Cyber Security Weekly Briefing, 25-31 October

October 31, 2025

New wave of phishing attacks uses OAuth requests to compromise Microsoft accounts

According to reports from security researchers, including Unit 42, a new wave of cyberattacks has been detected that uses OAuth consent phishing to compromise Microsoft accounts (including corporate and business accounts).

This attack method works by tricking users into granting permissions to a malicious application through an OAuth authorization screen that appears legitimate, via emails that mimic investment or business platforms. Once the user consents, the threat actors obtain valid OAuth access tokens that allow them to take full control of the account (email, files, contacts) and, crucially, bypass multi-factor authentication (MFA) and password protection, since the token is issued after the user has already authenticated. This facilitates lateral movement in corporate networks and the theft of sensitive data.

The main security recommendation is that users never click on links in unexpected emails requesting authorization and that organizations implement tools to monitor unusual use of OAuth tokens, in addition to strengthening training to address this type of attack.
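As an added example of the monitoring the recommendation above calls for (this is illustrative code written for this briefing, not tooling from Unit 42, Microsoft or any other party named here), the script below scores consent-grant records exported from an identity audit log. The record layout, field names, scope weights, application IDs and sample log lines are all constructed assumptions and do not match the real Entra ID audit-log schema; the idea is to surface grants that combine broad mail/files scopes, an unverified publisher and user self-consent, and to spot the same unknown app being consented to by several users, which is what a phishing campaign looks like from the tenant side.

```python
"""Detect suspicious OAuth consent grants in identity audit-log exports.

Added example for this briefing, not code from any party named on the page.
The JSON records and field names below are constructed and simplified; they
are assumptions, not the real Entra ID audit-log schema.
"""
import json
from collections import defaultdict
from dataclasses import dataclass

# Delegated Microsoft Graph permissions that give an app the reach described
# in the briefing (mail, files, contacts), plus offline_access, which yields a
# refresh token so the access persists long after the consent click.
HIGH_RISK_SCOPES = {
    "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
    "Contacts.ReadWrite", "MailboxSettings.ReadWrite", "offline_access",
}

# Application (client) IDs the tenant has reviewed. Constructed placeholder;
# a real allowlist comes from the tenant's own application inventory.
APPROVED_APP_IDS = {"11111111-0000-0000-0000-000000000001"}

FLAG_THRESHOLD = 5  # assumed cut-off; tune against your own audit history


@dataclass
class ConsentEvent:
    timestamp: str
    user: str
    app_name: str
    app_id: str
    publisher_verified: bool
    consent_type: str   # "User" = self-service consent, "Admin" = tenant-wide
    scopes: list


def parse_events(jsonl: str) -> list:
    """Parse one JSON object per line into ConsentEvent records."""
    events = []
    for line in jsonl.strip().splitlines():
        rec = json.loads(line)
        events.append(ConsentEvent(
            timestamp=rec["time"], user=rec["user"], app_name=rec["app"],
            app_id=rec["appId"], publisher_verified=rec["verified"],
            consent_type=rec["consentType"], scopes=rec["scopes"],
        ))
    return events


def score_consent(ev: ConsentEvent) -> tuple:
    """Return (score, reasons); higher means more likely consent phishing."""
    score, reasons = 0, []
    risky = sorted(HIGH_RISK_SCOPES & set(ev.scopes))
    if risky:
        score += 2 * len(risky)
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if not ev.publisher_verified:
        score += 3
        reasons.append("publisher not verified")
    if ev.consent_type == "User":
        score += 1
        reasons.append("user self-consent, no admin review")
    if ev.app_id not in APPROVED_APP_IDS:
        score += 1
        reasons.append("app not in tenant allowlist")
    return score, reasons


def flag_suspicious(events, threshold=FLAG_THRESHOLD):
    """Return [(event, score, reasons)] for events at or above the threshold."""
    out = []
    for ev in events:
        score, reasons = score_consent(ev)
        if score >= threshold:
            out.append((ev, score, reasons))
    return out


def campaign_apps(events, min_users=2):
    """App IDs that several distinct users consented to: a campaign signal."""
    users_by_app = defaultdict(set)
    for ev in events:
        users_by_app[ev.app_id].add(ev.user)
    return {app for app, users in users_by_app.items() if len(users) >= min_users}


# Constructed sample log lines (not real tenant data).
SAMPLE_LOG = """
{"time":"2025-10-28T09:12:03Z","user":"ana@example.com","app":"Contoso Expense Portal","appId":"11111111-0000-0000-0000-000000000001","verified":true,"consentType":"Admin","scopes":["User.Read"]}
{"time":"2025-10-28T09:40:17Z","user":"ana@example.com","app":"Investment Dashboard","appId":"22222222-0000-0000-0000-000000000002","verified":false,"consentType":"User","scopes":["offline_access","Mail.ReadWrite","Files.ReadWrite.All","User.Read"]}
{"time":"2025-10-28T10:05:44Z","user":"luis@example.com","app":"Calendar Sync Helper","appId":"33333333-0000-0000-0000-000000000003","verified":true,"consentType":"User","scopes":["Calendars.Read","User.Read"]}
{"time":"2025-10-28T10:31:09Z","user":"luis@example.com","app":"Investment Dashboard","appId":"22222222-0000-0000-0000-000000000002","verified":false,"consentType":"User","scopes":["offline_access","Mail.ReadWrite","Files.ReadWrite.All","User.Read"]}
"""

EVENTS = parse_events(SAMPLE_LOG)

if __name__ == "__main__":
    for ev, score, reasons in flag_suspicious(EVENTS):
        print(f"{ev.timestamp} {ev.user} -> {ev.app_name} (score {score})")
        for r in reasons:
            print("   -", r)
    print("apps with multiple consenting users:", sorted(campaign_apps(EVENTS)))
```

On the constructed sample, only the two "Investment Dashboard" grants cross the threshold, and the same unknown app ID appears for two different users, which is the pattern worth escalating. In practice the same scoring can be fed from the tenant's real consent audit events, and restricting user self-consent to verified publishers and low-privilege scopes removes most of the risk before any detection has to fire.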

LockBit 5.0 targets Windows, Linux, and ESXi systems in ongoing attacks

Check Point Research confirmed the resurgence of the LockBit ransomware group following its disruption in early 2024 (Operation Cronos), reestablishing its Ransomware-as-a-Service (RaaS) model and claiming dozens of new victims since September 2025.

The comeback is led by the new LockBit 5.0 variant (internally designated as “ChuongDong”) and LockBit Black, both designed with multi-platform support to attack Windows, Linux, and ESXi environments with greater evasion and faster encryption, demonstrating a rapid reactivation of its affiliate network. Attack campaigns have spread across Western Europe, the Americas, and Asia, targeting organizations across all sectors and demanding a ransom with a 30-day deadline.

Security recommendations include using advanced threat prevention solutions on the network and endpoints to detect and block ransomware execution before encryption begins.

New EDR-Redir technique allows antivirus and EDR to be disabled

Zero Salarium has revealed a new security evasion technique called EDR-Redir that allows an attacker to disable or interfere with EDR and antivirus solutions such as Windows Defender, Elastic Defend, and Sophos Intercept X.

The method, which does not require kernel privileges and can be combined with Bring Your Own Vulnerable Driver (BYOVD) attacks, is based on the abuse of two Windows minifilter drivers: Bind Filter (bindflt.sys) and Cloud Filter (cldflt.sys). EDR-Redir uses a bind link to redirect the EDR executable folder to a location controlled by the attacker (demonstrated against Elastic Defend and Sophos), allowing the injection of DLLs or the prevention of EDR execution.

Alternatively, against Windows Defender, the attacker can abuse the Cloud Files API to incompletely register the Defender folder as a synchronization root, making the folder appear “corrupt” and preventing services from running even after a reboot. This could lead to the total neutralization of endpoint defenses. Zero Salarium has published EDR-Redir for demonstration purposes, recommending that EDR developers strengthen the protection of their key folders.

BlueNoroff expands infiltration tactics with GhostCall and GhostHire campaigns

The BlueNoroff group, linked to North Korea and also identified as APT38 or Sapphire Sleet, has implemented new intrusion techniques targeting executives and developers in the Web3 sector. The GhostCall campaign uses advanced social engineering via Telegram and fake sites that mimic the Zoom interface to compromise macOS systems, employing ZoomClutch malware to exfiltrate credentials and subsequently infect systems with malicious AppleScript.

At the same time, GhostHire simulates technical recruitment processes, distributing malicious code through GitHub repositories or ZIP files during fake assessments. Both operations integrate multi-component chains with infostealers and keyloggers capable of stealing wallet credentials, API keys, Keychain data, and messaging tokens.

DNS failure and configuration issue in Azure causes global disruption to Microsoft services

Microsoft is facing a global outage caused by a failure in its DNS infrastructure and in the configuration of the Azure Front Door (AFD) service, affecting the availability of Microsoft Azure, Microsoft 365, Intune, and Exchange. The incident began around 4:00 p.m. UTC, causing authentication errors and degradation of critical services used by organizations in sectors such as healthcare and transportation, including the Dutch railway system.

Microsoft confirmed that an inadvertent change to the AFD configuration caused the loss of availability and applied a change lock along with restoring the last known functional state. As a temporary mitigation, the company recommended redirecting traffic through Azure Traffic Manager and using programmatic interfaces (PowerShell, CLI) in the event of a portal outage.
