WEEKLY TOP TEN: June 30, 2025, 16:00 GMT
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ original ones we determined to be most significant during the course of the week, ranked by highest risk and drawing on multiple sources when available:

- Microsoft 365 Abuse Enables Phishing from Trusted Sources
  Threat actors are abusing the Microsoft 365 Direct Send feature to send phishing emails that appear to originate from within a victim's organization. This method bypasses SPF/DKIM checks and increases trust in the phishing content, making users more likely to engage with malicious links or attachments.

- Glasgow City Council Hit by Cyberattack
  Glasgow City Council, one of the largest local authorities in the UK, has confirmed a cyberattack that disrupted several internal services. While full details remain undisclosed, officials stated that external cybersecurity experts have been engaged to assist in recovery and containment efforts.

- ScreenConnect Abused via Authenticode Stuffing
  Researchers have discovered that attackers are manipulating ScreenConnect executables using a technique called Authenticode stuffing, which allows them to inject malicious payloads without invalidating the digital signature. This evasion tactic makes the malware appear legitimate and bypasses security mechanisms that rely on code signing alone.

- Dire Wolf Ransomware Targets Tech and Manufacturing Sectors
  A new ransomware operation named Dire Wolf is targeting the technology and manufacturing sectors in highly targeted, data-encrypting attacks. The attackers use compromised credentials to infiltrate networks, exfiltrate sensitive data, and deploy ransomware in multi-stage operations.

- Trojanized SonicWall VPN Client Steals Credentials
  SonicWall has issued a warning about a trojanized version of its NetExtender VPN client being circulated online. This fake installer includes malware designed to steal VPN credentials and other sensitive information, potentially giving attackers unauthorized access to corporate environments.

- Cybercrime Surging Across Africa
  Bitdefender has reported a significant rise in cybercrime targeting African countries, with increasing use of advanced malware, phishing campaigns, and digital scams. Weak infrastructure and inconsistent enforcement leave many regions vulnerable to both local and international threat actors.

- IntelBroker Arrested
  The infamous cybercriminal who goes by IntelBroker has been arrested in France and is awaiting extradition to the US. He is facing several charges related to multiple large-scale breaches and his ownership of the cybercrime forum BreachForums.

- Over 1,000 SOHO Devices Compromised in Chinese Campaign
  More than 1,000 small office/home office (SOHO) network devices have been hacked in a recent Chinese cyber-espionage campaign. The attackers used these compromised systems as command-and-control infrastructure to launch further intrusions, highlighting the persistent threat posed by unsecured edge devices.

- New Exploits Target CitrixBleed-2 Vulnerability
  Security researchers have found growing evidence that a new Citrix vulnerability, dubbed CitrixBleed-2, is being actively exploited in the wild. The flaw allows for information disclosure or potential unauthorized access and poses a significant risk to organizations using vulnerable Citrix ADC and Gateway appliances.

- SafePay Ransomware Targets Payment Industry
  SafePay is a newly identified ransomware strain specifically targeting financial institutions and payment processing systems. The malware includes capabilities for data exfiltration, lateral movement, and double extortion, signaling a focused threat to organizations handling sensitive payment data.