Today we are joined by Amanda Rousseau, Principal AI Security Researcher from Straiker, discussing their work on "The Silent Exfiltration: Zero‑Click Agentic AI Hack That Can Leak Your Google Drive with One Email." Straiker’s research found that enterprise AI agents can be silently manipulated to leak sensitive data, even without user clicks or alerts. By chaining small gaps across tools like Gmail, Google Drive, and calendars, attackers achieved zero-click exfiltration, system mapping, and even policy rewrites. The findings highlight that excessive agent autonomy creates a new attack surface, requiring least-privilege design, runtime guardrails, and continuous red-teaming to stay secure.
The research can be found here:
The Silent Exfiltration: Zero‑Click Agentic AI Hack That Can Leak Your Google Drive with One Email
Learn more about your ad choices. Visit megaphone.fm/adchoices
--------
22:02
--------
22:02
Don’t trust that app!
Today we are joined by Selena Larson, co-host of Only Malware in the Building and Staff Threat Researcher and Lead Intelligence Analysis and Strategy at Proofpoint, sharing their work on "Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing." Proofpoint researchers have identified campaigns where threat actors use fake Microsoft OAuth apps to impersonate services like Adobe, DocuSign, and SharePoint, stealing credentials and bypassing MFA via attacker-in-the-middle phishing kits, mainly Tycoon.
These attacks redirect users to fake Microsoft login pages to capture credentials, 2FA tokens, and session cookies, targeting nearly 3,000 Microsoft 365 accounts across 900 environments in 2025. Microsoft’s upcoming security changes and strengthened email, cloud, and web defenses, along with user education, are recommended to reduce these risks.
The research can be found here:
Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing
Learn more about your ad choices. Visit megaphone.fm/adchoices
--------
20:41
--------
20:41
Cracks in the wall.
This week, we are joined by Jamie Levy, Director of Adversary Tactics at Huntress, who is discussing their work on "Active Exploitation of SonicWall VPNs." Huntress has released an urgent threat advisory on active exploitation of SonicWall VPNs, with attackers bypassing MFA, pivoting to domain controllers, and ultimately deploying Akira ransomware. The campaigns involve techniques such as disabling defenses, clearing logs, credential theft, and Bring Your Own Vulnerable Driver (BYOVD) attacks with legitimate Windows drivers.
Organizations using SonicWall devices are strongly advised to disable SSL VPN access or restrict it via IP allow-listing, rotate credentials, and hunt for indicators of compromise as this remains an ongoing and evolving threat.
Complete our annual audience survey before August 31.
The research can be found here:
Huntress Threat Advisory: Active Exploitation of SonicWall VPNs
Learn more about your ad choices. Visit megaphone.fm/adchoices
--------
13:13
--------
13:13
Beyond the smoke screen.
This week, we are joined by Dr. Renée Burton, VP of Infoblox Threat Intel, who is discussing their work on VexTrio, a notorious traffic distribution system (TDS) involved in digital fraud. The VexTrio investigation uncovers a massive global ad fraud and scam operation powered by just 250 virtual machines, tying it directly to named individuals and shell companies across Europe.
The research exposes VexTrio’s full criminal supply chain—including fake apps, dating scams, affiliate networks, and payment processors—alongside a powerful CDN infrastructure ranked among the world’s top 10k domains. It also calls on the adtech industry to take accountability for enabling and sustaining such widespread abuse.
Complete our annual audience survey before August 31.
The research can be found here:
VexTrio’s Origin Story : From Spam to Scam to Adtech
Learn more about your ad choices. Visit megaphone.fm/adchoices
--------
22:22
--------
22:22
The CVE countdown clock.
Bob Rudis, VP Data Science from GreyNoise, is sharing some insights into their work on "Early Warning Signals: When Attacker Behavior Precedes New Vulnerabilities." New research reveals a striking trend: in 80% of cases, spikes in malicious activity against enterprise edge technologies like VPNs and firewalls occurred weeks before related CVEs were disclosed.
The report breaks down this “6-week critical window,” highlighting which vendors show the strongest early-warning patterns and offering tactical steps defenders can take when suspicious spikes emerge. These findings reveal how early attacker activity can be transformed into actionable intelligence, enabling defenders to anticipate and neutralize threats before vulnerabilities are publicly disclosed.
Complete our annual audience survey before August 31.
The research can be found here:
Early Warning Signals: When Attacker Behavior Precedes New Vulnerabilities
Learn more about your ad choices. Visit megaphone.fm/adchoices
Netherlands