Password vault flaws, a malicious Outlook add-in, & Zero Trust World 2026
ThreatLocker: Zero Trust Weekly

This week in Zero Trust

Here are your weekly tips to stay ahead of cyber threats.

Estimated reading time:  5-6 minutes

 

In this issue:

  • MFA bypass via AitM attacks targeting Microsoft 365
  • 0ktapus and the risks of centralized SSO
  • Dubai's digital transformation
  • Aligning policy, people, and tech in modern SOCs
  • Threats you need to know: Password manager design flaws and a malicious Outlook add-in

From the CEO

Prepare for the inevitable cyberattack

 

"Expect more targeted attacks, increased cybercrime commercialization, and malware that's harder to spot. As more businesses suffer, companies will realize the inevitability of attacks. This will push many to adopt a Zero Trust approach, where deny-by-default makes it much harder for cybercriminals to profit." - Danny Jenkins

From the ThreatLocker blog

Session hijacking, SSO abuse, and the blueprint for modern resilience

 

MFA bypasses, session hijacking and business email compromise

AitM attacks increasingly target Microsoft 365 environments

  • What happened: These campaigns use reverse proxy phishing kits to intercept credentials and steal authenticated session cookies. Even with MFA enabled, attackers can hijack active sessions and gain access to email, OneDrive, SharePoint, and other M365 services. This access can then be used to launch BEC attacks, move laterally, and establish persistent access.
  • What this means: Rather than a failure in MFA, this represents a shift in attacker tactics. When a session is already authenticated, MFA controls don't protect against cookie theft and replay.
  • The bottom line: This shift makes session and identity protection as critical as credential protection. Organizations relying solely on passwords and MFA without session monitoring and application-layer enforcement are increasingly exposed. Read the full breakdown.
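The session monitoring the bottom line calls for can start from sign-in telemetry: a replayed cookie shows up as the same session identifier appearing from a client that differs from the one that completed sign-in. The script below is an added example, not ThreatLocker's code; the event records are constructed samples and the field names are assumptions rather than a real M365 log schema.

```python
"""Flag probable session-cookie replay in sign-in events (added example)."""
from datetime import datetime

# Constructed sample events: (timestamp, user, session_id, source_ip, user_agent)
SAMPLE_EVENTS = [
    ("2026-02-10T08:01:00", "alice@example.com", "sess-A1", "203.0.113.10", "Edge/131 Windows"),
    ("2026-02-10T08:05:00", "alice@example.com", "sess-A1", "203.0.113.10", "Edge/131 Windows"),
    # Same session id, new network and new client a few minutes later: replay candidate
    ("2026-02-10T08:09:00", "alice@example.com", "sess-A1", "198.51.100.77", "python-requests/2.32"),
    ("2026-02-10T09:00:00", "bob@example.com", "sess-B7", "192.0.2.5", "Outlook/16 Windows"),
    ("2026-02-10T09:30:00", "bob@example.com", "sess-B7", "192.0.2.5", "Outlook/16 Windows"),
]


def find_session_replays(events, max_gap_minutes=60):
    """Return alerts for session ids reused from a different IP *and* user agent.

    Requiring both to change cuts noise from mobile users whose IP changes
    mid-session; the time window targets the near-real-time replay a
    reverse-proxy kit performs right after capturing the cookie.
    """
    first_seen = {}  # session_id -> (timestamp, ip, user_agent) at first observation
    alerts = []
    for ts_str, user, sid, ip, ua in sorted(events):  # ISO timestamps sort lexically
        ts = datetime.fromisoformat(ts_str)
        if sid not in first_seen:
            first_seen[sid] = (ts, ip, ua)
            continue
        ts0, ip0, ua0 = first_seen[sid]
        gap = (ts - ts0).total_seconds() / 60
        if ip != ip0 and ua != ua0 and gap <= max_gap_minutes:
            alerts.append({"user": user, "session_id": sid, "orig_ip": ip0,
                           "replay_ip": ip, "replay_ua": ua,
                           "minutes_after_issue": gap})
    return alerts


if __name__ == "__main__":
    for a in find_session_replays(SAMPLE_EVENTS):
        print(f"ALERT {a['user']} session {a['session_id']}: "
              f"{a['orig_ip']} -> {a['replay_ip']} ({a['replay_ua']})")
```

In production the same rule would be fed from the tenant's sign-in logs and paired with revoking the flagged session, which is the response MFA alone cannot provide.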

How 0ktapus abused SSO to bypass MFA

Attackers exploit centralized identity trust to gain persistent access

  • What happened: The 0ktapus campaign targeted organizations using Okta's SSO, sending convincing smishing messages to employees. Victims were directed to fake login pages designed to capture credentials and MFA codes in real time. Once authenticated, attackers leveraged the stolen credentials and session info to access downstream SaaS applications connected to Okta. In multiple instances, this access enabled lateral movement, privilege escalation, and data exfiltration.
  • Why it matters: By compromising Okta credentials, attackers gained centralized access to every application tied to a single SSO identity. Centralized access = centralized risk. While AitM session hijacking attacks steal authenticated cookies, 0ktapus demonstrates how targeting the identity provider itself can expose an entire SaaS ecosystem. Instead of attacking endpoints or vulnerabilities, attackers are increasingly logging in through identity infrastructure. 
  • The bottom line: MFA alone cannot eliminate identity risk. Conditional access policies, restrictive application permissions, and monitoring of identity-based activities are critical protections. See the technical analysis.

Dubai: Where safety, scale, and cyber resilience converge

Combining technological ambition with strategic edge

  • What's happening: Dubai has reengineered itself into one of the world's safest and most digitally advanced cities, blending AI-powered infrastructure, biometric systems, and smart governance with serious cybersecurity investment. The Numbeo 2025 Mid-Year Safety Index ranked the UAE as the safest country globally and Dubai among the safest cities. Initiatives like the Dubai Cyber Innovation Park, the Dubai Economic Agenda, and expansion of AI and cloud ecosystems are positioning the city as a global cybersecurity hub.
  • Why it matters: In a cyber-volatile world, physical and digital safety are inseparable. Dubai's model demonstrates how strict data governance and large-scale infrastructure investment can coexist with rapid innovation. Dubai is embedding resilience into its infrastructure, including predictive policing, AI-powered public services, and blockchain-enabled government operations.
  • The big picture: In 2025, cybercrime costs were projected to reach $10.5 trillion annually. Cities that integrate national security, enterprise resilience, and personal safety will define the next generation of global tech hubs. Explore the full feature.

Pulling policy, people, and technology together

When these three layers align, security stops being reactive

  • What you need to know: In this four-part series, we explored the foundational pillars of effective security operations: authoritative policy, capable SOC, and the right security stack. Individually, each pillar strengthens the security posture, and together, they define what a modern security program should look like. In this final installment, we examine how the three must align to create a cohesive, enforceable, and resilient operation. 
  • Why it matters: Policy provides authority. People provide capability. Technology provides enforceability. Policy only works when it is visibly embraced by executive leadership. Effective policies are built in partnership with HR and legal and backed by leadership. Furthermore, analysts are needed to interpret ambiguity and respond to live threats. An effective SOC balances strong baseline skills with deeper specializations. Finally, the right security stack provides enforceability at scale and turns policy into consistent control.
  • The big picture: Your security stops being reactive when these three elements align. Policy defines what must be protected, the SOC provides expertise and response, and the security stack ensures enforcement is consistent and scalable. Read the four-part series.

Threats you need to know

Architectural weaknesses and trust-boundary abuse

 

Bitwarden, LastPass, and Dashlane are susceptible to password recovery attacks

Study uncovers password recovery attacks in major cloud password managers

  • What you need to know: A recent study found multiple cloud-based password managers vulnerable to attacks under a malicious-server threat model. The research uncovered 12 distinct attacks against Bitwarden, seven against LastPass, and six against Dashlane, ranging from breaches of targeted user vaults to total compromise of all vaults within an organization. The attacks targeted architectural and cryptographic design patterns in zero-knowledge encryption implementations.

  • Why it matters: This study highlights how complex cryptographic implementations, backwards compatibility decisions, and recovery workflows can introduce unintended attack paths. In a zero-knowledge model, architecture and key management decisions matter. 
  • The bottom line: Centralizing credentials also centralizes risk. Password managers remain a best practice, but they should be evaluated like any critical infrastructure component: Understand the architecture, apply least privilege, and layer additional controls as part of a broader Zero Trust strategy.

Researchers discover first known malicious Outlook add-in

Now-abandoned add-in served fake Microsoft login page

  • What you need to know: Threat actors hijacked AgreeTo, an abandoned Outlook add-in that was originally a legitimate meeting scheduler, by claiming the expired hosting domain and replacing its content with a phishing kit. When opened, users saw a fake Microsoft sign-in page that captured and exfiltrated credentials. Dubbed AgreeToSteal, this campaign reportedly stole more than 4,000 Microsoft account credentials before it was removed from the Microsoft store.

  • Why it matters: The add-in itself was legitimate at launch, but once abandoned, the gap between domain expiration and platform detection created an opportunity for abuse. It’s a reminder that third-party integrations can become attack vectors long after initial approval, especially when they dynamically load content from external infrastructure. 
  • The bottom line: This incident is a reminder that supply chain and ecosystem threats extend into productivity platforms and add-ins. If vetting stops after initial approval, these trusted add-ins can become malicious entry points. Security teams should monitor for outdated or abandoned tools that may still be in use and restrict unnecessary permissions.
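One concrete way to keep vetting going after approval is to inventory the external hosts each installed add-in's manifest loads content from and flag anything outside the vendor's known domains, since an add-in that dynamically loads its UI from an expired or re-registered domain is exactly the gap described above. The script below is an added example, not ThreatLocker's code; the manifest is a constructed sample in the shape of an Office add-in manifest (SourceLocation, IconUrl, AppDomains), and the vendor name, URLs and allowlist are assumptions, not data from the AgreeTo incident.

```python
"""Inventory and allowlist-check the hosts referenced by an Office add-in manifest (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample manifest; hosts and vendor are placeholders, not real infrastructure.
SAMPLE_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:bt="http://schemas.microsoft.com/office/officeappbasictypes/1.0">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <ProviderName>Example Scheduler Vendor</ProviderName>
  <IconUrl DefaultValue="https://cdn.scheduler-vendor.example/icon.png"/>
  <AppDomains>
    <AppDomain>https://scheduler-vendor.example</AppDomain>
    <AppDomain>https://login.lookalike-host.example</AppDomain>
  </AppDomains>
  <DefaultSettings>
    <SourceLocation DefaultValue="https://app.scheduler-vendor.example/taskpane.html"/>
  </DefaultSettings>
</OfficeApp>
"""


def manifest_hosts(manifest_xml):
    """Return every host named by a URL-valued attribute or element text in the manifest."""
    hosts = set()
    for el in ET.fromstring(manifest_xml).iter():
        # xmlns declarations are not exposed in attrib, so only real URL values are seen
        for value in list(el.attrib.values()) + [el.text or ""]:
            value = value.strip()
            if value.startswith(("http://", "https://")):
                hosts.add(urlparse(value).hostname.lower())
    return hosts


def unapproved_hosts(manifest_xml, approved_domains):
    """Hosts that are neither an approved registrable domain nor a subdomain of one."""
    def approved(host):
        return any(host == d or host.endswith("." + d) for d in approved_domains)
    return sorted(h for h in manifest_hosts(manifest_xml) if not approved(h))


if __name__ == "__main__":
    # Assumed allowlist: the vendor's own domain recorded at initial approval
    flagged = unapproved_hosts(SAMPLE_MANIFEST, {"scheduler-vendor.example"})
    print("Hosts outside allowlist:", flagged)
```

Run periodically against the manifests of deployed add-ins, a newly appearing or re-registered host is the signal to re-vet the add-in before users keep loading content from it.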

Zero Trust World 2026, Orlando, FL, March 4-6

Adam Savage is closing Zero Trust World 2026, bringing the curiosity, hands-on thinking, and maker mindset that has inspired generations of builders, engineers, and problem-solvers.

 

Hacking Devices Dissected

Mainstage | March 6 

Secure your spot today

Use code ZTWWEEKLY26 to save $200

Cyber Hero Frontline, a magazine by ThreatLocker

Take a peek at what's coming in Cyber Hero Frontline Issue 3:

  • All hands on duck: Devious USB Rubber Ducky in an innocent package

  • Financial sector focus: Zero Trust emerges as the key defense
  • Australia's Essential Eight decoded: The framework fueling rapid growth
  • Counter the AI crimewave: Why detection is suddenly on the back foot
  • Securing centralized access: Centralized databases streamline services but create prime targets

Get your copy of Cyber Hero Frontline

ThreatLocker, 1950 Summit Park Dr, Floor 4, Orlando, Florida 32810, United States


©2026 ThreatLocker Inc., All Rights Reserved