Cyber Intelligence Weekly

Cyber Intelligence Weekly (February 15, 2026): Our Take on Three Things You Need to Know

By Dan Desko
Posted on Feb 15 / 2026

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe

Before we turn to this week’s edition of Cyber Intelligence Weekly, I want to introduce a new CISO Spotlight Series: The Human Side of Cybersecurity

This series is grounded in conversation rather than commentary. It centers on CISOs who are in the seat—navigating real leadership pressure, complex risk decisions, and the human realities of building and sustaining security programs. Some are earlier in their journey, others further along paths many of you may recognize or aspire toward. What they share isn’t theory. It’s experience—earned through moments of progress, frustration, growth, and reflection. These conversations are for the professionals who show up every day to quietly carry the weight of this industry.

Dom Glavach (CyberSN) — “Build teams before you buy technology.”

In this episode, I sat down with Dom Glavach, CISSP, strategic cybersecurity leader at CyberSN, whose career began deep in the technical trenches—long before “cybersecurity” was even a formal field. From database administration and Unix to offensive security, incident response, and executive leadership, Dom’s journey reflects a steady evolution from securing systems to securing businesses. What drives him isn’t the technology—it’s curiosity, a passion for understanding how things fail, and a belief that cybersecurity is ultimately a people-versus-people challenge.

One of the most powerful themes in our conversation was Dom’s defining leadership shift: realizing that people matter more than any technology that can be purchased. Whether defending against nation-state actors or building enterprise programs, the real differentiator is the creativity, commitment, and resilience of the team. His message for security leaders is clear: build teams before you buy technology. Hiring is just the start—great leaders mentor, develop, retain, and grow their people every day.

He also shared a memorable “professional scar” from a high-pressure incident response. A single ambiguous instruction led to a responder sending one ICMP packet—which triggered a full external attack escalation. The lesson: no matter the pressure or fatigue, pause, think, and communicate clearly. In cybersecurity, precision in communication can matter as much as technical skill.

____________________________________

RSA 2026, Come Meet With Us!

Also, to highlight upcoming events, we hope to meet you at RSAC 2026! If you are heading out to RSA and want to meet up with the Echelon team, come see us at our exclusive happy hour at the prestigious Olympic Club, a quiet oasis from the busy hustle and bustle of RSA.

Join Echelon Risk + Cyber for our annual RSA Happy Hour at The Olympic Club on Monday, March 23, from 3:00–5:00 PM PT, just before the official RSA Welcome Reception, with our sponsors Drata and Schellman!

Good people, great conversations, easy networking, no pressure.

📍 The Olympic Club, San Francisco

👉 Reserve your spot here: https://lnkd.in/enj3Q9D3
 

Away we go!

1. Ring Pulls Back Flock Integration After Privacy Backlash

Amazon’s Ring has quietly backed away from a planned integration with surveillance technology provider Flock Safety, just days after a Super Bowl commercial triggered a wave of public concern about privacy and residential monitoring. The proposed partnership—first announced in October—would have allowed Ring users to share doorbell footage with law enforcement through Ring’s Community Requests ecosystem. According to Amazon, the integration was never launched and no data was ever shared between the platforms.

The timing of the decision is hard to ignore. Ring’s Super Bowl ad, framed around using video to locate lost pets, instead sparked a broader conversation about how AI-enabled image recognition and neighborhood camera networks could be used to track people, not just animals. Lawmakers quickly weighed in, warning that the commercial highlighted the civil liberties implications of expanding facial recognition and persistent monitoring into residential environments.

Flock Safety, which operates a growing nationwide network of automated license plate reader (ALPR) cameras, has already faced scrutiny in several jurisdictions over concerns about cross-agency searches, unauthorized data access, and the potential for broad population tracking. A deeper integration between Ring’s vast consumer camera footprint and Flock’s law enforcement infrastructure would have significantly expanded the scope of community-level surveillance—one of the core issues driving the public backlash.

From a cybersecurity and risk perspective, this story isn’t just about surveillance—it’s about trust, governance, and the growing expectation that companies anticipate the societal impact of their technology before deployment. The technical capability to collect and correlate massive amounts of visual data already exists. The harder challenge—and the one organizations are increasingly being judged on—is how transparently, responsibly, and deliberately they choose to use it.

Cybercriminals Abuse Google Cloud Email Feature in Multi-Stage Phishing Campaign

Threat researchers have documented an advanced phishing campaign that exploits the Google Cloud Application Integration email feature to execute multi-stage credential harvesting — a clear example of attackers abusing trusted automation. Over a two-week period in December 2025, adversaries sent nearly 9,400 malicious messages from legitimate Google infrastructure to roughly 3,200 organizations worldwide, spanning sectors including manufacturing, finance, and technology.

The attack leverages the “Send Email” capability to distribute phishing messages that bypass DMARC/SPF/DKIM protections, exploiting the trust placed in Google’s own domains. Once recipients click a link hosted on trusted Google Cloud storage, they are redirected through a layered redirect sequence to a fraudulent login page designed to harvest credentials.

