This week’s Threat Report: a critical zero-click exploit in Microsoft 365 Copilot, espionage-driven malware targeting UK infrastructure, SEO poisoning campaigns spreading malware through Google results, and confirmation of Scattered Spider’s involvement in high-profile breaches.
Researchers from RAIM Security’s Aim Labs have uncovered a zero-click cross-prompt injection vulnerability in Microsoft 365 Copilot, named EchoLeak. This flaw, with a CVSS score of 9.3, allows attackers to exfiltrate sensitive user data—such as API keys and metadata—without requiring any interaction from the victim.
How It Works
Crafted phishing emails contain markdown-style reference links that exploit Copilot’s background processing. As Copilot attempts to summarise or preview emails, it inadvertently follows these links and sends context-rich data back to attacker-controlled domains.
Proof-of-Concept
Researchers demonstrated Copilot leaking API keys and triggering image generation flows to exfiltrate content. Even with Microsoft’s security policies in place, these attacks succeeded through indirect paths like SharePoint and Teams invites.
Implications
No user interaction needed
Copilot trusts metadata in summarised content
Highlights how AI-based automation can become a liability
Microsoft’s Response
A rapid patch was issued, requiring no user action. Microsoft confirmed no incidents in the wild and is rolling out additional defence-in-depth measures.
Recommendations
Disable or restrict Copilot in environments where sensitive data is routinely exchanged
Review logs for unexpected outbound traffic to attacker domains
Train security teams on AI-specific attack vectors and detection
Harden systems using heuristic AI detection tools and update filtering policies
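One filtering heuristic for the markdown-style reference links described under How It Works, as an added example (not code from the researchers or from Microsoft): it scans the plain-text parts of an email for reference-style links and images whose target host is outside an allowlist. The allowlist hosts, function names and sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Assumption: hosts this organisation expects in mail links (placeholders).
ALLOWED_HOSTS = {"sharepoint.example.com", "intranet.example.com"}
# Definition line: [label]: https://host/path "optional title"
REF_DEF = re.compile(r"^[ \t]{0,3}\[([^\]]+)\]:[ \t]*<?(\S+?)>?(?:[ \t]+.*)?$", re.M)
# Usage: [text][label] or ![alt][label]; the image form loads when rendered.
REF_USE = re.compile(r"(!?)\[([^\]]*)\]\[([^\]]*)\]")

def find_external_reference_links(body, allowed_hosts=ALLOWED_HOSTS):
    """Return one finding per reference-style link whose host is not allowed."""
    defs = {m.group(1).strip().lower(): m.group(2) for m in REF_DEF.finditer(body)}
    findings = []
    for bang, text, label in REF_USE.findall(body):
        key = (label or text).strip().lower()  # [text][] reuses text as the label
        url = defs.get(key)
        if url is None:
            continue
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme not in ("http", "https") or host in allowed_hosts:
            continue
        findings.append({"label": key, "host": host,
                         "image": bang == "!", "has_query": bool(parts.query)})
    return findings

def scan_message(raw):
    """Parse an RFC 5322 message and scan each text/plain part."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            findings += find_external_reference_links(payload.decode(charset, "replace"))
    return findings

# Constructed sample message (not taken from any real campaign).
SAMPLE = """From: sender@example.net
Subject: Q3 planning notes
Content-Type: text/plain; charset=utf-8

See the [onboarding guide][guide] and this chart: ![chart][img1]

[guide]: https://intranet.example.com/onboarding
[img1]: https://collector.example.net/pixel.png?d=PLACEHOLDER
"""
```

Findings with both `image` and `has_query` set are the ones to prioritise, since an image reference is fetched on render and the query string is where data would leave.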
The UK’s National Cyber Security Centre has issued a fresh advisory on Umbrella Stand—a malware strain actively used by hostile nation-state actors. The malware targets critical infrastructure and government contractors via compromised software supply chains and phishing lures.
Tactics
Long-term espionage campaigns
Malware delivered through manipulated updates and compromised emails
Designed to blend into enterprise traffic and evade endpoint detection tools
Impact
Disruption to public services and infrastructure
Increased risk of data exfiltration and operational sabotage
Recommendations
Audit third-party software supply chains and validate update sources
Implement strict network segmentation and privilege controls
Ensure endpoint protection and anomaly detection are current and monitored
Follow the latest guidance from the NCSC and associated threat advisories
Cybercriminals are using search engine optimisation (SEO) poisoning to hijack Google search results and direct users to malicious websites. These campaigns often target individuals looking for popular software downloads, patches, or fixes.
How It Works
Malicious actors create fake websites and blog posts loaded with keyword-optimised content. Once these sites are indexed by search engines, they rank high in results. Unsuspecting users are lured into clicking links that initiate malware downloads such as info-stealers or loaders like Gootloader.
Key Risks
Mass exposure from seemingly routine search activity
Increased difficulty distinguishing legitimate from malicious links
Often targets professionals and administrators, amplifying business risk
Recommendations
Train users to avoid downloading software from unofficial sources
Use DNS filtering to block suspicious domains
Deploy browser isolation and behavioural malware detection tools
New evidence links the Scattered Spider cybercrime group to recent breaches at Snowflake, Caesars Entertainment, and MGM Resorts. Known for their advanced social engineering and SIM-swapping techniques, this group bypasses MFA protections and exploits internal tools.
Attack Strategy
Breached credentials sourced from third parties
SIM-swapping to hijack SMS-based MFA
Leveraged enterprise tools like Citrix and Okta for privilege escalation
Snowflake Incident
The group gained access to customer environments by exploiting accounts linked to Snowflake. This incident highlights the cascading risk of third-party data breaches.
Impact
Large-scale data theft and potential extortion
Operational disruption
Regulatory and legal consequences
Recommendations
Enforce phishing-resistant MFA such as hardware-based FIDO2 keys
Apply least-privilege access policies and monitor internal tool usage
Strengthen vendor and third-party risk management processes
Continuously monitor for signs of privilege escalation or unusual access