Reason for Google outage revealed, Microsoft releases updates, malware being distributed on Discord, Entra ID accounts attacked...
Welcome to this week’s Security News. We’ve collated the best articles from the around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.
Vulnerabilities and Patches
Microsoft Releases June 2025 Security Updates
Microsoft has released security updates to address 66 flaws, including one actively exploited vulnerability and another that was publicly disclosed. The Patch Tuesday also fixes ten “Critical” vulnerabilities, eight being remote code execution vulnerabilities and two being elevation of privileges bugs. The number of bugs in each vulnerability category is listed below:
- 13 Elevation of Privilege Vulnerabilities
- 3 Security Feature Bypass Vulnerabilities
- 25 Remote Code Execution Vulnerabilities
- 17 Information Disclosure Vulnerabilities
- 6 Denial of Service Vulnerabilities
- 2 Spoofing Vulnerabilities
The platforms known to be affected are Microsoft Windows, Microsoft Windows, Microsoft Office, Microsoft SharePoint server and many more. This month’s Patch Tuesday fixes one actively exploited zero-day and one publicly disclosed vulnerability. Microsoft classifies a zero-day flaw as publicly disclosed or actively exploited while no official fix is available. Microsoft has reported that CVE-2025-33053 in Web Distributed Authoring and Versioning (WEBDAV) is under active exploitation. The NHS England National CSOC assesses further exploitation as likely. Additionally, Microsoft has reported that a proof-of-concept exploit is available for CVE-2025-33073 in Windows SMB Client. Affected organisations are encouraged to review Microsoft’s June 2025 Security Updates and apply the relevant updates.
Palo Alto Networks Patches Privilege Escalation Vulnerabilities
Palo Alto Networks on Wednesday published seven security advisories that detail as many vulnerabilities in its products, along with the implementation of recent Chrome fixes. The most severe of the resolved flaws is CVE-2025-4232, a high-severity improper neutralization of wildcards bug in GlobalProtect for macOS that leads to code injection.
Impacting the log collection feature of the application, the security defect can be exploited by authenticated attackers to elevate their privileges to root, Palo Alto Networks warns. The company also drew attention to a set of 11 Chrome fixes it implemented in its products alongside a patch for CVE-2025-4233, an inappropriate implementation in cache vulnerability affecting the Prisma Access Browser.
Patches were also released for a medium-severity command injection flaw in PAN-OS, tracked as CVE-2025-4231, that allows an attacker authenticated as an administrator to perform actions as root. “The attacker must have network access to the management web interface and successfully authenticate to exploit this issue,” the company says. Another PAN-OS command injection bug, CVE-2025-4230, allows an attacker logged into an administrator account with access to the CLI to bypass system restrictions and execute arbitrary commands as root. “The security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators,” Palo Alto Networks says.
The company has also resolved a PAN-OS defect that could allow users able to intercept packets sent from the firewall to view unencrypted data being sent through the SD-WAN interface, and an incorrect privilege assignment issue in Cortex XDR Broker VM allowing attackers to escalate their privileges to root.
Cyber Attacks
Password-spraying attacks target 80,000 Microsoft Entra ID accounts
Cybersecurity researchers have uncovered a new account takeover (ATO) campaign that leverages an open-source penetration testing framework called TeamFiltration to breach Microsoft Entra ID (formerly Azure Active Directory) user accounts.
The activity, codenamed UNK_SneakyStrike by Proofpoint, has targeted over 80,000 user accounts across hundreds of organizations’ cloud tenants since a surge in login attempts was observed in December 2024, leading to successful account takeovers. “Attackers leverage Microsoft Teams API and Amazon Web Services (AWS) servers located in various geographical regions to launch user-enumeration and password-spraying attempts,” the enterprise security company said. “Attackers exploited access to specific resources and native applications, such as Microsoft Teams, OneDrive, Outlook, and others”.
TeamFiltration, publicly released by researcher Melvin “Flangvik” Langvik in August 2022 at the DEF CON security conference, is described as a cross-platform framework for “enumerating, spraying, exfiltrating, and backdooring” Entra ID accounts. The tool offers extensive capabilities to facilitate account takeover using password spraying attacks, data exfiltration, and persistent access by uploading malicious files to the target’s Microsoft OneDrive account. At its peak, the campaign targeted 16,500 accounts in a single day in early January 2025. The three primary source geographies linked to malicious activity based on the number of IP addresses include the United States (42%), Ireland (11%), and Great Britain (8%).
