Cybersecurity News: Multi-stage SharePoint attack, SmarterMail bypass flaw, AI worries Davos

In today’s cybersecurity news…

Multi‑stage AiTM phishing and BEC campaign abusing SharePoint

Researchers at Microsoft Defender have “uncovered a multi‑stage campaign targeting multiple organizations in the energy sector, resulting in the compromise of various user accounts.” The campaign “targets SharePoint file‑sharing services and delivers phishing payloads, relying on inbox rule creation to maintain persistence and evade user awareness.” Because an adversary‑in‑the‑middle (AiTM) phishing page relays the victim’s real sign‑in and captures the resulting session token, the attacker’s session outlives a password change, which is why the researchers state that password resets alone are insufficient. Impacted organizations must “additionally revoke active session cookies and remove attacker-created inbox rules used to evade detection.”

(Microsoft Security blog)
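For the inbox‑rule half of that clean‑up, the following is an added triage script, not code from Microsoft or the Defender report. It scores inbox rules for the traits that attacker-created rules typically share (external forwarding, deleting or hiding matching mail, marking it read, fraud-related keywords, blank or one-character names) and emits the Exchange Online and Graph PowerShell commands to remove a rule and revoke the user’s sessions. The input shape mirrors what `Get-InboxRule -Mailbox <user> | ConvertTo-Json` produces; the sample mailboxes, rules, domains, keyword list and scoring weights are all constructed assumptions for illustration.

```python
"""Triage Exchange Online inbox rules for BEC-style persistence (added example)."""
from dataclasses import dataclass, field

# Folders attackers route mail into so the victim never sees it (assumed list).
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                "archive", "junk email", "deleted items"}
# Keywords typical of rules that suppress replies about the fraud (assumed list).
BEC_KEYWORDS = {"invoice", "payment", "wire", "bank", "password",
                "phish", "hacked", "suspicious", "security", "sharepoint"}


@dataclass
class Finding:
    mailbox: str
    rule: str
    score: int
    reasons: list[str] = field(default_factory=list)


def _as_list(value) -> list[str]:
    """Get-InboxRule fields may be null, a string, or a list; normalise to lowercase strings."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value.lower()]
    return [str(v).lower() for v in value]


def score_rule(mailbox: str, rule: dict, internal_domains: set[str]) -> Finding:
    """Score one rule; higher means more attacker-like. Weights are assumptions."""
    name = rule.get("Name") or ""
    f = Finding(mailbox, name or "<unnamed>", 0)
    # ForwardTo entries look like 'Display Name [SMTP:user@domain]' or a bare address.
    targets = (_as_list(rule.get("ForwardTo")) + _as_list(rule.get("ForwardAsAttachmentTo"))
               + _as_list(rule.get("RedirectTo")))
    for target in targets:
        domain = target.rsplit("@", 1)[-1].strip("]> ")
        if domain not in internal_domains:
            f.score += 5
            f.reasons.append(f"forwards externally to {target}")
    if rule.get("DeleteMessage"):
        f.score += 3
        f.reasons.append("deletes matching messages")
    folder = str(rule.get("MoveToFolder") or "").rsplit("\\", 1)[-1].lower()
    if folder in HIDE_FOLDERS:
        f.score += 3
        f.reasons.append(f"hides mail in '{folder}'")
    if rule.get("MarkAsRead"):
        f.score += 1
        f.reasons.append("marks mail as read")
    words = _as_list(rule.get("SubjectContainsWords")) + _as_list(rule.get("BodyContainsWords"))
    hits = sorted({w for w in words if any(k in w for k in BEC_KEYWORDS)})
    if hits:
        f.score += 2
        f.reasons.append(f"BEC keywords: {', '.join(hits)}")
    if len(name.strip()) <= 2:
        f.score += 2
        f.reasons.append("blank or one-character rule name")
    return f


def triage(mailboxes: dict[str, list[dict]], internal_domains: set[str],
           threshold: int = 5) -> list[Finding]:
    """Return rules at or above the threshold, most suspicious first."""
    findings = [score_rule(mb, rule, internal_domains)
                for mb, rules in mailboxes.items() for rule in rules]
    return sorted((f for f in findings if f.score >= threshold),
                  key=lambda f: f.score, reverse=True)


def remediation_commands(findings: list[Finding]) -> list[str]:
    """Exchange Online / Microsoft Graph PowerShell to remove each rule and revoke sessions."""
    cmds = []
    for f in findings:
        cmds.append(f"Remove-InboxRule -Mailbox '{f.mailbox}' -Identity '{f.rule}' -Confirm:$false")
    for mailbox in sorted({f.mailbox for f in findings}):
        cmds.append(f"Revoke-MgUserSignInSession -UserId '{mailbox}'")
    return cmds


# Constructed sample: two mailboxes, three rules, one benign.
SAMPLE = {
    "a.lee@contoso.example": [
        {"Name": ".", "ForwardTo": ["attacker [SMTP:drop@mail-relay.example]"],
         "DeleteMessage": True, "SubjectContainsWords": ["password", "SharePoint"]},
        {"Name": "Move team reports", "MoveToFolder": ":\\Inbox\\Projects", "MarkAsRead": False},
    ],
    "b.ortiz@contoso.example": [
        {"Name": "RSS", "MoveToFolder": ":\\RSS Subscriptions", "MarkAsRead": True,
         "SubjectContainsWords": ["invoice", "payment"]},
    ],
}

if __name__ == "__main__":
    for finding in triage(SAMPLE, {"contoso.example"}):
        print(finding.score, finding.mailbox, repr(finding.rule), "; ".join(finding.reasons))
    print("\n".join(remediation_commands(triage(SAMPLE, {"contoso.example"}))))
```

Feed it real data by exporting rules per mailbox with `Get-InboxRule` and reviewing the printed commands before running them; the session revocation is the step the report calls out as essential, and it needs to cover every compromised user, not only those with rules found.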

SmarterMail auth bypass flaw now exploited despite patch

Following up on a story we covered on December 31, threat actors are now exploiting an authentication bypass vulnerability in SmarterTools’ SmarterMail email server and collaboration tool that allows resetting admin passwords. Specifically, the issue “resides in the force-reset-password API endpoint, which is intentionally exposed without authentication.” watchTowr reported the issue on January 8, SmarterMail released a fix on January 15, and the watchTowr researchers found evidence of exploitation just two days after that. “This suggests that hackers reverse-engineered the patch and found a way to leverage the flaw.” Because the endpoint resets administrator passwords, a server that was exposed before the fix should also have its administrator accounts checked for unexpected password changes; updating alone does not evict an attacker who already reset one.

(BleepingComputer)

Spanish judge closes NSO Group spyware probe

A Spanish judge has closed the investigation into the use of Pegasus spyware against top government officials, citing a lack of cooperation from Israel. The court opened the case in 2022 over the alleged infection of devices belonging to Spain’s Prime Minister and Defense Minister Margarita Robles with the zero-click spyware Pegasus, manufactured by Israel’s NSO Group. Israel has not responded to five cooperation requests, the judge said, breaking “the balance inherent in international cooperation and [violating] the principle of good faith that should govern relations between states.”

(The Record)

Fake cell tower scam uncovered in Greece

Back in September we reported on scammers who use mobile cell towers packed into cars to blast phishing messages to phone users in a selected city. Police in Athens have now taken down such an operation, after stopping a car at a checkpoint east of the city. The equipment was hidden in the car’s trunk. The device “forced nearby mobile phones to connect to the suspects’ system and downgraded them from 4G to the less-secure 2G network, exploiting long-known vulnerabilities.” The downgrade is the key step: 2G (GSM) authenticates the handset to the network but not the network to the handset, so once a phone is pushed down to 2G a rogue base station can impersonate the carrier. This allowed the thieves to harvest identifying data such as phone numbers and send scam text messages posing as banks or courier companies. Three fraud cases have now been uncovered in Greece, but authorities said, “the full scope of the operation remains unclear.”

(The Record)

Huge thanks to our sponsor, Dropzone AI

All week we’ve talked about alert fatigue, MTTR, and the math that’s breaking your SOC.

Here’s the proof. Dropzone AI is trusted by over 300 global enterprises and MSSPs. Named a Gartner Cool Vendor. Recognized in the Fortune Cyber 60. And backed by $37 million in Series B funding.

But they’re not stopping at a single agent. They’re building toward fully agentic SOC teams where human engineers are augmented with specialized AI agents for threat hunting, detection engineering, and forensics.

Your team deserves a backup that never sleeps. Book a demo at dropzone.ai.

NIST officials describe impact of staff cuts

At a meeting on Wednesday of the Information Security and Privacy Advisory Board (ISPAB), NIST officials described how they are dealing with current mandates on AI, cybersecurity and post-quantum cryptography. Kevin Stine, Director of NIST’s Information Technology Laboratory (ITL), said the agency has lost more than 700 people in the past year, “through personnel initiatives like resignations and voluntary deferments.” The agency is facing further constraints, including a Congress-led cut of $13 million from NIST’s labs program. Such constraints, he said, are “forcing a very focused discussion on prioritization of our activities.”

(Cyberscoop)

An alternative to CVE appears

The Global CVE Allocation System, or GCVE, will be “maintained by the Computer Incident Response Center Luxembourg (CIRCL) as an alternative to the traditional Common Vulnerabilities and Exposures program, which narrowly avoided shutdown last April when CISA initially failed to renew its contract with MITRE, which operates the CVE system.” Although collapse was averted, the episode exposed the program’s dependence on a single funding source. The proposed GCVE avoids reliance on a centralized system by letting independent numbering authorities allocate identifiers from their own namespaces. The system will maintain backward compatibility with the existing CVE infrastructure through a technical accommodation.

(Cyberscoop)
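To make that compatibility concrete, here is an added parser for the identifier layout the GCVE project publishes, written for this page rather than taken from CIRCL’s tooling. It assumes identifiers of the form `GCVE-<GNA ID>-<year>-<number>`, where the numbering-authority ID 0 is reserved for CVE-compatible identifiers (so `GCVE-0-2025-1234` and `CVE-2025-1234` name the same entry); the registry dictionary is a stub that only knows that reserved entry, and the real list of numbering authorities would come from the GCVE registry.

```python
"""Parse and convert between CVE and GCVE identifiers (added example)."""
import re
from dataclasses import dataclass

# Assumed layouts: GCVE-<GNA ID>-<year>-<number>, CVE-<year>-<number, 4+ digits>.
_GCVE_RE = re.compile(r"^GCVE-(?P<gna>\d+)-(?P<year>\d{4})-(?P<num>\d+)$")
_CVE_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<num>\d{4,})$")

# GNA ID 0 is the CVE-compatible namespace; other entries would be loaded from the registry.
GNA_REGISTRY = {0: "CVE-compatible (MITRE CVE program)"}


@dataclass(frozen=True)
class VulnId:
    gna: int      # numbering authority; 0 means the identifier is also a CVE
    year: int
    number: int

    def gcve(self) -> str:
        return f"GCVE-{self.gna}-{self.year}-{self.number}"

    def cve(self) -> str:
        """Only GNA 0 identifiers have a CVE form; others have no CVE equivalent."""
        if self.gna != 0:
            raise ValueError(f"{self.gcve()} is not in the CVE-compatible namespace")
        return f"CVE-{self.year}-{self.number:04d}"   # CVE zero-pads to at least 4 digits

    def authority(self) -> str:
        return GNA_REGISTRY.get(self.gna, f"unknown GNA {self.gna} (not in local registry)")


def parse(identifier: str) -> VulnId:
    """Accept either a GCVE or a CVE string; CVEs map to GNA 0."""
    ident = identifier.strip().upper()
    if m := _GCVE_RE.match(ident):
        return VulnId(int(m["gna"]), int(m["year"]), int(m["num"]))
    if m := _CVE_RE.match(ident):
        return VulnId(0, int(m["year"]), int(m["num"]))
    raise ValueError(f"not a CVE or GCVE identifier: {identifier!r}")


def to_gcve(identifier: str) -> str:
    return parse(identifier).gcve()


def to_cve(identifier: str) -> str:
    return parse(identifier).cve()


def same_entry(a: str, b: str) -> bool:
    """True when two identifiers (in either form) refer to the same vulnerability record."""
    return parse(a) == parse(b)


if __name__ == "__main__":
    for s in ("CVE-2024-0001", "GCVE-0-2025-1234", "GCVE-1-2025-7"):
        v = parse(s)
        print(s, "->", v.gcve(), "|", v.authority())
```

The useful property for tooling that must straddle both systems is that every CVE has exactly one GCVE form and the conversion is lossless in both directions for GNA 0, while identifiers issued by other numbering authorities simply have no CVE form and should be stored as-is rather than forced into one.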

Osiris ransomware emerges in vulnerable driver attack

Researchers at the Symantec and Carbon Black Threat Hunter Team are warning of a new ransomware family called Osiris that targeted a major food service franchisee operator in Southeast Asia in November 2025. The campaign used a malicious driver named POORTRY “as part of a known technique called bring your own vulnerable driver (BYOVD) to disarm security software.” Because the driver loads through the normal, signed-driver path, the controls that matter are Microsoft’s vulnerable driver blocklist and the HVCI or WDAC policy that enforces it, plus alerting on unexpected driver loads and on the security agents going silent. This is a brand-new ransomware strain, not related to one of the same name that appeared around December 2016. The actors who deployed it are thought to have been previously associated with INC ransomware. It is being described as an “effective encryption payload” that uses a hybrid encryption scheme and “a unique encryption key for each file.”

(The Hacker News)

The problem of AI agents emerges at Davos

At the annual World Economic Forum meeting, better known by the Swiss resort that hosts it, the topic of AI agents and how to secure them against becoming the ultimate insider threat took center stage during a panel discussion on cyber threats. The Chief Technology Officer of training company Pearson, Dave Treat, stated, “We have enough difficulty getting the humans trained to be effective at preventing cyberattacks. Now I’ve got to do it for humans and agents in combination.” It seemed no one had a good response. Cloudflare co-founder and president Michelle Zatlyn said, “with agents, you need to think about them as an extension of your team, an extension of your employee base.” Hatem Dowidar, group CEO of Emirati company Etisalat, suggested more guardrails. “With human agents, many years ago we started saying ‘all calls are recorded for quality purposes.’ We need to create that also for AI agents,” he said. Mastercard CEO Michael Miebach said organizations should take a page from the banking industry’s security and threat-intelligence practices and “collect as many signals as possible from relevant data streams and other indicators to determine if activity is safe or malicious.”

(The Register)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.