Attacks & Vulnerabilities

Researchers Warn of Flaws That Allow Manipulation of Microsoft Teams Messages (2 minute read)
Researchers from Check Point have discovered four vulnerabilities that allow attackers to manipulate Teams messages. The vulnerabilities could allow attackers to edit Teams messages without leaving the "edited" label, alter message notifications so they appear to come from a different sender, change the display name inside private chats, and alter caller identities in video and audio calls.

Google Uncovers PROMPTFLUX Malware That Uses Gemini AI to Rewrite Its Code Hourly (3 minute read)
Google identified PROMPTFLUX, an experimental malware family that uses a hardcoded Gemini API key to query Google's LLM with prompts for code obfuscation and AV evasion. It was able to self-modify and rewrite its own source code to evade detection. Believed to be in testing by a financially motivated actor, the malware includes a "Thinking Robot" component that logs AI responses, persists via Windows Startup, and attempts propagation through drives and network shares, though it currently has no real attack capabilities. Security teams should monitor LLM-assisted malware like any other variant, implement API key rotation, and be aware of threat actors bypassing AI safety controls via social engineering.

OAuth Device Code Phishing: Azure vs. Google Compared (11 minute read)
Device code phishing exploits OAuth 2.0's legitimate device authorization flow to steal access tokens by tricking victims into authenticating attacker-generated device codes. Microsoft Azure allows attackers to request powerful scopes (including Primary Refresh Tokens) through undocumented "Family of Client IDs", while Google severely restricts the device flow to only YouTube and Google Drive scopes. Azure's implementation enables attackers to use legitimate Microsoft URLs and APIs throughout the entire attack chain without requiring client authentication, making phishing campaigns highly effective at bypassing MFA and gaining initial access with tokens scoped to the Graph API, Intune enrollment, or other sensitive resources. Security teams should implement Conditional Access policies that restrict device code authentication, monitor for suspicious device code flow usage patterns in Azure sign-in logs, educate users about the risks of entering codes from unsolicited communications, and consider Google's restrictive scope model as a defensive blueprint for limiting the OAuth attack surface.

Fixing the Blindspot in Endpoint Security (5 minute read)
Deploying Mobile Device Management (MDM) solutions to developer endpoints often presents complications, as security tools are sometimes not well suited to developer workflows. This leads many organizations to put in place extensive exemptions for developer endpoints, significantly weakening their security posture. This post advocates for a developer MDM that operates by injecting visibility through existing agents such as Zscaler and CrowdStrike.

Vega (Product Launch)
Vega delivers AI-powered security analytics and operations. It streamlines SOC workflows by analyzing data in place, surfacing critical alerts, and automatically fixing coverage gaps and noisy rules for faster response.

Acunetix (Product)
Acunetix is a comprehensive web application vulnerability scanner that performs in-depth testing of modern, JavaScript-heavy apps, APIs, and traditional web platforms to identify issues such as SQL injection, XSS, and complex logic flaws, all with low false positives through automated verification. It integrates into CI/CD pipelines to enable continuous security testing during development and offers compliance reporting for standards such as PCI DSS, HIPAA, GDPR, and the OWASP Top 10. Security teams can use Acunetix for pre-production assessments, embed it into DevSecOps workflows for early testing, and leverage its API scanning capabilities to secure microservices and GraphQL endpoints that are often missed by traditional scanners.

Google Expands Chrome Autofill to Passports and Licenses, But Is It Safe? (2 minute read)
Google Chrome now supports autofill for sensitive documents like passports and driver's licenses, with encryption and user consent. However, security experts warn that this centralizes critical identity data in a vulnerable location, contradicting cybersecurity advice against storing such information in browsers. Malware like Shuyal Stealer targets browser-stored credentials, and Chrome autofill data isn't stored securely. Security teams should advise against storing sensitive IDs in autofill, enforce policies that restrict this in workplaces, monitor for info-stealer malware, and recommend dedicated password managers with stronger encryption instead of browser storage.

Cloudflare Scrubs Aisuru Botnet from Top Domains List (3 minute read)
The Aisuru botnet, with hundreds of thousands of compromised IoT devices and 30 Tbps of DDoS power, manipulated Cloudflare's domain rankings by switching from Google's 8.8.8.8 DNS to Cloudflare's 1.1.1.1 in October. This caused malicious domains, mainly in the .su TLD, to outrank major companies like Amazon and Google because of the massive DNS query volume. The incident revealed weaknesses in trust-based domain ranking systems, which treat highly ranked domains as trustworthy; the attackers used mainly US-based compromised devices from ISPs such as AT&T and Verizon. Security teams should monitor DNS connections to the .su TLD, block it if needed, and avoid relying solely on domain popularity for trust, as DNS query volume can be artificially inflated by botnets.
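The device code phishing item above recommends watching Azure sign-in logs for suspicious device code flow usage. The following added example (not from the linked article or from Microsoft) shows one way to triage exported sign-in records for that pattern: it keeps only sign-ins made with the device code protocol, counts successes and failures per user, and flags users whose successful device code sign-ins came from an IP address not previously seen for them. The record shape assumes the Microsoft Graph signIn resource (fields `userPrincipalName`, `ipAddress`, `appDisplayName`, `authenticationProtocol`, `createdDateTime` and a nested `status.errorCode`); the sample records, app names and the known-IP list are constructed for the example.

```python
"""Triage exported Entra ID sign-in records for OAuth device code authentications.

Added example for the newsletter item; not the article's or Microsoft's code.
Field names follow the Microsoft Graph signIn resource, which is an assumption
about the export format. All sample data below is constructed.
"""
import json
from collections import defaultdict

# Constructed sample export: three device-code sign-ins (one failed) and one
# ordinary interactive OAuth sign-in. App names are placeholders.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2025-11-05T09:12:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "appDisplayName": "Example CLI app",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-11-05T09:15:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "appDisplayName": "Example CLI app",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-11-05T10:01:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.22", "appDisplayName": "Example web app",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-11-05T10:40:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "198.51.100.9", "appDisplayName": "Example CLI app",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}},
])

# Constructed baseline: IPs each user has signed in from before. In practice
# this would be built from historical sign-in data, not hand-written.
KNOWN_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"203.0.113.22"},
}


def parse_signins(raw_json):
    """Parse a JSON array of sign-in records as exported from the Graph signIns API."""
    return json.loads(raw_json)


def device_code_signins(records):
    """Keep only sign-ins that used the OAuth 2.0 device authorization grant."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def triage(records, known_ips):
    """Summarize device-code sign-ins per user.

    Returns {upn: {"successful": n, "failed": n, "unfamiliar_ips": [...]}}.
    An IP is unfamiliar when a *successful* device-code sign-in came from an
    address absent from the user's known set; failed attempts are counted but
    do not add IPs, so a blocked phish does not pollute the baseline.
    """
    findings = defaultdict(lambda: {"successful": 0, "failed": 0, "unfamiliar_ips": []})
    for rec in device_code_signins(records):
        upn = rec["userPrincipalName"]
        entry = findings[upn]
        succeeded = rec.get("status", {}).get("errorCode", 0) == 0
        entry["successful" if succeeded else "failed"] += 1
        ip = rec.get("ipAddress")
        if succeeded and ip not in known_ips.get(upn, set()) and ip not in entry["unfamiliar_ips"]:
            entry["unfamiliar_ips"].append(ip)
    return dict(findings)


def high_priority(findings):
    """Users with a successful device-code sign-in from an unfamiliar IP, sorted."""
    return sorted(upn for upn, entry in findings.items() if entry["unfamiliar_ips"])


if __name__ == "__main__":
    result = triage(parse_signins(SAMPLE_SIGNINS), KNOWN_IPS)
    for upn, entry in result.items():
        print(upn, entry)
    print("review first:", high_priority(result))
```

The successful-only rule for unfamiliar IPs is deliberate: a victim who enters a phished code but fails authentication still shows up in the failure count, which is worth a look, but only a completed sign-in from a new address is escalated. Pair this with a Conditional Access policy that restricts the device code flow so that the remaining device-code sign-ins are rare enough to review by hand.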
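The Aisuru item above advises monitoring DNS connections to the .su TLD. As an added example (not from the linked article or from Cloudflare), the script below parses resolver query logs, isolates queries for a configurable set of TLDs, and reports which internal clients are generating them in volume, which is the signal that would point at a compromised IoT device rather than a stray lookup. The log line format (timestamp, client IP, query type, query name) and the sample lines are constructed assumptions; adapt the regular expression to the resolver actually in use.

```python
"""Find internal clients querying a watched TLD (here .su) in volume.

Added example for the newsletter item; not the article's or Cloudflare's code.
The log format is an assumption and the sample lines are constructed.
"""
import re
from collections import Counter

# Constructed resolver log: "<timestamp> <client IP> <qtype> <qname>".
# The last line is deliberately malformed to show that it is skipped.
SAMPLE_DNS_LOG = """\
2025-11-05T09:00:01Z 10.0.0.5 A www.example.com
2025-11-05T09:00:02Z 10.0.0.5 A cdn.example.net
2025-11-05T09:00:03Z 10.0.0.9 A host1.example.su
2025-11-05T09:00:03Z 10.0.0.9 A host2.example.su
2025-11-05T09:00:04Z 10.0.0.9 AAAA host3.example.su
2025-11-05T09:00:05Z 10.0.0.9 A tracker.example.su
2025-11-05T09:00:06Z 10.0.0.12 A mail.example.su
not a log line
"""

WATCHED_TLDS = frozenset({"su"})

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\d{1,3}(?:\.\d{1,3}){3}) (?P<qtype>[A-Z]+) (?P<qname>\S+)$"
)


def parse_dns_log(text):
    """Parse log text into dicts with ts/client/qtype/qname; unparsable lines are dropped."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            records.append(match.groupdict())
    return records


def tld_of(qname):
    """Return the lower-cased top-level label of a query name (trailing dot tolerated)."""
    return qname.rstrip(".").rsplit(".", 1)[-1].lower()


def queries_to_tlds(records, tlds=WATCHED_TLDS):
    """Keep only queries whose name ends in one of the watched TLDs."""
    return [r for r in records if tld_of(r["qname"]) in tlds]


def clients_by_volume(records, tlds=WATCHED_TLDS):
    """Count watched-TLD queries per client IP."""
    return Counter(r["client"] for r in queries_to_tlds(records, tlds))


def flag_clients(records, threshold=3, tlds=WATCHED_TLDS):
    """Clients at or above the threshold of watched-TLD queries, sorted for stable output."""
    return sorted(c for c, n in clients_by_volume(records, tlds).items() if n >= threshold)


def names_for_client(records, client, tlds=WATCHED_TLDS):
    """Distinct watched-TLD names a client asked for, useful when deciding what to block."""
    return sorted({r["qname"] for r in queries_to_tlds(records, tlds) if r["client"] == client})


if __name__ == "__main__":
    parsed = parse_dns_log(SAMPLE_DNS_LOG)
    for client in flag_clients(parsed):
        print(client, names_for_client(parsed, client))
```

A single query to a .su name from one host is not evidence of anything; the threshold and the per-client grouping are what separate a curious browser visit from a device that is part of a botnet's query flood. Once a client is confirmed, the names it queried give the block-list candidates the item mentions, and the item's broader warning still applies: query volume alone should never be treated as a reputation signal.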
Thanks for reading, Prasanna Gautam, Eric Fernandez & Sammy Tbeile