This week’s Department of Know is hosted by Rich Stroffolino with guests Bil Harmer, CISO, Supabase, and Chris Ray, Field CTO, GigaOm
Missed the live show? Check it out on YouTube
The Department of Know is live every Monday at 4:00 p.m. ET. Join us each week by registering for the open discussion at CISOSeries.com
How SaaS apps enable massive breaches
A new report from Grip Security finds “shadow AI” embedded in SaaS apps is driving a surge in breaches, with a 490% increase in attacks and 80% involving sensitive data. Researchers say stolen OAuth tokens can let attackers exploit AI agents to access connected systems and trigger cascading compromises across organizations. The report points to the 2025 Salesloft Drift breach, which impacted more than 700 companies, as a model for how a single SaaS compromise can spread widely. Grip Security warns 2026 could see even larger incidents without better visibility and control over AI-enabled apps. (SecurityWeek)
DUAL Story
– Cybercrime up 245% since Iran conflict
Akamai reports that cybercrime activity has surged 245% since the start of the Iran war, with botnet scanning, credential harvesting, and reconnaissance targeting banks and critical businesses. Banking and fintech account for about 40% of the malicious traffic, followed by e-commerce and gaming. Although the campaign is tied to geopolitical tensions, only about 14% of source IPs originate from Iran, with many attacks routed through proxy infrastructure in Russia and China used by hacktivist groups. (The Register)
– CISA official: no uptick in cyber threats amid Iran war
Cybersecurity and Infrastructure Security Agency Acting Director Nick Andersen said the U.S. has not seen an increase in Iranian cyber activity despite recent military strikes, describing the threat landscape as “steady” while warning other actors remain active. Andersen added the agency is prioritizing faster vulnerability response timelines and monitoring AI-driven attacks, while continuing to work with Stryker following a cyberattack linked to the Iran-associated group Handala. (The Record)
Energy Department to release first cyber strategy
According to Alex Fitzsimmons, acting director of the Office of Cybersecurity, Energy Security, and Emergency Response, the US Department of Energy will release a strategic plan “soon” for how it intends to protect the energy grid from cyberattacks. The plan will supplement the recently released national cybersecurity strategy, which focuses on sector resilience, and Fitzsimmons said it will rely heavily on public-private partnerships. It will also outline areas of investment for defensive AI deployments in the sector, with Fitzsimmons noting that adversaries are already increasingly using AI offensively.
Font-rendering hides malicious commands from AI in plain sight
Researchers at LayerX released a proof-of-concept attack that uses custom font remapping and CSS to fool LLM-based tools while keeping the payload in plain sight of the user. It takes advantage of the fact that an LLM reads a page’s structured text rather than the rendered page. AI tools scanning the PoC’s HTML see only meaningless, unreadable content, but once the page is rendered it shows the malicious instructions to the user. LayerX found the approach worked on most major models, including ChatGPT, Claude, Copilot, Gemini, and Grok. LayerX reported the finding to vendors in December, but most considered it “out of scope” as a social engineering attack, with only Microsoft accepting and addressing it.
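A defender-side screen for the mismatch described above, added here as an example and not LayerX’s PoC or any vendor’s code: before handing page text to an LLM, flag HTML that both embeds a custom font inline via @font-face and whose text nodes are unreadable as written. The thresholds, the Private Use Area and vowel-ratio heuristics, and the sample pages are all assumptions of this example; the font payload in the samples is a placeholder, not a real remapping font.

```python
"""Heuristic screen for HTML whose text-as-written may not match its rendering.

Two signals are combined: the page embeds a custom font inline via @font-face
with a data: URI (the remapping vehicle), and its text nodes are unreadable
as text (mostly Private Use Area code points, or a vowel ratio far from that
of natural language). Either signal alone is common on benign pages; together
they warrant treating the page's text as untrusted before it reaches an LLM.
"""
import re
from html.parser import HTMLParser

# Matches an @font-face block whose src is an inline data: URI (assumed indicator).
FONT_FACE_DATA_URI = re.compile(
    r"@font-face\s*\{[^}]*src\s*:[^;}]*url\(\s*['\"]?data:",
    re.IGNORECASE | re.DOTALL,
)


class _TextExtractor(HTMLParser):
    """Separates <style> contents from the text nodes a text-only consumer sees."""

    def __init__(self):
        super().__init__()
        self.text, self.css = [], []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        (self.css if self._in_style else self.text).append(data)


def _is_private_use(ch):
    cp = ord(ch)
    return 0xE000 <= cp <= 0xF8FF or 0xF0000 <= cp <= 0x10FFFD


def analyse_html(html, pua_threshold=0.3, vowel_band=(0.25, 0.55), min_letters=20):
    """Return per-signal results plus an overall 'suspicious' verdict.

    Only inline <style> blocks are inspected; external stylesheets are not
    fetched, so a remapping font loaded from a separate CSS file is missed.
    Thresholds are assumptions; tune them on your own corpus.
    """
    parser = _TextExtractor()
    parser.feed(html)
    text = "".join(parser.text)
    css = "".join(parser.css)

    visible = [c for c in text if not c.isspace()]
    letters = [c for c in visible if c.isalpha()]
    pua_ratio = sum(map(_is_private_use, visible)) / len(visible) if visible else 0.0
    vowel_ratio = (
        sum(c.lower() in "aeiou" for c in letters) / len(letters) if letters else 0.0
    )

    embedded_font = bool(FONT_FACE_DATA_URI.search(css))
    mostly_pua = pua_ratio >= pua_threshold
    odd_vowels = len(letters) >= min_letters and not (
        vowel_band[0] <= vowel_ratio <= vowel_band[1]
    )
    return {
        "embedded_font": embedded_font,
        "pua_ratio": round(pua_ratio, 3),
        "vowel_ratio": round(vowel_ratio, 3),
        "suspicious": embedded_font and (mostly_pua or odd_vowels),
    }


# Constructed sample pages for the demo (not LayerX's PoC); the font data is a placeholder.
FONT_CSS = ('<style>@font-face{font-family:"r";src:url(data:font/woff2;base64,AAAA)}'
            'body{font-family:"r"}</style>')
SENTENCE = "Please review your invoice and contact support if anything looks wrong."
BENIGN = "<html><body><p>" + SENTENCE + "</p></body></html>"
BENIGN_WITH_FONT = "<html><head>" + FONT_CSS + "</head><body><p>" + SENTENCE + "</p></body></html>"
REMAPPED_PUA = ("<html><head>" + FONT_CSS + "</head><body><p>"
                + "\ue001\ue002\ue003\ue004\ue005\ue006\ue007 " * 4 + "</p></body></html>")
REMAPPED_LATIN = ("<html><head>" + FONT_CSS + "</head><body><p>"
                  "xkq zrt plm wvb ghj nsd ptr kcb</p></body></html>")

if __name__ == "__main__":
    for name, page in [("benign", BENIGN), ("benign_with_font", BENIGN_WITH_FONT),
                       ("remapped_pua", REMAPPED_PUA), ("remapped_latin", REMAPPED_LATIN)]:
        print(name, analyse_html(page))
```

A page that merely ships a web font is not flagged (the second sample), which is the point of requiring both signals: the false-positive cost of refusing every page with a custom font would be far too high, while gibberish text plus an inline font is rare on legitimate pages.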
Huge thanks to our sponsor, ThreatLocker

Critical Microsoft SharePoint flaw now exploited in attacks
According to CISA, CVE-2026-20963, a Microsoft SharePoint Server flaw patched in January, is now being exploited. It affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. Successful exploitation “enables threat actors without privileges to achieve remote code execution on unpatched servers in low-complexity attacks that exploit a deserialization of untrusted data weakness.” SharePoint Server 2007, SharePoint Server 2010, and SharePoint Server 2013 are also vulnerable but, being end-of-support, no longer receive security updates. Admins running those versions are advised to upgrade to a supported version to block attacks.
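A quick inventory check for the exposure above, added here as an example (not CISA’s or Microsoft’s tooling): on-prem SharePoint answers HTTP requests with a MicrosoftSharePointTeamServices header carrying a build string such as 16.0.0.NNNN, which can be compared against the build of the fix you deployed. The fixed build numbers are not on this page and must be taken from the January update’s KB article; the mapping of build ranges to product lines below is an assumption to verify against Microsoft’s build list, and the sample responses are constructed.

```python
"""Screen SharePoint hosts for an exposed build older than a known-fixed build.

The MicrosoftSharePointTeamServices response header is a screening signal only;
(Get-SPFarm).BuildVersion on the farm itself is the authoritative patch level.
"""
import re
import urllib.request
from urllib.error import HTTPError, URLError

HEADER = "MicrosoftSharePointTeamServices"
BUILD_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_build(value):
    """'16.0.0.5456' -> (16, 0, 0, 5456); None for a missing or non-build value."""
    m = BUILD_RE.match(value.strip()) if value else None
    return tuple(int(x) for x in m.groups()) if m else None


def product_of(build):
    """Map a header build to a product line.

    Assumed ranges (verify before relying on them): major < 16 is SharePoint 2013
    (15.0) or older, which is end-of-support; 16.0.0.4xxx-9xxx is 2016,
    16.0.0.10xxx-13xxx is 2019, 16.0.0.14xxx and up is Subscription Edition.
    """
    if build[0] < 16:
        return "end-of-support"
    n = build[3]
    if n < 10000:
        return "2016"
    if n < 14000:
        return "2019"
    return "SE"


def classify(headers, fixed_builds):
    """Return (product, status) for a response header map.

    fixed_builds maps product line -> first fixed build in header form, e.g.
    {"2016": (16, 0, 0, NNNN), ...}; fill it from the January update KB.
    """
    value = next((v for k, v in headers.items() if k.lower() == HEADER.lower()), None)
    build = parse_build(value)
    if build is None:
        return (None, "unknown")
    product = product_of(build)
    if product == "end-of-support":
        return (product, "unsupported")
    return (product, "patched" if build >= fixed_builds[product] else "unpatched")


def check_host(url, fixed_builds, timeout=5):
    """Classify a live host (network; not exercised by the offline demo).

    A 401 from an authenticated site still carries the header, so HTTPError is
    treated as a valid response rather than a failure.
    """
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "sp-build-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(dict(resp.headers.items()), fixed_builds)
    except HTTPError as exc:
        return classify(dict(exc.headers.items()), fixed_builds)
    except URLError as exc:
        return (None, f"error: {exc.reason}")


# Constructed responses for the demo; every build number here is illustrative.
SAMPLES = {
    "intranet-a": {HEADER: "16.0.0.5456"},
    "intranet-b": {HEADER: "16.0.0.5600"},
    "legacy": {HEADER: "15.0.0.4420"},
    "not-sharepoint": {"Server": "nginx"},
}
# Placeholder thresholds (assumption): replace with the real fixed builds from the KB.
ASSUMED_FIXED = {"2016": (16, 0, 0, 5500), "2019": (16, 0, 0, 10420), "SE": (16, 0, 0, 18500)}

if __name__ == "__main__":
    for host, hdrs in SAMPLES.items():
        print(host, classify(hdrs, ASSUMED_FIXED))
```

Anything that comes back unpatched or unsupported should be confirmed on the farm with the SharePoint Management Shell before it is reported, since a reverse proxy or WAF in front of the farm can rewrite or strip the header.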
Law enforcement seizes botnet infrastructure
Agencies and tech companies from the U.S., Germany, and Canada collaborated on an operation to seize infrastructure used by the Aisuru, KimWolf, JackSkid, and Mossad botnets, all of which were used to deliver DDoS attacks. The four botnets were built out of about three million compromised devices around the world, many of them Internet of Things (IoT) devices such as cameras, routers, and video recorders. Hundreds of thousands of these are located in the U.S., and some were behind firewalls. The botnet operators monetized them by selling access to other criminal organizations. The Justice Department did not say whether any arrests were made in conjunction with the infrastructure takedown.
Microsoft Azure Monitor alerts used for callback phishing attacks
Azure Monitor is Microsoft’s cloud-based monitoring service that collects and analyzes data from Azure resources, applications, and infrastructure, allowing users to track performance, receive notifications about billing changes, detect issues, and trigger alerts based on various conditions. Numerous customers of the service have recently reported receiving Azure Monitor alerts that warn of suspicious charges or invoice activity on their accounts and ask the customer to call an enclosed phone number. The wording of the warning is in line with that used by legitimate software services, right down to an apology for the inconvenience. “Unlike other phishing campaigns, these messages are not spoofed but are sent directly by the Microsoft Azure Monitor platform using the legitimate azure-noreply@microsoft.com email address.”
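Because the sender here is genuine, SPF, DKIM and DMARC all pass and a mail gateway has to decide on content instead. The content rule below is an added example of that decision, not Microsoft’s or any vendor’s code: it flags a message as callback phishing when a billing or charge lure, a request to call, and a phone number appear together, regardless of who sent it. It assumes that a genuine Azure Monitor alert links back to the portal rather than asking the recipient to phone a number; the keyword lists, the phone-number pattern and both sample messages are constructed for the example.

```python
"""Flag callback-phishing lures delivered through a legitimate alerting platform.

Sender checks pass by design (the mail really comes from azure-noreply@microsoft.com),
so the verdict rests on content: a billing/charge lure plus a request to call a
phone number. Assumption: genuine Azure Monitor alerts point at the portal and
never ask the recipient to phone anyone.
"""
import re
from email import message_from_string

AZURE_SENDER = "azure-noreply@microsoft.com"
# North American phone numbers with optional country code (constructed pattern; widen for other regions).
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
LURE_WORDS = ("invoice", "charge", "billing", "payment", "refund", "suspicious")
CALL_WORDS = ("call", "phone", "contact us at", "dial")


def _body_text(msg):
    """Concatenate the text/plain parts of a parsed message (multipart or not)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def assess(raw_message):
    """Return sender facts, extracted indicators and a verdict for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    sender = (msg.get("From") or "").lower()
    text = (msg.get("Subject") or "") + "\n" + _body_text(msg)
    low = text.lower()
    phones = PHONE_RE.findall(text)
    lure = [w for w in LURE_WORDS if w in low]
    asks_to_call = any(w in low for w in CALL_WORDS)
    verdict = "callback-phishing" if phones and lure and asks_to_call else "ok"
    return {
        "from_azure": AZURE_SENDER in sender,
        "phones": phones,
        "lure_words": lure,
        "verdict": verdict,
    }


# Constructed sample messages; the phone number is a reserved fictional one.
LURE_SAMPLE = """From: Microsoft Azure <azure-noreply@microsoft.com>
To: ops@example.com
Subject: Azure Monitor alert: Suspicious charge detected on your account

Severity: Sev1
Alert rule: Invoice activity review
Description: A suspicious charge of $489.00 was applied to your subscription.
To dispute this invoice, call our billing team at 1-800-555-0142 within 24 hours.
We apologize for the inconvenience.
"""

BENIGN_SAMPLE = """From: Microsoft Azure <azure-noreply@microsoft.com>
To: ops@example.com
Subject: Azure Monitor alert: CPU percentage above threshold

Severity: Sev3
Alert rule: vm-cpu-high
Description: Average CPU percentage on vm-web-01 exceeded 85 percent.
View this alert in the Azure portal to investigate.
"""

if __name__ == "__main__":
    for name, sample in [("lure", LURE_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(name, assess(sample))
```

The attacker-controlled text lives in the alert rule name and description, so the same rule applied to your own tenant’s alert rules (for example, over an export of their descriptions) tells you whether someone has created such a rule inside your subscription rather than merely mailing you from theirs.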