"We have to go one step further than having a list of trusted applications. By placing blocks on even your organization's most trusted applications and keeping permissions only at the business-critical level, you're not going to give any would-be attackers much breathing room." -Danny Jenkins
From the ThreatLocker blog
The Stryker attack and Conduent breach, Fog ransomware, and restricting M365 access
Attack highlights risks of compromised device management
What happened: A major data-wiping cyberattack hit the medical technology group Stryker on March 11, with 56,000 employees affected across 79 countries. Early reporting suggests the attack may have involved Microsoft Intune, though that is unconfirmed. Instead of deploying malware directly on endpoints, attackers appear to have targeted the systems that manage those devices, gaining administrative control and issuing remote reset commands that wiped affected machines. From the device's perspective, this action appeared legitimate.
Why it matters: Modern operating systems rely on trusted device management components to process administrative commands. Because these components carry powerful admin permissions, they are an attractive target for attackers seeking to cause widespread destruction.
The big picture: Destructive attacks can unfold very quickly when attackers gain access to trusted management systems. The final investigation will confirm what technique was used, but the lesson is clear: Default-deny controls and strict limitations on administrative tools help prevent trusted systems from being abused at scale.
What happened: Cybercrime group SafePay infiltrated third-party processor Conduent and stole the data of 25 million people between October 2024 and January 2025. While Conduent began notifying state regulators as early as January 2025, many affected individuals were not notified until October 2025 at the earliest. The company has not revealed how attackers gained access. Stolen data includes Social Security numbers, insurance information, and healthcare data.
Why it matters: Many of the affected individuals have never directly interacted with Conduent. Third-party providers often have privileged access to sensitive systems and databases, and they continue to be high-value targets for attackers. A single vendor compromise can quickly impact millions without the proper controls in place.
The big picture: Security responsibilities do not stop at your own environment. Restrict third-party system access to only what is required for their services, enforce Just-in-Time access for authentication credentials, and track authentication events and data access originating from vendor accounts or integrations.
40% of incidents begin with credentials harvested from infostealer logs
What's happening: First observed in 2024, Fog ransomware has quickly become a global threat targeting healthcare, education, manufacturing, and critical infrastructure. Its developers have built a modular payload that can be tailored to different victims, combining file encryption with data theft and lateral movement. Fog relies heavily on living-off-the-land (LOTL) tactics, using PowerShell scripts for persistence and legitimate remote-management applications to maintain access.
Why it matters: Fog is one of several newer operations that favor legitimate administrative utilities in order to blend into normal activity. Fog frequently gains initial access using stolen VPN logins or unpatched edge devices, with more than 40% traced to credentials harvested from infostealer logs circulating on criminal marketplaces. Once inside, attackers often attempt to disable endpoint protection tools before launching encryption.
The big picture: Threat actors no longer need bespoke malware or cutting-edge exploits. They can inflict significant damage by moving fast and abusing legitimate tools. Defending against Fog ransomware means shifting from chasing indicators to tightening the rules governing what users and applications can do inside your network.
What you need to know: As part of the new ThreatLocker Zero Trust Cloud Access capability, administrators can implement Conditional Access policies that restrict Microsoft 365 logins to only specific public IP addresses. Instead of trusting credentials alone, access is verified through the device, pathway, policy, and request.
Why it matters: Threat actors are increasingly targeting SaaS applications because they tend to have privileged access across environments. M365 accounts in particular are frequent targets for phishing, token theft, and session hijacking. Conditional Access policies ensure that even with valid credentials, attackers cannot log in unless they are connecting from a trusted IP address.
The big picture: Credentials and MFA are no longer enough. To neutralize phishing and token theft, cloud and SaaS access should be tied to a secure broker that verifies each login request. ThreatLocker breaks down how you can implement these controls.
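The decision described above, modelled as an added example (not ThreatLocker's code; the product's policy syntax is not on the page): a credentials-plus-MFA policy beside a Conditional Access policy that also requires an allowlisted public IP, run over constructed sign-in records. The allowlist, accounts and addresses are all made up for illustration.

```python
import ipaddress

# Constructed allowlist of the organisation's public egress ranges (RFC 5737
# documentation prefixes). The ThreatLocker policy syntax is not on the page;
# this models only the access decision.
TRUSTED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),    # office egress
    ipaddress.ip_network("198.51.100.10/32"),  # vendor VPN concentrator
]

# Constructed sign-in records, loosely modelled on M365 sign-in logs.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com",      "ip": "203.0.113.45",  "creds_valid": True,  "mfa": True},
    # Valid password and MFA but from outside the allowlist: what a phished
    # credential or replayed session token looks like in the log.
    {"user": "alice@example.com",      "ip": "192.0.2.77",    "creds_valid": True,  "mfa": True},
    {"user": "vendor-svc@example.com", "ip": "198.51.100.10", "creds_valid": True,  "mfa": True},
    {"user": "bob@example.com",        "ip": "203.0.113.9",   "creds_valid": False, "mfa": False},
]

def is_trusted_ip(ip, ranges=TRUSTED_RANGES):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)

def credential_only_decision(signin):
    """Weak policy: admit whoever presents valid credentials plus MFA."""
    if signin["creds_valid"] and signin["mfa"]:
        return "allow"
    return "deny:bad_credentials"

def conditional_access_decision(signin, ranges=TRUSTED_RANGES):
    """Hardened policy: credentials are necessary but not sufficient; the
    request must also arrive from an allowlisted public IP."""
    base = credential_only_decision(signin)
    if base != "allow":
        return base
    if not is_trusted_ip(signin["ip"], ranges):
        return "deny:untrusted_ip"
    return "allow"

def blocked_only_by_location(signins, ranges=TRUSTED_RANGES):
    """Sign-ins the weak policy admits but the IP restriction stops: valid
    credentials in the wrong hands, the events worth alerting on."""
    return [s for s in signins
            if credential_only_decision(s) == "allow"
            and conditional_access_decision(s, ranges) == "deny:untrusted_ip"]

if __name__ == "__main__":
    for s in blocked_only_by_location(SAMPLE_SIGNINS):
        print(f"ALERT {s['user']} from {s['ip']}: valid credentials, untrusted source IP")
```

The second record is the case the page describes: password and MFA both pass, and only the source-IP check stops the login.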
Threats you need to know
AI accelerates vulnerability discovery, while attackers are adapting to defenses
Anthropic finds 22 new Firefox vulnerabilities in just two weeks
Claude Opus 4.6 AI model identified 14 high-severity vulnerabilities
What you need to know: Researchers at Anthropic analyzed Firefox's codebase and discovered 22 previously unknown vulnerabilities. Most were patched by Mozilla in Firefox 148 after the AI scanned nearly 6,000 C++ files and submitted more than 100 bug reports. Detections were verified by human researchers to rule out false positives. Anthropic also gave the Claude model access to the full list of vulnerabilities and tasked it with developing an exploit for them. Claude Opus 4.6 was able to turn a defect into a working exploit in only two cases.
Why it matters: The findings show how quickly an LLM can discover vulnerabilities, which can benefit both defenders and attackers. For defenders, the 14 high-severity vulnerabilities unearthed by the LLM in January 2026 amount to a fifth of all high-severity vulnerabilities patched by Firefox in 2025. The same speed and efficiency, however, are available to attackers as well.
The big picture: In this case, using AI to identify vulnerabilities proved cheaper and more effective than using it to create exploits for them. But the fact that Claude could automatically produce even a single working exploit signals how quickly that balance could shift.
ClickFix campaign abuses Windows Terminal app
Social engineering campaign activates attack chain and deploys Lumma Stealer malware
What you need to know: Microsoft has uncovered a ClickFix campaign that tricks users into opening Windows Terminal and pasting a malicious command from a fake CAPTCHA. This triggers a multi-stage attack chain that eventually installs the credential-harvesting malware Lumma Stealer. Discovered last month, the campaign steers users into a privileged command-execution environment because it appears more trustworthy.
Why it matters: Earlier ClickFix attacks relied on the Windows Run dialog, so many security tools shifted to monitor it closely. This campaign bypasses those specific detections and takes advantage of Windows Terminal's legitimacy instead.
The big picture: Threat actors do not depend on a single attack vector. They evolve once detection tools catch on. With security, prevention will always beat detection. Restricting what scripts, commands, and applications are allowed to execute, along with monitoring for abnormal behavior, provides the strongest defense.
Identity controls like MFA and password managers can mitigate phishing threats, but threat actors will still find ways to capture valid credentials and session tokens to breach your network.
Join our upcoming webinar to explore how the new ThreatLocker Zero Trust Network and Cloud Access solutions can render correct credentials useless if they’re in the wrong hands.
Tuesday | March 17 | 11 a.m. Eastern
Featuring ThreatLocker CEO Danny Jenkins and CTO Michael Jenkins