
23.06.25 Threat Report

This week’s Threat Report: a critical zero-click exploit in Microsoft 365 Copilot, espionage-driven malware targeting UK infrastructure, SEO poisoning campaigns spreading malware through Google results, and confirmation of Scattered Spider’s involvement in high-profile breaches.


1. Critical Zero-Click “EchoLeak” Bug in Microsoft 365 Copilot (CVE‑2025‑32711)

Researchers from Aim Security’s Aim Labs have uncovered a zero-click cross-prompt injection vulnerability in Microsoft 365 Copilot, named EchoLeak. This flaw, with a CVSS score of 9.3, allows attackers to exfiltrate sensitive user data—such as API keys and metadata—without requiring any interaction from the victim.

How It Works

Crafted phishing emails contain markdown-style reference links that exploit Copilot’s background processing. As Copilot attempts to summarise or preview emails, it inadvertently follows these links and sends context-rich data back to attacker-controlled domains.

Proof-of-Concept

Researchers demonstrated Copilot leaking API keys and triggering image generation flows to exfiltrate content. Even with Microsoft’s security policies in place, these attacks succeeded through indirect paths like SharePoint and Teams invites.
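The mechanism above turns on an assistant following markdown link targets (reference-style links and image embeds) buried in content it was only asked to summarise. The check below is an added example, not code from the original post or from Aim Labs or Microsoft: a pre-processing filter that finds markdown link targets pointing outside an assumed allowlist of trusted hosts so the message can be held for review before any automated summarisation touches it. The allowlist, the sample messages and the `attacker-example.invalid` host are all constructed for illustration.

```python
"""
Added example: flag markdown link targets in mail or documents that an AI
assistant will summarise, when the target host is outside an allowlist.
Inline links, image embeds and reference-style definitions are all covered,
because a renderer or filter that only looks for [text](url) misses [id]: url.
"""
import re
from urllib.parse import urlparse

# Assumed allowlist: hosts this organisation expects assistant-rendered content to reach.
TRUSTED_HOSTS = {"contoso.sharepoint.com", "teams.microsoft.com"}

# Inline links and image embeds: [text](url) and ![alt](url)
INLINE_LINK_RE = re.compile(r"(!?)\[[^\]]*\]\(\s*(<[^>]*>|[^\s)]+)")
# Reference-style definitions: [id]: url  (the link form the EchoLeak write-up describes)
REF_DEF_RE = re.compile(r"^[ \t]{0,3}\[[^\]]+\]:[ \t]*(<[^>]*>|\S+)", re.MULTILINE)


def _classify(kind, raw_url):
    """Return a finding for an untrusted http(s) target, or None if trusted or not a fetch."""
    url = raw_url.strip("<>")
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return None  # relative paths and mailto: are not outbound fetches
    host = (parsed.hostname or "").lower()
    if host in TRUSTED_HOSTS:
        return None
    return {
        "kind": kind,  # "inline", "image" or "reference"
        "host": host,
        "url": url,
        # A query string on a URL that may be fetched without a click is where
        # summarised text would ride out of the tenant.
        "carries_query": bool(parsed.query),
    }


def find_external_links(text):
    """All markdown link targets in `text` whose host is not on the allowlist."""
    findings = []
    for bang, raw in INLINE_LINK_RE.findall(text):
        findings.append(_classify("image" if bang else "inline", raw))
    for raw in REF_DEF_RE.findall(text):
        findings.append(_classify("reference", raw))
    return [f for f in findings if f is not None]


def should_quarantine(text):
    """Hold the item if any untrusted external link could be followed automatically."""
    return len(find_external_links(text)) > 0


# Constructed sample messages (not real mail).
BENIGN_EMAIL = """Hi team,
The Q2 deck is at [SharePoint](https://contoso.sharepoint.com/sites/fin/Q2.pptx).
Thanks"""

SUSPICIOUS_EMAIL = """Hello,
Please review the attached [summary][1] when you have a moment.

[1]: https://collector.attacker-example.invalid/log?ctx=
"""

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_EMAIL), ("suspicious", SUSPICIOUS_EMAIL)):
        verdict = "quarantine" if should_quarantine(body) else "pass"
        print(name, verdict, find_external_links(body))
```

The `carries_query` flag is the triage signal worth acting on first: a reference-style or image link whose URL already ends in an empty query parameter has nowhere to go but to carry text appended by whatever renders it. Run against the two constructed messages, the benign one passes and the second is held because of its reference definition.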

Implications

  • No user interaction needed

  • Copilot trusts metadata in summarised content

  • Highlights how AI-based automation can become a liability

Microsoft’s Response

A rapid patch was issued, requiring no user action. Microsoft confirmed no incidents in the wild and is rolling out additional defence-in-depth measures.

Recommendations

  • Disable or restrict Copilot in environments where sensitive data is routinely exchanged

  • Review logs for unexpected outbound traffic to attacker domains

  • Train security teams on AI-specific attack vectors and detection

  • Harden systems using heuristic AI detection tools and update filtering policies



2. NCSC Warns of Umbrella Stand Malware Targeting UK Critical Infrastructure

The UK’s National Cyber Security Centre has issued a fresh advisory on Umbrella Stand—a malware strain actively used by hostile nation-state actors. The malware targets critical infrastructure and government contractors via compromised software supply chains and phishing lures.

Tactics

  • Long-term espionage campaigns

  • Malware delivered through manipulated updates and compromised emails

  • Designed to blend into enterprise traffic and evade endpoint detection tools

Impact

  • Disruption to public services and infrastructure

  • Increased risk of data exfiltration and operational sabotage

Recommendations

  • Audit third-party software supply chains and validate update sources

  • Implement strict network segmentation and privilege controls

  • Ensure endpoint protection and anomaly detection are current and monitored

  • Follow the latest guidance from the NCSC and associated threat advisories



3. SEO Poisoning: Hackers Manipulating Google Search Results

Cybercriminals are using search engine optimisation (SEO) poisoning to hijack Google search results and direct users to malicious websites. These campaigns often target individuals looking for popular software downloads, patches, or fixes.

How It Works

Malicious actors create fake websites and blog posts loaded with keyword-optimised content. Once these sites are indexed by search engines, they rank high in results. Unsuspecting users are lured into clicking links that initiate malware downloads such as info-stealers or loaders like Gootloader.

Key Risks

  • Mass exposure from seemingly routine search activity

  • Increased difficulty distinguishing legitimate from malicious links

  • Often targets professionals and administrators, amplifying business risk

Recommendations

  • Train users to avoid downloading software from unofficial sources

  • Use DNS filtering to block suspicious domains

  • Deploy browser isolation and behavioural malware detection tools
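The pattern the section describes (a search result leading straight to an installer download from a site that is not a recognised software source) is visible in ordinary web-proxy logs. The script below is an added example, not code from the original post: it parses a constructed proxy log and flags downloads of executable or archive files whose referrer is a search engine and whose host is not on an assumed allowlist of vendor download sites, recovering the search term for the analyst. The log lines, the allowlist and the `example-mal.invalid` host are all constructed.

```python
"""
Added example: triage web-proxy records for search-led installer downloads
from hosts that are not approved software sources.
"""
import re
from urllib.parse import parse_qs, urlparse

# Assumed allowlist of vendor download hosts; a real one is organisation-specific.
APPROVED_DOWNLOAD_HOSTS = {"download.microsoft.com", "www.7-zip.org", "github.com"}
SEARCH_ENGINE_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}
# File types commonly used to deliver loaders and info-stealers.
PAYLOAD_EXT_RE = re.compile(r"\.(exe|msi|msix|zip|iso|js|vbs|hta)$", re.IGNORECASE)

# Constructed proxy log (fields: ts user url referrer status bytes); not real traffic.
SAMPLE_PROXY_LOG = """\
2025-06-20T09:12:03Z jsmith https://www.7-zip.org/a/7z2409-x64.exe https://www.google.com/search?q=7zip 200 1589000
2025-06-20T09:15:41Z jsmith https://cdn.contoso.com/docs/policy.pdf https://intranet.contoso.com/ 200 240000
2025-06-20T10:02:17Z adoe https://putty-download-free.example-mal.invalid/putty_installer.zip https://www.google.com/search?q=putty+download 200 2300000
2025-06-20T10:03:55Z adoe https://www.google.com/search?q=anydesk - 200 41000
"""


def parse_proxy_line(line):
    """Split one space-separated record into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, user, url, referrer, status, size = parts
    return {
        "ts": ts,
        "user": user,
        "url": url,
        "referrer": "" if referrer == "-" else referrer,
        "status": int(status),
        "bytes": int(size),
    }


def search_query(referrer):
    """Recover the search term from a search-engine referrer, if present."""
    return parse_qs(urlparse(referrer).query).get("q", [""])[0]


def is_search_led_download(rec):
    """True when a payload-type file was fetched from an unapproved host via a search result."""
    url = urlparse(rec["url"])
    host = (url.hostname or "").lower()
    ref_host = (urlparse(rec["referrer"]).hostname or "").lower() if rec["referrer"] else ""
    return (
        rec["status"] == 200
        and PAYLOAD_EXT_RE.search(url.path) is not None
        and ref_host in SEARCH_ENGINE_HOSTS
        and host not in APPROVED_DOWNLOAD_HOSTS
    )


def triage(log_text):
    """Return the flagged records, each annotated with the host and the search term used."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec and is_search_led_download(rec):
            rec["host"] = (urlparse(rec["url"]).hostname or "").lower()
            rec["query"] = search_query(rec["referrer"])
            flagged.append(rec)
    return flagged


if __name__ == "__main__":
    for rec in triage(SAMPLE_PROXY_LOG):
        print(rec["ts"], rec["user"], rec["host"], repr(rec["query"]))
```

On the constructed log only the `putty_installer.zip` fetch is flagged: the 7-Zip download is also search-led but comes from an approved vendor host, which is exactly the distinction a DNS or proxy allowlist enforces. The recovered search term ("putty download") tells the analyst which product the user was looking for and therefore which lookalike domains to hunt across the rest of the estate.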



4. Scattered Spider Attributed to MGM, Caesars, and Snowflake Attacks

New evidence links the Scattered Spider cybercrime group to recent breaches at Snowflake, Caesars Entertainment, and MGM Resorts. Known for their advanced social engineering and SIM-swapping techniques, this group bypasses MFA protections and exploits internal tools.

Attack Strategy

  • Breached credentials sourced from third parties

  • SIM-swapping to hijack SMS-based MFA

  • Leveraged enterprise tools like Citrix and Okta for privilege escalation

Snowflake Incident

The group gained access to customer environments by exploiting accounts linked to Snowflake. This incident highlights the cascading risk of third-party data breaches.

Impact

  • Large-scale data theft and potential extortion

  • Operational disruption

  • Regulatory and legal consequences

Recommendations

  • Enforce phishing-resistant MFA such as hardware-based FIDO2 keys

  • Apply least-privilege access policies and monitor internal tool usage

  • Strengthen vendor and third-party risk management processes

  • Continuously monitor for signs of privilege escalation or unusual access
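Two of the recommendations above (phishing-resistant MFA, and monitoring for unusual access that precedes privilege escalation) can be checked against identity-provider logs. The code below is an added example, not from the original post or from any vendor: `sim_swappable_only` lists accounts whose only enrolled factors are SMS or voice and so are exposed to the SIM-swapping described in the Attack Strategy, and `detect_sim_swap_chain` correlates, per user, an SMS/voice MFA success from an IP address never seen for that user with a subsequent access to a privileged tool, raising the severity when the MFA phone number was changed shortly beforehand. The event schema, the 24-hour window, the tool names and all sample data are assumptions constructed for illustration.

```python
"""
Added example: identity-log checks for SMS-MFA weakness and a SIM-swap-style
login chain (factor change -> SMS MFA from unseen IP -> privileged tool access).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

SIM_SWAPPABLE = {"sms", "voice"}
WINDOW = timedelta(hours=24)  # assumed correlation window


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str         # "mfa_success", "phone_changed" or "privileged_action"
    ip: str = ""      # source IP for mfa_success
    factor: str = ""  # MFA factor for mfa_success: "sms", "voice", "totp", "fido2"
    detail: str = ""  # tool name for privileged_action


def sim_swappable_only(factor_inventory):
    """Users whose every enrolled MFA factor can be captured by a SIM swap."""
    return sorted(u for u, factors in factor_inventory.items()
                  if factors and set(factors) <= SIM_SWAPPABLE)


def detect_sim_swap_chain(events, baseline_ips):
    """Alert on SMS/voice MFA from an unseen IP followed by privileged access within WINDOW."""
    alerts = []
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    for user, evs in by_user.items():
        phone_changed_at = None
        suspicious = None  # most recent SMS/voice success from an IP outside the baseline
        for e in evs:
            if e.kind == "phone_changed":
                phone_changed_at = e.ts
            elif (e.kind == "mfa_success" and e.factor in SIM_SWAPPABLE
                  and e.ip not in baseline_ips.get(user, set())):
                suspicious = e
            elif (e.kind == "privileged_action" and suspicious is not None
                  and e.ts - suspicious.ts <= WINDOW):
                minutes = int((e.ts - suspicious.ts).total_seconds() // 60)
                indicators = [
                    f"{suspicious.factor} MFA accepted from unseen IP {suspicious.ip}",
                    f"privileged access to {e.detail} {minutes} min later",
                ]
                severity = "medium"
                if phone_changed_at and suspicious.ts - phone_changed_at <= WINDOW:
                    indicators.insert(0, "MFA phone number changed within 24 h before the login")
                    severity = "high"
                alerts.append({"user": user, "severity": severity, "indicators": indicators})
                suspicious = None  # one alert per chain
    return alerts


def _t(hour, minute):
    return datetime(2025, 6, 20, hour, minute)


# Constructed sample data; no real accounts, addresses or tenants.
BASELINE_IPS = {"alice": {"198.51.100.7"}, "bob": {"198.51.100.8"}, "carol": {"198.51.100.9"}}
FACTOR_INVENTORY = {"alice": ["fido2", "sms"], "bob": ["sms"], "carol": ["sms", "voice"], "dave": ["totp"]}
EVENTS = [
    Event(_t(9, 0), "alice", "mfa_success", ip="198.51.100.7", factor="fido2"),
    Event(_t(9, 5), "alice", "privileged_action", detail="okta-admin"),
    Event(_t(10, 0), "bob", "phone_changed"),
    Event(_t(10, 20), "bob", "mfa_success", ip="203.0.113.45", factor="sms"),
    Event(_t(10, 31), "bob", "privileged_action", detail="citrix-gateway"),
    Event(_t(11, 0), "carol", "mfa_success", ip="198.51.100.9", factor="sms"),
    Event(_t(11, 2), "carol", "privileged_action", detail="okta-admin"),
]

if __name__ == "__main__":
    print("SMS/voice-only accounts:", sim_swappable_only(FACTOR_INVENTORY))
    for alert in detect_sim_swap_chain(EVENTS, BASELINE_IPS):
        print(alert["severity"].upper(), alert["user"], "; ".join(alert["indicators"]))
```

On the constructed data, `bob` produces a single high-severity alert (phone change, then SMS MFA from an address outside his baseline, then a gateway login eleven minutes later); `alice` authenticates with a FIDO2 key so the chain never starts, and `carol` uses SMS from her usual address and is not flagged. The inventory check lists `bob` and `carol` as the accounts that should be moved to phishing-resistant factors first.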



Stay ahead of emerging cyber threats with real-time insights from our Weekly Threat Feed.

Our updates provide you with critical information on the latest vulnerabilities, attacks, and security trends—all designed to help you protect your business and make informed decisions.

Subscribe to the Periculo Threat Feed Today 

Your first line of defence starts with staying informed.
