Microsoft 365 Users Targeted 🎯, Glassworming Back into Code 🐛, Ollama + Nvidia Flaws 🦙

Together With Adaptive Security

TLDR Information Security 2025-11-12

When your CEO calls, will you know it's real? (Sponsor)

Phishing has evolved. Today's attackers use AI-generated voices, videos, and interactive deepfakes of company executives. They fool 99% of people.

Adaptive Security - backed by $55M+ in funding from OpenAI and a16z - is the first security awareness platform built to stop AI-powered social engineering. Adaptive trains your team with tools that stay one step ahead:

  • Deepfake phishing simulations featuring your real executives in realistic attack scenarios
  • Interactive, personalized training content tailored for each employee
  • AI-driven risk scoring that reveals what attackers can learn from your public data

>> Book a demo and chat with a custom interactive deepfake of your boss

>> Take a self-guided tour of the platform (3 minutes)

🔓

Attacks & Vulnerabilities

Quantum Route Redirect PhaaS targets Microsoft 365 users worldwide (4 minute read)

The Quantum Route Redirect phishing-as-a-service platform uses roughly 1,000 pre-configured domains, many of them legitimate but compromised sites, to steal Microsoft 365 credentials from victims in 90 countries (76% of targets in the US). Its lure URLs share a recognisable path ending in "/quantum.php/"; the reported pattern is "/([\w\d-]+.){2}[\w]{,3}/quantum.php/". The platform fingerprints visitors with automated bot filtering: humans are redirected to credential-harvesting pages, while security scanners are sent to benign sites. Security teams should filter URLs on the identified pattern, deploy account compromise monitoring, and train users to recognise lures that mimic DocuSign notices, payment notifications, and QR codes. Quantum Route Redirect represents the same step up in PhaaS sophistication seen in the VoidProxy and Tycoon2FA campaigns.
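
As an added example (my own code, not part of the newsletter or of the research it summarises), the Python below runs the quoted indicator pattern, and a stricter reading of it, over constructed proxy log lines. The log format, the client addresses and the hostnames are assumptions made for the example; the only thing taken from the item above is the pattern itself.

```python
import re
from urllib.parse import urlsplit

# Indicator pattern exactly as quoted in the Quantum Route Redirect summary above.
# Python's re accepts "{,3}" (zero to three repeats). The dots are unescaped, so "."
# matches any character and the pattern is far looser than it looks: treat it as a
# starting point, not a tight signature.
REPORTED_PATTERN = re.compile(r"([\w\d-]+.){2}[\w]{,3}/quantum.php/")

# Stricter reading (my assumption about what the quoted pattern intends): a hostname of
# at least three labels, and a URL path that begins with /quantum.php/.
STRICT_HOST = re.compile(r"^(?:[a-z0-9-]+\.){2,}[a-z]{2,}$", re.IGNORECASE)


def reported_match(url: str) -> bool:
    """Loose match using the pattern as quoted."""
    return REPORTED_PATTERN.search(url) is not None


def strict_match(url: str) -> bool:
    """Tighter match: well-formed multi-label host plus a path starting with /quantum.php/."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path or ""
    return bool(STRICT_HOST.match(host)) and path.lower().startswith("/quantum.php/")


def find_hits(log_lines, matcher=strict_match):
    """Return (timestamp, client, url) for each proxy log line whose URL the matcher flags.

    Log format is an assumption for this example: "<ts> <client_ip> <method> <url> <status>".
    """
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines instead of failing the whole sweep
        ts, client, _method, url, _status = fields[:5]
        if matcher(url):
            hits.append((ts, client, url))
    return hits


# Constructed sample proxy log, not real telemetry; hosts use reserved example names.
SAMPLE_LOG = [
    "2025-11-12T09:01:10Z 10.0.4.21 GET https://mail.example.com/inbox 200",
    "2025-11-12T09:02:33Z 10.0.4.21 GET https://cdn.partner.example.net/quantum.php/?id=abc123 302",
    "2025-11-12T09:02:34Z 10.0.4.21 GET https://login.example.com/oauth2 200",
    "2025-11-12T09:05:02Z 10.0.7.8 GET https://blog.example.org/quantum.php/ 200",
    "2025-11-12T09:06:40Z 10.0.7.8 GET https://example.com/quantum.php/x 200",
    "garbage line",
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print("suspected Quantum Route Redirect lure:", hit)
    # The quoted pattern also flags the two-label host, which the strict form does not.
    print("loose matches:", len(find_hits(SAMPLE_LOG, reported_match)))
```

The strict form is the one to put in a URL filter; the quoted form is useful for a first retro-hunt because it errs on the side of matching, but it will need manual review of the hits.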
Hitachi-owned GlobalLogic admits data stolen on 10k current and former staff (2 minute read)

GlobalLogic, owned by Hitachi, suffered a significant data breach that exposed the personal and financial data of over 10,000 current and former staff members. The attack, attributed to the Clop ransomware group, exploited vulnerabilities in the Oracle E-Business Suite. Clop focuses on stealing and leaking data while pressuring victims for payment. Oracle has issued emergency patches to counter these attacks.
Hackers Exploit Triofox Zero-Day to Deploy Malicious Payloads Using Anti-Virus Feature (2 minute read)

Researchers from Mandiant discovered a critical zero-day in Gladinet's Triofox file-sharing platform. The flaw let unauthenticated attackers reach the platform's setup pages simply by setting the HTTP Host header to "localhost", from which they created an administrative account. They then pointed the anti-virus scanner path at a malicious batch script, which Triofox executed on their behalf.
🧠

Strategies & Tactics

How GlassWorm wormed its way back into developers' code — and what it says about open source security (6 minute read)

The GlassWorm self-propagating worm resurfaced two weeks after it was declared eradicated, infecting three new OpenVSX VS Code extensions (over 10,000 downloads between them) and GitHub repositories. It hides its payload in invisible Unicode characters and uses a blockchain-based C2 infrastructure; victims include global enterprises and Middle Eastern government entities. The Russia-based campaign steals GitHub credentials, pushes malicious AI-generated commits that pass as legitimate code changes, and exploits OpenVSX's lack of resources for manual code review. Security teams should allowlist only trusted extension publishers, disable auto-updates, monitor for credential harvesting and abnormal outbound connections, and treat developer toolchains with the same security rigor as production infrastructure, since automated scanning alone cannot reliably stop these supply chain attacks.
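
The item above says the worm hides in invisible Unicode characters, which is something a repository or extension pipeline can check for cheaply. The scanner below is an added example (my code, not GlassWorm's, not OpenVSX's, and not from the article); the sample extension source it scans is constructed for the example, and the list of ranges is my own choice of the usual hiding places.

```python
import unicodedata

# Code points that render as nothing (or almost nothing) and have been used to smuggle
# payloads into source files: zero-width characters, bidi controls, variation selectors,
# and the Unicode "tag" block. General categories are checked as a fallback.
SUSPECT_RANGES = [
    (0x200B, 0x200F, "zero-width / bidi mark"),
    (0x202A, 0x202E, "bidi embedding/override"),
    (0x2060, 0x2064, "word joiner / invisible operator"),
    (0x2066, 0x2069, "bidi isolate"),
    (0xFE00, 0xFE0F, "variation selector"),
    (0xFEFF, 0xFEFF, "BOM / zero-width no-break space"),
    (0xE0000, 0xE007F, "Unicode tag"),
    (0xE0100, 0xE01EF, "variation selector supplement"),
]
SUSPECT_CATEGORIES = {"Cf", "Co", "Cn"}  # format, private use, unassigned


def classify(ch: str):
    """Return a label if the character is a hiding candidate, else None.

    Accented letters, CJK and plain emoji are not flagged. An emoji followed by a
    variation selector (U+FE0F) is, so expect a few benign hits in comments.
    """
    cp = ord(ch)
    for lo, hi, label in SUSPECT_RANGES:
        if lo <= cp <= hi:
            return label
    cat = unicodedata.category(ch)
    if cat in SUSPECT_CATEGORIES:
        return f"category {cat}"
    return None


def scan_text(text: str, path: str = "<memory>"):
    """One finding per affected line: (path, line_no, first_column, count, sorted labels)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        count, first_col, labels = 0, None, set()
        for col, ch in enumerate(line, start=1):
            label = classify(ch)
            if label is None:
                continue
            count += 1
            labels.add(label)
            if first_col is None:
                first_col = col
        if count:
            findings.append((path, line_no, first_col, count, sorted(labels)))
    return findings


def scan_file(path: str):
    """Scan a file on disk. A single BOM at offset 0 is a common benign hit; review by hand."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read(), path)


# Constructed sample extension source (not GlassWorm's code): line 3 carries three
# zero-width spaces, line 4 hides "abc" in Unicode tag characters after the visible 'x'.
SAMPLE_SOURCE = (
    "const version = '1.0.3';\n"
    "function activate(context) {\n"
    "  // helper\u200b\u200b\u200b comment\n"
    "  const payload = 'x' + '\U000E0061\U000E0062\U000E0063';\n"
    "  return context;\n"
    "}\n"
)

if __name__ == "__main__":
    for path, line_no, col, count, labels in scan_text(SAMPLE_SOURCE, "extension.js"):
        print(f"{path}:{line_no}:{col}: {count} hidden character(s): {', '.join(labels)}")
```

Run it over every file in an extension package or over the diff of each incoming commit; a finding in code (as opposed to a localisation string or a comment with emoji) is worth blocking the merge on until a human has looked.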
Tips for Reliable Split-Second DNS Rebinding in Chrome and Safari (7 minute read)

DNS rebinding lets an attacker's web page reach services on the victim's private network: the browser first loads the page from the attacker's public server, then the attacker changes the hostname's DNS record to a private address so that later same-origin requests from that page land on the internal service. In Safari, a private IP address will be prioritized over a public one, but an attacker can circumvent this by delaying the DNS response that carries the private IP. In Chrome, IPv6 is prioritized over IPv4, so an attacker can answer with a public IPv6 address first and a private IPv4 address second. In both cases, the attacker then blocks the victim's connection to the public server after the first connection, forcing the browser to fall back to the private IP.
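
Both tricks described above depend on a resolver accepting a private address for an external name, and on the internal service answering for any Host header. The code below is an added example (mine, not from the article) of the two corresponding defences: a resolver-side filter that drops inside-pointing A/AAAA answers for names that are not on an internal allowlist, and a Host header check for the internal service. The answer sets and names are constructed; the address ranges are listed explicitly rather than through ipaddress's is_private so that documentation addresses used in the samples still count as public.

```python
from ipaddress import ip_address, ip_network

# Address ranges an external hostname has no business resolving to. Listed explicitly
# rather than via ip.is_private so that documentation ranges (2001:db8::/32, 203.0.113.0/24)
# used in the samples below still count as "public".
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
    "::1/128", "::/128", "fc00::/7", "fe80::/10",
)]


def is_internal(addr: str) -> bool:
    """True if addr lies in a private, loopback, link-local or unspecified range."""
    ip = ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is just 10.0.0.1 in disguise
    return any(ip in net for net in INTERNAL_NETS)


def filter_answers(qname: str, answers, internal_names=()):
    """Resolver-side defence: drop A/AAAA answers for an external name that point inside.

    answers: list of (rrtype, address) tuples. Every family is checked, so the Chrome
    trick (public AAAA plus private A) loses its private record, and the Safari trick
    (private A arriving late) is caught whenever that late answer is processed.
    Returns (kept, dropped).
    """
    allow = {n.lower().rstrip(".") for n in internal_names}
    if qname.lower().rstrip(".") in allow:
        return list(answers), []
    kept, dropped = [], []
    for rrtype, addr in answers:
        if rrtype in ("A", "AAAA") and is_internal(addr):
            dropped.append((rrtype, addr))
        else:
            kept.append((rrtype, addr))
    return kept, dropped


def host_header_ok(host_header: str, allowed_hosts) -> bool:
    """Service-side defence: after a rebind the browser still sends the attacker's
    hostname in Host, so an internal service should only answer for its own names."""
    h = host_header.strip()
    if h.startswith("["):                      # IPv6 literal, e.g. [::1]:8080
        host = h[1:h.find("]")]
    else:
        host = h.split(":", 1)[0]
    return host.lower() in {a.lower() for a in allowed_hosts}


# Constructed answer sets mirroring the two tricks described above (assumed addresses).
CHROME_STYLE = [("AAAA", "2001:db8::1"), ("A", "192.168.1.10")]   # public v6, private v4
SAFARI_STYLE = [("A", "203.0.113.7"), ("A", "10.0.0.5")]           # public, then late private

if __name__ == "__main__":
    for label, answers in (("chrome", CHROME_STYLE), ("safari", SAFARI_STYLE)):
        kept, dropped = filter_answers("attacker.example", answers)
        print(label, "kept:", kept, "dropped:", dropped)
    print("Host check for attacker name:", host_header_ok("attacker.example", ["printer.corp.example"]))
```

The resolver filter is what dnsmasq's rebind protection and similar options do; the Host check is the one that still works when the victim is on a network whose resolver you do not control, so internal services should do both.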
No Place Like Localhost: Unauthenticated Remote Access via Triofox Vulnerability CVE-2025-12480 (8 minute read)

Mandiant has uncovered a significant security flaw in the Triofox file-sharing platform (tracked as CVE-2025-12480), which allows attackers to bypass authentication by manipulating the Host header to impersonate "localhost." This gave unauthorized access to critical admin configuration pages, enabling the creation of privileged accounts. Attackers can exploit this to upload and execute arbitrary files, abusing Triofox's anti-virus feature to run malicious scripts with high privileges. The vulnerability is now patched, but organizations using Triofox should urgently update, check for rogue admin accounts, audit anti-virus configuration, and monitor for unusual administrator and SSH activity.
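
The two Triofox items above describe the same root cause: a "local only" decision that trusts the client-supplied Host header. The following is an added example (my code, a simplified model, not Triofox's implementation and not from Mandiant's write-up) that puts the flawed check beside a hardened one and adds the hunt a practitioner would run over access logs. The request object, the /setup path, the log format and the addresses are assumptions for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (not Triofox's own request object)."""
    remote_addr: str
    headers: dict = field(default_factory=dict)
    path: str = "/"


def _host_of(req: Request) -> str:
    return req.headers.get("Host", "").split(":", 1)[0].strip().lower()


def is_local_vulnerable(req: Request) -> bool:
    """The flawed pattern: trust the client-controlled Host header. Any remote client can
    send 'Host: localhost' and be treated as the machine itself."""
    return _host_of(req) in ("localhost", "127.0.0.1")


def is_local_hardened(req: Request) -> bool:
    """Decide on the TCP peer address instead; a remote client cannot make the kernel
    report a loopback peer. Caveat: behind a same-host reverse proxy every client
    arrives from loopback, so then the setup page must be disabled after install
    rather than gated by address."""
    try:
        return ip_address(req.remote_addr).is_loopback
    except ValueError:
        return False


def setup_page_access(req: Request, is_local=is_local_hardened) -> int:
    """Gate a first-run setup page (hypothetical path /setup/...) that can create admin users."""
    if req.path.startswith("/setup") and not is_local(req):
        return 403
    return 200


def suspicious_localhost_requests(log_lines):
    """Hunt: requests whose Host header claims localhost but whose client address is not
    loopback. Log format is an assumption: "<client_ip> <host_header> <method> <path> <status>"."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        client, host, method, path, status = parts[:5]
        try:
            from_loopback = ip_address(client).is_loopback
        except ValueError:
            from_loopback = False
        if host.split(":", 1)[0].lower() in ("localhost", "127.0.0.1") and not from_loopback:
            hits.append((client, method, path, status))
    return hits


# Constructed access log lines, not real Triofox logs.
SAMPLE_ACCESS_LOG = [
    "10.20.0.4 triofox.corp.example GET /login 200",
    "203.0.113.9 localhost GET /setup/admin 200",
    "127.0.0.1 localhost GET /setup/admin 200",
    "203.0.113.9 localhost POST /setup/admin 302",
    "198.51.100.2 triofox.corp.example GET /files 200",
]

if __name__ == "__main__":
    forged = Request("203.0.113.9", {"Host": "localhost"}, "/setup/admin")
    print("vulnerable check:", setup_page_access(forged, is_local_vulnerable))
    print("hardened check:", setup_page_access(forged))
    for hit in suspicious_localhost_requests(SAMPLE_ACCESS_LOG):
        print("forged-localhost request:", hit)
```

A non-loopback client presenting Host: localhost is the log signal to pivot on; pair it with the admin account audit and the anti-virus path review the item recommends.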
🧑‍💻

Launches & Tools

Huntress: Enterprise-grade cybersecurity for non-enterprise budgets (Sponsor)

Security shouldn't just be for mega-corporations with the budgets to match. 💸 ALL businesses deserve that level of protection—and that's what Huntress provides. Fully owned and managed tech and 24/7 expert team to protect your endpoints, identities, data, people, and more. Get a free demo
Flare (Product Launch)

Flare provides a threat exposure management platform that uses intelligence from the clear and dark web to help organizations prevent ransomware, data breaches, and other incidents, leveraging AI and machine learning for tailored cybersecurity insights and credential exposure detection.
Unix-like Artifacts Collector (GitHub Repo)

Unix-like Artifacts Collector (UAC) is a tool that automates the collection of forensic artifacts from a wide range of Unix-like systems.
Awesome Annual Security Reports (GitHub Repo)

A curated list of annual cybersecurity reports.
🎁

Miscellaneous

European Commission moves to loosen GDPR for AI and cookie tracking (5 minute read)

The EU's leaked "Digital Omnibus" proposal would shift cookie tracking from opt-in to opt-out by moving regulation from ePrivacy Directive to GDPR, explicitly permit AI training on personal data under "legitimate interest" without consent, and narrow sensitive data protections to only data that directly reveals protected characteristics. Companies would no longer need consent management for most cookies, but must document legitimate interest justifications, while privacy advocates warn this fundamentally weakens GDPR's core protections. Security professionals should prepare for the November 19 formal unveiling by reviewing data processing practices, documenting AI training justifications, and reassessing compliance frameworks for the shift from explicit consent to legitimate interest models.
APT37 hackers abuse Google Find Hub in Android data-wiping attacks (4 minute read)

North Korean APT37/KONNI actors are targeting South Koreans via KakaoTalk spear-phishing with digitally signed MSI files. The files deploy AutoIT scripts that establish persistence, deliver RemcosRAT, QuasarRAT, or RftRAT, and steal Google and Naver credentials, which the attackers use to access Find Hub for GPS tracking and remote wiping of Android devices. They trigger factory resets three times to prevent recovery, use the GPS data to time the wipes for when victims are away from their devices, then hijack the victims' still-logged-in KakaoTalk PC sessions to spread the malware to their contacts. Organizations should enforce MFA on Google accounts, verify the sender of any file received via a messenger by phone before opening it, and maintain accessible recovery accounts. The attack abuses legitimate Find Hub features rather than exploiting a vulnerability.
Ollama, Nvidia Flaws Put AI Infrastructure at Risk (4 minute read)

Security researchers have uncovered critical vulnerabilities in Ollama and NVIDIA Triton Inference Server that could allow for remote code execution, exposing companies to significant risks in their AI infrastructure. These flaws, now fixed, reflect a shift in AI security research from attacking models to probing the underlying infrastructure.

Quick Links

The "novel Turing test" detects AI with up to 80% accuracy (3 minute read)

A computational Turing test achieves 70-80% accuracy in detecting AI-generated social media content by analyzing affective language patterns.
OWASP Top 10 (4 minute read)

Updated list of the OWASP Top 10 that adds two new categories, consolidates SSRF into Broken Access Control, and expands supply chain scope.
Synology fixes BeeStation zero-days demoed at Pwn2Own Ireland (1 minute read)

Synology urgently patched CVE-2025-12686, requiring immediate upgrade to BeeStation OS 1.3.2-65648, as no mitigations are available.

Love TLDR? Tell your friends and get rewards!

Share your referral link below with friends to get free TLDR swag!
Track your referrals here.

Want to advertise in TLDR? 📰

If your company is interested in reaching an audience of cybersecurity professionals and decision makers, you may want to advertise with us.

Want to work at TLDR? 💼

Apply here or send a friend's resume to jobs@tldr.tech and get $1k if we hire them!

If you have any comments or feedback, just respond to this email!

Thanks for reading,
Prasanna Gautam, Eric Fernandez & Sammy Tbeile


Manage your subscriptions to our other newsletters on tech, startups, and programming. Or if TLDR Information Security isn't for you, please unsubscribe.
