Instead of placing malware directly on a protected device, the attacker runs it on their own machine or an unsecured virtual machine. The malware connects to a network share—such as a UNC path or hidden admin share—and encrypts files without leaving any malicious code on the host. To defend against this, companies must restrict untrusted devices from connecting to internal systems and monitor network activity for unusual patterns, such as sudden spikes in file changes.
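As an added illustration (not code from the original newsletter or from ThreatLocker), here is the monitoring half of that advice: a Python script that reads constructed file-server audit lines in a made-up format and flags both hidden admin-share access from a client outside an assumed allowlist and a burst of file modifications from a single remote client. The log format, host addresses, allowlist and thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit lines in a made-up format (not any real product's
# log): "<epoch> <client_ip> <share> <operation> <path>".
SAMPLE_LOG = (
    # A normal user saving a document every two minutes on a departmental share.
    [f"{1700000000 + i * 120} 10.0.5.21 \\\\FS01\\Projects write \\plan{i}.docx"
     for i in range(5)]
    # An unknown host reaching the hidden C$ admin share and rewriting 30 files in 30 s.
    + [f"{1700000600 + i} 10.0.9.77 \\\\FS01\\C$ write \\Users\\bob\\doc{i}.xlsx"
       for i in range(30)]
)
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (write|rename|delete) (.+)$")
ALLOWED_ADMIN_CLIENTS = {"10.0.1.10"}  # assumed: the only management host

def parse(lines):
    """Return (epoch, client_ip, share, op, path) tuples, skipping malformed lines."""
    return [(int(m[1]), m[2], m[3], m[4], m[5])
            for line in lines if (m := LINE_RE.match(line))]

def is_admin_share(share):
    return share.rsplit("\\", 1)[-1].endswith("$")  # C$, ADMIN$, IPC$ ...

def max_in_window(stamps, window):
    """Largest number of timestamps that fall inside any `window`-second span."""
    stamps, best, start = sorted(stamps), 0, 0
    for end in range(len(stamps)):
        while stamps[end] - stamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def find_alerts(events, window=60, threshold=20):
    """Flag admin-share use by an untrusted client, and any client whose modifying
    operations on one share exceed `threshold` within `window` seconds."""
    stamps = defaultdict(list)
    alerts = set()
    for ts, ip, share, _op, _path in events:
        stamps[(ip, share)].append(ts)
        if is_admin_share(share) and ip not in ALLOWED_ADMIN_CLIENTS:
            alerts.add((ip, share, "admin share accessed by untrusted client"))
    for (ip, share), ts_list in stamps.items():
        peak = max_in_window(ts_list, window)
        if peak > threshold:
            alerts.add((ip, share, f"{peak} file modifications within {window}s"))
    return sorted(alerts)
```

Running `find_alerts(parse(SAMPLE_LOG))` on the constructed sample reports the 10.0.9.77 client twice (admin-share use and a 30-modification burst) and stays silent on the normal user.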
Anything you can do with a keyboard, this USB device can do
What you need to know: The USB Rubber Ducky has evolved into a stealthy attack tool that masquerades as a keyboard, giving a would-be attacker the same access as a legitimate user. Because it doesn't execute scripts in the traditional sense, an attacker wouldn't need elevated privileges, and because the device identifies itself as a standard HID, the operating system grants it the same trust and access as a real keyboard.
Why it matters: Traditional, behavioral security tools are trained to detect malware, not what appears to be a legitimate user typing. Newer versions have made detection even harder, since they can slow their typing to human speed to further evade behavioral detection.
The big picture: The only practical defense strategy against USB hacking devices is to limit what the commands can do. By restricting application behavior and containing access, organizations can reduce the blast radius even if malicious commands are successfully executed.
What you need to know: Privilege escalation attacks occur when an attacker exploits vulnerabilities, misconfigurations, or stolen credentials to gain higher levels of access within a system—and they're on the rise. Attackers have learned that by stealing credentials and tokens, they can log in as a legitimate user and inherit their access and privileges to evade detection. These attacks can happen horizontally (moving between similar user accounts) or vertically (gaining admin-level control), often after an initial foothold is established.
Why it matters: Once an attacker gains elevated access, they can move freely, accessing sensitive data, installing malware, or disrupting operations. Privilege escalation attacks are particularly dangerous because they often build on legitimate access, making them harder to detect and increasing attackers' dwell time.
The big picture: Human error is a weak point for even the most security-aware organizations. Security awareness remains crucial, but as AI makes phishing and social engineering more convincing, the focus needs to shift to limiting the risks around human error. Enforce device-based access, practice the principle of least privilege, and continuously monitor account activity, so that even if an attacker gets in, they can't take over.
Attackers may be targeting users more than software, but the risks are connected
What you need to know: Regular vulnerability scans are one of the best ways to be proactive about your security posture. They identify security gaps before attackers can exploit them. Common issues these scans identify include open ports, weak encryption protocols, misconfigurations, unpatched software, and outdated firmware.
Why it matters: While you're running regular vulnerability scans, so are attackers. As cyberattacks get faster, more targeted, and more costly, unaddressed vulnerabilities remain an easy entry point. At the same time, attackers are combining these weaknesses with tactics that make their activity appear legitimate, increasing their chances of a successful breach.
The big picture: Vulnerability scanning is only the first step. Pair that proactive scanning with quick remediation and strong controls to prevent exploitation and ensure that if a vulnerability exists, it can't be used to cause harm.
New solutions from ThreatLocker render correct credentials useless if they're in the wrong hands. Discover how you can eliminate the blast radius of stolen identities and ensure that valid logins will not automatically translate to unauthorized network access.
Attackers abuse Microsoft Teams to gain remote access
Using IT support as the attack vector
What's happening: Researchers at BlueVoyant uncovered a sophisticated scheme where attackers bombard employees with spam emails, then impersonate IT support via Microsoft Teams to offer help. They then trick users into launching Quick Assist, giving attackers remote access. Once inside, they deploy a newly discovered backdoor—A0Backdoor. This campaign resembles tactics used by Blitz Brigantine (Storm-1811), a financially motivated group that typically targets financial and healthcare organizations.
Why it matters: This attack relies entirely on social engineering and trusted tools. Attackers are intentionally causing a problem for users, then posing as the solution. If the attacker succeeds, they are granted access and their activity appears legitimate.
The big picture: As is the case in privilege escalation attacks, exploiting human behavior remains a primary entry point, and promoting awareness of common phishing schemes is only one part of the defense. Organizations should assume employees will be phished and limit what attackers can do even with valid credentials or access.
Fake VPN clients used for credential theft
Users are the entry point
What's happening: Microsoft has tracked Storm-2561 using SEO poisoning to distribute fake VPN clients. Users searching for legitimate VPN software are redirected to malicious sites where they download trojanized versions that harvest their credentials. The group has been active since at least May 2025.
Why it matters: Storm-2561 is another example of attackers abusing well-known tools to gain trust. This attack in particular exploits users when they are actively trying to access secure systems. Because the websites and software appear legitimate, users are less likely to question them.
The big picture: Attackers continue to find ways around defenses. Instead of exploiting software vulnerabilities, they're targeting users directly. While detection has improved and MFA adoption has increased, AI-assisted social engineering has become an equally effective path in. To counter this, organizations must control how applications are accessed and installed, enforce trusted sources, and limit what even approved software can do once inside the environment.
Cyber Hero Frontline explores the ideas and strategies shaping modern cybersecurity.