Cybersecurity researcher Johann Rehberger has disclosed a vulnerability he found in Microsoft 365 Copilot that allows attackers to steal users' sensitive information. According to Rehberger, the exploitation of this flaw involves several advanced techniques, including prompt injection, automatic tool invocation, and ASCII smuggling. The attack starts with a prompt injection through a malicious email or shared document. This injection prompts Microsoft 365 Copilot to search for additional emails and documents without consent from the user.

A massive QR code phishing campaign has exploited Microsoft Sway, a cloud-based tool used for creating online presentations, to host landing pages aimed at tricking Microsoft 365 users into providing their credentials. Netskope Threat Labs discovered the attacks in July 2024, after detecting a significant increase in attacks involving Microsoft Sway to host phishing pages that steal Microsoft 365 credentials. This wave of attacks strongly differs from the minimal activity reported in the first half of the year, suggesting the campaign's large scale.

According to a new Charles Darwin University (CDU) study, smartwatches can provide hackers with a wealth of personal information to exploit. The researchers hacked various smart wearable devices priced between $25 and $150 to learn about the technology's vulnerabilities and what information can be accessed and exploited. These devices enable people to track their health, monitor their fitness, perform medical tests, and more, but they frequently use Bluetooth Low Energy (BLE) technology, thus sacrificing security for low energy consumption.

According to AppOmni, about 31 percent of global organizations experienced a data breach in their Software-as-a-Service (SaaS) applications last year while attempting to gain visibility and control over their cloud environment. To compile its "State of SaaS Security 2024 Report", the security vendor surveyed 644 enterprises with 2,500 or more employees in the US, UK, France, Germany, Japan, and Australia. The five-point increase in the share of breached respondents this year can be attributed to a number of factors identified in the study.

A recent audit conducted by the Department of Justice's (DoJ) Office of the Inspector General (OIG) discovered that the FBI is exposing sensitive and classified data because of "significant weaknesses" in its inventory management and disposal of electronic storage media.

The Science of Security team is pleased to announce the opening of... 

NSA’s Summer 2025 internship opportunities   

Ads open: September 1- October 1 

Who may Apply: College students (starting in freshman year) 

A study led by the University of Michigan found that emerging self-driving vehicle networks that collaborate and communicate with one another or with infrastructure to make decisions are vulnerable to data fabrication attacks. The Vehicle-to-Everything (V2X) network of collaboration and communication is still in development as many countries are still testing it on a small scale. Information sharing among vehicles allows hackers to introduce fake objects or remove real objects from perception data, potentially causing vehicles to brake hard or crash.

An ongoing campaign infects high-level organizations in Southeat Asia using two stealth techniques. The first method called "GrimResource," lets attackers run arbitrary code in the Microsoft Management Console (MMC). The second method, "AppDomainManager Injection," uses malicious Dynamic Link Libraries (DLLs). According to NTT researchers, an attacker similar to China's "APT41" has been using these methods to drop Cobalt Strike onto the Information Technology (IT) systems of Taiwanese government agencies, the Philippine military, and energy organizations in Vietnam.

Less than a week after releasing Chrome 128 to the stable channel, Google warns that another bug resolved with the update is being exploited in the wild.  The issue tracked as CVE-2024-7965 (CVSS score of 8.8) is described by Google as an inappropriate implementation in the V8 JavaScript engine that allows a remote attacker to exploit heap corruption via crafted HTML pages.  Google noted that if the victim visits a compromised or malicious web page, the vulnerability could allow the attacker to execute code or access sensitive information.

California-based Patelco Credit Union has recently started informing customers and employees about a data breach after a ransomware group managed to steal information from databases containing personal information from its systems. Patelco is a member-owned, non-profit credit union serving Northern California, particularly the San Francisco Bay Area. The organization detected a ransomware attack involving unauthorized access to its databases on June 29. An investigation revealed that the hackers accessed its systems between May 23 and June 29.