Cisco hacked, Microsoft 365 abused by phishing scam, vulnerable DELL devices and Salesforce breached...
Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. We’ve also got the latest CVE information to help you stay ahead of vulnerabilities. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team, who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.
News & Articles
Hackers Abuse Microsoft 365’s Direct Send Feature to Deliver Internal Phishing Attacks
Cybercriminals have discovered a sophisticated new attack vector by exploiting Microsoft 365’s Direct Send feature to deliver phishing campaigns that masquerade as legitimate internal communications.
This emerging threat leverages a legitimate Microsoft service designed for multifunction printers and legacy applications, turning it into a weapon for social engineering attacks that bypass traditional email security controls.
The attack campaign represents a significant evolution in phishing tactics, as threat actors can now send malicious emails that appear to originate from within the target organisation without requiring valid credentials or authentication.
By exploiting Direct Send’s inherent trust model, attackers achieve unprecedented credibility in their phishing attempts, making detection and prevention considerably more challenging for security teams.
The attack mechanism follows a carefully orchestrated four-step process that exploits multiple layers of email infrastructure.
Attackers initially establish connections to virtual hosts running Windows Server 2022 through Remote Desktop Protocol on port 3389, providing them with a legitimate Windows environment for their operations.
From these compromised hosts, they initiate SMTP connections to unsecured third-party email security appliances hosted by regional Infrastructure-as-a-Service providers.
These compromised appliances serve as SMTP relays, featuring valid DigiCert SSL certificates and supporting AUTH PLAIN LOGIN with STARTTLS encryption.
However, the appliances expose vulnerable ports 8008, 8010, and 8015 with expired or self-signed certificates, creating security gaps that attackers exploit.
The malicious messages are then relayed through these appliances directly to Microsoft 365 tenants, where they are delivered via Direct Send using spoofed internal sender addresses.
Organisations can implement immediate protection by executing the PowerShell command Set-OrganizationConfig -RejectDirectSend $true to disable Direct Send functionality.
Additionally, monitoring message headers for composite authentication failures marked as compauth=fail can help identify these sophisticated spoofing attempts before they reach end users.
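A defender-side check for the compauth=fail signal described above, added here as an example and not taken from the original article or from Microsoft: it joins the folded Authentication-Results header of a raw message, extracts the composite authentication verdict, and flags messages that failed it while the visible From address claims one of the organisation's own domains. The sample messages and the contoso.example domain are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages, not taken from the article. SPOOFED mimics a
# Direct Send spoof: Exchange Online stamped compauth=fail, yet the visible
# From address claims an internal sender. LEGIT is an ordinary internal mail.
SPOOFED = """\
Authentication-Results: spf=fail (sender IP is 203.0.113.10)
 smtp.mailfrom=contoso.example; dkim=none (message not signed)
 header.d=none;dmarc=fail action=none header.from=contoso.example;
 compauth=fail reason=001
From: IT Helpdesk <helpdesk@contoso.example>
Subject: Action required: password expiry
"""
LEGIT = """\
Authentication-Results: spf=pass smtp.mailfrom=contoso.example;
 dkim=pass header.d=contoso.example; dmarc=pass action=none
 header.from=contoso.example; compauth=pass reason=100
From: Bob <bob@contoso.example>
Subject: Lunch
"""

def composite_auth(raw: str) -> dict:
    # Join folded Authentication-Results lines first: the compauth verdict
    # usually sits on a continuation line, as in SPOOFED above.
    msg = message_from_string(raw)
    joined = re.sub(r"\s+", " ", " ".join(msg.get_all("Authentication-Results", [])))
    m = re.search(r"compauth=(\w+)(?:\s+reason=(\d+))?", joined)
    if not m:
        return {"compauth": "none", "reason": None}
    return {"compauth": m.group(1).lower(), "reason": m.group(2)}

def from_domain(raw: str) -> str:
    # Domain of the visible From address, lower-cased ('' if absent).
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()

def is_suspected_internal_spoof(raw: str, internal_domains: set) -> bool:
    # Failed composite authentication on mail claiming one of our own
    # domains is the pattern the article associates with Direct Send abuse.
    return (composite_auth(raw)["compauth"] == "fail"
            and from_domain(raw) in internal_domains)

def triage(messages, internal_domains: set) -> list:
    # Subjects of messages that should be quarantined or reviewed.
    return [message_from_string(m).get("Subject", "") for m in messages
            if is_suspected_internal_spoof(m, internal_domains)]
```

In a real deployment the same logic belongs in a transport rule or mail-flow monitor; this script only shows which header fields carry the signal.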
Cisco Hacked – Attackers Stole Profile Details of Users Registered on Cisco.com
Cisco has confirmed it was the target of a cyberattack where a malicious actor successfully stole the basic profile information of an undisclosed number of users registered on Cisco.com.
The technology giant revealed that the breach occurred after an employee was deceived by a sophisticated voice phishing, or “vishing,” attack.
The incident, which Cisco became aware of on July 24, 2025, did not compromise sensitive information such as passwords, financial details, or confidential corporate data. However, it highlights the growing threat of social engineering tactics that target employees as a gateway into corporate systems.
Millions of Dell Laptops Vulnerable to Device Takeover and Persistent Malware Attacks
A wide range of vulnerabilities affects millions of Dell laptops used by government agencies, cybersecurity professionals, and enterprises worldwide.
The vulnerabilities, collectively dubbed “ReVault,” target the Broadcom BCM5820X security chip embedded in Dell’s ControlVault3 firmware, creating opportunities for attackers to steal passwords, biometric data, and maintain persistent access to compromised systems.
The vulnerabilities affect more than 100 different models of Dell laptops, primarily from the business-focused Latitude and Precision series that are widely deployed in sensitive environments.
Dell ControlVault serves as a “hardware-based security solution that provides a secure bank that stores your passwords, biometric templates, and security codes within the firmware,” according to the company.
Google Discloses Data Breach via Salesforce Hack
Google revealed that one of its corporate Salesforce instances was targeted by threat actors. The attack appears to be part of a campaign that has hit several major companies.
The tech giant said its Salesforce instance was targeted in June and attributed the activity to a threat group tracked as UNC6040.
Google said the hackers obtained contact information and related notes for small and medium businesses from the compromised environment.
“Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off,” Google explained. “The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details.”
Salesforce pointed out that its systems have not been compromised and the attacks do not exploit any vulnerability in its platform. The company suggested that the recent attacks are the result of sophisticated phishing and other social engineering attacks targeting its customers.
Latest Vulnerabilities & Exploits
CVE-2025-8578
High - Google Chrome
Use after free in Cast in Google Chrome prior to 139.0.7258.66 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium).
CVE-2025-35970
High - EPSON and FUJIFILM
On multiple products of SEIKO EPSON and FUJIFILM Corporation, the initial administrator password is easy to guess from the information available via SNMP. If the administrator password is not changed from the initial one, a remote attacker with SNMP access can log in to the product with administrator privileges.
CVE-2025-32094
Medium - Akamai Ghost
An issue was discovered in Akamai Ghost, as used for the Akamai CDN platform before 2025-03-26. Under certain circumstances, a client making an HTTP/1.x OPTIONS request with an “Expect: 100-continue” header, and using obsolete line folding, can lead to a discrepancy in how two in-path Akamai servers interpret the request, allowing an attacker to smuggle a second request in the original request body.
CVE-2025-8577
Medium - Google Chrome
Inappropriate implementation in Picture in Google Chrome prior to 139.0.7258.66 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium).
Sources: cybersecuritynews.com, securityweek.com, Tenable