Discord flaw lets hackers reuse expired invites in malware campaign
Attackers are monitoring deleted or expired Discord invitations and use them in a campaign that has impacted 1,300 users in the US, UK, France, the Netherlands, and Germany, based on Check Point’s download count of the malicious payloads. The researchers say that cybercriminals are hijacking Discord invite links from legitimate communities and share them on social media or official community websites.
To add credibility to the deceit, hackers design the malicious servers to look authentic. The malicious Discord servers only show a single channel to the visitor, #verify, and a bot prompts the user to go through a verification process. Hackers are hijacking expired or deleted Discord invite links to redirect users to malicious sites that deliver remote access trojans and information-stealing malware. The campaign relies on a flaw in the Discord invitation system to leverage multi-stage infections that evade multiple antivirus engines. Discord invite links are URLs that allow someone to join a specific Discord server. They contain an invite code, which is a unique identifier that grants access to a server and can be temporary, permanent, or custom – vanity links available to ‘level 3’ servers paying for special perks. As part of the perks for level 3 Discord servers, administrators can create a personalized invite code. For regular servers, Discord generates random invite links automatically and the chance of one repeating itself is very low. However, hackers noticed that when a level 3 server loses its boost status, the custom invite code becomes available and can be reclaimed by another server.
Researchers at cybersecurity company Check Point say that this is also true in the case of expired temporary invites or deleted permanent invitation links. They say that “the mechanism for creating custom invite links surprisingly lets you reuse expired temporary invite codes, and, in some cases, deleted permanent invite codes.”
In Other News...
Google links massive cloud outage to API management issue
Google says an API management issue is behind Thursday’s massive Google Cloud outage, which disrupted or brought down its services and many other online platforms. Besides Google Cloud, the incident also impacted Gmail, Google Calendar, Google Chat, Google Cloud Search, Google Docs, Google Drive, Google Meet, Google Tasks, Google Voice, Google Lens, Discover, and Voice Search. However, it also caused widespread issues for third-party platforms that rely on Google Cloud, including but not limited to Spotify, Discord, Snapchat, NPM, Firebase Studio, and a limited number of Cloudflare services relying on the Workers KV key-value store. “We are deeply sorry for the impact to all of our users and their customers that this service disruption/outage caused.
Businesses large and small trust Google Cloud with your workloads and we will do better,” Google said. While it’s still working on publishing a full incident report, Google revealed the root cause of what caused an increased number of 503 errors in external API requests during yesterday’s three-hour-long outage. As the company explained, its Google Cloud API management platform failed due to invalid data, an issue that wasn’t discovered and remediated promptly because it lacked effective testing and error-handling systems. “From our initial analysis, the issue occurred due to an invalid automated quota update to our API management system, which was distributed globally, causing external API requests to be rejected. To recover we bypassed the offending quota check, which allowed recovery in most regions within 2 hours,” the company added.
Zero-Click AI Vulnerability Exposes Microsoft 365 Copilot Data Without User Interaction
A novel attack technique named EchoLeak has been characterized as a “zero-click” artificial intelligence (AI) vulnerability that allows bad actors to exfiltrate sensitive data from Microsoft 365 (M365) Copilot’s context sans any user interaction. The critical-rated vulnerability has been assigned the CVE identifier CVE-2025-32711 (CVSS score: 9.3). It requires no customer action and has been already addressed by Microsoft. There is no evidence that the shortcoming was exploited maliciously in the wild.
“AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network,” the company said in an advisory released Wednesday. It has since been added to Microsoft’s Patch Tuesday list for June 2025, taking the total number of fixed flaws to 68. Aim Security, which discovered and reported the issue, said it’s an instance of a large language model (LLM) Scope Violation that paves the way for indirect prompt injection, leading to unintended behaviour. LLM Scope Violation occurs when an attacker’s instructions embedded in untrusted content, e.g., an email sent from outside an organisation, successfully tricks the AI system into accessing and processing privileged internal data without explicit user intent or interaction. “The chains allow attackers to automatically exfiltrate sensitive and proprietary information from M365 Copilot context, without the user’s awareness, or relying on any specific victim behaviour,” the Israeli cybersecurity company said. “The result is achieved despite M365 Copilot’s interface being open only to organisation employees”.
In EchoLeak’s case, the attacker embeds a malicious prompt payload inside markdown-formatted content, like an email, which is then parsed by the AI system’s retrieval-augmented generation (RAG) engine. The payload silently triggers the LLM to extract and return private information from the user’s current context.