"Most major cybersecurity compliance frameworks are moving in the same direction. NIST, HIPAA, ISO 27001, and the Australian Essential Eight (just to name a few) are rooted in Zero Trust philosophy: controlling access, enforcing least privilege, blocking unauthorized software, and continuously monitoring the environment. That does not mean buying a Zero Trust product automatically makes you compliant. But in my experience, organizations that genuinely adopt a Zero Trust approach find compliance becomes significantly easier, regardless of the framework." - Danny Jenkins
From the ThreatLocker blog
RTO risks, SaaS security, and Zero Trust without friction
Office environments come with their own vulnerabilities
What's happening: Return to office mandates are increasing, and it has many wondering whether organizations are at greater risk of cyber threats in an office or remote/hybrid setting. Phishing attempts spike with remote work, and unsecure home networks and unknown personal devices create headaches for IT teams. However, ransomware can spread faster on internal systems, and the office environment can inadvertently increase insider threat risks.
Why it matters:Assuming the corporate network is inherently safer leaves organizations open to risk. Many worry that returning to the office will lead companies to loosen controls concerning device validation, identity verification, and behavioral monitoring.
The big picture: Attackers do not care where someone is working from. They only care about vulnerabilities they can exploit. With cloud platforms and SaaS tools handling so much data, access typically comes down to credentials rather than location. See which environment creates the biggest hidden risks.
What's happening: Software-as-a-service (SaaS) platforms are integral to many organizations, and attacks against them are increasing. Instead of only targeting infrastructure vulnerabilities, many threat actors target weak access controls and identity gaps, controls that sit on the customer side of responsibility. Insider threats, misconfigurations, and excessive permissions are all underestimated SaaS security risks.
Why it matters:A successful breach of a SaaS platform can impact thousands of customers, and many organizations misunderstand SaaS security. Providers secure the service itself through firewalls and hardened infrastructure, but each customer is responsible for securing how the service is configured and accessed in their own environment.
The big picture: In SaaS environments, credential theft and permission abuse account for most security incidents, and these are outside the SaaS providers' control. Real SaaS security must be enforced internally with default-deny allowlisting and least privilege access. The SaaS security gaps many organizations miss.
Modern tools make the process more intuitive and scalable
What's happening: More frameworks and governments are aligning with or recommending Zero Trust controls as the best defense against cyber threats, leading to an increase in Zero Trust adoption. In the past, organizations have resisted Zero Trust because of cumbersome early tools and the perception that Zero Trust adoption disrupts productivity. Truthfully, Zero Trust is about taking control and simplifying daily work.
Why it matters: Not running a Zero Trust framework increases risk. Modern threats have been designed to bypass traditional defenses that hope to catch malicious activity before too much damage is done.
The big picture: Adopting Zero Trust isn't complex with the right plan in place. Educate internal security and operations teams on the benefits of Zero Trust. Learn your environment and simulate policies before full rollout to ensure vital functions aren't restricted. A practical roadmap for Zero Trust adoption.
Webinar: MFA is not enough: How to stop phishing and session hijacking attacks
Tuesday, June 16
Session hijacking and token theft attacks are increasing because attackers no longer need passwords to compromise accounts. Learn how device-level access controls can stop phishing-based account takeover attacks even after credentials are stolen.
PhaaS continues to grow, trust in AI is being abused
Phishing-as-a-service platform gives access without credentials
Kali365 enables attackers to bypass MFA
What's happening: The FBI has warned of a phishing-as-a-service (PhaaS) platform called Kali365 that allows attackers to access Microsoft 365 tokens and bypass MFA without legitimate credentials. The platform runs as a subscription service and provides AI-generated phishing lures, victim tracking, and automated templates.
Why it matters: The attacks typically impersonate trusted cloud and document sharing services and provide a code for the target to paste into a legitimate Microsoft verification page. From here, threat actors gain OAuth access and refresh tokens, giving them access to Teams, Outlook, OneDrive, and more.
The big picture: Assuming compromise is not as far-fetched as it may have once seemed. The likelihood of one of your coworkers or employees falling for a phishing attack is increasing. Controls that restrict what users—legitimate or malicious—can access or execute are crucial to limiting damage after compromise.
AI chatbots recommend malicious sites
Active cryptojacking campaign using AI chatbots
What's happening: Microsoft is warning of a new cryptojacking campaign that is using AI chatbots to send unsuspecting users to malicious download sites. CrystalDiskInfo, HWMonitor, and PDFgear are some of the legitimate utilities being impersonated, and Microsoft speculated the goal is to compromise systems with the highest mining value rather than infecting the most machines possible.
Why it matters:Users are finding these websites in interactions with LLMs or in search results thanks to SEO poisoning. Most often, they are asking for software download recommendations and are directed to the malicious sites by the AI chatbot.
The big picture: Users are beginning to trust AI recommendations and LLMs the same way they trust search engines, and attackers are exploiting that shift. Continuous verification is a must when it comes to researching and using new tooling. Users should validate software sources internally instead of implicitly trusting search engines or AI-generated recommendations.
ThreatLocker events
Meet the Cyber Hero Team in person at these upcoming events
InfoTech Live | June 9–11 Las Vegas, Nevada
Kaseya DattoCon Europe | June 16–18 Prague, CZ
GITEX Europe | June 30–July 1 Berlin, DE
SANSFIRE | July 14–15 Washington D.C.
Black Hat USA | August 1–6 Las Vegas, Nevada
Technology in Government | August 4–5 Canberra, AU