The Hacker News | Expert Insights

How Attackers Are Adding AI Voice Cloning to Microsoft Teams Attacks

Jun 08, 2026
Microsoft Teams' cross-tenant collaboration feature, which allows external accounts to message employees directly, is enabled by default in most enterprise deployments. Most organizations have never audited or restricted it. That default setting has become one of the more reliable social engineering entry points security teams are managing today. The base attack is straightforward. An attacker creates an external Teams account, identifies a target through LinkedIn or a company directory, and sends a message posing as IT helpdesk staff. The message cites an urgent account issue (an MFA problem, a security alert, a failed login) and asks the employee to open Quick Assist, a built-in Microsoft remote assistance tool, and approve a session. What has changed recently is the layer added on top of that initial contact: an AI-generated voice that sounds like someone the target already knows. How the Base Attack Chain Unfolds Once Quick Assist access is established, the attack fol...
Hacking Salesforce Sites With an LLM Agent

Jun 08, 2026
AI is changing the security landscape. More and more threat groups incorporate LLMs into their reconnaissance and exploitation workflows. The notion that some vulnerabilities are too complex to implement is now obsolete. Using LLMs, hackers can automatically find and exploit complex vulnerabilities. We have all heard of Claude Mythos and its ability to identify vulnerabilities in large codebases and exploit them automatically. But LLMs can do more than find vulnerabilities in code. ShinyHunters has scanned thousands of Salesforce Sites. They used a modified version of "AuraInspector". They possibly used an LLM to code their framework, mods, reconnaissance tools, and other aspects of their workflow. But the next step is to use AI to supercharge the attack process itself. We at Reco decided to explore what it would look like. Reco's security research team built an AI-powered agent capable of performing end-to-end security assessments of Salesforce Experience Cloud sit...
Detecting Phishing and Insider Threats Using Wazuh

Jun 03, 2026
Phishing and insider threats continue to pose significant, often overlapping risks in modern threat landscapes. Compromised credentials obtained through phishing campaigns or social engineering attacks can grant adversaries legitimate access, effectively converting external threats into insider risks. This convergence complicates detection, as malicious activity may closely mimic authorized user behavior. To address this challenge, security teams require a platform that can correlate events from multiple sources, including endpoints, users, and network activity. Security teams, therefore, need a Security Information and Event Management (SIEM) platform that can collect and correlate activity across endpoints, users, and network sources. A SIEM platform enables the aggregation and correlation of data from multiple sources, helping analysts uncover suspicious patterns that would otherwise go unnoticed. Phishing attacks Phishing attacks remain among the most effective techniques us...
Endpoint Detection & Response Is Now Table Stakes — Here’s What Comes Next

Jun 02, 2026
New Bitdefender research reveals that 97.7% of respondents now use endpoint detection and response (EDR). That number might seem high compared to commonly accepted market penetration estimates, particularly for mid-market organizations. But it is further confirmation that the vast majority of businesses have already upgraded their endpoint protection. This is hardly surprising. The conversation in enterprise security is no longer just about blocking malware or stopping known threats. It is about "proving" that an organization can detect, investigate, and respond to modern attacks before they escalate into operational disruption, financial loss, or reputational damage. This shift was driven by a new reality: endpoint protection alone is no longer enough. The laggards, typically mid-market organizations with lean IT and security teams, are now realizing this. Threat actors are AI-enabled, more evasive, and increasingly successful at bypassing traditional defenses. At the...
Why Fragmented Identity Pipelines Fail Against Digital Injections

Jun 01, 2026
Most identity verification failures do not originate from flawless synthetic IDs or visually undetectable deepfakes. Instead, they stem from structural exposures and information loss between the point of data capture and the final automated decision. As remote identity systems evolve, trust becomes an architectural property. If a backend cannot verify the hardware provenance of an image or video, the rest of the security pipeline operates on degraded input. By the time a synthetic face reaches a visual liveness model, the most critical context may already be gone. This post examines why fragmented identity APIs drop vital signals, how identity supply chains dilute accountability, and why these gaps allow digital injection attacks to succeed. The Hidden Risk in Identity Supply Chains Modern identity verification often relies on a complex supply chain that distributes camera capture, document parsing, liveness checks, and risk scoring across multiple vendors. Rather than opera...
You Can’t Patch Your Way Out of This One

May 25, 2026
AI-driven vulnerability discovery is no longer a research project. Claude Mythos proved that. In a single sweep, it uncovered thousands of vulnerabilities in software we use every day, generated working exploits, and exposed bugs that had survived decades of human review. Other AI models are rapidly catching up, and we've entered into an entirely new operating environment for cybersecurity. The industry is treating this as a turning point, and it is. But not for the reason most people might think. The Real Problem Was Never Finding Vulnerabilities Most of the conversation around AI security focuses on discovery: AI can now identify vulnerabilities faster than human teams ever could. That is certainly true, but it also misses the larger operational reality organizations have been struggling with for years. Security teams were already overwhelmed long before AI entered the picture. Vulnerability scanners, fuzzers, and static analysis tools have consistently generated more...
How to Test Ransomware Recovery Without Reinfecting Your Environment

May 25, 2026
For most managed service providers (MSPs), ransomware recovery is not a problem that affects one client at a time. It is a multitenant, high-pressure scenario where recovery failures impact multiple clients at once. Testing ransomware recovery is not just a technical exercise but a business-critical requirement. The green check of a successful backup job does not guarantee successful ransomware recovery. Attackers today do more than encrypt files. They compromise identity systems, alter configurations, and create persistence mechanisms that survive system restoration. So, a "clean" backup can still reintroduce dormant malware or broken dependencies into your environment. Recovery success depends on whether systems are usable, trusted and operational after restore, not whether data simply exists. Modern ransomware protection and recovery strategies require correlation between security events and backup data. Without that, MSPs are forced into guesswork across multiple cl...
The Scam Before the Game: CTM360 Reveals Threats Targeting FIFA World Cup 2026 Fans

May 25, 2026
As anticipation builds for the FIFA World Cup 2026, cybercriminals are rapidly scaling fraud operations designed to exploit global fan excitement, urgency, and trust in tournament-related content. CTM360 researchers identified more than 7,000 FIFA World Cup 2026-themed domains, including over 4,500 newly registered domains observed within the last five months alone. More than 1,000 malicious or fraudulent websites have already been activated, alongside over 1,000 social media impersonation accounts operating across major platforms. The activity highlights how threat actors increasingly treat major global sporting events as large-scale monetization opportunities, combining fake ticket sales, fraudulent streaming platforms, betting scams, malware delivery, and social engineering into coordinated fraud ecosystems. Unlike isolated phishing attempts, these campaigns operate through repeatable fraud lifecycles that mirror organized cybercrime operations. CTM360's Fraud Navigator ...