Heroes, daylight starts increasing soon in the Northern Hemisphere. Not that operating in the dark was stopping any of y'all. Here's a curated look at the current cybersecurity landscape for December 20, 2025.
Denmark has officially attributed a destructive 2024 cyberattack on a water utility to Russia, characterizing it as part of a hybrid warfare campaign against Western critical infrastructure. This signals an escalation in state-sponsored targeting of operational technology (OT) sectors.
Business impact
For organizations in critical infrastructure or utilities, this confirms the threat is geopolitical and destructive; a successful attack could lead to physical service disruption, public safety hazards, and severe regulatory penalties.
Recommended action
Ask your OT Security lead: "Have we reviewed our air-gapping and segmentation controls for our operational technology networks in light of confirmed state-sponsored destructive attacks?"
The U.S. CISA has confirmed active exploitation of a critical vulnerability in WatchGuard Firebox firewalls, mandating immediate patching for federal agencies. This flaw allows attackers to take full control of perimeter security devices, potentially granting access to the internal network.
Business impact
Failure to patch immediately leaves the network perimeter wide open to intrusion; for regulated entities, this constitutes a direct violation of FISMA and SOX compliance mandates, risking significant fines and operational shutdown.
Recommended action
Ask your IT team: "Have we identified all WatchGuard Firebox devices in our environment and applied the patch for CVE-2025-14733 as required by the CISA directive?"
Cisco has disclosed a critical zero-day vulnerability in its Secure Email Gateway actively being exploited by a China-linked threat actor (UAT-9686). This flaw allows sophisticated attackers to bypass authentication and access sensitive email communications.
Business impact
If exploited, this vulnerability allows espionage actors to read confidential executive communications and intellectual property, leading to catastrophic loss of trade secrets and potential insider trading risks.
Recommended action
Ask your Security Operations team: "Are we running Cisco Secure Email Gateway, and have we implemented the emergency mitigations or patches for the zero-day disclosed yesterday?"
Security researchers have identified over 25,000 Fortinet devices exposed to the internet with FortiCloud SSO enabled, which are currently being targeted by attackers using a critical authentication bypass vulnerability. This massive exposure surface represents a ticking time bomb for organizations relying on these devices for network security.
Business impact
An unpatched device serves as an open door for ransomware groups to enter the network, encrypt data, and demand payment, causing extended operational downtime and reputational ruin.
Recommended action
Ask your Network Engineering team: "Do we have any Fortinet devices with FortiCloud SSO enabled exposed to the internet, and have we verified they are not among the 25,000 vulnerable instances?"
Threat actors are launching a widespread phishing campaign leveraging the OAuth device code flow to compromise Microsoft 365 accounts. By tricking users into authorizing malicious applications, attackers gain persistent access to email and files without needing the user's password.
Business impact
This attack bypasses traditional password resets and often MFA; a successful compromise allows attackers to exfiltrate sensitive corporate data and launch internal phishing attacks, leading to data breach reporting requirements.
Recommended action
Ask your Identity team: "Can we block or alert on OAuth device code flow requests from non-compliant locations or unmanaged devices?"
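The alert the question above asks for, as an added example written for this rundown (not Microsoft's or any vendor's code): it scans sign-in records shaped like the Microsoft Graph signIn resource (authenticationProtocol, deviceDetail) and flags device-code sign-ins that did not come from a managed, compliant device, or that used an application outside a small allow-list. The sample records and the allow-list are constructed for the example, and the field handling assumes that a sign-in with no deviceDetail at all should be treated as unmanaged.

```python
"""Flag OAuth device-code sign-ins that did not come from a managed, compliant device.

Added example for this rundown; not vendor code. Field names follow the Microsoft
Graph `signIn` resource, but the records below are constructed, not real logs.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample sign-in events shaped like Graph /auditLogs/signIns output.
SAMPLE_SIGNINS = [
    {"id": "evt-1", "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "authorizationCode", "ipAddress": "203.0.113.10",
     "deviceDetail": {"isManaged": True, "isCompliant": True, "operatingSystem": "Windows 11"}},
    {"id": "evt-2", "userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.25",
     "deviceDetail": {"isManaged": False, "isCompliant": False, "operatingSystem": "Linux"}},
    {"id": "evt-3", "userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.44",
     "deviceDetail": {"isManaged": True, "isCompliant": True, "operatingSystem": "Windows 11"}},
    # deviceDetail missing entirely: the policy below treats that as unmanaged.
    {"id": "evt-4", "userPrincipalName": "dave@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77"},
]

# Hypothetical allow-list of apps with a legitimate reason to use device code flow
# from managed hosts; tune to your own tenant.
DEVICE_CODE_ALLOWED_APPS = {"Microsoft Azure CLI", "Microsoft Azure PowerShell"}


@dataclass
class Finding:
    event_id: str
    user: str
    app: str
    ip: str
    reason: str


def is_managed_and_compliant(event: dict) -> bool:
    """True only when the sign-in carries a device record marked managed AND compliant."""
    dev = event.get("deviceDetail") or {}
    return bool(dev.get("isManaged")) and bool(dev.get("isCompliant"))


def evaluate_signin(event: dict) -> Optional[Finding]:
    """Return a Finding when a device-code sign-in violates the policy, else None."""
    if event.get("authenticationProtocol") != "deviceCode":
        return None  # only device code flow is in scope for this check
    app = event.get("appDisplayName", "<unknown app>")
    if not is_managed_and_compliant(event):
        reason = "device code flow from unmanaged or non-compliant device"
    elif app not in DEVICE_CODE_ALLOWED_APPS:
        reason = f"device code flow for app not on allow-list: {app}"
    else:
        return None
    return Finding(event["id"], event.get("userPrincipalName", "?"), app,
                   event.get("ipAddress", "?"), reason)


def find_device_code_abuse(events: list) -> list:
    """Evaluate every sign-in and keep only the policy violations."""
    return [f for f in (evaluate_signin(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in find_device_code_abuse(SAMPLE_SIGNINS):
        print(f"[ALERT] {finding.event_id} {finding.user} via {finding.ip}: {finding.reason}")
```

Run against the constructed records, evt-2 (unmanaged Linux host) and evt-4 (no device record) are flagged, while evt-3 passes because it is a managed, compliant device using an allow-listed CLI. Detection like this complements, rather than replaces, a tenant-level control: Entra Conditional Access can restrict the device code flow itself through its authentication-flows condition, which removes the vector for users who never need it.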
A key operator of the Nefilim ransomware group has pleaded guilty to attacks targeting U.S. and European organizations. While a legal victory, the group's tactics of double extortion (encrypting and stealing data) remain a model for other active gangs.
Business impact
This case reinforces the legal and financial severity of ransomware; while one operator is down, the business model persists, requiring continued vigilance against extortion attempts.
Recommended action
Ask your Legal and Risk team: "Does our incident response plan account for the specific legal implications of 'double extortion' ransomware scenarios?"
A new campaign is distributing the CountLoader malware via cracked software sites and YouTube videos. This loader serves as a beachhead for deploying additional payloads, including ransomware and info-stealers.
Business impact
Employees downloading unauthorized software on company devices introduce severe risk; infection can lead to credential theft and full network compromise.
Recommended action
Ask your Endpoint Security team: "Do we have application whitelisting or strict blocks on known 'warez' and cracked software download sites?"
Palo Alto Networks is deepening its partnership with Google Cloud to integrate Vertex AI and Gemini models into its security stack. This move aims to enhance threat detection capabilities against AI-driven attacks.
Updated guidance for PCI DSS 4.0.1 emphasizes stricter controls for web applications and APIs, specifically regarding inventory management and payment page scripts to prevent skimming.
Organizations are reporting "near miss" incidents where external attackers impersonate IT helpdesk staff via Microsoft Teams calls, attempting to trick users into running the "Quick Assist" remote tool.
The FBI reports continued use of AI voice cloning tools to impersonate U.S. government officials since 2023, aiming to extract sensitive information. This highlights the growing sophistication of social engineering.
New indicators of North Korean IT worker infiltration include specific keystroke latency patterns (110ms lag) used to detect remote access tools during interviews.
Spotlight Rationale: With the surge in Microsoft 365 OAuth phishing attacks and the complexity of managing machine identities, traditional IAM tools are failing to detect malicious app authorizations.
Entro Security specializes in discovering and securing Non-Human Identities (NHIs)—such as API keys, service accounts, and OAuth tokens—which are the specific vector used in the current wave of Microsoft 365 attacks. Unlike standard IDPs that focus on user logins, Entro monitors the behavior and permissions of the connected applications themselves, allowing it to detect when a legitimate user unknowingly authorizes a malicious "SquarePhish" or "Graphish" application.
Actionable Platform Guidance: Use Entro to immediately inventory all third-party OAuth apps connected to your M365 tenant. Configure alerts for any new app requesting `Mail.Read` or `Files.ReadWrite` permissions that originates from an unverified publisher.
# Step 1: Inventory existing OAuth grants (generic Azure CLI approach if Entro is not deployed)
# List service principals that expose app-only (Application) roles. Note: this reflects
# roles the app defines, not the permissions actually consented to in your tenant, so
# review the tenant's consent grants separately before treating this as the full picture.
az ad sp list --all --query "[?appRoles[?allowedMemberTypes[?contains(@, 'Application')]]].{DisplayName:displayName, AppId:appId}"
# Step 2: Entro Security specific action (conceptual)
# 1. Navigate to 'Inventory' > 'Integrations'
# 2. Filter by 'Permission Level' = 'High' AND 'Publisher' = 'Unverified'
# 3. Apply Policy: "Revoke all unverified apps with Mail.Read scope"
2. YARA Rule for SquarePhish/Graphish Indicators
rule SquarePhish_OAuth_Phishing_Kit {
    meta:
        description = "Detects artifacts related to SquarePhish and Graphish OAuth phishing kits targeting M365"
        author = "Threat Rundown"
        date = "2025-12-20"
        reference = "https://lifeboat.com/blog/2025/12/microsoft-365-accounts-targeted-in-wave-of-oauth-phishing-attacks"
        severity = "high"
        tlp = "white"
    strings:
        // Kit and actor names: any one of these is a strong indicator on its own
        $s1 = "SquarePhish" ascii wide
        $s2 = "Graphish" ascii wide
        $s3 = "TA2723" ascii wide
        // Generic OAuth device-flow field names: legitimate SDKs and docs contain
        // them too, so they only count when both appear together (see condition)
        $s4 = "device_code" ascii wide
        $s5 = "verification_uri" ascii wide
    condition:
        (any of ($s1,$s2,$s3)) or ($s4 and $s5)
}
3. SIEM Query — OAuth Device Code Abuse
index=security sourcetype="azure:aad:audit"
    (OperationName="Consent to application" OR OperationName="Add service principal")
| eval risk_score=case(
    match(ResultDescription, "SquarePhish"), 100,
    match(ResultDescription, "Graphish"), 100,
    match(Properties, "Mail.Read"), 75,
    1==1, 25)
| where risk_score >= 75
| table _time, OperationName, InitiatedBy, TargetResource, ResultDescription, risk_score
| sort -_time
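The same triage as the SIEM query above, extended with the publisher check the platform guidance calls for (alert on new apps requesting Mail.Read or Files.ReadWrite from an unverified publisher), as an added example written for this rundown and not Entro's, Microsoft's or Splunk's code. Events follow a simplified form of the Entra audit log shape (OperationName, InitiatedBy, TargetResources with a ConsentAction.Permissions modified property); the events, the publisher lookup table standing in for a Graph servicePrincipal query, and the score weights are constructed for the example.

```python
"""Score 'Consent to application' audit events for OAuth consent-phishing risk.

Added example for this rundown; not vendor code. Event shape is a simplified
Entra audit record; records, publisher table and weights are constructed.
"""
import re
from typing import Optional

HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.ReadWrite", "Files.ReadWrite.All"}
KNOWN_KIT_NAMES = ("SquarePhish", "Graphish")
ALERT_THRESHOLD = 75  # same cut-off as the SIEM query

# Constructed stand-in for a Graph servicePrincipal lookup keyed by appId;
# verifiedPublisher is None when the publisher has not completed verification.
SP_DIRECTORY = {
    "11111111-aaaa-4bbb-8ccc-000000000001": {"displayName": "Contoso Expense Sync", "verifiedPublisher": None},
    "11111111-aaaa-4bbb-8ccc-000000000002": {"displayName": "Microsoft Teams", "verifiedPublisher": {"displayName": "Microsoft"}},
    "11111111-aaaa-4bbb-8ccc-000000000003": {"displayName": "Graphish Mail Helper", "verifiedPublisher": None},
    "11111111-aaaa-4bbb-8ccc-000000000004": {"displayName": "Fabrikam Calendar", "verifiedPublisher": {"displayName": "Fabrikam"}},
}


def _consent_event(ev_id: str, user: str, app_id: str, scope: str) -> dict:
    """Build one constructed audit event with a ConsentAction.Permissions property."""
    return {"Id": ev_id, "OperationName": "Consent to application", "InitiatedBy": user,
            "TargetResources": [{"DisplayName": SP_DIRECTORY[app_id]["displayName"], "Id": app_id,
                                 "ModifiedProperties": [{"DisplayName": "ConsentAction.Permissions",
                                                         "NewValue": f"[] => [[ConsentType: Principal, Scope: {scope}, CreatedDateTime: 2025-12-20T08:01:00Z]]"}]}]}


SAMPLE_CONSENT_EVENTS = [
    _consent_event("c-1", "alice@example.com", "11111111-aaaa-4bbb-8ccc-000000000001", "Mail.Read offline_access User.Read"),
    _consent_event("c-2", "bob@example.com", "11111111-aaaa-4bbb-8ccc-000000000002", "User.Read offline_access"),
    _consent_event("c-3", "carol@example.com", "11111111-aaaa-4bbb-8ccc-000000000003", "Files.ReadWrite offline_access"),
    _consent_event("c-4", "dave@example.com", "11111111-aaaa-4bbb-8ccc-000000000004", "Files.ReadWrite Calendars.Read"),
]


def extract_scopes(event: dict) -> set:
    """Pull the delegated scopes out of the ConsentAction.Permissions text blob."""
    scopes = set()
    for target in event.get("TargetResources", []):
        for prop in target.get("ModifiedProperties", []):
            if prop.get("DisplayName") != "ConsentAction.Permissions":
                continue
            for m in re.finditer(r"Scope:\s*([^,\]]+)", prop.get("NewValue", "")):
                scopes.update(m.group(1).split())
    return scopes


def consent_app(event: dict) -> tuple:
    """(appId, display name) of the application that received consent."""
    target = (event.get("TargetResources") or [{}])[0]
    return target.get("Id", ""), target.get("DisplayName", "<unknown>")


def publisher_verified(app_id: str) -> Optional[bool]:
    """True/False from the directory; None when the app is unknown (treated as unverified)."""
    sp = SP_DIRECTORY.get(app_id)
    return None if sp is None else sp.get("verifiedPublisher") is not None


def score_consent(event: dict) -> tuple:
    """Return (score 0-100, reasons). Kit name -> 100; risky scope +40; unverified publisher +35."""
    app_id, app_name = consent_app(event)
    reasons, score = [], 25
    if any(kit.lower() in app_name.lower() for kit in KNOWN_KIT_NAMES):
        reasons.append(f"app name matches known phishing kit: {app_name}")
        score = 100
    risky = sorted(extract_scopes(event) & HIGH_RISK_SCOPES)
    if risky:
        score += 40
        reasons.append("high-risk scopes granted: " + ", ".join(risky))
    if not publisher_verified(app_id):  # False or None
        score += 35
        reasons.append("publisher not verified")
    return min(score, 100), reasons


def triage(events: list, threshold: int = ALERT_THRESHOLD) -> list:
    """Keep consent/service-principal events at or above the threshold, highest score first."""
    alerts = []
    for ev in events:
        if ev.get("OperationName") not in ("Consent to application", "Add service principal"):
            continue
        score, reasons = score_consent(ev)
        if score >= threshold:
            app_id, app_name = consent_app(ev)
            alerts.append({"id": ev["Id"], "user": ev.get("InitiatedBy"), "app": app_name,
                           "app_id": app_id, "score": score, "reasons": reasons})
    return sorted(alerts, key=lambda a: -a["score"])


if __name__ == "__main__":
    for a in triage(SAMPLE_CONSENT_EVENTS):
        print(f"[{a['score']}] {a['user']} consented to {a['app']}: {'; '.join(a['reasons'])}")
```

With the constructed events, c-1 (Mail.Read from an unverified publisher) and c-3 (a kit-named app) cross the threshold, c-4 (Files.ReadWrite from a verified publisher) scores 65 and lands in a review queue rather than an alert, and c-2 stays at the baseline. The weights split the two signals from the platform guidance so that neither a risky scope nor an unverified publisher alone pages anyone, but the combination does.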
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!