifying as ShinyHunters are breaking into SaaS environments, exfiltrating data and issuing extortion demands, with some victims including SoundCloud and Betterment. Researchers say there’s no vendor vulnerability involved, just social engineering with more convincing tooling. (CyberScoop)