Russian Hackers Exploit Microsoft Device Code Authentication to Target M365 Accounts
Security researchers uncover sophisticated Russian threat actors using Microsoft's legitimate Device Code Authentication to compromise M365 accounts of government organizations and NGOs. The attack leverages social engineering and authentic Microsoft domains to bypass traditional security measures.
Critical Windows Security Update Patches 55 Flaws, Including Two Active Exploits
Microsoft's February 2025 Patch Tuesday addresses 55 security vulnerabilities in Windows systems, with two zero-day flaws already exploited by hackers. The update fixes multiple critical issues including remote code execution and privilege elevation vulnerabilities.
Cybercriminals Target Organizations with Sophisticated ADFS Phishing Scheme
Security researchers have uncovered a sophisticated phishing campaign targeting organizations using Microsoft ADFS, with attackers creating convincing fake login portals to steal credentials and bypass MFA. The scam has affected over 150 organizations across education, healthcare, government and technology sectors, primarily in the US, Canada, Australia and Europe.
Critical UEFI Secure Boot Vulnerability Threatens Windows Systems Worldwide
A major security flaw in UEFI Secure Boot (CVE-2024-7344) exposes Windows systems to potential bootkit attacks that can survive system reboots and OS reinstalls. Microsoft and Linux vendors have released patches to address this vulnerability that bypasses critical startup security checks.
The Evolution of Passkeys: Promising Yet Imperfect Authentication Solution in 2025
Passkeys are emerging as a faster, more secure alternative to traditional passwords, offering unique benefits like phishing resistance and biometric protection. While implementation challenges and recovery concerns persist, industry collaboration is driving improvements in this authentication technology.
PayPal Users Targeted by Sophisticated Phishing Scam Using Legitimate URLs
A newly discovered phishing campaign exploits PayPal's legitimate infrastructure to hijack user accounts by leveraging real URLs and Microsoft 365 test domains. The sophisticated attack can bypass standard security checks and PayPal's own phishing detection systems.
Critical Windows Domain Controller Exploit Revealed: LDAPNightmare PoC Triggers System Crashes
A new proof-of-concept exploit called LDAPNightmare demonstrates how attackers can crash Windows domain controllers through LDAP vulnerability CVE-2024-49113. The exploit forces system reboots by crashing LSASS, with potential for remote code execution if systems remain unpatched.
The Passkey Paradox: Why Password-Free Security Still Has a Long Way to Go
Despite promising enhanced security, passkey technology faces significant adoption hurdles due to fragmented implementations across platforms and confusing user experiences. While major tech companies push their own solutions, the current state of passkeys falls short of delivering truly seamless password-free authentication for mainstream users.
FTC Investigates Microsoft's Federal Cybersecurity Contract Practices for Potential Antitrust Violations
The Federal Trade Commission has launched an investigation into Microsoft's cybersecurity dealings with federal agencies, examining potential antitrust violations in contract procurement. The probe focuses on how Microsoft's free security offerings following the SolarWinds attack led to costly subscription lock-ins for government departments.
Educational Institutions Warned Against Microsoft 365 Copilot Over Privacy Risks
SURF's recent assessment reveals significant privacy concerns with Microsoft 365 Copilot, including data handling transparency issues and accuracy problems. The organization strongly advises educational institutions to avoid using the AI tool until adequate protective measures are implemented.