From a security governance viewpoint, this incident highlights the need for policy and controls around cloud automation features that can send externally facing communications. Teams should enforce strict access controls on automation tasks, incorporate anomaly detection for unusual emailing behaviors, and ensure exhaustive logging and alerting for API-driven activities.

Incorporating this threat into phishing awareness training is crucial: standard user education must evolve beyond generic phishing to include scenarios where trusted domains are abused. For compliance programs, formalizing cloud service use policies and monitoring configurations for privilege creep can reduce the risk that such automation features are used for malicious purposes.

The campaign also underscores the value of advanced email security gateways capable of behavioral analysis rather than relying solely on authentication checks, aligning with zero-trust email principles.

2. Ivanti EPMM Under Active Exploitation as Attackers Position for Next-Stage Intrusions

A new wave of targeted cyber activity is unfolding around critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), and early indicators suggest this campaign is less about immediate disruption and more about quietly establishing future access. The flaws—CVE-2026-1281 and CVE-2026-1340—allow remote code execution on on-premises EPMM systems, effectively handing attackers a foothold into mobile management infrastructure that often sits close to identity services and sensitive enterprise data.

The impact is already material. European authorities confirmed investigations into multiple incidents, including a breach of the European Commission’s central mobile infrastructure that exposed staff contact information. Dutch government entities have also reported compromise tied to the same vulnerabilities. While containment efforts appear to have limited operational damage in some cases, the pattern is consistent: targeted access, limited immediate action, and signs of persistence rather than smash-and-grab activity.

Threat intelligence paints a broader and more concerning picture. Researchers have observed hundreds of unique IP addresses probing and exploiting exposed systems, with attackers deploying web shells, reverse shells, and custom Java loaders. The tradecraft strongly suggests the involvement of initial access brokers—operators who specialize in gaining and maintaining entry before selling that access to ransomware groups or other threat actors. At last count, dozens of confirmed compromises had been identified, with thousands of internet-exposed login interfaces still visible worldwide.

For security leaders, the takeaway is familiar but urgent. When exploitation activity looks quiet and methodical, it often means attackers are laying groundwork, not launching the main event. Mobile device management platforms have become high-value targets because of their reach across users, devices, and identity. Organizations running on-prem EPMM should assume active scanning is underway, prioritize patching and exposure reduction immediately, and treat any signs of compromise as a potential precursor to a larger, follow-on attack.

Google Gemini Calendar Flaw Shows New AI Attack Vectors

Researchers found a novel vulnerability in Google Gemini’s integration with calendar invites that can lead to unauthorized data exposure. By embedding malicious instructions in event descriptions, attackers can trigger unintended actions by Gemini — such as summarizing private events — without traditional malware or user interaction. This type of prompt-injection exploit represents a new class of AI-native attack surface that exists within linguistic input rather than code.

This incident highlights how AI interpretation logic itself can be weaponized and demonstrates that AI’s integration into productivity tools changes the threat calculus. As AI assistants and automation agents proliferate, security teams must consider data flow governance, runtime behavioral analysis, and model-aware filtering to safeguard against semantic exploits that traditional scanners miss.

3. Insider Sold Offensive Tools to Russian Broker in Case With Global Cyber Implications

A federal case unfolding in Washington is offering a rare look inside one of cybersecurity’s most sensitive risks: the insider threat within the offensive tooling ecosystem. U.S. prosecutors say a former executive at Trenchant—a division of defense contractor L3Harris—stole and sold eight advanced exploitation tools to a Russian broker between 2022 and 2025, earning more than $1.3 million in cryptocurrency. According to the Department of Justice, the tools were capable of enabling large-scale compromise of systems worldwide.

What makes the case particularly concerning is the potential scale of impact. Prosecutors stated the exploits could have been used to access “millions of computers and devices,” including systems inside the United States. While the tools themselves were not classified, their transfer to a broker linked to Russian government customers significantly increased the risk that nation-state operators, cybercriminals, or ransomware groups could weaponize them for surveillance or disruption.

The timeline also underscores the complexity of insider risk. The accused executive was involved in managing the internal investigation into the stolen tools—even as he continued selling them. At one point, a subordinate was terminated under suspicion related to the incident. Authorities say the activity continued despite ongoing FBI engagement, highlighting how financial motivation and privileged access can override traditional organizational controls.

For security leaders, the lesson goes beyond one individual case. Offensive cyber capabilities—whether developed internally or acquired commercially—carry strategic risk if governance, monitoring, and access controls aren’t tightly managed. As the market for zero-days and exploitation tools continues to grow, the boundary between legitimate cyber operations and global threat enablement is increasingly thin. Insider risk, particularly around high-impact intellectual property, is no longer a theoretical concern—it’s a national security issue.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers wholistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about

Are you ready to get started?