Risks of widespread email software flaws

This is yet another reason why you need a Secure AI solution if you're exploring anything AI related. Research has uncovered a vulnerability in Microsoft 365 Copilot that allowed hackers to access sensitive information without any user interaction. This “zero-click” flaw, dubbed EchoLeak, could have exposed confidential data from emails, spreadsheets, and chats with nothing more than a cleverly crafted email quietly read by the AI assistant. Executive Summary - Security researchers at Aim Security discovered that Microsoft 365 Copilot was susceptible to a novel form of attack: hackers could send an email containing hidden instructions, which Copilot would process automatically, leading to unauthorized access and sharing of internal data. No phishing links or malware were needed—just the AI’s own background scanning was enough to trigger the breach. - The vulnerability wasn’t just a minor bug; it revealed a fundamental design weakness in how AI agents handle trusted and untrusted data. This mirrors the early days of software security, when attackers first learned to hijack devices through overlooked flaws. Microsoft has since patched the issue and implemented additional safeguards, but the episode raises broader concerns about the security of all AI-powered agents. - The real risk isn’t limited to Copilot. Similar AI agents across the industry, from customer service bots to workflow assistants, could be vulnerable to the same kind of manipulation. The challenge lies in the unpredictable nature of AI and the vast attack surface that comes with integrating these agents into critical business processes. My Perspective As organizations race to harness the productivity gains of AI, this incident serves as a stark reminder: innovation must go hand-in-hand with robust security. The EchoLeak vulnerability highlights how AI’s ability to autonomously process instructions can become a double-edged sword—especially when the line between trusted and untrusted data is blurred. Until AI agents can reliably distinguish between legitimate commands and malicious prompts, every new integration is a potential risk. The Future Looking ahead, expect to see a surge in research and investment focused on fundamentally redesigning how AI agents interpret and act on information. For now, widespread adoption of autonomous AI agents in sensitive environments will remain cautious, as organizations grapple with these emerging threats. What You Should Think About If you’re deploying or experimenting with AI agents, now is the time to audit your systems, ask tough questions about how data and instructions are handled, and push vendors for transparency on security measures. Share your experiences or concerns: How are you balancing innovation with risk in your AI projects? What additional safeguards would you like to see? Let’s keep this conversation going and help shape a safer future for AI in the enterprise. Source: fortune

The FBI Internet Crime Complaint Center released a PSA this week identifying nearly $55B in exposed losses due to #BEC—up from $50B in 2023, $43B in 2022, and more than double the estimated $26B that the FBI announced in 2019. Despite years of ongoing awareness campaigns and companies investing heavily in email security technology, BEC attacks are continuing to rise year over year and it’s because they’re becoming increasingly advanced. There’s been a shift away from classic phishing attacks—characterized by misspellings, poor grammar, and irrelevant context—to attacks that closely mimic legitimate communications. Generative AI tools like ChatGPT have catalyzed the social engineering threat, giving criminals a tool to scale their BEC attacks in both volume and sophistication, ultimately improving their attacks’ success rates. Until organizations find a radically different approach to detect these advanced social engineering attacks, I expect that BEC losses will continue to tick upwards. Unfortunately, as cybercriminals see less success with one tactic, they will switch to another. Security leaders should continue to focus on protecting their organizations from this threat, while also working with vendors and partners that are stopping the threats of tomorrow. https://bit.ly/3XrsENm

[Update] #Urgent #Security #Updates for #Microsoft #Outlook and #Exchange Server; used in tandem ... this is a problem 👾 Two critical security #vulnerabilities have been recently identified and are actively being exploited in Microsoft Outlook and Exchange Server. 1. #Vulnerability in Microsoft Outlook: #MonikerLink Bug (CVE-2024-21413) A significant security flaw known as the #MonikerLink bug has been discovered in Microsoft Outlook. This vulnerability exploits a specific way Outlook processes hyperlinks, potentially leading to the leakage of local NTLM login credentials and the execution of arbitrary code on the victim's system. Microsoft has released a critical security update (CVE-2024-21413) with a CVSS score of 9.8. 2. Vulnerability in Microsoft Exchange Server: CVE-2024-21410 A critical security error, CVE-2024-21410, actively exploited in Microsoft Exchange Server, involves privilege escalation within the Exchange Server, allowing attackers to leak NTLM data from an Outlook client and use it for example against the Exchange server. Microsoft has released a critical security update. 3. Combined Risk of Outlook and Exchange Vulnerabilities: The unique risk posed by these vulnerabilities lies in their potential to be exploited in tandem by attackers. First exploiting the Outlook vulnerability to obtain NTLM authentication information, and then leveraging the Exchange vulnerability, attackers can cause significant harm. Research by #CheckPoint has demonstrated how this attack can be relatively #easily #executed in Outlook, highlighting the need for #rapid #patch #application. For more details, see their research blog: https://lnkd.in/eDFXtHTz Additional Security Recommendations: Block SMB Egress Traffic: Blocking SMB egress traffic (port 445/tcp) across all network perimeters, including traffic flows from internal/trusted networks to the internet, is crucial. This also applies to virtual servers and cloud environments such as Azure. For the latest security advisories and updates, visit NCSC Advisories (https://lnkd.in/egvi498X). #infosec

The Hidden Dangers of Email: Exposed Systems and Privacy Risk. Emails are the backbone of digital communication, facilitating everything from password resets to financial transactions. With trillions sent daily, they contain a wealth of Personally Identifiable Information (PII) that, when exposed, becomes a goldmine for cybercriminals. While some providers claim to offer "Privacy by Default," the reality is far more concerning. Threat Intelligence findings shared with Proton since 2023—one of the most well-known privacy-focused email providers—uncovered critical security exposed positions, including misconfigured subdomains, insecure IPv4 addresses, and fundamental PKI errors. Despite independent validation by top cybersecurity professionals, Proton's response was dismissive, even hostile. This exposure mirrors historical issues with Swiss encryption firms Omnisec AG and Crypto AG, whose security claims were later discredited. Such vulnerabilities provide fertile ground for phishing attacks, data breaches, and large-scale fraud. Cybercriminals exploit these weaknesses, leading to identity theft, financial loss, and national security threats. If even "secure" providers harbor exposed and exploitable positions, then the entire email ecosystem remains fundamentally flawed. Users must demand transparency and accountability, prioritizing true end-to-end security over marketing claims. Until providers address these systemic failures, email privacy remains an illusion, leaving billions at risk. Cybersec Innovation Partners