"If a user is willing to enter their credentials, they are also likely willing to provide their one-time code. All an attacker needs to do is get a single user in an organization to click one of their phishing links, sending the user to a website that looks exactly like the service they normally log into. The attacker can then forward those credentials to the actual service in real time but remain in the middle. Once a user signs in, the attacker has access to the service as that user for as long as the token lasts." -Danny Jenkins
This is where enforcement at the device and resource level becomes critical.
New from ThreatLocker
Render phishing useless
The ThreatLocker Zero Trust Platform now delivers the industry’s most comprehensive suite of Zero Trust solutions, protecting endpoints, networks, and the cloud.
At ZTW26, we announced the addition of Zero Trust network and cloud access solutions that enforce device-based verification to restrict unauthorized access to cloud services and networks. Access is denied by default unless the connection originates from an approved device brokered through the ThreatLocker platform.
Key capabilities of the solution include:
Providing employees with secure access to cloud systems and networks through validated computers and cell phones.
Supporting straightforward deployment, with implementations possible in as little as thirty minutes.
Giving security administrators granular control over new endpoint access to company resources.
What happened: In 2025, Windows Notepad gained Markdown support, adding formatting features such as styled text, lists, and clickable hyperlinks. Vulnerability CVE-2026-20841 allowed attackers to craft malicious links that leveraged URI handlers to execute unintended commands. The risk is more severe if the attacker already has write permissions on a machine. In February, Microsoft addressed this vulnerability in its regular Patch Tuesday updates.
Why it matters: This issue emerged from expanded functionality rather than privilege escalation or improper input validation. As applications evolve, each new feature introduces new processing logic and a new potential attack surface.
The bottom line: The more functionality a tool gains, the more scrutiny it demands. More processing logic means more opportunity for abuse. A default-deny approach to even trusted built-in tools can limit lateral movement and restrict unauthorized execution if a longstanding utility is compromised.
What you need to know: Notepad represents implicit trust at the endpoint while VPN appliances represent trust at the edge. Recent SSL-VPN compromises involving Fortinet and SonicWall have led directly to ransomware deployment and domain takeover. Once attackers gained VPN access, they often moved laterally within hours. These devices are able to authenticate users, route traffic, and frequently operate with broad internal visibility. In the aforementioned incidents, access was achieved through software vulnerabilities, legacy credential persistence, cloud backup leaks, and VPN misconfigurations.
Why it matters: The common thread is the abuse of trusted remote-access infrastructure to bypass security. VPN appliances have network-wide reach, and when compromised, attackers are able to function as authenticated internal users.
The bottom line: Perimeter trust is an operational risk. Instead, authentication anomalies should be monitored as if they are admin logins, and trust should never be assumed even post-login.
What's happening: If a default app and a perimeter device can both become entry points for attackers, the issue is with assumed trust more than software vulnerabilities. Ransomware keeps getting faster, AI keeps getting smarter, and Zero Trust cannot be ignored. But where implementation often stalls is not on the technical side. The biggest obstacle to Zero Trust is often workflow disruption, not tooling. Denying by default is the most secure way to prevent ransomware from executing, but organizations are equally concerned with disrupting user experience and processes. Baselining normal business activities, deploying a phased rollout, and starting with simple but high-impact principles go a long way to enhancing your security posture without introducing complexity.
Why it matters: Zero-day exploits aren't waiting around for organizations to adopt Zero Trust. Letting go of a traditional security model is a daunting task, but the modern cyberattack landscape demands it.
The big picture: The financial and reputational fallout from a breach is much more costly than prevention. More than a heightened security posture, Zero Trust is an investment in your company's future.
Threats you need to know
Exposed APIs and targeted persistence campaigns
Public Google Cloud API keys exposed
When AI enablement expands credential risk
What you need to know: Security researchers discovered thousands of publicly exposed Google Cloud API keys embedded in client-side code and repositories. The API keys alone don't always grant full access, but many were tied to services that could be abused for data access, service manipulation, or resource consumption. Some keys were overly permissive and allowed attackers to interact directly with backend cloud resources. The issue occurs when users enable Gemini API on a Google Cloud project. Existing API keys can then inherit access to Gemini endpoints.
Why it matters: Attackers routinely scan for exposed API keys, and API-based access often bypasses MFA entirely. Organizations need to consider how AI-enabled endpoints can interact with prompts, generated content, or connected cloud services.
The bottom line: Google has implemented proactive measures to detect and block leaked API keys that attempt to access the Gemini API. Users should verify whether their AI-related APIs are enabled and, if so, rotate the associated API keys regularly. Older keys are more likely to have retroactively gained Gemini privileges.
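A defender-side scan for the key format this item describes, added here as an example and not taken from Google or the researchers. The sample files and keys are constructed, and the list of file suffixes treated as client-side is an assumption:

```python
import re

# Google Cloud API keys have a fixed, well-known shape: the prefix "AIza"
# followed by 35 URL-safe characters, 39 characters in total.
GOOGLE_API_KEY_RE = re.compile(r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])")

# Constructed sample files standing in for a checked-out repository; the
# keys below are made up and match only the format, not any real project.
SAMPLE_FILES = {
    "static/app.bundle.js": (
        "const cfg = {\n"
        "  apiKey: 'AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q',\n"
        "  projectId: 'demo-project'\n"
        "};\n"
    ),
    "config/settings.yaml": (
        "maps_key: AIzaSyZ9y8X7w6V5u4T3s2R1q0P9o8N7m6L5k4J\n"
        "log_level: info\n"
    ),
    "README.md": "Set GOOGLE_API_KEY in your environment; never commit it.\n",
}

# Assumption: these suffixes are shipped to browsers, so a key in them is public by design.
CLIENT_SIDE_SUFFIXES = (".js", ".html", ".map")

def find_keys(path, text):
    """One finding per key occurrence: location, masked value, and whether it ships to clients."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in GOOGLE_API_KEY_RE.finditer(line):
            key = match.group(0)
            findings.append({
                "path": path,
                "line": lineno,
                "masked": key[:8] + "..." + key[-4:],  # never write the full secret to a report
                "client_side": path.endswith(CLIENT_SIDE_SUFFIXES),
            })
    return findings

def scan(files):
    """Scan a {path: contents} mapping and return all findings in file order."""
    results = []
    for path, text in files.items():
        results.extend(find_keys(path, text))
    return results

if __name__ == "__main__":
    for f in scan(SAMPLE_FILES):
        exposure = "client-side bundle (public)" if f["client_side"] else "repository file"
        print(f"{f['path']}:{f['line']}: {f['masked']} in {exposure}; rotate and restrict it")
```

A hit in a client-side bundle cannot be "un-leaked" by deleting it from the repository; the key has to be rotated and its API and referrer restrictions tightened.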
What you need to know: Threat group UAT-10027 has been targeting U.S. education and healthcare organizations with an end goal of delivering a newly identified backdoor codenamed Dohdoor. This backdoor utilizes the DNS-over-HTTPS (DoH) technique for command-and-control communications. Phishing techniques are suspected to be the initial access vector. The activity has focused on gaining valid account access, maintaining persistence, and moving laterally. No data exfiltration or final payloads have been observed at this time, but the actions are suspected to be driven by financial gain.
Why it matters: This attack is built on targeted phishing and legitimate account usage, making it harder to detect and contain. Education and healthcare are increasingly common targets for cybercriminals, but the attack techniques are scalable to any organization with distributed users and cloud services.
The bottom line: The origin of UAT-10027 is unknown, but researchers have noted similarities between Dohdoor and techniques used by the hacking group Lazarus. Security teams should treat phishing-resistant MFA as a baseline while continuing to monitor for privilege escalation and abnormal session activity.
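An added detection example, not from the researchers' report, that flags DoH-shaped requests in a proxy log using the RFC 8484 traits (the application/dns-message media type, the /dns-query path, well-known resolver hosts) and then looks for repeated pairs that could indicate beaconing. The log format, the log lines, the resolver list and the host name relay.example-unlisted.net are all constructed or assumed:

```python
import re
from collections import Counter

# Public DoH resolvers (RFC 8484 endpoints). Assumption: workstations here resolve
# through the internal resolver, so any DoH is worth a look and DoH to an unlisted host more so.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# One constructed proxy log line: timestamp, client IP, method, URL, content type.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"https://(?P<host>[^/\s]+)(?P<path>\S*) (?P<ctype>\S+)$"
)

SAMPLE_LOG = """\
2026-03-02T09:14:01Z 10.20.5.17 GET https://www.example.com/index.html text/html
2026-03-02T09:14:03Z 10.20.5.17 POST https://dns.google/dns-query application/dns-message
2026-03-02T09:14:07Z 10.20.5.42 GET https://relay.example-unlisted.net/dns-query?dns=AAABAAABAAAAAAAAA2FwaQ application/dns-message
2026-03-02T09:14:09Z 10.20.5.42 GET https://relay.example-unlisted.net/dns-query?dns=AAABAAABAAAAAAAAB3VwZGF0ZQ application/dns-message
2026-03-02T09:14:11Z 10.20.5.99 GET https://cdn.example.com/app.js application/javascript
"""

def is_doh(host, path, ctype):
    """DoH-shaped request: RFC 8484 media type, /dns-query path, or a known resolver host."""
    return (ctype == "application/dns-message"
            or path.startswith("/dns-query")
            or host in KNOWN_DOH_HOSTS)

def detect(log_text):
    """One alert per DoH request; 'high' when the resolver is not on the known list."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the pipeline
        host, path, ctype = m.group("host"), m.group("path"), m.group("ctype")
        if is_doh(host, path, ctype):
            alerts.append({
                "src": m.group("src"),
                "host": host,
                "severity": "high" if host not in KNOWN_DOH_HOSTS else "medium",
            })
    return alerts

def repeat_offenders(alerts, threshold=2):
    """(src, host) pairs seen at least `threshold` times: candidates for C2 beaconing."""
    counts = Counter((a["src"], a["host"]) for a in alerts)
    return [pair for pair, n in counts.items() if n >= threshold]
```

In practice the alert should be joined to the process that opened the connection, since a browser with built-in DoH and an unknown binary talking to an unlisted resolver deserve very different responses.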
Issue 3 of Cyber Hero Frontline is officially live, and we're thrilled to share it with you.
The path to Zero Trust starts with awareness. Inside the issue you'll find:
Industry focus on media and finance sectors
How to defend against SMB attacks
Staffing a resilient in-house SOC
Decoding Australia's Essential Eight
Request a print copy or access the digital copy today: