InfoSec News 17MAR2026
General
- Microsoft is having issues with Office and Exchange Online.
office.com was verified as down, at the time of writing this.
"We're investigating reports of some users experiencing issues when accessing their Exchange Online mailbox via one or more connection methods," Microsoft said when it acknowledged the issue at 06:42 AM UTC.
Right before publishing, the Office.com web portal was down and displayed the message "We are sorry, something went wrong. Please try refreshing the page in a few minutes."
...
"We've identified that a section of service infrastructure is not processing traffic efficiently. We're making configuration changes to remediate impact," the company said in an admin center service alert (MO1253428).
...
"An underlying issue involving the supporting network infrastructure resulted in a service availability degradation across the Exchange Online connection methods," it said in a new admin center update. "We're continuing to investigate to determine the full root cause and will provide more information within the Post-Incident Report."
However, the company is still investigating the MO1253428 issue that is causing Office.com or the Microsoft 365 Copilot web sign‑in access problems.
- Google Mandiant (aka Google Threat Intelligence Group, GTIG) have released their review of 2025 ransomware and data-leak incidents.
Improvements in organizational security and the growing ability of victims to recover from ransomware attacks may be leading some adversaries to view data theft as a more reliable method for securing payments. In intrusions investigated by Mandiant, we observed a decline in traditional ransomware deployment coinciding with a rise in data theft extortion. Further, some RaaS programs are providing data-theft-extortion-only options in addition to ransomware, which may reflect demand from their customer base.
...
In the majority of instances where exploits were used or suspected, the threat actors targeted vulnerabilities in common VPNs and firewalls such as Fortinet (CVE-2024-55591, CVE-2024-21762, and CVE-2019-6693), SonicWall (CVE-2024-40766), Palo Alto (CVE-2024-3400), and Citrix (CVE-2023-4966).
...
We observed multiple threat clusters leverage malvertising and/or search engine optimization (SEO) tactics to distribute malware payloads for initial access, including both ransomware operators themselves and initial access partners that ultimately led to follow-on ransomware intrusions.
...
Ransomware actors consistently relied on compromised credentials to establish a foothold in victim environments.
Once authenticated to network services, they also often used these credentials to provision or modify highly privileged accounts to maintain access.
...
In 2025, multiple ransomware actors relied on remote monitoring and management tools (RMMs) for multiple phases of the attack lifecycle. We observed a variety of these legitimate tools abused in incidents, including ANYDESK, SCREENCONNECT, and SPLASHTOP.
...
Threat actors often used native Windows features to create services and register scheduled tasks to programmatically and recurrently execute malware, such as backdoors or tunnelers. For example, in a RHYSIDA incident, threat actors registered a scheduled task to run the LIONSHARE tunneler every 12 hours.
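An added defender-side example, not from the Mandiant report: audit the local scheduled tasks for the persistence pattern described above (a task that re-launches a binary from a writable location on a short interval). It assumes the built-in ScheduledTasks module and an elevated shell; the writable-path list and the argument patterns are assumptions to tune per estate.

```powershell
# Added example, not from the Mandiant report: audit scheduled tasks for the
# persistence pattern described above (a task that re-launches a payload on a
# short interval). Assumes the built-in ScheduledTasks module and an elevated
# shell; the path list and argument patterns are assumptions to tune per estate.

$UserWritableRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC,
                       'C:\Users', 'C:\ProgramData') |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Get-SuspiciousScheduledTask {
    [CmdletBinding()]
    param(
        # Repetition intervals at or below this are reported (covers the 12-hour case above)
        [timespan]$MaxInterval = (New-TimeSpan -Hours 24)
    )
    foreach ($task in Get-ScheduledTask) {
        $reasons = @()
        foreach ($action in $task.Actions) {
            $exe = $action.Execute
            if (-not $exe) { continue }   # COM-handler or e-mail actions carry no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($exe).Trim('"')
            foreach ($root in $UserWritableRoots) {
                if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $reasons += "binary in user-writable path: $exe"; break
                }
            }
            if ($action.Arguments -match 'powershell|-enc|cmd(\.exe)? /c|rundll32|regsvr32|mshta|wscript|cscript') {
                $reasons += "script host or LOLBin in arguments: $($action.Arguments)"
            }
        }
        if (-not $reasons) { continue }   # only report tasks with a suspicious action
        foreach ($trigger in $task.Triggers) {
            $interval = $trigger.Repetition.Interval   # ISO 8601 duration, e.g. PT12H
            if ($interval) {
                $span = [System.Xml.XmlConvert]::ToTimeSpan($interval)
                if ($span -le $MaxInterval) { $reasons += "repeats every $span" }
            }
        }
        if ($task.Principal.UserId -match 'SYSTEM|S-1-5-18') { $reasons += 'runs as SYSTEM' }
        [pscustomobject]@{
            TaskPath = $task.TaskPath
            TaskName = $task.TaskName
            Author   = $task.Author
            Reasons  = ($reasons -join '; ')
        }
    }
}

Get-SuspiciousScheduledTask | Format-Table -AutoSize -Wrap
```

Tasks under \Microsoft\ are deliberately not excluded, since attacker-created tasks are often placed there to blend in; compare the Author and Reasons columns against a known-good baseline.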
...
We observed multiple threat actors attempt to harvest credentials from various internal sources, including backup tools, browsers, password managers, and credentials stored in cleartext.
...
Threat actors accessed or attempted to access common password management tools, including KeePass, Bitwarden, and the Windows Credential Manager.
...
In approximately 85% of intrusions, threat actors leveraged RDP with either compromised or attacker-created accounts for lateral movement.
Across a range of incidents we observed threat actors leveraging SMB for lateral movement to access network shares, stage payloads, and execute remote commands.
...
Threat actors leveraged a variety of malicious and legitimate utilities to tunnel and proxy traffic within victim networks, including SYSTEMBC, VIPERTUNEL, PYSOXY, CLOUDFLARED, and OpenSSH.
...
In 2025, threat actors continued to rely on publicly available tools and utilities—including Rclone, MEGASync, Megatools, restic, and possibly Cyberduck—to exfiltrate data.
We observed Rclone in approximately 28% of intrusions where data theft was confirmed or suspected to exfiltrate data to attacker-controlled infrastructure.
...
Threat actors leveraged a myriad of legitimate cloud services and infrastructure to exfiltrate stolen data, including Azure, AWS, Backblaze, Cloudzy, Filemail, Google Drive, MEGA, and OneDrive.
...
Threat actors often relied on automated mechanisms to deploy ransomware. In many cases, they relied on native Windows mechanisms to facilitate ransomware execution.
...
Most commonly, we observed threat actors disabling Windows Defender, often by modifying the Windows registry. In some other cases, the threat actors modified Defender configurations via the Set-MpPreference PowerShell cmdlet to add exclusions for their malware and ransomware payloads. Threat actors also were observed leveraging GPOs, scheduled tasks, and PowerShell scripts in order to tamper with a variety of security controls.
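An added defender-side example, not from the Mandiant report: check a host for the three Defender-tampering techniques named above (policy registry values that switch Defender off, exclusions added with Set-MpPreference, and the Defender operational-log events that record those changes). It assumes the Defender PowerShell module is present and the shell is elevated; the 24-hour lookback is an assumption.

```powershell
# Added example, not from the Mandiant report: audit the Defender-tampering
# techniques named above on the local host. Assumes the Defender module
# (Get-MpPreference / Get-MpComputerStatus) and an elevated shell.

function Get-DefenderTamperIndicators {
    [CmdletBinding()]
    param([int]$LookbackHours = 24)   # assumption: how far back to read the event log
    $findings = @()

    # 1. Policy registry values commonly set to 1 to turn Defender off.
    $policyChecks = @(
        @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                     Name = 'DisableAntiSpyware' }
        @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' }
        @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableBehaviorMonitoring' }
    )
    foreach ($c in $policyChecks) {
        $v = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        if ($v -and $v.($c.Name) -eq 1) {
            $findings += [pscustomobject]@{ Type = 'RegistryPolicy'; Detail = "$($c.Key)\$($c.Name) = 1" }
        }
    }

    # 2. Current preference state: every exclusion is listed for review, plus
    #    real-time monitoring and tamper protection being switched off.
    $pref = Get-MpPreference
    foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
        foreach ($item in @($pref.$kind)) {
            if ($item) { $findings += [pscustomobject]@{ Type = $kind; Detail = $item } }
        }
    }
    if ($pref.DisableRealtimeMonitoring) {
        $findings += [pscustomobject]@{ Type = 'Preference'; Detail = 'DisableRealtimeMonitoring is True' }
    }
    $status = Get-MpComputerStatus
    if (-not $status.IsTamperProtected) {
        $findings += [pscustomobject]@{ Type = 'Preference'; Detail = 'Tamper Protection is off' }
    }

    # 3. Defender operational log: 5001 = real-time protection disabled,
    #    5007 = configuration changed (exclusion add/remove is recorded here).
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5007
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    foreach ($e in $events) {
        $findings += [pscustomobject]@{
            Type   = "Event$($e.Id)"
            Detail = "$($e.TimeCreated): " + ($e.Message -split "`n")[0]
        }
    }
    $findings
}

Get-DefenderTamperIndicators | Format-Table -AutoSize -Wrap
```

Any exclusion that a change-control record cannot account for, or a 5007 event outside a patch window, is worth treating as the tampering step the report describes rather than as noise.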
...
Threat actors used post-exploitation C2 frameworks in about 15% of 2025 ransomware incidents, a decrease from almost 20% in 2024. The decline in the use of post-exploitation frameworks is largely due to the continued reduction in use of Cobalt Strike BEACON.
Cobalt Strike BEACON was deployed in only 2% of 2025 ransomware incidents, continuing a multi-year downward trend; in 2021 roughly 60% of ransomware incidents involved BEACON.
- https://cloud.google.com/blog/topics/threat-intelligence/ransomware-ttps-shifting-threat-landscape/
- https://cyberscoop.com/google-threat-intelligence-group-ransomware-report-2026/
- Follow-up on Samsung laptops with inaccessible C: drive - it appears the issue has been traced back to the 'Samsung Galaxy Connect' application. The application has been pulled from the Microsoft Store.
Following a joint investigation with Samsung, Microsoft has attributed these issues to the Samsung Galaxy Connect app (used for screen mirroring, file sharing, and data transfer between Galaxy devices and Windows PCs) and temporarily removed it from the Microsoft Store.
"The affected Samsung Galaxy Connect application was temporarily removed from the Microsoft Store to prevent further installations," Microsoft said.
"Samsung has republished a stable previous version of the application to stop recurrence on additional devices. Recovery options for devices already impacted remain limited, and Samsung continues to evaluate remediation approaches with Microsoft's support."
Microsoft and Samsung have not yet provided a workaround and are still working on a fix for affected Windows 11 devices. Impacted users are advised to contact Samsung for device-specific assistance.
- Interpol have released a rather depressing "2026 INTERPOL Global Financial Fraud Threat Assessment".
Key findings include:
AI-enhanced fraud is 4.5 times more profitable than traditional methods. “Agentic AI” systems can autonomously plan and execute complete fraud campaigns - from reconnaissance to ransom demands.
Sextortion is now being systematically integrated into scams such as romance and investment fraud often using scripts and AI-generated content.
Criminal networks are increasingly collaborating with specialized money laundering groups and sharing expertise and technology to scale up their operations globally.
In parts of Africa, terrorist groups have been found to use fraud schemes, especially crypto-based scams, as a source of funding.
Once a regional phenomenon, scam centres have now been identified worldwide, involving hundreds of thousands of individuals, many of whom are trafficked and forced to carry out online fraud.
- https://www.interpol.int/News-and-Events/News/2026/INTERPOL-report-warns-of-increasingly-sophisticated-global-financial-fraud-threat
- https://www.theregister.com/2026/03/16/interpol_ai_fraud/
- [UK] Companies House (registry for all UK companies) had a pretty appalling security bug
"All that was required was to log in to Companies House using your own details and access your own company's dashboard. Then opt to "file for another company" and enter the company number for any one of the five million companies registered with Companies House," said Neidle.
"At that point you'd be asked for an authentication code, which of course you don't have. No problem. Press the 'back' key a few times to return to your dashboard. Except – it isn't your dashboard. It's the other company's dashboard."
On Friday 13 March, Companies House was made aware of a security issue which meant that a logged-in user of our WebFiling service could potentially access and change some elements of another company’s details without their consent after performing a specific set of actions.
...
We closed WebFiling at 1:30pm on Friday 13 March while we investigated and resolved the issue. The service has been independently tested and is back online as of 9am on Monday 16 March.
...
Our investigation indicates that this issue was introduced when we updated our WebFiling systems in October 2025.
- https://www.bleepingcomputer.com/news/security/uks-companies-house-confirms-security-flaw-exposed-business-data/
- https://taxpolicy.org.uk/2026/03/13/companies-house-security-vulnerability-directors-addresses/
- https://www.gov.uk/government/news/update-on-companies-house-webfiling-security-issue
- https://www.theregister.com/2026/03/16/companies_house_breach/
Getting Techy
- There's the usual breathless coverage of new work - posted at 'preprints.org'... "Content on Preprints.org is not peer-reviewed" - using Quantum computers to factor numbers. The counter-argument is, however, rather compelling.
On inspection, the paper’s big new idea is that, in the key step of Shor’s algorithm where you compute x^r mod N in a superposition over all r’s, you instead precompute the x^r mod N’s on a classical computer and then load them all into the quantum state.
Alright kids, why does this not work? Shall we call on someone in the back of the class—like, any undergrad quantum computing class in the world? Yes class, that’s right! There are exponentially many r’s. Computing them all takes exponential time, and loading them into the quantum computer also takes exponential time. We’re out of the n^2-time frying pan but into the 2^n-time fire. This can only look like it wins on tiny numbers; on large numbers it’s hopeless.
- https://www.preprints.org/manuscript/202510.1649
- https://www.securityweek.com/quantum-decryption-of-rsa-is-much-closer-than-expected/
- https://scottaaronson.blog/?p=9615
- https://postquantum.com/security-pqc/cybersecurity-apocalypse-in-2026-jvg/
- The (now superseded) Xbox One has finally fallen to voltage glitching, allowing the setup of security controls to be bypassed, and thus unsigned code executed.
Eventually, the Bliss exploit was formulated, where two precise voltage glitches were made to land in succession. One skipped the loop where the ARM Cortex memory protection was set up. Then the Memcpy operation was targeted during the header read, allowing him to jump to the attacker-controlled data.
As a hardware attack against the boot ROM in silicon, Gaasedelen says the attack is unpatchable. Thus it is a complete compromise of the console allowing for loading unsigned code at every level, including the Hypervisor and OS. Moreover, Bliss allows access to the security processor so games, firmware, and so on can be decrypted.
- https://www.tomshardware.com/video-games/console-gaming/microsofts-unhackable-xbox-one-has-been-hacked-by-bliss-the-2013-console-finally-fell-to-voltage-glitching-allowing-the-loading-of-unsigned-code-at-every-level
- https://www.youtube.com/watch?v=FTFn4UZsA5U
- Abusing Accessibility functionality, via the registry, for elevation of privilege (EoP) to SYSTEM on Windows 10/11 systems.
The Windows Accessibility features are a collection of built-in capabilities in Microsoft Windows designed to make the operating system usable for people with disabilities or specific usability needs. These features provide alternative ways to interact with the system through keyboard input, voice, screen narration, visual adjustments, and assistive technologies.
...
Windows accessibility features execute in the user context, albeit with High Integrity due to the UIAccess flag. The obvious question then becomes, how can this be abused to obtain SYSTEM privileges?
The answer lies in the Secure Desktop. The primary distinction between the secure desktop and the user desktop is that only trusted processes running as SYSTEM are permitted to execute there. In other words, no processes running with the user’s privileges are present on the secure desktop.
- [RU] Russian APT Laundry Bear (aka Void Blizzard, Flamboyant Donkey) is dropping a JavaScript backdoor running in Edge.
One does wonder why Edge has command-line flags to seemingly disable all security controls.
The browser is executed in headless mode, enabling a series of parameters such as --no-sandbox, --disable-web-security, --allow-file-access-from-files, --use-fake-ui-for-media-stream, --auto-select-screen-capture-source=true, and --disable-user-media-security. These settings allow local file access and automatically grant permissions for the camera, microphone, and screen capture without user interaction.
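An added detection example, not from the article: score command lines for the security-disabling Chromium switches listed above, first over a few constructed sample lines (as you would get from 4688 or Sysmon process-creation exports) and then over the live process list. The switch names are real Chromium switches; the weights and threshold are assumptions.

```powershell
# Added example, not from the article: flag browser launches that carry the
# sandbox- and permission-disabling switches quoted above. Switch names are
# real Chromium switches; the scoring weights and threshold are assumptions.

$RiskySwitches = @{
    '--no-sandbox'                        = 3
    '--disable-web-security'              = 3
    '--allow-file-access-from-files'      = 2
    '--use-fake-ui-for-media-stream'      = 2
    '--auto-select-screen-capture-source' = 2
    '--disable-user-media-security'       = 2
    '--headless'                          = 1   # benign alone; weighted low
}

function Test-RiskyBrowserCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine, [int]$Threshold = 4)
    $hits = @(); $score = 0
    foreach ($sw in $RiskySwitches.Keys) {
        # Match the switch as a whole token, with or without an =value suffix.
        if ($CommandLine -match "(^|\s)$([regex]::Escape($sw))(=\S*)?(\s|$)") {
            $hits += $sw; $score += $RiskySwitches[$sw]
        }
    }
    [pscustomobject]@{
        Suspicious  = ($score -ge $Threshold)
        Score       = $score
        Switches    = ($hits -join ' ')
        CommandLine = $CommandLine
    }
}

# Constructed sample command lines (not captured from any incident).
$samples = @(
    '"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --no-sandbox --disable-web-security --allow-file-access-from-files --use-fake-ui-for-media-stream --auto-select-screen-capture-source=true --disable-user-media-security file:///C:/Users/Public/index.html'
    '"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default'
    '"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new --screenshot https://intranet.example'
)
$samples | ForEach-Object { Test-RiskyBrowserCommandLine $_ } | Format-Table Suspicious, Score, Switches -AutoSize

# Live check: every running Chromium-based browser on this host.
Get-CimInstance Win32_Process -Filter "Name = 'msedge.exe' OR Name = 'chrome.exe'" |
    Where-Object CommandLine |
    ForEach-Object { Test-RiskyBrowserCommandLine $_.CommandLine } |
    Where-Object Suspicious |
    Format-Table Score, Switches, CommandLine -Wrap
```

Only the first constructed sample crosses the threshold; a plain headless screenshot run scores 1, which is the point of weighting --headless low.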
Geo-Politics
- Akamai are claiming a large increase in attacks, however they appear to be including many forms of reconnaissance in these numbers (indeed "Credential Harvesting" is the only non-reconnaissance item listed).
Their traffic graphs show almost no correlation with the war in Iran (commenced 28 February 2026).
Since February 28, 2026, Akamai has observed a staggering 245% increase in malicious traffic targeting businesses and institutions operating in North America, Europe, and parts of Asia. The table summarizes some of the more recurrent forms of threat activities that have increased in volume since the conflict began.
Automated reconnaissance traffic - Significant increase (+65%)
Credential harvesting attempts - Elevated activity (+45%)
Infrastructure scanning - Widespread probing of exposed services (+52%)
Botnet-driven discovery traffic - Large-scale automated scanning (+70%)
Pre-distributed denial of service (DDoS) reconnaissance - Increased probing before volumetric attacks (+38%)
- https://www.akamai.com/blog/security/fortify-network-security-emerging-geopolitical-cyberthreats
- https://www.theregister.com/2026/03/16/cybercrime_iran_war_245_percent_rise/
- [RU] The state of cyber-war in an extended conflict - nuisance hacks.
The Russian city of Perm has restored its parking payment system after a cyberattack last week knocked the service offline and temporarily made parking free for several days.
...
It is at least the third such incident to affect parking systems in Russian cities in recent years. In January last year, drivers in Krasnodar were unable to pay for parking after a telecommunications operator was hit by a DDoS attack that disrupted related services.
Parking payments in the city of Tver were also disrupted in October 2024 after a destructive cyberattack targeted the local city administration’s network.
...
The attack is the latest in a series of cyber incidents affecting services in Russia. Earlier in January, a cyberattack on a major bread producer in Russia’s Vladimir region disrupted food deliveries.
An attack on a Russian provider of alarm and security systems for homes, businesses, and vehicles the same month caused widespread service outages and a wave of customer complaints, and another incident also affected booking and check-in systems used by Russian airlines and airports.
- [US] Stryker are live-blogging as they progress through Incident Response (IR) and cleanup/restoration activities. Meanwhile, Handala Hack are claiming that they wiped 12 petabytes of data from Stryker.
- https://www.stryker.com/gb/en/about/news/a-message-to-our-customers-03-2026.html
- https://files.techhub.social/media_attachments/files/116/240/143/745/926/915/original/f0ca7b414400a5c0.jpg
- https://cyberplace.social/@GossiTheDog/116239971829429660
- Reminder: Handala's MO - https://research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-operandi/
- [US] An article in Cyberscoop is diving into the language of the US' recently released "Combating Cybercrime, Fraud, and Predatory Schemes against American Citizens".
These activities — which include deploying ransomware and malware, phishing, financial fraud, “sextortion” and other extortion schemes, impersonation, and more — are often coordinated campaigns carried out by Transnational Criminal Organizations (TCOs) aimed at the most vulnerable among us.
...
The Secretary of State, the Secretary of the Treasury, the Secretary of War, the Attorney General, and the Secretary of Homeland Security, in consultation with the Office of the National Cyber Director, and in coordination with the Assistant to the President and Homeland Security Advisor (APHSA), shall:
...
within 120 days of the date of this order, using the results of the review directed in subsection (a)(i) of this section, submit to the President, through the APHSA, an action plan that identifies the TCOs responsible for scam centers and cybercrime and proposes solutions to prevent, disrupt, investigate, and dismantle these TCOs.
I want to be specific about why this executive order is different, because the language is not accidental.
The order doesn’t just call these groups “hackers” or “organized crime.” It calls them transnational criminal organizations (TCOs). That word carries legal and operational weight that most coverage has glossed over. Transnational is the jurisdictional framing that authorizes an entirely different class of response. It is the same threshold that moves a case from local law enforcement to federal jurisdiction and beyond.
Pair that with what follows – “law enforcement, diplomacy, and potential offensive actions” – and you are reading something that goes well beyond a policy memo. Notice the sequence: diplomacy before offensive action is proportionality doctrine. But the administration did not rule out offensive action. The document also calls for deploying the “full suite of U.S. government defensive and offensive cyber operations” and uses the word “shape” as its first pillar of action. In military doctrine, shaping an adversary’s behavior does not mean gentle persuasion. It means force is part of the calculus.
- https://cyberscoop.com/executive-order-cyber-enabled-fraud-transnational-criminal-organizations/
- https://www.whitehouse.gov/presidential-actions/2026/03/combating-cybercrime-fraud-and-predatory-schemes-against-american-citizens/
- https://www.whitehouse.gov/wp-content/uploads/2026/03/president-trumps-cyber-strategy-for-america.pdf
Privacy
- Using smartglasses to receive real-time coaching in court - not a good move.
An insolvency judge in England tossed out testimony after discovering a witness was being coached on what to say in real time through a pair of smartglasses. When the voice of the coach started coming through the cellphone after it was disconnected from the glasses, the witness blamed the whole thing on ChatGPT.
...
In the end, the Judge tossed out all of Jakštys’ testimony. “He was untruthful in relation to his use about the smart glasses and in being coached through the smart glasses,” the judgement said. “In my judgment, from what occurred in court, it is clear that call was made, connected to his smart glasses and continued during his evidence until his mobile phone was removed from him. When asked about this, his explanation was that he thought it was ChatGPT which caused the voice to be heard from his mobile phone once his smart glasses had been removed. That lacks any credibility.”
- [ES] An unsettling view of our potential future - with the increasing push towards Age Verification, vendors are stepping up to fulfil the requirements.
Spain's data protection authority today has imposed a total fine of €950,000 on Yoti Ltd, the British digital identity and age verification company, after finding three distinct violations of the General Data Protection Regulation in the operation of its Digital ID application.
...
The three penalties break down as follows: €500,000 for the unlawful processing of biometric data under Article 9 of the GDPR; €200,000 for obtaining invalid consent for research and development processing in violation of Article 7; and €250,000 for excessive data retention contrary to the storage limitation principle in Article 5.1(e).
...
Yoti describes the age verification services it offers to business clients as comprising eight distinct methods. According to the company's own data protection impact assessment (DPIA), these include facial age estimation, verification via Digital ID app, document identification, credit card verification, mobile number verification, database checking, electronic identity (eID) services used in Switzerland, Denmark and Finland, and a US mobile driving licence option.
...
For transfers from the United Kingdom to India, where Yoti operates a Security Centre providing manual verification support, the company relies on EU standard contractual clauses with a UK addendum. According to the DPIA, this centre can access document images and selfies remotely on UK servers through what the company describes as "thin terminals," with no Yoti staff outside the Security Centre able to view this data. The AEPD noted that this international dimension further constrains users' practical control over their own data.
- [EU] Amazon's record (at the time) GDPR fine has been reversed, however the underlying judgement was confirmed. Back to the National Commission for Data Protection (CNPD) for a new fine to be set.
At the time, the €746m fine was the highest, only eclipsed in 2023 by Meta's €1.2b fine.
A Luxembourg court reversed a €746 million ($858 million) fine the country’s data protection regulator imposed on Amazon in 2021, referring the case back to the National Commission for Data Protection (CNPD).
...
The court said it overturned the fine on Thursday because the CNPD failed to determine whether Amazon intentionally violated the GDPR and because it did not do enough to consider whether the fine was too high and other measures could have been taken.
...
“Indeed, the Administrative Court has endorsed the CNPD’s approach almost in its entirety and, in particular, confirmed that Amazon’s reliance on legitimate interests as the legal basis for the processing operations in question was not justified,” the statement said. “The Administrative Court also upheld the CNPD’s analysis that, at the time of its decision, the information procedures did not comply with the relevant provisions of the GDPR.”
...
The regulator left open the possibility that after a review it will issue a new fine, saying that it will “continue to handle the case in a way to ensure the efficient application of the GDPR.”
AI
- Using ChatBots to overcome loneliness? Not as effective as journalling, or talking to a random stranger.
Researchers from the University of British Columbia found that first-semester college students who texted a randomly selected fellow first-semester college student every day for two weeks experienced around a nine percent reduction in feelings of loneliness. The same two weeks of daily messaging with a Discord chatbot reduced loneliness by around two percent, which turned out to be the same amount as daily one-sentence journaling.
...
participants who were paired with a human partner reported significantly lower loneliness after the study, and those paired with the chatbot did not. “This is just such a low tech, simple intervention, and can make people feel significantly less lonely,” Ruo-Ning Li, PhD candidate at UCB and one of the authors of the paper, told 404 Media.
...
Another paper from the same lab, published this week in Psychological Science, looks at the experiences of more than 2,000 people over twelve months, checking in with them once a quarter. The study found that higher reported chatbot use was linked with higher loneliness later on — and vice versa.
...
A four-week March 2025 study from the MIT Media Lab and OpenAI explored how different types of LLM interaction and conversation impacted users’ mental wellbeing. The paper found that while some instances of chatbot use “initially appeared beneficial in mitigating loneliness,” higher daily LLM usage was associated with “higher loneliness, dependence, and problematic use, and lower socialization.”
- https://www.404media.co/chatgpt-loneliness-study-college-students-random-strangers-texting/
- https://www.sciencedirect.com/science/article/pii/S0022103126000417
- https://www.media.mit.edu/publications/how-ai-and-human-behaviors-shape-psychosocial-effects-of-chatbot-use-a-longitudinal-controlled-study/
- Nvidia is the latest to weigh in on Sandboxes, to attempt to control OpenClaw access. Earlier warnings still stand - not all security problems are caused by illegitimate access, legitimate access can turn bad (see Simon Willison's Lethal Trifecta).