Guardian Digital, Inc.

12.2K posts

@gdlinux

The Open Source Internet Security Company

New Jersey, USA Joined March 2015
488 Following 625 Followers
Pinned Tweet
Guardian Digital, Inc. @gdlinux
🛠️ Toolkit Time! 🛠️ Every sysadmin needs a reliable toolkit. Our newsletter is your virtual Swiss Army knife for combating email threats. Stay equipped and informed with the latest insights and strategies. Subscribe now and unpack the essentials! guardiandigital.com/newsletter-sig…
Guardian Digital, Inc.
GitHub rotated critical secrets after attackers reportedly accessed thousands of internal repositories. The operational issue is persistence after initial compromise. In Microsoft 365, attackers often pivot from stolen credentials into token-based access that survives password resets. Many organizations only catch this during Entra ID token investigations. csoonline.com/article/417474… #microsoft365 #CyberDefense #CyberThreats
Guardian Digital, Inc.
Attackers are increasingly combining phishing kits with MFA fatigue techniques to bypass standard login protections. The credential itself is no longer the hardest part. In Microsoft 365 tenants this often leads to token-based access that persists beyond the initial approval event. Many organizations discover the compromise only after mailbox activity starts looking abnormal. OAuth session visibility matters more than most teams expect. guardiandigital.com/resources/faq/… #microsoft365 #CyberDefense #CyberThreats
Guardian Digital, Inc.
Attackers are increasingly targeting OAuth integrations instead of passwords in Microsoft 365 environments. This creates persistent mailbox access even after credentials are reset. In practice, consented apps often outlive the initial compromise. Many tenants still carry unused OAuth grants. Review app permissions regularly. guardiandigital.com/resources/blog… #microsoft365 #Cybersec #InfoSec
Guardian Digital, Inc.
Threat actors are combining voice calls with real-time phishing pages that proxy Microsoft 365 authentication. This reduces the effectiveness of traditional phishing awareness signals. Operationally, it looks like normal user sign-ins followed by unfamiliar device registrations or OAuth grants. Most tenants still have more third-party OAuth exposure than expected. Review app consent permissions periodically. guardiandigital.com/resources/blog… #microsoft365 #Cybersec #TechSecurity
Guardian Digital, Inc.
GitHub noted a rise in technically accurate but low-impact security findings. The operational issue is signal fatigue. Microsoft 365 admins already deal with the same problem in Entra ID, Defender, and mailbox alerts where noise can bury actual account compromise activity. Most teams eventually tune out repetitive “informational” detections. csoonline.com/article/417322… #microsoft365 #InfoSec #TechSecurity
Guardian Digital, Inc.
The attack relies on image perturbations subtle enough that users may never notice them visually. The model sees instructions the user does not. Operationally, this looks similar to how attackers abuse QR codes, image-only phishing, and OCR blind spots in Microsoft 365 environments. Many security teams already know image-heavy campaigns generate inconsistent detection results across tooling. AI-assisted processing pipelines may widen that gap further. csoonline.com/article/417233… #microsoft365 #CyberAttack #Cybersec
Guardian Digital, Inc.
@rifteyy Thanks for flagging the reversed remote URL detail, that’s a crucial catch. Has Harvard’s IT or security team acknowledged this yet, or is it still unaddressed?
rifteyy @rifteyy
HARVARD WEBSITE IS COMPROMISED! Blog sources are hosting ClickFix malware. hxxps://hir.harvard.edu/israel-and-international-football-a-breaking-point/ hxxps://hir.harvard.edu/a-better-way-forward-an-interview-with-paul-ryan/ Malicious script contains the string sj.ssc/ipa/orp.eralfduolccitats, which is the reversed remote URL -> virustotal.com/gui/domain/sta… @vxunderground @BleepinComputer @Harvard
Guardian Digital, Inc.
@sanjeed_i You’re right about the risk. AI can now make phishing sites almost indistinguishable from legitimate ones. Did you notice any signs the link was automated or specifically personalized to you? That kind of detail could help others spot similar scams in the future.
sanjeed @ AI Eng SG 🇸🇬
tldr: Somebody tried to scam me. It's easier to scam with AI, stay safe!! They booked a meeting with me and shared context via a link. Which looks like Google Drive and asks you to Google Auth, UI was off and URL was clearly wrong. Dumb phishing attempt, but with AI the UI could have been an exact replica. That's possible easily now, so please stay safe. Don't be on untrusted networks, always verify any URLs/emails clearly.
Guardian Digital, Inc.
@The_Cyber_News Interesting that the issue is in the Browser Fetch API. Does Google have guidance for mitigating risk until there’s a fix, especially for organizations handling sensitive downloads or data transfers?
Cyber Security News @The_Cyber_News
🚨 Google Publishes Exploit Code for Unfixed Chromium Bug Exposing Millions of Users Source: cybersecuritynews.com/google-publish… Google has publicly released proof-of-concept (PoC) exploit code for a critical, still-unpatched vulnerability in the Chromium codebase, potentially exposing millions of users across Chrome, Microsoft Edge, and other Chromium-based browsers to stealthy botnet-style abuse. The flaw resides in the Browser Fetch API, a feature designed to allow large downloads, such as videos or files, to continue in the background via Service Workers. By leveraging this behavior, attackers can establish a covert communication channel between a victim’s browser and a command-and-control (C2) server. #cybersecuritynews
Guardian Digital, Inc.
Phishing attacks in Microsoft 365 environments increasingly rely on convincing replicas of Microsoft sign-in flows rather than malware delivery. That shifts detection toward identity telemetry. In practice, attackers use credential capture pages tied to real-time MFA interception and session token theft. Many organizations discover this only after investigating unfamiliar device sign-ins. Entra ID sign-in logs usually tell the story faster than endpoint alerts. guardiandigital.com/resources/blog… #microsoft365 #CyberAttack #Cybersec
Guardian Digital, Inc.
Spear phishing campaigns are still succeeding by targeting MFA fatigue and session token abuse. This bypasses traditional credential reset workflows entirely. In Microsoft 365 environments, attackers often pivot using valid session tokens and trusted sign-in locations. Many tenants still have conditional access exclusions that weaken enforcement. Entra ID sign-in logs usually tell the real story. guardiandigital.com/resources/blog… #microsoft365 #CyberDefense #CyberThreats
Guardian Digital, Inc.
GitHub confirmed attackers gained access through a poisoned VS Code extension installed on an employee device. This bypasses traditional credential theft entirely. In Microsoft 365 environments, trusted integrations and OAuth consent paths create similar exposure. Most tenants still have at least one over-permissioned app registration. Review OAuth grants alongside Entra sign-in activity. csoonline.com/article/417474… #microsoft365 #Cybersec #InfoSec
Guardian Digital, Inc.
@The_Cyber_News Impressive work on seizing 33 servers during Operation Saffron. Will authorities notify affected legitimate users, if any, whose privacy might have been impacted during the takedown?
Cyber Security News @The_Cyber_News
🛡️ Authorities Have Taken Down "First VPN" Used in Ransomware Attacks Source: cybersecuritynews.com/first-vpn-take… In a major international law enforcement success, authorities from seven countries dismantled First VPN, a criminal virtual private network linked to global cybercrime, during a coordinated operation on May 19 and 20, 2026. Dubbed Operation Saffron, the joint action was led by French and Dutch authorities and supported by Europol and Eurojust, resulting in the seizure of 33 servers, the shutdown of multiple domains, and the identification of thousands of cybercriminal users. #cybersecuritynews
Guardian Digital, Inc.
Attackers increasingly use OAuth consent phishing instead of stealing passwords directly. This creates persistent Microsoft 365 access through delegated app permissions. In practice, many incidents start with users approving low-trust apps tied to Exchange Online or OneDrive access. Most organizations only notice after reviewing Entra ID enterprise app activity. Review unused OAuth grants regularly. guardiandigital.com/resources/blog… #microsoft365 #Cybersec #InfoSec
Guardian Digital, Inc.
Traditional phishing still succeeds in Microsoft 365 environments because attackers target weak authentication paths rather than advanced exploits. The infrastructure is often simple, but effective. Credential harvesting campaigns continue to abuse legacy authentication, fake Microsoft login portals, and token replay techniques. Most tenants still have at least one unnecessary authentication exception in place. Conditional Access exclusions deserve closer review than most teams give them. guardiandigital.com/resources/blog… #microsoft365 #CyberThreats #InfoSec
Guardian Digital, Inc.
@ToonHive Prioritizing AI-generated answers could raise concerns about both accuracy and privacy. How will Google ensure these AI responses handle sensitive queries securely and consistently cite reliable sources?
ToonHive @ToonHive
Google announces it will now prioritize AI-generated answers in search results over human-written website articles. A move that could make it significantly harder for independent websites to gain organic traffic starting next Tuesday.
Guardian Digital, Inc.
@hackapreneur That’s a huge risk, especially with internal tools and API keys exposed. How do you think teams should prioritize response between source code leaks vs. credentials, given both threaten security in different ways?
Justin Wu @hackapreneur
Imagine u waking up and your startup entire backend is sitting in some hacker forum Source code API keys Internal tools Years of work This is exactly what I mean when I say nothing online is truly secure anymore One breach and suddenly thousands of private repos are allegedly for sale to highest bidder Crazy times in Github
Guardian Digital, Inc.
@tridevgurung Good callout about Khalti. Did the email use any convincing branding or request your personal info? Phishing attacks are getting smarter, always tricky for users to spot the difference.
Tridev Gurung @tridevgurung
My first time receiving a phishing email for khalti. Be careful out there.
Guardian Digital, Inc.
GitHub highlighted attacks that depend on users opening crafted files or trusting unverified content. That bypasses very little technically. In Microsoft 365, attackers still rely heavily on shared documents, Teams links, and fake SharePoint notifications to gain initial access. Many tenants still allow external sharing paths with minimal review. csoonline.com/article/417322… #microsoft365 #CyberThreats #CyberDefense
Guardian Digital, Inc.
@Pirat_Nation That’s definitely concerning, especially the part about connections persisting after browser restarts. I’d be curious how users can verify or clear these hidden sessions to protect their privacy.
Pirat_Nation 🔴 @Pirat_Nation
Google has published exploit code for a security problem in Chromium, the engine used by browsers like Google Chrome, Microsoft Edge, Brave, and Opera. The problem is linked to the Fetch API feature, which helps websites handle background internet requests. Security researchers say hackers could misuse it to keep hidden connections active in a user’s browser, allowing attackers to send large amounts of traffic to websites or build browser-based botnets. What makes the situation especially concerning is that some browser sessions may continue maintaining these connections even after the browser or device has been restarted. Reports also indicate the vulnerability had been known internally for more than two years before proof-of-concept exploit code became public.